Queensland Audit Office

Do you have internal controls in place to protect your entity or council against fraudulent email attempts?

Queensland public sector entities recently received emails where fraud was attempted by requesting changes to the bank account details of employees.

In all cases, the perpetrator pretended to be the entity’s Chief Executive Officer (CEO) and sent an email to the entity’s payroll section/manager’s work email address asking them to change the bank account details into which his/her pay is transferred.

Key features of these attempts include:

  • The fraudulent email was from a personal email account with the nickname matching the Chief Executive Officer’s actual name, for example, From: John Smith [].
  • The location of the bank account was unusual (for example Mt Gambier, South Australia). It was from a location different from the CEO’s existing bank account location.
  • The footer of the fraudulent email was marked as ‘sent from my iPhone’ so the email did not have the CEO’s organisational signature block as the footer of the email.

Here’s what you can do

Conduct a risk assessment, and verify the legitimacy of any changes in employee bank account details that have been recently processed.

To help prevent successful fraudulent attempts, and to improve internal controls, we recommend all entities take the following actions: 

  • All employee bank account change requests should be treated with suspicion and effective verification controls should be put in place and tested for effectiveness from time to time.
  • Requests for changes to employee bank accounts received by email should be authenticated directly with the employee and not by return email. Caution should be taken when the email is from a private email address.
  • Where employees do not use Employee Self Service functions (ESS) to change their own bank account details:
    • all change requests for bank details should be made using an internal form that is signed by the employee
    • the officer making the bank account change must check email addresses, or other missing components within the email, to verify that it is a legitimate work email address
    • after processing bank account changes, inform the employee that the change is completed and, if emailing, use the recipient’s business email address and not reply to any private email addresses.
  • Wherever practicable, access privileges to change bank details should not be assigned to members of the payroll team (either the employee changes it themselves through ESS or the human resources team can change it).

To the extent that these controls have not been part of normal payroll bank account change processes, including contacting the employees physically or by phone, we recommend they are introduced immediately.

More information

You can contact us at for further advice on improving your entity’s internal controls.