What a difference a year made for the City of Fort Wayne
- Rachel Raymond
- Success Stories
- minute(s)The City of Fort Wayne cuts budget book preparation time by 75%. That's 300 hours! Project: Budget Book Automation Organization: City of Fort Wayne, IN Population: 265,752 (2019) Solutions: Workiva Wdesk & Wdata Budget Book: Operating Budget Book The Challenge The City of Fort Wayne was using multiple disjointed systems to prepare the budget book. The budget department would bring balances from Excel into Munis, their ERP system. Any required changes would be manually keyed into the ERP system. The team would then run "really clunky" Crystal Reports and open them in Excel. They then pivoted the data by inputting appropriate parameters by fund and department. If a department like Police, had sub-departments (police admin, radio shop, and records) any changes to a sub-department would require a report to be run at the sub-department level before being rolled up for a department level report. They then needed to review for accuracy before going back to Excel for any updates. "Every time we made one little number change, it caused at least another 30-45 minutes worth of work" Kathleen Smith Finance Manager at the City of Fort Wayne The Solution Having had great success with the reporting automation solution used to prepare the city's ACFR, the team opted for more of the same: Workiva's Wdata & Wdesk, customized and implemented with F.H. Black & Company Incorporated. What does the process look like now? Data is pulled from the City's ERP system and imported into Workiva. The budget book is then automatically populated with balances. All participants have the ability to access the system and provide their contributions. Any required changes are updated in a single location in Workiva, and the book and all other applicable materials are automatically updated. Reports that would have taken hours to prepare before now take moments, and data can be pivoted in an instant. "I just can't say enough about how much efficiency and accuracy improved" The Implementation After carefully considering the implementation service levels offered, the city contracted FHB to automate the budget book on a "guided-self" basis with onboarding support. This meant that while costs were kept low, Kathleen and her team would do the majority of the work under the guidance of FHB's experts once they had completed the initial setup and customization. FHB assigned a team to work on the city's project and the work began. As with all FHB led implementations, the initial kick-off meeting defined scope, assigned tasks/deadlines, and trained the city's team on using their project management tool. Next, FHB implemented a pre-built data model designed for public sector organizations, and built a connection from the city's ERP system, Munis. FHB recreated the prior year budget book template in Workiva, set up basic sections and ten pages of linking to train the city's team. We then assisted the city with the tasks assigned to their team, which included loading, tagging, and grouping imported data by object and function, building and linking schedules, notes, and statements, before reconciling, reviewing, and testing. "We had the budget book done probably a week earlier than we normally do and that was while learning and implementing a whole new system" The Result The city achieved a 75% time savings while improving its budget book preparation process. Kathleen and her team now have robust, documented, and repeatable processes making onboarding new team members a breeze. Having automated the ACFR and the expenditure budgets, the city is planning another project to automate the revenue side. "I was here a lot of evenings making sure everything looked right and tied together correctly. We didn't have that this year, I didn't find myself working any evenings or weekends."
The city of Fort Wayne reduced their budget book preparation time by 300 hours, that's 75%! This is how they did it.READ MORE
Frederick County, MD Unifies and Automates the Budget Book
- Rachel Raymond
- Success Stories
- minute(s)Frederick County Unifies All The Pieces Of The Budget Book Under A Comprehensive Solution Project: Budget Book Automation Organization: Frederick County, MD Population: 271,717 (2020 Census) Total Budgeted Revenues: $905 million Solution: Questica Budget Book powered by CaseWare Budget Book: Adopted Operating & Capital Budgets Success Story: Frederick County The Challenge Frederick County's, Budget Department faced a challenge common to Public Sector organizations when preparing the Budget Book. They spent countless hours gathering and reconciling pieces of their Budget Book across multiple applications. They had pieces in Questica Budget, pieces in Excel, pieces in Word, and they presented it in Adobe. To ensure confidence in the data, every change or update would require a time-consuming review. "Budget Book pieces were coming from every direction, that's what we had to solve" Tanya Kauffman, Budget Analyst III at Frederick County Government The Solution Replace Microsoft & Adobe with CaseWare and integrate it with Questica Budget. CaseWare hosts the Budget Book template and pulls balances and narratives directly from Questica. Any changes applied to the budget are made in Questica and flow straight through to all applicable locations in the book, facilitating greater confidence in the data and reducing the requirement for constant review and reconciliation. In addition, CaseWare's document management functionality allowed contributions from all parties to be stored and managed in a single location. The Project F.H. Black & Company Inc. assisted the team at Frederick County to implement the solution with the FHB method. Discovery - What are the County's wants and needs. Scope - Defining the parameters of the project. Planning - Working backward from the project goal to define a timeline and assign tasks. Configuration - Configure the selected solution to meet the County's needs. Training - Provide training to the County's budget team in the use of their new tools. Management - Weekly meetings and communication to ensure the project stays on track. Completion - Mutual agreement that the scope of the project has been completed. Ongoing Support - FHB continues to support and work with the County to improve and refine their processes. The Result The County has unified its piecemeal budget book under a single comprehensive solution resulting in increased confidence in the data and an estimated 25% reduction in the time it takes to complete budget book preparation processes. We asked Tanya if she has anything to add about the project. Here's what she had to say... For more on this project, read the full story.
Frederick County unifies and automates the budget book with a comprehensive solution for outstanding results.READ MORE
City of Garland Modernizes its Budget Processes
- Rachel Raymond
- Success Stories
- minute(s)The Forward-Thinking City of Garland Overcomes 3 Budget Challenges With 1 Project Project: Budget & Budget Book Preparation Organization: City of Garland, Texas Population: 239,928 (2019 Census) Annual Budget: $1.1 billion (Operating + CIP) Solution: CaseWare Operating & CIP Budget Books Budget Book: Annual Operating Budget CIP: Capital Improvement Program Success Story: City of Garland The Challenge The city of Garland's Budget Department faced a trio of challenges that shared the same root cause: antiquated software solutions, and the business processes required to make them work. The city relied on legacy budget software to prepare the budget and a combination of Word, Excel, and Adobe to prepare the Capital & Operating Budget Books. The processes were slow, disjointed, and error-prone. The Solution After extensive research, the city's Budget Director, Allyson Bell Steadman decided on Questica Budget to prepare the budget, CaseWare to prepare the budget book, and F.H. Black & Company Inc. to integrate the two and ensure the budget book solution was optimally implemented to maximize their benefits and guarantee project success. The Project The implementation process was managed and guided by consultants from FHB. It started with a planning meeting, introduction to FHB's online project management tool, allocation of deliverables, and scheduling of software training. Once trained in the use of their new tools, the FHB team built the Capital Improvement Program budget book template based on the City's specifications. Once complete, a similar process was carried out for the Operating Budget Book. The Result By the end of the sixteen week implementation, the City was able to produce and publish both the proposed and adopted 2020-21 CIP & Operating Budget Books. The City now has a robust, documented, repeatable, and largely automated process for preparing their budget book. "The Budget & Research Department is in a much better position to produce and distribute budget documents. Our most recent success was having our 2021 Adopted CIP document finalized for publication on the City’s website and distribution to City Council two weeks after adoption". For more on this project, read the full success story here.
The City of Garland modernizes its Budget, Capital Improvement Program, and Annual Operating Budget Book preparation processes with a single project.READ MORE
City of Greensboro Budget Book Automation Project
- Jamie Black
- Success Stories
- minute(s)With a population of nearly 300,000 and growing, the City of Greensboro is the third-most populous in North Carolina. The City's 2020-21 adopted budget of $602 million spans 169 pages and was awarded the GFOA Distinguished Budget Presentation Award. Long-time Questica Budget users, the City is extremely happy with their processes for preparing the budget. The Budget Book however was another story. Like many finance departments, the City used Microsoft Excel, Word, and Publisher to prepare the book. The process was time-consuming, repetitive, resource-heavy, and disjointed; it was time to make a change. The team at Greensboro had heard about F.H. Black & Company Incorporated at a Questica conference and reached out for help to improve their budget book. Once the project was complete, we gave the City a little time to bask in their achievement before interviewing them about their journey. Here are the highlights of that interview with the City's Budget Database Specialist, Leah Price. The Old Way "We used a combination of Microsoft Excel, Word, and Publisher, and it was very time consuming for all staff members. The Budget Analysts had to manually enter all of their departments’ numbers line by line twice: once for the Manager Recommended version and again for the Final Adopted version. The Budget Database Specialist also had to make sure all of the formatting was correct in Publisher, and finally work with our internal print shop to make sure every page had the perfect amount of space between the text and the hole punches. When we heard there was a software that we could use to import the numbers from Questica directly into the budget document, we jumped on it." The Project "We sent our FHB consultants a copy of our former budget document and a copy of our budget data from Questica. The consultants built a template for us that was similar to the old format, and then worked closely with our staff to make sure that the budget data was going to the right places in the document. We have over 25 operating funds and many tricky aspects to our budget rules overall, so assigning the budget numbers and FTEs where they needed to go was the biggest struggle. However, it all came together in the end." The Benefits "The process is more streamlined and controlled. It probably saves the analysts a couple of weeks’ worth of time because they no longer have to do any manual data entry." "The budget analysts are an important resource to our departments, and their new found availability during the budget development process allows them to help out more with current year concerns." The Relationship "Our (FHB) consultants have always helped us meet our deadlines and make sure to work us into their schedule if we have last minute issues." "I have mainly worked with Joy, and I am so grateful to her for all of her help and expertise! I really appreciated that she wanted to make sure that I was learning how to do (almost) everything we needed her help with. It was my first year being responsible for the budget book and I had very little knowledge of CaseWare. I truly could not have done it without her." Considering a reporting automation project? Schedule a meeting with one of our experts to explore your options.
The City of Greensboro implemented an automated budget book solution that pulled data directly from their Questica Budget software resulting in a better book in less time.READ MORE
Engaging residents to address the impact of COVID-19 on the Budget
- Jamie Black
- Budget Book
- minute(s)Public sector organizations across North America are facing considerable budget pressures as a result of the COVID-19 pandemic. This may necessitate slashing funding to programs and/or increasing tax rates. That is likely to be very unpopular with your stakeholders (council, board, and/or residents). Working through these options will require careful planning, making trade-offs, and effectively communicating new realities to stakeholders to get their buy-in and earn/maintain their trust. If you've read our Style & Substance blog articles before or attended our webinar series on best practices for communicating financial information, you know we have strong opinions on effective communication. In a time of massive budget challenges, your team's ability to communicate your message clearly and effectively is more important than ever. Over and above what we have laid out in our articles and presentations, what can your finance or budget department do to help stakeholders understand the complex issues you are facing? Too Much or Too Little Detail Stakeholder engagement is nothing new. Publication of large budget documents, public meetings to discuss these documents, focus groups, and advisory committees have been utilized for decades to engage with residents to educate them and receive their feedback. These approaches are often challenged by the complexity of the topic and the time investment required to execute them. Who wants to read even a 200+ page budget book? If they do read it, the result may not be what you expect: An implication for government transparency is that transparency initiatives that expect citizens to make sense of technical and abstract information, especially in large amounts, (such as the many line items and millions of dollars described in a typical public budget) probably face a much greater hurdle to increasing trust than their well-meaning originators thought. In fact, at worst, too much information could actually decrease trust. Transparency: A Means to Improving Citizen Trust in Government - Government Finance Officers Association As an alternative, local governments can utilize surveys or online budget tools to broaden the public meeting's reach. A classic example of this approach is the "digital budget book." These tend to be more approachable and, therefore, attractive to a typical stakeholder. This comes at the cost of the depth of detail and nuance necessary to truly educate the audience about the organization's constraints. Further, the act of merely putting a budget book online does not tackle the underlying barrier presented by large volumes of complex technical information noted by the GFOA. What you need then is: the ability to reach as many stakeholders as possible, in a way that encourages their participation, focuses on educating them on the context, constraints, and challenges we face and solicits their feedback. Engage Stakeholders with Budget Simulations This is where simulations come in. As technology has evolved, simulations have proven themselves to be the best of both worlds: broad reach and accessibility to maximize participation combined with the right amount of detail and nuance. Participants are invited to investigate the budget initially at a highly summarized level. This has the advantage of minimizing initial complexity and enabling understanding of the budget's overall state (e.g., surplus, deficit). They can drill down into more and more detail to understand the composition of the budget. Finally and most importantly, stakeholders are asked to increase or decrease budgeted amounts by department, service area, or program based on their own priorities and preferences. You can present them with a series of options to choose between that will impact the budget. Participants attempt to craft the budget they would like to see but will regularly bump into problems. Want to triple the budget on policing? Sure! But that puts us into a major deficit. How will you fund this increase? Participants can add comments explaining their rationale. All this data is collected for the hosting finance/budget department to analyze and leverage in refining the budget. Not having learned it is not as good as having learned it; having learned it is not as good as having seen it carried out; having seen it is not as good as understanding it; understanding it is not as good as doing it. ..He who carries it out, knows it thoroughly. The Works of Hsüntze Bringing your stakeholders into the budget process with simulations will allow them to understand the challenges you are facing and provide the feedback necessary to ensure you are optimally meeting their expectations.
COVID-19 has hit some public sector budgets hard! See why some organizations are choosing to educate and engage residents with budget simulations for stakeholder buy-in.READ MORE
Career Opportunity: Technical Consultant
- Elaine Kolenosky
- Job Opening
- minute(s)We need a TECHNICAL CONSULTANT to join our REMOTE TEAM We are looking for a motivated, creative, highly technically skilled individual with excellent time management skills. The successful candidate will be capable of working as a technical consultant with minimal supervision and must be excited about challenges and working remotely. About Us: For over 25 years, our firm has implemented, integrated, and optimized industry-leading tools and best practices to improve our clients' finance function. Our mission is to enable finance to do more with less, do it better than it was done before, and do it faster. Our clients are governments, universities, corporations, and public practice accounting firms across Canada and the United States. We are proud to be an Equal Opportunity Employer. About You: Do you: Thrive on challenges? Like to work outside your comfort zone, doing difficult & interesting things? Often find yourself saying, "There has to be a better way of doing this"? Need to be continuously learning and evolving? Achieve great satisfaction in helping others and providing creative solutions to difficult problems? Want to be led, not micro-managed? Value flexibility? Flexibility to live anywhere in the world and the freedom to relocate whenever it suits you? Loath commuting and being stuck in traffic, wasting your time? If you answered yes to all the above, you are an excellent fit for our firm's culture and should read on. Still here? Now, how about your technical attributes? You possess: 3 to 5 years of experience working in public practice accounting, or public sector or corporate finance, A minimum of 3 years of work experience with CaseWare Working Papers, 2+ years experience building custom CaseView documents, A proven ability to learn and master technology, The capacity to solve complex challenges within a defined framework and timeline, Outstanding verbal, written, and presentation skills. You are a regular, clear, concise, and professional communicator, The ability to effectively use the entire MS Office Suite including Outlook, Excel, Word & PowerPoint, A knack for building solid relationships; people want to work with you, Impeccable attention to detail and high standards for quality and creativity, Solid time management skills: we don’t believe in micro-managing our people, Sensitivity to confidential matters. The perfect candidate will also possess: Significant experience with: CaseWare’s Financial & Audit templates, CaseWare Connector, Workiva Wdesk & Wdata Experience programming with Jscript, Experience with HTML & CSS, Familiarity with other finance department tools such as PowerBi, Blackline, Gravity, etc, Bonus Points: Fluency in French – written and oral. Job Duties: As a technical consultant, you will work on a team to improve our clients’ financial reporting. Specifically, you will be responsible for implementation and support for industry-leading tools: Caseware Working Papers, Financials, Connector, Idea, Monitor, and certain add-ons. Development and delivery of standard and customized training. Diverse, ongoing technical consulting services. Benefits: Competitive salary Work remotely - from home or with a laptop and Wi-Fi from wherever you can take a VOIP call! Generous Vacation Policy Comprehensive benefits package including medical, dental and vision care coverage Fitness and professional development reimbursement Contact Us Please submit a cover letter stating salary range requirements and resume to: email@example.com
We are looking for a motivated, creative, highly technically skilled individual with excellent time management skills to join our growing team.READ MORE
Career Opportunity: Principal Consultant
- Jamie Black
- Job Opening
- minute(s)We need another world-class professional to join our team We are looking for a motivated, creative, highly technically-skilled individual with excellent time-management skills capable of working in a principal consultant role with minimal supervision who is excited about a challenge and wants to work remotely. About Us: For over 25 years, our firm has implemented, integrated, and optimized industry-leading tools and best practices to improve our clients' finance function. Our mission is to enable finance to do more with less, do it better than it was done before, and do it faster. Our clients are governments, universities, corporations, and public practice accounting firms across Canada and the United States. About You: Do you: Thrive on challenges? Dislike "the same-old-same-old"? Like to work outside your comfort zone, doing interesting and difficult things? Often find yourself saying, "There has to be a better way of doing this"? Need to be continuously learning and evolving? Achieve great satisfaction in helping others and providing creative solutions to challenging problems? Want to be led, not micro-managed? Value flexibility? Flexibility to live anywhere in the world and the freedom to relocate whenever it suits you? Loath commuting and being stuck in traffic, wasting your time? If you answered yes to all the above, you are a great fit for our firm's culture and should read on. Still here? Now, how about your technical attributes? You possess: A CPA designation, 3 to 5 years of experience working in public sector or corporate finance, A proven ability to learn and master technology, A minimum of 3 years of work experience with one or more of the following: CaseWare Working Papers, Financials & Connector Workiva Wdesk & Wdata IGM Gravity Project management experience, The capacity to solve complex challenges, within a defined framework and timeline, Outstanding verbal, written and presentation skills. You are a regular, clear, concise and professional communicator, The ability to effectively use the entire MS Office Suite including Outlook, Excel, Word & PowerPoint, A knack for building solid relationships; people want to work with you, Impeccable attention to detail and high standards for quality and creativity, Solid time management skills, we don’t believe in micro-managing our people, Sensitivity to confidential matters. The perfect candidate will also possess: Significant experience with one or more of the following: CaseWare Idea, Blackline's Continuous Accounting platform, Balancing Act budget simulations platform, Questica Budget, Accreditation as a Project Management Professional (PMP) Experience programming Job Duties: As a principal consultant, you will work on a team to improve our client's finance and budget office business processes. Specifically, you will be responsible for: Implementation and support respecting industry-leading tools from CaseWare, Workiva, IGM, Blackline & BalancingAct. Development and delivery of standard and customized training Diverse, ongoing consulting services Benefits: Competitive salary Work remotely - from home or with a laptop & WiFi from wherever you can take a VOIP call! Comprehensive benefits package including medical, dental and vision care coverage Fitness and professional development reimbursement
To meet increased demand, we are adding another principal consultant to our team to help deliver massive improvements to finance & budget departments.READ MORE
City of Iqaluit keeps calm and carries on
- Jamie Black
- Success Stories
- minute(s)The City of Iqaluit is the capital of the Canadian Territory of Nunavut and is an ecological wonderland. Famed for an abundance of natural landscapes and wildlife, it attracts visitors from around the globe. The Challenge Located on beautiful Baffin Island in the Canadian Arctic with a population of just 7,740 (2016 census), the City's finance department has experienced some difficulty attracting qualified staff due to a remote location, housing shortage, high cost of living, and limited infrastructure to facilitate travel. When the City required urgent Payroll support, CAO Amy Elgersma was certain that employing an experienced, qualified Payroll Administrator could not happen before the next payroll run. Elgersma needed a quick, temporary solution so the organization's 150 employees would continue to be paid on time. With time of the essence, the City turned to F.H. Black & Company Incorporated to fill the gap until a suitable replacement could be on-boarded. She knew of FHB from a presentation they provided at a recent conference, and the work they had done with the Government of Nunavut previously. The Response After a few brief conversations, FHB assigned several members of their team to support the City: Michael Switzer, CPA, CA, was formerly the Town of Collingwood’s Deputy Treasurer with responsibilities including preparation of both the year-end financial statements and the annual Town budget as well as managing the town's receivables, payables, and payroll. Joy Richardson, CPA, was formerly the Chief Financial Officer of Thomasville, Georgia where her primary responsibilities included managing both the budget and year-end financial reporting processes as well as overseeing receivables, payables, payroll and all the other day to day activities of the finance department. Tina Steliga rounded out the team. Utilizing 16 years of experience managing the receivables, payables, and payroll processes for numerous clients of all sizes. Michael, Joy & Tina's decades of experience working in government finance made them an ideal addition to immediately and completely meet the City's needs. Within a week of the request, consultants Michael & Joy were onsite working with the team to transfer responsibilities and document processes. They were followed shortly thereafter by Tina, who assisted in administering payroll onsite before commencing remote support. FHB’s response time was exceptional. Their CPA's had the knowledge, skills, and experience needed to learn, document, and process the payroll system efficiently. They also had excellent interpersonal skills and were able to understand processes quickly. Once FHB was on board and started working with us, we were confident that payroll would be completed by the deadline. Disaster Averted The first step in the project was developing complete process documentation. Extensive interviews with City staff allowed FHB to build extremely detailed process documentation. The decision was made to put the documentation into a project management software to allow for the ongoing assignment of tasks and monitoring of the process by both FHB management and the City. This ensured FHB would not miss any steps and resulted in the proper execution of payroll each and every time. As the City's search for a Payroll Administrator was underway, FHB continued to process the payroll remotely. From mid-October to the end of February. We were able to arrange to have the payroll done via distance, this saved us time and money. The entire process was documented using a project management software tool. Ultimately the City successfully recruited a Payroll Administrator to take on the role. FHB transitioned to provide assistance getting the new Payroll Administrator up to speed and support them through the first few payroll runs. I would absolutely recommend FHB to other finance departments. They were able to process payroll with very little notice and continued via distance. They had a strong knowledge of the payroll and finance systems and could adapt to our processes easily.
The City of Iqaluit required urgent support to keep its payroll on track. They turned to FHB's team of experienced CPAs for assistance.READ MORE
Postponed effective dates of certain GASB Pronouncements
- Jamie Black
- What's New
- minute(s)The Governmental Accounting Standards Board (GASB) is taking steps to reduce the stress on government finance departments imposed by the COVID-19 pandemic. On April 15th, the Organization proposed to postpone the effective dates of some Pronouncements by one year. The Exposure Draft has a comment deadline of April 30th and is slated for a final statement of issuance on May 8th. The proposal will affect the following Pronouncements: Statement No. 83, Certain Asset Retirement Obligations Statement No. 84, Fiduciary Activities Statement No. 87, Leases Statement No. 88, Certain Disclosures Related to Debt, including Direct Borrowings and Direct Placements Statement No. 89, Accounting for Interest Cost Incurred before the End of a Construction Period Statement No. 90, Majority Equity Interests Statement No. 91, Conduit Debt Obligations Statement No. 92, Omnibus 2020, paragraphs 6–10 and 12 Statement No. 93, Replacement of Interbank Offered Rates, paragraphs 13 and 14 Implementation Guide No. 2017-3, Accounting and Financial Reporting for Postemployment Benefits Other Than Pensions (and Certain Issues Related to OPEB Plan Reporting), Questions 4.85, 4.103, 4.108, 4.109, 4.225, 4.239, 4.244, 4.245, 4.484, 4.491, and 5.1–5.4 Implementation Guide No. 2018-1, Implementation Guidance Update—2018 Implementation Guide No. 2019-1, Implementation Guidance Update—2019 Implementation Guide No. 2019-2, Fiduciary Activities Implementation Guide No. 2019-3, Leases. GASB has also posted several resources for Stakeholders to a dedicated GASB Response to COVID-19 web page, including a GASB Emergency Toolbox. Subscribe to our blog for the latest developments impacting government finance departments.
Some good news! The Government Accounting Standards Board (GASB) is working to relieve some of the additional workload imposed by the COVID-19 pandemic.READ MORE
How to avoid phishing scams while working from home
- Waldo Nell
- Tech for Execs
- minute(s)Working from home, especially for the first time, may seem a bit like leaving home as a young adult. You enter a brave new world, free of the protections your parents' home provided to discover yourself. In this case, the office is the secure home you are leaving, at least from an IT security perspective. One of the security issues to consider when working remotely is phishing. This article defines the problem, provides a real-world example and eight steps to avoid phishing attempts. Phishing The definition of a phishing attack: A fraudulent attempt by an adversary posing as a legitimate entity to steal sensitive information from someone. The problem Chances are you have seen emails from someone familiar asking you to click on a link or download an attached file. With some review, you realized the person who sent it is not the person they claimed to be. The idea behind this attack is to gain your trust by posing as someone you know. The basic process is shown below: The adversary's phishing email causes the user to connect to the malicious site (red connection) controlled by the adversary, instead of the legitimate web site (green connection). This allows the adversary to intercept the login credentials of the user. Below is a real-world scenario that we will be analyzing. All the suspicious elements visible to a non-technical user have been highlighted in green. It purports to be from our phone system, informing me that I have a new voicemail. We analyze it below. The email has a file attached. Carefully reviewing that attachment shows it to be an HTML file. If this were a real voicemail attachment, it would be a WAV or Mp3 file. Another approach, not used in this message, includes a link the user is asked to click to perform some action. This link might look like the one below: If the user hovers their mouse cursor over the link "Release Message", the actual URL that would be opened is displayed (as highlighted above). Often it is clear that this URL points to a domain that is not related to the sender of the email. The FROM address is not from any known domain and does not match the name of the sender. The subject is suspicious. What does a "protected recording" mean? Misuse of the Importance flag. Identifying an email as High Importance is a common tactic among phishing attacks. Font substitution is also a common technique used to try and bypass spam filters. It works by randomizing some letters to look like valid English letters. Since the Greek ε is not the same as the Latin e, it could fool anti-spam algorithms. What happens if the user doesn't notice any of the above warning signs? In this example, the following occurs: If the user double clicks on the attachment named _NewAudioMessageFile_000.htm. their browser loads the contents of that HTML file locally. A page is loaded that redirects to a new website (owned by Mary Jean Suarez in the Philippines) that looks like this: Note this is not a Microsoft URL but was made to looks like a Microsoft page to appear even more legitimate. If the user stops here, the adversary knows the email address that received the email is active and that the link was clicked. No compromise of any account has occurred yet. If the user enters their password (correct or incorrect) and clicks Sign In, the password, together with the email address, is sent to the adversary's server (called credential harvesting). The following page is displayed: As the adversary does not know if the supplied password is valid or not, the best they can do is to forward the user to the real portal. The page then redirects to this legitimate Microsoft web page: Most users would not think twice about having to log in again, assuming perhaps they mistyped something. This time, the user is logging in to the real Microsoft web site. The scam is completed. If the user entered their correct password in step 4 above, their account has been compromised, and the adversary now has full access to the account. You should immediately change your password and monitor your account for suspicious activity. The mitigation Phishing attacks are nothing new. But they have increased 350% during the pandemic and are now more dangerous than ever because: Your computer is no longer offered all the protections of the office network, You have no direct access to IT to question suspicious emails/activities, If you are using your home computer, it is likely un-patched, making it easier for phishing attempts to work successfully, Because we are working in unprecedented times and are likely working remotely, requests that would have stood out as unusual two months ago might slip by unnoticed today. What can you do to protect yourselves? Below are eight recommended steps to take to increase your protection: Realize that it is inevitable that you will receive many phishing attempts, and you have a responsibility to be vigilant. Know how to spot a phishing attempt. This can be very complex and technical; however, there are several markers you can watch out for to identify most phishing attempts: Email FROM addresses can be easily faked. Just like in our example above, phishing attempts will get the name in the FROM field of an email to reflect someone you know but not the email address. This is not universally true, but it is a good first warning sign. If the email asks you to click on a link, pause for 10 seconds, and carefully consider whether the email was expected. If not, contact your IT department to verify the validity before clicking any links. An additional safety measure you can take is to hover your mouse over the link in the email. Make sure the domain in the link (i.e. the site it is pointing to) seems familiar. If the email asks you to perform any sensitive operations like releasing payment etc., it is best to call the sender via a known number and verify the request. Disable automatic loading of images. Most email applications allow you to turn off automatic loading of images in emails. This is recommended as many phishing attempts work by including a link to an image that lets the attacker know your email is legitimate. Another useful trick is not to click the link given in the email, but rather open a new browser window and go to the site in question yourself. For instance, if you get an email about a Microsoft Office 365 account needing updated payment details, don't click the link in the email. Instead, open a new browser window and type in https://portal.office.com and go to the billing section yourself. This will thwart the phishing attempt. Sometimes this is not possible, such as when the email contains a link to a file you need to view. Enable Two Factor Authentication (2FA) on all critical systems. If this was enabled in our example above, the adversary would only have your password but would be unable to log in. Be sure your computer is set to download and apply patches automatically. Applications are often adding features to detect and warn users about suspect emails automatically. Finally, never allow someone to connect remotely to your computer unless you know them. While there is no single thing you can do to prevent a phishing attempt from succeeding, these basic guidelines can greatly mitigate the risk of falling prey to a phishing attempt.
Working remotely exposes us to increased security risks and the pandemic has seen a 350% increase in phishing attempts. These eight steps can protect you.READ MORE