Protect Vendor Payments: Pause, Verify, Report
Recent scams have targeted Commonwealth vendors with phishing emails and fake DocuSign documents designed to trick them into “confirming” banking information. Fraudsters are attaching outdated Electronic Funds Transfer (EFT) Authorization Forms and posing as Commonwealth entities.
Because financial account updates are a high-risk activity, this information is a frequent target for theft of funds and login credentials. Phishing and social engineering attempts are becoming increasingly sophisticated and may appear to come from a trusted state employee or vendor contact.
Departments should remind vendors and staff to stay alert: the Commonwealth will never ask vendors to update or confirm banking information by email or DocuSign. Pause, Verify and Report internal controls can protect you and your vendors from fraudsters attempting to steal Commonwealth funds.
Action Steps
-
Remind staff and vendors to Pause and be cautious with any message that asks to confirm or change financial information, even if it looks routine.
-
Always personally Verify in person or by phone the requester’s identity (not electronically) to ensure they are not a fraudster.
-
Report any suspicious communications or fraud attempts to your supervisor and use the Phish Alert Button.
Your Internal Control Officer and Chief Fiscal Officer can review and assist with verifying your written system of internal controls are up-to-date to support compliance goals and ensure your department head is accurately certifying compliance in the annual Internal Control Certification.
Bookmark our CTR Compliance Corner as your one-stop shop for alerts and success factors that you can integrate into your daily operations to keep you safe on your mission.