Beware of spoofed web search results
Fraudsters often spoof websites, especially bank, shopping, and bill payment sites, because they know users will search for these sites and open the top result. Many of these sites use what looks like the official website address but redirect users to spoofed sites. Once there, a user enters login credentials into the fake site, handing them to the fraudsters. The fraudsters can then log in to your accounts to steal money or bank account numbers.
Users who rely on chatbots for searches to save time will often get results that point to spoofed sites, since bots don’t always distinguish between official websites and spoofed sites. Spoofed sites often contain the word “official” to trick search engines and rank higher in search results.
Action Steps
- Pause – When performing work for your department, always verify the correct website as part of your internal procedures, not through a web search. Bookmark the official site for use.
- Verify – Always use a VPN for all department accounts and verify that you are on the correct website. When in doubt, contact the account representative listed in your internal procedures and verify.
- Report – If you believe you may have gone to a spoofed site and entered your work credentials, report it immediately to your IT/Security staff. Change your password immediately.
Given the importance of protecting department resources, Internal Control Officers, Chief Fiscal Officers and General Counsels should ensure that these internal controls are added to your procedures for daily operations for any staff logging in to third-party sites for department business. In addition, your internal controls should ensure that staff are properly trained on these procedures and that monitoring is in place to ensure compliance.