Protecting your local government from fraud

LGIS is aware of an increase in the frequency of social engineering fraud attempts on WA local governments, and over the past few months members of the South Australian local government scheme have reported claims as a result of ransomware attacks.

What is social engineering?

Social engineering fraud refers to the scams used by fraudsters to trick, deceive and manipulate their victims into releasing confidential information and/or funds. It relies on exploiting the target's trust and their normal business processes rather than breaking into a secured computer system.

What is ransomware?

Ransomware is malicious software that holds a user's or organisation's data and systems hostage, usually by encrypting them so they cannot be used. It commonly gets in through a phishing email, an exposed remote-access service or an unpatched security vulnerability, and once inside it may spread to other systems in the same way a computer worm does. The attacker then demands a payment in exchange for the means to restore the systems; paying does not guarantee that the data will be recovered.

Forewarned is forearmed, so below are some examples of what is occurring and some recommendations on measures you can implement to limit the chance of loss.

Scenario 1

A metropolitan local government received an email from a regular supplier advising of changes to their bank account details. The sender's email address was checked against the address on file and matched, so the supplier's bank account details were updated.

The local government then received genuine invoices from the supplier for work carried out, and made payment in accordance with the changed details. A few days later the supplier contacted the local government advising that payment had not been received. Upon investigation, the most likely cause was that the supplier's email system had been compromised by a third party and the perpetrator had sent the initial email from the supplier's genuine account. Because the message came from the real address, checking it against the address on file could not have detected the fraud; only confirming the change with the supplier by another channel would have.

Scenario 2

A rural local government received an email from an employee who requested a change to their bank account details. The requisite form was supplied for the 'employee' to fill out. Once the completed form was submitted, it was sent to the payroll team for the employee's bank account details to be updated.

A few weeks later, the employee advised that their wages had not been received. Upon investigation, the initial request to change bank account details had been fraudulent.

Scenario 3

A large metropolitan local government was targeted in a high-impact ransomware attack. Attackers gained access to its network and obtained full administrative privileges. The impact to the local government was several days of near-total IT services shutdown, including limited or no access to phones, a complete server outage, limited end-user computing capacity and a near inability for staff to work using technology at all.

Council had an IT partner and had invested in data-protection, firewall, anti-malware, anti-spam and anti-virus products; however, because the attack was targeted, none of these controls prevented this type of complex incident.

The outcome

Aside from the financial losses suffered by all parties involved, the above scenarios also caused reputational damage and conflict with members' business partners, particularly around determining responsibility for the loss and who would therefore bear the financial consequences.

Red flags (what should I look for)

It's critical to remember that with social engineering fraud, things are not always what they seem. A message can look and even sound legitimate, but still set off a warning bell if you know what to look for. Here are some common warning signs:

  • Unfamiliar email address. The sender's address doesn't match the one on file, or differs from it by only a character or two.
  • Generic salutation. The email doesn't address the specific person it is sent to.
  • Signature. There is no name or contact number provided within the email.
  • Spelling/grammatical errors. There are clear spelling and grammatical errors within the email.

Note that none of these signs will be present when the email comes from a genuine account that has been compromised, as in Scenario 1. The absence of red flags is not proof that a request is legitimate, so a request to change bank account details should always be verified regardless of how the email looks.

How to reduce your risk

While social engineering and ransomware attacks only require a few users to take the bait, keep the following in mind to reduce your risk of becoming a victim:

  • Pick up the phone. Always verify the request by calling the sender on a phone number already held on file, never on a number quoted in the email itself, and confirm the change before acting on it.
  • Slow down. Perpetrators count on their targets to act quickly. If the request conveys a sense of urgency, be sceptical and never act impulsively.
  • Consider the source. No matter how legitimate the email may appear to be, take extra steps to check where a link actually leads or what a file is before clicking or downloading it, and research the sender independently (for example with a search engine) rather than relying on the contents of the email.
  • Review IT security arrangements, including how quickly services could be restored after an outage like the one in Scenario 3, and seek expert advice to ensure you are protected against targeted attacks.
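As an added illustration, not LGIS material, the following Python script applies the red flags above and the callback rule to inbound emails that ask for a change of bank account details. The record fields, the keyword patterns and the three sample messages are constructed for this example; a real deployment would take the supplier or employee record from the finance or payroll system. The point it makes is the one from Scenario 1: a message from exactly the right address still ends in a callback to the number already on file, because a matching address proves nothing once the sender's mailbox has been compromised.

```python
"""Triage for inbound 'change my bank account details' requests.

Added example, not LGIS code. The Contact/Message fields, keyword patterns
and sample messages below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Contact:
    """Supplier or employee record already held by the local government."""
    name: str
    email: str   # address on file
    phone: str   # number on file: the callback uses this, never a number quoted in the email


@dataclass
class Message:
    sender: str
    to_name: str            # the officer the email was addressed to
    subject: str
    body: str
    reply_to: Optional[str] = None


CHANGE_WORDS = re.compile(r"\b(bank|bsb|account (?:number|details)|payment details|remittance)\b", re.I)
URGENT_WORDS = re.compile(r"\b(urgent(?:ly)?|immediately|asap|today|before cob)\b", re.I)
PHONE_RE = re.compile(r"(?:\+61|0)\d[\d ]{7,9}\d")
# Character swaps commonly used in lookalike domains (applied after lower-casing, so 'I' -> 'i' -> 'l').
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("i", "l"), ("0", "o")]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def _canon(s: str) -> str:
    s = s.lower()
    for a, b in CONFUSABLES:
        s = s.replace(a, b)
    return s


def _edit_distance(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(d1: str, d2: str) -> bool:
    """True when two different domains collapse to the same string under confusable
    substitutions, or differ by a single character."""
    d1, d2 = d1.lower(), d2.lower()
    if d1 == d2:
        return False
    return _canon(d1) == _canon(d2) or _edit_distance(d1, d2) <= 1


def triage(msg: Message, contact: Contact) -> Dict[str, object]:
    flags: List[str] = []
    sender, on_file = msg.sender.strip().lower(), contact.email.strip().lower()
    if sender != on_file:
        flags.append("sender_not_on_file")
        if is_lookalike(_domain(sender), _domain(on_file)):
            flags.append("lookalike_domain")
    if msg.reply_to and msg.reply_to.strip().lower() != sender:
        flags.append("reply_to_mismatch")
    lines = [ln for ln in msg.body.strip().splitlines() if ln.strip()]
    first_name = msg.to_name.split()[0].lower()
    if not lines or first_name not in lines[0].lower():   # generic salutation
        flags.append("generic_salutation")
    tail = "\n".join(lines[-3:]).lower()                   # signature block: a name or a number
    if contact.name.lower() not in tail and not PHONE_RE.search(tail):
        flags.append("missing_signature")
    text = msg.subject + "\n" + msg.body
    if URGENT_WORDS.search(text):
        flags.append("urgency")
    if CHANGE_WORDS.search(text):
        flags.append("bank_details_change")

    # A bank-detail change always needs a callback, even with no other flag: in Scenario 1 the
    # sender address matched the record exactly because the supplier's mailbox was compromised.
    if "bank_details_change" in flags:
        action = "CALLBACK_REQUIRED"
    elif flags:
        action = "REVIEW"
    else:
        action = "OK"
    return {"flags": flags, "action": action,
            "callback_number": contact.phone if action == "CALLBACK_REQUIRED" else None}


# Constructed sample data.
SUPPLIER = Contact("Jane Citizen", "accounts@example-supplier.com.au", "08 9000 0000")
FROM_COMPROMISED_MAILBOX = Message(
    "accounts@example-supplier.com.au", "Chris Officer", "Updated bank account details",
    "Hi Chris,\n\nPlease note that our bank account details have changed from 1 July. "
    "The new BSB and account number are in the attached form.\n\n"
    "Kind regards,\nJane Citizen\nAccounts Receivable, 08 9000 0000\n")
LOOKALIKE = Message(
    "accounts@example-suppIier.com.au", "Chris Officer", "URGENT: remittance to new account",
    "Dear Sir/Madam,\n\nPlease update our payment details immediately.\n",
    reply_to="payments@webmail.example")
GENUINE_INVOICE = Message(
    "accounts@example-supplier.com.au", "Chris Officer", "Invoice 1042",
    "Hi Chris,\n\nPlease find attached invoice 1042 for the works completed in March.\n\n"
    "Regards,\nJane Citizen\n08 9000 0000\n")

if __name__ == "__main__":
    for m in (FROM_COMPROMISED_MAILBOX, LOOKALIKE, GENUINE_INVOICE):
        print(m.subject, "->", triage(m, SUPPLIER))
```

The first sample raises no red flag at all and still returns CALLBACK_REQUIRED with the number from the record, which is the behaviour that would have stopped Scenario 1. The second trips every flag, including a domain that differs from the real one only by a capital I in place of a lower-case l. The third is an ordinary invoice and passes, since the script is meant to gate changes to payment details, not all supplier email.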