Frauds are continuing to occur in the Queensland public sector. Over the last 18 months alone, successful frauds have resulted in the losses of over $2.2 million. These have been as a result of fraudulent changes to bank account details for both employees and suppliers. Fraudsters are targeting entities of all sizes and in all locations. While most losses may be recoverable through insurance, entities could prevent them occurring with strong ‘everyday’ controls. In addition to any financial loss, entities may also face reputation damage.

What did the fraud attempts look like?

• An email from a senior executive’s personal email address requesting a bank account change for the next pay cycle. We discussed this incidence in our blog article Beware fraudulent emails.
• An email from a supplier requesting a bank account change.
• An entity’s bank account change request form was submitted via email.
• An email for a supplier requesting a bank account change, which was supported by emails between the public sector entity and the supplier. This fraud may have resulted from use of spyware. In this instance, there was a minor change to the supplier’s email address that was almost undetectable.
• Changes made to the Australian Banking Association (ABA) file between the final payment check and transmission to the bank (this fraud is still being investigated).

As you can see, there is nothing extraordinary about these attempts—they involve business-as-usual activities that your entity would see every day. 

What fraud prevention measures can I put in place?

• Develop and implement mandatory cyber security awareness training for all staff, to be completed during induction and at regular periods during employment.
• Conduct campaigns to test the adequacy of staff vigilance to risks, such as phishing and tailgating (following a person into an office), so your entity can assess and improve its awareness programs.
• Changes to employee and supplier bank account details need to be verified through sources independent of the change request. This verification should not be done by replying to the email requesting the change.
• Implement controls where a person independent from processing of the change verifies all changes to bank account details (supplier and employee). 
• Ensure information systems are secure to prevent unauthorised access that may result in fraud or error. Security measures could include encryption of information, restriction of user access, regular monitoring by management, and appropriate segregation of duties.
• ‘If it does not look right then it probably isn’t’—ensure all staff are aware of this and that processes are in place to bring this to the attention of section supervisors.
• Do not get complacent with ‘everyday’ internal controls. Just because your entity has never had a fraud attempt does not mean it never will. Fraudsters do not discriminate on the size or location of their targets—every entity is a potential successful fraud to them.
• Look at flagging emails initiated from outside your organisation. This will alert the recipient to the fact that the email may not be from a trusted source.

All entities should include the risk of fraud in their strategic risk register to monitor the safeguards they have put in place to prevent fraudulent activities.

Where can I find further information and advice? 

We have reported frauds of this nature in our blog posts and reports to parliament.

Blog posts:

• Beware fraudulent emails
• Action items on the results of this year’s financial audits
• Learnings from our cyber security report to parliament

Reports to parliament:

• Local government entities: 2018–19 results of financial audits (Report 13: 2019–20)
• Queensland state government entities: 2018–19 results of financial audits (Report 8: 2019–20)
• Water: 2018–19 results of financial audits (Report 4: 2019–20)
• Managing cyber security risks (Report 3: 2019–20)
• Education: 2017–18 results of financial audits (Report 19: 2018–19)
• Local government entities: 2015–16 results of financial audits (Report 13: 2016–17)