Incidents of suspected crime and fraud associated with spear phishing emails are on the rise and are more sophisticated than ever (e.g., "Hackers strike Ohio Catholic church, steal $1.75M in email scheme," https://www.cleveland19.com/2019/04/29/brunswick-catholic-church-loses-m-after-email-hack/; "‘Red Flags’ Missed, Dayton Superintendent Victim of Paycheck Scam," https://www.daytondailynews.com/news/red-flags-missed-dayton-superintendent-victim-paycheck-scam/X3sbc1cZicMhXURWwMiKPP/).

Spear phishing is the act of sending emails to specific, well-researched targets while purporting to be a trusted sender.  The common goal is to convince victims to hand over information or transfer money.  It’s important to note that once a transfer of direct deposit funds to an account at a fraudulent bank or financial institution is complete, it can be difficult to get the funds back.  A quick response to an identified fraud is the best defense.

CORSA recently received claims of spear phishing emails that involve direct deposit of payroll.  CORSA member counties report that payroll clerks have received emails, supposedly from employees, requesting a change to the direct deposit of their paycheck.  The payroll clerks responded by sending a blank direct deposit form, which was returned completed and signed by the supposed employee.  In one case, the form included the employee’s correct social security number.

CORSA encourages member counties to be on alert and take preventative measures including, but not limited to:

  • Train Auditor’s staff to examine incoming email addresses.  Validate the domain of the sender as genuine.  Enabling display of the email ID shows the domain of the sender, so staff can validate whether the email ID (including domain) matches the display name;
  • Do not accept payroll changes solely by email.  Validate payroll change requests through an alternate source: by phone or in person with the employee.  Call a known phone number for the employee; do not call an unknown phone number that may be listed in the potentially fraudulent email;
  • Do not click on links within suspected spear phishing emails or reveal confidential information;
  • Review internal controls and operational handbooks for how to report phishing schemes and alert appropriate IT professionals, local law enforcement, FBI, and CORSA; and
  • For wire transfers to vendors, CORSA strongly encourages members to consider enrollment in the anti-fraud services Positive Pay and ACH Positive Pay, to verify transfers by phone, and not to accept account number changes by email, among other preventative anti-fraud measures.  The Ohio Auditor of State also recommends enrolling in the above anti-fraud services to guard against check fraud. (See: Auditor of State Best Practices https://ohioauditor.gov/publications/bestpractices/best%20practices%20sept%202016FINAL.pdf).
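
The sender check in the first bullet (genuine domain, and email ID matching the display name) can also be automated for a payroll mailbox. The sketch below is an added example, not CORSA's or any county's own code; the county domain, the employee directory and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Assumed values for illustration only (not from the advisory).
COUNTY_DOMAIN = "county.example.gov"
DIRECTORY = {  # display name (lowercased) -> email address on file
    "jane doe": "jane.doe@county.example.gov",
    "sam lee": "sam.lee@county.example.gov",
}

def check_sender(from_header):
    """Return the list of red flags raised by one From: header value."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable sender address"]
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[1]
    flags = []
    # Exact match only: look-alike domains and the county name used as a
    # prefix of a longer domain must not pass.
    if domain != COUNTY_DOMAIN:
        flags.append(f"sender domain '{domain}' is not the county domain")
    on_file = DIRECTORY.get(" ".join(name.lower().split()))
    if on_file is None:
        flags.append("display name is not in the employee directory")
    elif on_file != addr:
        flags.append("display name is a known employee, but the address "
                     "differs from the one on file")
    return flags

if __name__ == "__main__":
    samples = [  # constructed From: headers
        "Jane Doe <jane.doe@county.example.gov>",
        "Jane Doe <jane.doe.payroll@mail.example>",
        '"Sam Lee" <sam.lee@county.example.gov.secure-mail.example>',
        "Jane Doe <jane.doe@c0unty.example.gov>",
    ]
    for header in samples:
        result = check_sender(header)
        print(header, "->", result or "no red flags")
```

An empty result only means the header is consistent with the directory; the From header itself can be forged, so the phone or in-person verification in the second bullet still applies.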