Happy Friday. Today the Auditor of State issued the attached Payment Security Checklist to support your efforts to reduce the risk of payment redirection scams. As you recall from the Ebroadcast below, payment redirection schemes are on the rise.

From: Frank Hatfield <fhatfield@ccao.org>
Sent: Wednesday, November 6, 2024 10:05 AM
To: 'CORSA Broadcast Email' <corsa-broadcast@corsa.org>
Subject: [CORSA-broadcast] Business Email Compromise: The $55 Billion Scam

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Incidents of local governments falling victim to fraudulent payment redirection and business compromise schemes are on the rise. Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets governmental entities, businesses and individuals who perform legitimate transfers of funds. These scams are frequently carried out when bad actors compromise legitimate government or business email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds. BEC scams typically involve bad actors who impersonate a trusted vendor, fellow officeholder/agency or employee in an email and request a change to a bank account, investment account, or a transfer of funds to a specified bank account unaffiliated with the legitimate business.

Always verify and validate all such requests by independent means. Per the AOS: "NEVER make a change to vendor, financial institution or employee's contact information or banking information without independent verification. Avoid taking re-direct requests by electronic means. In-person communication is always the best practice for verifying identity and contact information. Never use email or embedded phone numbers to verify change requests."
Both the Ohio Auditor of State and the FBI report an increase in BEC scams every year, which have totaled $55B from 2013 to 2023. The Auditor of State offers several BEC risk mitigation practices outlined in Bulletin 2024-003, which may be found at: https://ohioauditor.gov/publications/bulletins/2024/2024-003.pdf. It is critical that you implement and adhere to these practices, if you have not already done so, to reduce the risk of falling victim to BEC scams. Also, the AOS bolded in Bulletin 2024-003: "Failure to follow the guidance in this Bulletin may result in an AOS finding when a loss occurs, and the employee is considered liable as a result of negligence or performing duties without reasonable care."

The FBI also provides several risk mitigation measures that may be found at: https://www.ic3.gov/PSA/2024/PSA240911.

It is also critical that you make sure staff is aware of the current payment policies and practices and that you train and test them on same. CORSA members may enhance awareness of this issue by taking advantage of CORSA University at www.corsa.org, which provides the course "Protection from Ransomware and Phishing Attacks." Most importantly, make sure you have implemented the risk mitigation measures contained in AOS Bulletin 2024-13 and train and test staff on same.

As always, feel free to contact me or a loss control staff member with questions about CORSA loss control services and offerings.

Frank Hatfield
CORSA Assistant Director
fhatfield@ccao.org
614-560-1474
614-220-0209 Fax
www.corsa.org

"The leader in providing Ohio Counties with exceptional value, service, and protection of assets."

CONFIDENTIALITY NOTICE: This e-mail message (including any attachments) is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy this message and all attachments.