Phishing Scams

from Warwickshire County Council

Things to be aware of

We have been made aware of an increase in fraud and scamming attempts during Covid-19. We ask all staff to be aware of the risks both for themselves and also for members of our community, friends and family who may be more vulnerable, as well as the risks to the Council.  Some examples include:

  • Schools have reported parents and carers of children who get free school meals are being emailed scam messages such as “if your child is entitled to free school meals send your bank details to the school and they will help with funding while the school is closed”.
  • Vulnerable (particularly elderly) residents who are self-isolating have had people trying to come into their houses to extort money from them.
  • Fake charities have been set up asking for support of Coronavirus victims.  Only make donations to well-known charities and via secure websites.

Supplier Fraud – Several new websites have been created selling supplies such as face masks and hand gel. Be wary of placing orders with previously unknown businesses as there may be a risk they will not deliver.

Payment fraud – Even in normal circumstances councils are regularly targeted by so called bank mandate fraud where fraudsters pretend to be one of our suppliers and request their bank account details to be changed and payments made to an alternative bank account. In the current climate with potentially more urgent payments needing to be made and staff working remotely, this risk is greater. Where staff or managers are temporarily acting up or substituting this could increase the risk.

The “Chief Executive/Senior Management” Scam – A well-known scam involves a person impersonating a Chief Executive or Senior Management by phone or email requesting an urgent payment is made.  The employee contacted makes a payment as required, which is later found to be a fraudster’s bank account.

Corona virus disruption could present the opportunity for a fraudster to try to exploit people covering colleagues’ positions, or ‘acting up’ in order to request a payment. Please be aware that should you be requested to perform an unexpected, urgent payment, you should ensure that you verify the authenticity of the request before actioning it.

Ordering and approval of invoices - During periods of staff absence efforts should be made to maintain segregation of duty over key controls (ensuring at least two individuals are responsible for separate parts of the procurement task/process). Don’t share passwords to allow colleagues to approve transactions on your behalf.  Sharing passwords can expose us to an increased risk of fraud and theft. Be prepared - review who is authorised to place and approve orders and ensure there is adequate cover in the event of the absence of key members of staff.

Purchase cards - Sharing cards is not allowed and purchases must only be for business purposes. Accounts must be reviewed and authorised by the relevant manager.  In order to ensure business continuity, review current purchase card holders and reviewers. 

Phishing (Scam Email/Phone Calls) - Fraudsters have been emailing individuals, particularly in the healthcare sector using the Coronavirus as a way to get personal data.  For example, one was distributing a link to a COVID-19 eLearning package which required people to log in to a fake look-a-like Outlook 365 sign in page, allowing them to steal usernames and passwords. Other known phishing attacks may try and steal bank log in or HMRC / UKGOV sign in information by encouraging the recipient to visit fake websites – this has already been happening via text messages.

Remember to check callers and website addresses are genuine and if in doubt seek advice.  Don’t click on the email, if you have any doubts. 

For any further guidance, advice or support, or to report fraud issues email or contact the Internal Audit team.