
Responding to Rising Online Phishing Fraud
Strengthening security measures and fostering a vigilant digital culture are crucial steps in preventing online phishing and staying alert to it. Read more on mitigating online phishing fraud.
In our digitally driven era, a surge in online phishing - the practice of sending fraudulent emails and text messages that appear to come from a legitimate and reputable source - represents an elevated threat to health programs. As these programs increasingly rely on digital systems for data management, communication and procurement, the risks associated with falling victim to online phishing attacks have grown substantially.
Understanding how online phishing is evolving, the methods and motivations behind it, and the specific risks it poses is essential for developing robust strategies to protect the integrity of health-related initiatives in an era where the digital and physical worlds are intertwined.
Phishing at the Ministry
Country: Senegal
Investigation Report: English or French
Senegal's Ministry of Health and Social Action (MHSA) faced a significant challenge when individuals pretending to be legitimate suppliers tricked its Procurement Specialist. The fraudsters targeted the procurement of tuberculosis diagnostic equipment, a critical need for the country's health initiatives funded by the Global Fund.
The Procurement Specialist, responsible for securing the equipment, used a personal email account for work, and that account was compromised. This gave the fraudsters control over the Specialist's communications and full visibility of the ongoing procurement. Posing as known supplier staff, notably by writing from an email account that looked like the supplier's real one, they tricked the Specialist into changing the supplier's official bank account for payment of the equipment to an unauthorized account in Eastern Europe. The Ministry's Finance Administration and Staff Division, unaware of the deceit, proceeded with the bank transfer.
The fraud only came to light when the Procurement Specialist unintentionally copied a real supplier employee on an email to the fraudsters. This discovery triggered an investigation into the unauthorized transaction and exposed broader vulnerabilities in MHSA's procurement processes.
The scheme succeeded because of inadequate vigilance, controls, and reporting mechanisms at the Ministry. Specifically, the controls for processing and verifying a supplier's request to change its bank account details were flawed, and that gap gave the fraudsters their opening.
Mitigating Online Phishing Fraud
Strengthening security measures and fostering a vigilant digital culture are crucial steps in preventing and detecting fraudulent activities such as online phishing, ensuring the safe use of financial resources in global health programs. This requires IT-related safety measures for email-based communication, and internal controls over bank accounts and payment processes:
Information Technology:
- Training and raising awareness among staff on phishing and cybersecurity risks.
- Protect mail servers and the network with firewalls and email filtering.
- Use strong, unique passwords (a password manager helps), and change them immediately if a compromise is suspected.
- Enable multi-factor authentication (MFA) on every account used for work, including any personal email account; with MFA, a stolen password alone does not give an attacker control of the mailbox.
- Exercise vigilance and extra caution when clicking on links in emails, even if they appear to come from known sources.
- Check the sender's actual email address, not just the display name, since the name is trivially spoofed; hovering over the sender in most mail clients reveals the underlying address. Watch for lookalike domains (an extra or swapped letter, a different top-level domain) and treat any unexplained change of address or Reply-To from a known contact as suspicious.
Internal controls:
- Restrict access to master data sets including staff and supplier information such as bank accounts.
- Ensure proper internal controls and segregation of duties in payment approval and requests for changes in bank accounts.
- Independently verify every request to change bank account details by contacting the supplier through a previously known channel (a phone number already on file, never one given in the request), and obtain confirmation of the new account from the bank.
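The sender checks in the list above can be automated at the mailbox or gateway level. The following script is an added example, not code from the Global Fund or from the Senegal investigation: it parses a raw email, compares the From domain against a list of known supplier domains to spot one- or two-character lookalikes, flags a Reply-To that redirects replies elsewhere, and reads the receiving server's SPF/DKIM/DMARC verdicts from the Authentication-Results header. The supplier domain, the two sample messages and all addresses are constructed for the example.

```python
"""Triage the sender of a raw RFC 5322 message for the spoofing patterns
a procurement officer should look for: lookalike domains, Reply-To
redirection and failed SPF/DKIM/DMARC checks. Standard library only."""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical supplier domain the Ministry has on file (constructed example).
KNOWN_SUPPLIER_DOMAINS = {"diagnostics-supplier.example"}

# Pulls "spf=pass", "dkim=none", "dmarc=fail" etc. out of Authentication-Results.
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

# Constructed sample messages. The second one changes a single letter in the
# supplier's domain ("suppller"), points replies at a third-party mailbox and
# carries no DKIM signature, which is what the Ministry's staff actually saw.
LEGITIMATE_MESSAGE = """From: Fatou Ndiaye <f.ndiaye@diagnostics-supplier.example>
To: procurement@health-ministry.example
Subject: Invoice for TB diagnostic equipment
Authentication-Results: mx.health-ministry.example; spf=pass smtp.mailfrom=diagnostics-supplier.example; dkim=pass header.d=diagnostics-supplier.example; dmarc=pass

Please find the invoice for the pending order attached.
"""

PHISHING_MESSAGE = """From: Fatou Ndiaye <f.ndiaye@diagnostics-suppller.example>
Reply-To: accounts-update@mail-relay.example
To: procurement@health-ministry.example
Subject: Updated bank details for the pending payment
Authentication-Results: mx.health-ministry.example; spf=pass smtp.mailfrom=diagnostics-suppller.example; dkim=none; dmarc=none

Our bank account has changed; please use the new details below for the pending payment.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a lookalike domain is usually within 1 or 2 edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an email address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_sender(raw_message: str, known_domains=KNOWN_SUPPLIER_DOMAINS) -> dict:
    """Return the parsed sender details plus a list of human-readable findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Lookalike domain: not a known supplier, but a near miss of one.
    if from_domain and from_domain not in known_domains:
        for known in known_domains:
            if edit_distance(from_domain, known) <= 2:
                findings.append(f"lookalike domain {from_domain!r} resembles {known!r}")

    # 2. Reply-To pointing elsewhere: any reply (and any bank detail) goes to the attacker.
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to!r} differs from From domain {from_domain!r}")

    # 3. The receiving server's own SPF/DKIM/DMARC verdicts, if it recorded them.
    results = {m.group(1).lower(): m.group(2).lower()
               for m in AUTH_RESULT.finditer(str(msg.get("Authentication-Results", "")))}
    for check in ("spf", "dkim", "dmarc"):
        if results.get(check) != "pass":
            findings.append(f"{check} did not pass ({results.get(check, 'missing')})")

    return {"from": from_addr, "display_name": display_name, "domain": from_domain,
            "findings": findings,
            "verdict": "suspicious" if findings else "no sender anomalies"}


if __name__ == "__main__":
    for label, raw in (("legitimate", LEGITIMATE_MESSAGE), ("phishing", PHISHING_MESSAGE)):
        result = triage_sender(raw)
        print(f"[{label}] {result['from']} -> {result['verdict']}")
        for finding in result["findings"]:
            print("   -", finding)
```

Note the caveat the phishing sample illustrates: SPF passes for the lookalike domain, because the fraudsters own that domain and can publish whatever SPF record they like. Authentication results tell you that a message genuinely came from the domain in the header, not that the domain is the one you meant to deal with; the lookalike comparison and the out-of-band bank confirmation are what catch this case.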
Identifying Online Phishing and Cyber Security Support
To empower individuals and organizations with the knowledge and skills needed to detect the signs of phishing fraud, we offer valuable resources.
Explore our e-lessons page, where you can access essential insights and guidance on identifying red flags.
The Global Fund can offer support for cyber security activities such as cyber security training, security assessments and penetration testing. For more information on cyber security strengthening, please contact the Global Fund's cyber security team at InfoSecTrainingTeam@theglobalfund.org
Report fraud and abuse