Is Your Government Organization Safe from Tax Scams?
In March 2021, seven people were indicted on 33 counts of money laundering and wire fraud after allegedly misusing $7.2 million from the municipality of Mayagüez, Puerto Rico. The funds, which they were supposed to invest, were intended for "... creating jobs, supporting infrastructure projects, and improving the quality of life for citizens ...". Instead, it allegedly went to shell corporations and to pay for the defendants' personal purchases, including jewelry, real estate, and tuition.1
All cases of fraud against governments aren’t as extreme. Unfortunately, the result is the same: fraud committed against governments reduces available funds to provide necessary services to the victim communities and citizens.
Lack of proper controls, training and resources contributes to fraud against governments.
Many local and municipal governments lack the financial and human resources necessary to provide oversight or effectively combat fraud.2 Lack of financial literacy among elected officials, frequent staff turnover as the result of regular elections, and a culture of blind trust as a result of familiarity also contribute to the organizations’ vulnerability to fraud.
When it comes to internal fraud against municipal and local governments, there's no shortage of schemes to drain taxpayer accounts. Most theft involves some form of asset misappropriation, corruption or financial statement fraud.3 While most perpetrators are employees or managers (79%), the median loss at the executive level is more than five times greater ($264,000). In most internal fraud cases, the stolen funds are never recovered, leaving taxpayers holding the empty bag.4
Some real-life cases of municipal and local government internal fraud:
A lack of oversight and financial controls opened the door for a payroll specialist to steal $67,799 from Grove City, Ohio. The employee oversaw the entire payroll process, from beginning to end, making it all too easy for her to write unauthorized checks to herself without anyone else's knowledge.5
Credit cards can be an especially easy tool for fraudsters. In one case, the former city clerk of Casey, Iowa, not only admitted to using city credit cards for thousands of dollars in personal expenses, she also confessed to committing arson in an attempt to cover her tracks.
Accounts payable disbursement fraud involves an employer issuing a payment based on fraudulent invoices for fake purchases. An example is an employee creating a shell company to pay, as was the case when a Washington County public works employee misappropriated more than $1.7 million over 10 years through payments made to two fake vendors.6
At first glance, the potential monetary damage caused by financial statement fraud might not be obvious, but in the high-profile case of the town of Ramapo, New York, it resulted in one of the worst things that could happen to a municipality. The town's bond rating was downgraded after the fraud was discovered.
A Colorado town was conned into wiring $1 million to a bank account intended to pay for construction services when a person claiming to be an employee of the contractor submitted a form requesting payment by wire rather than by check. Staff reviewed the form but did not call the contractor to verify the change. The contractor later confirmed that he had not requested a change in the method of payment.
A fraudster managed to set up and successfully execute $3.6 million in automatic payments to several different bank accounts from the bank account that the City of Miami Beach used to collect permit and water fees from residents. In addition, penalties resulting from financial statement fraud caused the City of Miami to raise taxes and cut employee pay.
Cyberattacks and associated costs are escalating.
As the private sector continues to invest heavily in its cybersecurity efforts, fraudsters are driven to easier, less secure public sector systems. External fraud via cyberattacks costs taxpayers more than one billion dollars each year — and it's growing.7
Some cyberattacks go undetected for a length of time, with criminals stealing or manipulating data unbeknownst to the government entity until it's too late. Other cyberattacks like ransomware, depend on the victim’s awareness of the crime because criminals take control of an entity's data systems via malware, then demand a ransom to release the systems.
Between 2018 and 2019, known ransomware attacks on local governments rose 58.5%.8 Municipalities who pay the ransom pay an estimated $125,697 per event, although the additional costs related to a Denial of Service (DoS), downtime, data loss, and possible intellectual property theft can be even greater.9
In 2019, at least 22 municipalities in Texas were infected with ransomware and held captive, the work of a coordinated cybercrime operation. The same year, a single ransomware attack struck Baltimore and cost the city more than $18 million in technological upgrades and lost revenue.
What are government organizations doing about fraud?
The short answer: not enough.
Some governments are supporting their municipalities with training programs to increase financial literacy and fraud detection, or enacting after-the-fact safeguards.10 A number of states have even mandated some level of cybersecurity readiness to protect sensitive data and conduct audits.11 Unfortunately, reforms and upgrades are being outpaced by criminal sophistication. What's more, the risk continues to increase as more government business is conducted digitally.
Seven steps will reduce fraud risk in municipal and local governments.
It’s clear governments must do more to protect taxpayer funds. Seven steps will help to mitigate the effects of internal and external fraud.
1. Set the proper "tone at the top." Ensure senior management and elected officials promote a culture of ethics and accountability. Insist on annual training for all staff.
2. Be proactive. Commission a fraud-prevention checkup or a fraud risk assessment by a licensed Certified Financial Examiner. Coordinate your payment and approval process with your financial institution to ensure maximum security.
3. Get your systems in line. Upgrade your security software. Implement password hygiene and two-factor authentication. Review remote desktop protocols, including ensuring that ports are closed after employees finish using them.
4. Divide and conquer. Split accounting functions among multiple staffers and ensure everyone uses their vacation days. Restrict the number of people with access to credit cards. Require multiple signatures for banking transactions.
5. Secure payment and reconciliation methods. Be sure you know who you’re paying. Keep up-to-date records on vendors and other payees. Enlist services that provide validation of payees, as well as flag and/or block payment requests that don’t match information on file. Track and frequently review debits and credits against your electronic file.
6. Don't rely on Google® for background checks. A paid service or software product is better for employee or vendor background research because it targets information related to fraud, money laundering, civil complaints, criminal judgments, or other criminal activity, whereas Google promotes "popular" websites.
7. Pay attention to red flags. Unexpected changes, higher-than-usual costs, large changes in employee lifestyle or behavior, and new or unusual vendors should all trigger further inspection.
Tight budgets, staff attrition, inadequate training and overwhelming workloads can make it challenging for even the most dedicated civil servants to properly execute their job functions. Still, municipal and local entities must protect taxpayer funds against internal and external threats, while maintaining the public's trust.
For more information on how you can protect your organization from fraud, contact Synovus Government Banking Solutions.
What You Should Know About Employee Theft
Companies of all sizes experience fraud. But it’s not always an external attack.
Automated Payroll Benefits
Managing payroll can be time-consuming and full of inefficiencies. Here’s why automation makes sense.