Internal Control Tip of Week - Best Practices to Protect Against Increasing Business Email Compromise Scams

By Thomas Canby posted 06-15-2017 11:18


Since January 2015, businesses and governmental organizations in all 50 states and 100 foreign countries have been targeted by "business email compromise" scams that have diverted over $3 billion in payments to accounts controlled by scammers or organized crime rings, according to a Federal Bureau of Investigation public service announcement. The criminals study the payment methods their victims follow so they can target future payments that will be made under awarded contracts. It’s time for school officials to review their vendor payment processes to ensure they are following best practices that will help protect the school district from these types of scams.

In November 2016, a Texas municipality’s payment for $2.9 million to a construction contractor was diverted to a scammer in addition to a $300 thousand payment to another vendor. In both cases the criminals had convinced city officials to change vendors’ bank account information to accounts controlled by the criminals.

In December 2016, a college in North Carolina was scammed out of $1.95 million in construction project payments. The college transferred the funds electronically over the Automated Clearing House (ACH) network after receiving instructions in an email sent from an address deceptively similar to the construction company’s. The scammer even sent a follow-up message confirming that the ACH transfer was successful.

In April 2017, a university in Oregon lost $1.9 million in funds that should have gone to the contractor on a construction project. The loss happened after someone sent an email directing school officials to send future payments to a bank account the contractor did not control. It’s not uncommon for vendors to periodically change bank account numbers, and the school believed it had appropriately followed its organization’s processes in handling the fraudulent request.

In June 2017, a school district disclosed that it had recently experienced a targeted attack aimed at obtaining invoice information that could be used to redirect funds.

Financial institutions and school officials recommend the following best practices to strengthen internal controls against the increasing number of "business email compromise" scams:

  • Conduct due diligence before sending a wire. Consider the following:
    • Did the wire instructions arrive in the form of an email, fax or letter?
    • Does the industry type and location of the receiving party seem logical?
    • Does my company normally do business with this party?
    • Did I personally speak with an official at my company who is knowledgeable about our relationship with the receiver?
  • Always VERIFY the payment requests submitted to your business.
    • Verify with a second individual or with the requestor, but through a different channel than the one used to submit the request.
    • Verify requests by phone that are received via email or fax; always use a phone number on file, not a phone number contained in the request.
    • Never feel pressured to initiate a payment without verification. It is safer to take a little longer and be sure the payment is legitimate, than to be quick and lose thousands of dollars to fraud.
    • Verify any change to vendor payment instructions (e.g., bank name or account number) or vendor contact information with a second individual at the vendor, reached through the vendor’s business phone number already on file.
  • Use fraud protection tools offered by your school district’s financial institution.
    • Dual Control: Establish a dual control requirement for all outgoing ACH or wire payments, so that no single person can both enter and release a payment.
    • Check Positive Pay: Prevent check fraud involving forgeries, counterfeits and alterations of the check number or dollar amount.
    • ACH Positive Pay: Create a trusted trading partner list and control the decision on exception items with ACH Alert. Receive alerts of exception items by email or mobile device text message.
    • ACH Fraud Filters: Automatically return ACH items that fail predefined criteria. Options include: block all ACH; allow credits only; and allow specific Company IDs only.
  • Verify whether email accounts have been compromised.
    • Run reports on any Business Office and Capital Projects staff mailboxes that have mail rules forwarding or redirecting mail to external accounts. Such rules are a common sign that an attacker who has taken over a mailbox is watching for payment traffic. Look for keywords that may be used in this attack, including:
      • Payment, payments
      • Invoice, invoices
      • Process a wire, wire funds, wire detail
    • Scan outgoing mail gateways for the keywords above.
    • Follow password security procedures, including periodically changing passwords especially for all Business Office and Capital Projects staff.

WHAT TO DO IF YOU ARE A VICTIM
If funds are transferred to a fraudulent account, it is important to act quickly:
  • Contact your financial institution immediately upon discovering the fraudulent transfer
  • Request that your financial institution contact the corresponding financial institution where the fraudulent transfer was sent
  • Contact your local Federal Bureau of Investigation (FBI) office if the wire is recent. The FBI, working with the United States Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds
  • File a complaint, regardless of dollar loss, at IC3.gov