Back to the May-June 2023 issue

How to Identify and Prevent Theft by Fraudulent Instruction

By Christian Torkelson

Trends in Minnesota and nationwide indicate that there are an increasing number of incidents of theft by fraudulent instruction. So, what does fraudulent instruction mean? Simply put, it means taking money under false pretenses. It occurs when a person pretends to be someone else in order to receive funds to which they are not entitled. The internet and electronic banking have made fraudulent instruction thefts more and more common. The following are three examples of how wrongdoers may use fraudulent instruction to scam cities.


The fraudster looks on the city website to find the name and email of a human resources or payroll employee. The fraudster sends an email to HR or payroll saying, “I need to change my direct deposit info on file before the next payroll is processed. Can you help me?”

The email looks legitimate and appears to be from an employee of the city. The city employee makes the change based on the information provided or sends the necessary change forms to the email address the fraudster provided. After the change is made, the payroll funds are diverted to the fraudster’s accounts.


The fraudster looks on the city website at the items in the city council packet and finds that a contract will be approved with ABC Consulting for upcoming design services. The contract is included online and shows that the terms of payment include an upfront payment of 25%.

The fraudster then creates a real looking invoice from ABC Consulting and sends it to the city for payment.


Through a successful phishing email, a fraudster gained access to your vendor’s email system. They became familiar with your city’s activity, such as outstanding invoices, contracts, and due dates. They were able to pose as that vendor sending several emails to the city requesting payment and change of banking information.

Fallout for cities

If these examples seem scary, it’s because they could happen to anyone — anyone with a busy day could make these mistakes. In addition, fraudsters are getting more and more sophisticated in their attempts to trap the unwary.

Unfortunately, funds are not always recoverable as fraudsters attempt to quickly move money offshore and/or into numerous other accounts. After 24-48 hours, it becomes significantly less likely that funds will be recovered. However, in some cases, law enforcement and banks have assisted cities with whole or partial funds recovery.

Fallout from a fraud can have a dramatic effect on city operations. Lost money must be pulled from current or future budgets, resulting in delayed investments, spending cuts, or tax increases. Faith in city governance is harmed when the public sees the city as a poor steward of public funds, and dissatisfaction with circumstances might make the issue a campaign topic and motivate challengers in future elections. Additionally, council or administration may seek to hold staff accountable through reprimand or dismissal.

Preventing fraud

There are several steps cities can take to make fraudulent instruction theft less likely.

First, investigate using ACH Positive Pay in your city. ACH Positive Pay is an automated fraud detection tool offered by most banks. Another tool to consider using is a vendor portal, where vendors provide critical information such as name, tax ID number, and bank account number.

Most importantly, you should adopt a written policy for electronic funds transfers. To start, consider using the League of Minnesota Cities model policy for safe electronic transfers and payments available at (doc). You can customize the policy for your city’s circumstances, in consultation with your city attorney. The policy should:

1. Require wire transfers to have dual approval or verbal authentication.
2. Require staff update and review vendor files annually and delete inactive vendors. Also look for duplicate vendors and unusual activity or fluctuation in payment amounts.
3. Instruct employees on steps to take if they suspect fraud.

Of course, a policy is only good if employees know and receive regular training on the policy. It’s a good idea to include information on fraudulent instruction during your regular annual training on employee internet security. MC

Christian Torkelson is cybersecurity loss control field consultant with the League of Minnesota Cities Insurance Trust. Contact: [email protected] or (651) 281-1296.