An audit of Victorian government departments has revealed that the bank details of their suppliers have been manipulated and changed four times by cyber criminals.
According to a June 2024 report from the Victorian Auditor-General’s Office (VAGO), cyber criminals accessed the master file of government departments on four occasions, changing the bank details of their suppliers.
It is unclear if the threat actors gained access to any other data within the master files, which also contain other agency supplier details, according to the VAGO report.
“A vendor master file is a central database that holds information about an agency’s supplier details, including their bank account details, Australian Business Number (ABN) and invoice records,” VAGO said.
Alongside the four instances of manipulated bank details, VAGO said that across all government departments and agencies, it received 212 mandatory fraud notifications between July 2022 and January 2024, five of which pertained to “unauthorised changes to a vendor master file”.
In one case, an employee removed the vendor bank details and replaced them with their own so that they would receive the suppliers’ payments.
In another case, a scammer posed as an existing supplier and provided the government department with their own bank details. They received payments from the government department.
VAGO said the solution is proper vendor master file monitoring and maintenance, for which it said eight departments have a “documented procedure”. However, this largely refers to updating bank details.
“These departments require either their finance team or the business unit undertaking a procurement to verify changes to their vendor master file before making them,” the report said, adding that this involves gathering additional documents to confirm details and calling a supplier to confirm the change.
VAGO’s report also outlines the processes departments go through “when detecting and responding to fraud and corruption”, saying that while all departments have processes in place for reporting and investigating incidents of fraud and corruption, only two departments make use of data analytics tests, which are used for proactive detection.
“Most departments test their procurement data to look for procurement and financial errors. However, only two departments use data analytics tests that specifically focus on proactively detecting fraud and corruption risks,” it said, with the two departments being the Department of Jobs, Skills, Industry and Regions and the Department of Transport and Planning.
“Eight departments advise that they do not proactively use data analytics to detect fraud and corruption risks prior to awarding contracts.
“Of these eight departments, three aimed to set up a data analytics program to test their fraud and corruption vulnerabilities but have not yet set these up due to competing priorities and a lack of resources.”