A Texas school district recently reported a resurgence in attempts to defraud school districts. Like well-executed counterfeit paper currency, the scheme starts with a carefully crafted communication to a school district containing a vendor’s logo that is familiar to the district’s staff along with an email address and web site URLs that are so close a vendor the district is doing business with that the communication appears authentic at first glance. Processing legitimate requests to modify a vendor’s record is a familiar business office task to many school districts’ business office staff, and if you’re not careful, it’s easy to miss red flags that you are about to be seriously scammed by fraudulent requests to setup or to change vendors’ ACH or wire payment account information.
Fortunately, the latest report from a Texas school district was that an accounts payable clerk exercised due diligence by picking up the phone to call the vendor to verify the vendor’s payment account information and thereby learned the emailed instructions were false. What was done apparently by chance in this instance should be a consistent practice in all school districts. In some instances, the fraud schemes appear to be targeting higher dollar volume accounts.
This topic is also a reminder that school district officials need to assess the status of segregation of duties relating to changes to vendor accounts. This is an essential internal control aspect related to the maintenance of the master vendor file. Segregation of duties in this area should ensure employees that create, authorize or process vendor payments are not also able to add, modify, and delete vendors. Some districts assign roles and responsibilities for creation, changes and maintenance of the vendor file records to select individuals in the purchasing department that are not primarily involved in the daily processing of vendor invoices. A small enrollment district with very few employees in central administration may assign the review and approval of proposed changes to vendor master file records to an executive management-level employee in the curriculum area.
It’s also important to review the district’s status related to use of positive pay. If your district has declined positive pay you may have released financial institutions, including the depository bank, from liability for any checking account- or ACH-related fraud that would have been discovered if the school district had accepted positive pay. Under positive pay, school districts send check and ACH transactions details to their bank to match-up to payment transactions being processed by the financial institution. Additionally, it’s recommended that only the exact amount for the current payment runs be deposited into the district’s payment clearing accounts. Segregation of duties and timely reconciliations of bank accounts and other accounts are essential; however, fraud prevention is most effective when positive pay processes apply real-time blocks to payment of fraudulent transactions.
What should you do next if your district is a victim? If funds are transferred to a fraudulent account, it is important to act quickly. You must contact your financial institution immediately and request they inform the corresponding financial institution that a fraudulent payment was sent. Also, you need to contact the Federal Bureau of Investigation as soon as possible. Some governmental entities have been successful in recovery of funds thanks to the coordinated efforts of the United States Treasury Financial Crimes Enforcement Network and the FBI. Regardless of the dollar loss, it is recommended that you report the crime to the Federal Bureau of Investigation Internet Crime Complaint Center at www.ic3.gov.
Remain vigilant in detecting red flags and consistently exercise due diligence.