How public sector organizations mitigate fraud risks

How public sector organizations can mitigate fraud risk

By ATB Financial 5 May 2021 3 min read

Overview

Learn the approaches that many fraud actors are utilizing to capitalize on organizations’ vulnerabilities and how to mitigate this risk. Aisha Kitchlew, ATB’s senior manager of fraud investigations and cybercrime explores:

The most common and disruptive frauds
Cybersecurity basics and how to protect your organization with easy to implement tools and mitigation strategies
Current fraud statistics in Canada
What to do if you’ve been a victim of fraud

How are you protecting your organization and employees from external and internal fraud risks?

More and more banking transactions are conducted online or through mobile devices, with 76% of Canadians banking online or on their smartphone. In 2021 to date, Canadians have lost approximately $50 million due to fraud, according to the Canadian Anti-Fraud Centre.

“Especially during this pandemic, we are opening up more and more channels for cybercriminals to attack,” says Kitchlew.

Regular fraud risk evaluations—both external and internal—will help determine any vulnerabilities within your organization’s fraud management practices.

“Create a culture of cybersecurity awareness. Employees need to be empowered to deal with internal and external threats. With the right fraud awareness culture, fostered within your organization from the top down, you are significantly lowering your risk of a fraud attack.”

External fraud risks

For public sector organizations, including municipalities, universities, schools and hospitals, the most common entry point into a network is through phishing emails.

“That is your first line of defense,” Kitchlew says. “Your employees need to be on guard at all times to keep intruders out of your system.”

Mitigation strategies include:

Creating an internal home page for employees and posting regular updates on issues to look out for.
Never accepting electronic requests as the only form of confirmation. Confirm email addresses, and always pick up the phone to verify an emailed request. (Make sure the number you’re calling has been validated, too.)
Using two-factor authentication.
Updating your software on all devices.
Downloading verified and trusted apps.
Familiarizing yourself with the most common types of malware, and how they can impact your organization.
Always sweeping your devices. Make sure they are scanned at least once every six months or whenever an employee leaves your organization.
Creating an easy escalation process.
Communicating how to identify a phishing scam.
Using web applications, firewalls and intrusion detection prevention systems. Make sure you have the right IT people in the right place, whether it’s in-house or third-party IT security experts.
“Finally, and I can’t stress it enough, educate and train your employees to be human firewalls,” Kitchlew says. “It’s all about teaching employees to identify malware and detect malicious websites and links. Awareness training should be offered to everyone within your organization who has access to your devices or network.”

Internal fraud risks

Internal fraud occurs when employees have an opportunity, need and rationale. For example, an employee who has access to the company's bank account, has a financial need and believes that they are underpaid.

“While you can’t directly protect your organization against employee need and rationale, internal controls can focus on minimizing the opportunity for fraud to occur. Internal controls serve as your first line of defense.” This includes setting the tone at the top. “Senior management should send a message that internal fraud in any form will not be tolerated, and have clear written policies.”

Regular fraud risk evaluations—both external and internal—will help determine any vulnerabilities within your organization’s fraud management practices.

For more helpful advice, consider reading or watching: