
Internal Control Tip: Protect Your District Against Spoofing and Phishing Schemes

By Thomas Greer, CAE posted 10-22-2018 15:50


Are you doing everything you can to protect your district against spoofing and phishing schemes?

With check registers that must be posted online, school districts are uniquely vulnerable to so-called “spoofing” schemes. Online check registers include all the information anyone would need to spoof a vendor: names, typical invoicing cycles, and invoice amounts. Someone could easily send an email that looks like it’s from a district vendor — just one tiny revision to the email address, such as a change in punctuation, and they can submit a request saying, “We have changed our banks; please wire payment to this new account.”

Protecting Against Vendor-Related Scams

Your district can protect itself by implementing simple validation procedures such as calling the vendor contact already on file for confirmation. Replying by email won’t work, since the reply would go to the altered address controlled by the attempted fraudster.

Restricting who can perform vendor changes is a good way to ensure that processes are followed consistently. IT can provide the finance office with a list of personnel who have access to modify vendor information; finance leaders should review that list to ensure it’s restricted to the appropriate people. For processing payments, the primary risk may be segregation of duties, but to minimize phishing and spoofing risks, the primary issue is making sure that people with the ability to change vendor data know the processes for reviewing, performing and validating changes.

In addition to restricting who can process changes, finance managers should regularly review the vendor master file and recent changes. Look in particular for small edits to names (A1 Exterminators vs. A-1 Exterminators), changes to payment instructions, and atypical payment increases. If the list of active vendors is long, one risk-based approach to culling it is to include only those that have been paid in the fiscal period under review. IT can provide the data and, depending on the tools available to them, perform a preliminary analysis so that A/P need only review the outliers. Finally, implement processes to disable old vendors who are no longer utilized.
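As an added illustration (not code from the original post or from Weaver), here is a Python sketch of the preliminary analysis described above, run over a constructed vendor master extract and change log; the vendor names, IDs, amounts and the change-log fields are invented for the example.

```python
import re
from difflib import SequenceMatcher
from statistics import median

# Constructed sample extract (invented names and amounts):
# "payments" holds the vendor's payments in the fiscal period, oldest first.
VENDORS = [
    {"id": "V100", "name": "A-1 Exterminators", "payments": [1200, 1250, 1180, 1230]},
    {"id": "V245", "name": "A1 Exterminators", "payments": [1200]},
    {"id": "V310", "name": "Lone Star Paper Co", "payments": [4800, 4950, 4700, 14900]},
    {"id": "V412", "name": "Old Roofing LLC", "payments": []},
]
# Constructed vendor-change log; "verified" means A/P called the vendor contact on file.
CHANGE_LOG = [
    {"vendor_id": "V310", "field": "bank_account", "user": "jdoe", "verified": False},
    {"vendor_id": "V100", "field": "address", "user": "asmith", "verified": True},
]

def normalize(name):
    """Drop punctuation, spaces and case so 'A-1' and 'A1' compare as equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def lookalike_names(vendors, threshold=0.9):
    """Pairs of distinct vendor IDs whose normalized names are (near-)identical."""
    hits = []
    for i, a in enumerate(vendors):
        for b in vendors[i + 1:]:
            ratio = SequenceMatcher(None, normalize(a["name"]), normalize(b["name"])).ratio()
            if ratio >= threshold:
                hits.append((a["id"], b["id"]))
    return hits

def unverified_bank_changes(log):
    """Payment-instruction changes not confirmed by a call to the vendor contact."""
    return [c["vendor_id"] for c in log if c["field"] == "bank_account" and not c["verified"]]

def atypical_payments(vendors, factor=2.0):
    """Vendors whose latest payment exceeds `factor` x the median of their earlier ones."""
    hits = []
    for v in vendors:
        history, latest = v["payments"][:-1], v["payments"][-1:]
        if len(history) >= 2 and latest and latest[0] > factor * median(history):
            hits.append(v["id"])
    return hits

def inactive_vendors(vendors):
    """Vendors with no payments in the period: candidates to disable."""
    return [v["id"] for v in vendors if not v["payments"]]
```

Each function returns only the outliers, so A/P reviews a short list rather than the whole master file.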

As employees are both the first defense and the weakest link, IT and A/P staff need to be diligent when it comes to spoofing and phishing campaigns. It’s helpful to add an “external” tag for all outside emails, not just so that malicious emails are easier to spot, but also to help flag spoofing immediately. It’s a best practice, if you have the resources, to send fake phishing emails or make calls to identify which employees might need additional education and security awareness.

The Bottom Line

There will always be people who try to defraud your district, and those people will continue to find new ways into your checking account. To protect your funds, IT and finance managers need to be aware and proactive in managing changing risks, not only through strong prevention but also through regular monitoring to detect threats early.

Partner Reema Parappilly, CISA, provides IT audit services for many of Weaver’s 50 ISD audit clients; she also advises state and local government agencies across Texas to improve their IT organizations, controls and processes.

Elisa Gilbertson, CPA, has worked both as a public accountant and a finance leader for a large Texas public school district. She currently leads Weaver’s firmwide data analytics function, as well as providing analysis and training to organizations’ management and internal audit teams.

See https://weaver.com/industries/government for more information.

