The finance departments of public authorities are a prime target for fraudsters. These departments transfer large sums of money, which makes them especially lucrative for cybercriminals: payments can be manipulated and diverted to false recipients, or the finance department can be instructed to pay for fictitious orders or purchases.
Finance department employees therefore carry a particular responsibility. Raise awareness among your staff of online dangers, and define payment processes and who is responsible for each step.
Awareness-raising
Raise awareness among your staff of online dangers. In particular, employees in the finance department and in other key roles must know the methods fraudsters use, such as emails impersonating management or suppliers announcing changed bank details.
If in doubt, ask
Do not act on unusual payment requests. In the case of unusual requests from within the organisation, check by telephone that the request is genuine. If in doubt, ask your superior whether the payment should be carried out.
Establish a corporate culture in which employees know that they can always contact the authority's management and will not be blamed for questioning a request.
Control protects you from damage
In the case of unusual transfer orders, always check whether the sender's actual email address is correct (not just the display name) and whether the payment request really comes from the named source. It is best to enquire by telephone, using a number you already have on file rather than one given in the email, even if the email states that the payment is urgent and the customer cannot be reached at the moment. Be particularly sceptical if the sender forbids you from consulting with anyone.
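The sender-address check above can be partly automated. The following is an added example, not part of the original NCSC page: it parses a raw email and flags the red flags just described, namely a real sender domain that is not on the authority's trusted list or is a lookalike of it, a display name that shows a trusted address while the real address is elsewhere, a Reply-To that differs from the visible sender, and urgency or secrecy wording in the text. The trusted domain `example-authority.ch`, the phrase list and the three sample messages are constructed placeholders.

```python
import email
from email.utils import parseaddr

# Assumption: the authority's own mail domain and those of known payees.
# Placeholder value; replace with the real list.
TRUSTED_DOMAINS = {"example-authority.ch"}

# Pressure tactics described on the page (urgency, secrecy, "cannot be reached").
# Constructed list; extend it from real cases.
PRESSURE_PHRASES = (
    "urgent", "immediately", "do not discuss", "do not consult",
    "strictly confidential", "cannot be reached", "keep this between us",
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (e.g. 'l' for 'i')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def plain_text(msg) -> str:
    """Concatenate all text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain"
    )


def check_payment_email(raw: str, trusted=TRUSTED_DOMAINS) -> list[str]:
    """Return a list of warnings for a raw RFC 5322 message; empty means no red flag found."""
    msg = email.message_from_string(raw)
    warnings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. The real sender domain is not trusted; a near miss is reported as a lookalike.
    if from_domain not in trusted:
        close = [t for t in trusted if edit_distance(from_domain, t) <= 2]
        if close:
            warnings.append(f"lookalike sender domain {from_domain!r} resembles {close[0]!r}")
        else:
            warnings.append(f"sender domain {from_domain!r} is not a trusted domain")

    # 2. Display name shows a trusted address but the real address is elsewhere,
    #    e.g. "hans@authority.ch" <someone@webmail.example>.
    name_domain = domain_of(from_name)
    if name_domain in trusted and from_domain != name_domain:
        warnings.append("display name shows a trusted address but the real sender differs")

    # 3. Replies would go somewhere other than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        warnings.append(f"Reply-To {reply_addr!r} differs from From {from_addr!r}")

    # 4. Pressure wording in subject or body.
    text = (msg.get("Subject", "") + "\n" + plain_text(msg)).lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        warnings.append("pressure phrases: " + ", ".join(hits))

    return warnings


# Constructed sample messages (not real cases).
SAMPLE_SPOOFED_DISPLAY = """From: "hans.muster@example-authority.ch" <hans.muster.director@webmail.example>
Reply-To: hans.muster.director@webmail.example
To: finance@example-authority.ch
Subject: Urgent transfer
Content-Type: text/plain; charset="utf-8"

Please transfer CHF 48,000 today. This is urgent and strictly confidential,
I am in a meeting and cannot be reached by phone. Do not discuss with anyone.
"""

SAMPLE_LOOKALIKE = """From: Hans Muster <hans.muster@example-authorlty.ch>
Reply-To: accounting@paymentdesk.example
To: finance@example-authority.ch
Subject: Invoice 2024-117
Content-Type: text/plain; charset="utf-8"

Please settle the attached invoice at the new bank details below.
"""

SAMPLE_CLEAN = """From: Anna Beispiel <anna.beispiel@example-authority.ch>
To: finance@example-authority.ch
Subject: Question about invoice approval
Content-Type: text/plain; charset="utf-8"

Could you confirm the invoice for the print order was approved under dual control?
"""

if __name__ == "__main__":
    for label, sample in [("spoofed display name", SAMPLE_SPOOFED_DISPLAY),
                          ("lookalike domain", SAMPLE_LOOKALIKE),
                          ("clean", SAMPLE_CLEAN)]:
        print(label, "->", check_payment_email(sample) or "no red flags")
```

A clean result from this check is not proof of authenticity: a compromised genuine mailbox passes every header test, which is why the page's advice to confirm by telephone on a known number still applies.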
Define processes and enforce compliance
All payment-related processes must be clearly regulated, including how changes to a payee's bank details are verified. Enforce compliance with these processes consistently (e.g. the dual control principle or joint signatures), and do not allow urgency to override them. In addition, discuss possible security measures with your bank.
Internal information should stay internal
Do not disclose any internal information to unverified callers or email senders.
Be especially sceptical if an email sender claims to be a member of the authority's management and asks unusual questions about internal procedures, such as who approves payments or who is currently absent.
Check what information is available online about your authority. Establish rules of conduct on how employees should handle internal information of your authority when using social media privately.
Offline payment software and ebanking
- For all payment orders transmitted digitally, use a dedicated computer on which you do not surf the internet or read email, and keep it fully updated.
- In some cases, non-essential functions in your e-banking application can be disabled or restricted. Discuss the relevant options with your bank, e.g. country restrictions on outgoing payments or limits per transaction.
- Also read the NCSC tips on e-banking and fraud.