Global Fund Loses $481,541 to Phishing Fraud in Senegal
A Shocking Case of Internet Phishing Fraud
In a recent report, the Global Fund Secretariat revealed that an Eastern European bank account received grant funds meant for a medical equipment supplier in Senegal. The Office of the Inspector General (OIG) investigation found that $481,541 was unwittingly transferred to fraudsters posing as the genuine supplier.
Investigation Reveals Email Hacking and Identity Theft
The OIG investigation revealed that the hacking of the procurement specialist’s Yahoo email account led to the fraud. The hackers assumed the identities of the supplier’s staff and obtained a copy of the approved quote for GeneXpert machines and microscopes. The payment was authorized, and no evidence was found of collusion between the procurement specialist and the fraudsters.
Key Findings and Agreed Management Actions
The report highlights two main findings and their associated Agreed Management Actions (AMAs):
Finding 1: Unintentional Transfer of Grant Funds
$481,541 of grant funds was unwittingly transferred to fraudsters posing as the supplier of the Principal Recipient (PR).
- AMA 1: The Secretariat will finalize and pursue an appropriate recoverable amount by October 31, 2020.
- AMA 2: The Secretariat will ensure that the PR provides an action plan to secure its IT systems and raise awareness among staff and sub-recipients about this fraud by March 31, 2020.
Finding 2: Control Lapses at Ministry of Health and Social Action (MHSA)
Multiple control lapses at MHSA combined to allow the fraud to succeed.
- AMA 3: The Secretariat will ensure that the PR formalizes its manual of procedures and international procurement guidelines by March 31, 2020.
- AMA 4: The Secretariat will send a letter to all Global Fund Principal Recipients drawing their attention to this report’s findings and recommending formalization of their guidelines on procedures and controls.
Conclusion
The OIG concluded that the fraud was only possible due to a series of control lapses within MHSA. These lapses included the phishing attack itself, a lack of controls over changes to beneficiaries’ bank account details, the procurement specialist’s lack of vigilance, and the lack of timely notification of the hacking.
Impact on Senegal
Senegal has received a total commitment of $350 million from the Global Fund, with $332 million already disbursed. The country currently has four active grants: two for HIV, one for malaria, and one for TB/RSSH, the grant affected by this phishing fraud.
Full Report Available
The full report is available on the Global Fund website.