Keep Your Guard Up

Email Scams Continue to Snare Nonprofits

July 16, 2021

Steve Cardwell, CPA
Mike Lee, CPA
Mike Batts, CPA

BMWL is aware of multiple incidents in which nonprofit financial leaders and/or finance personnel receive fraudulent emails that genuinely appear to be from a vendor (such as a builder) requesting that the organization change the bank account routing information for future payments to the vendor. And in some cases, the organization’s staff truly believe the email request is legitimate. In at least two cases of which we are aware, payments totaling hundreds of thousands of dollars were made to fraudsters before the scam was detected.

How the Scam Works

In a nutshell, what happens is some version of the following:

First, the scammers gain access to an individual’s email account and possibly other computer activity through email spoofing or hacking (or other means). This can happen when an employee opens a file sent with what appears to be a legitimate email, not knowing that the file contains malware of some type that then allows a scammer to monitor the employee’s email and other activities. The same kind of thing can happen if an employee clicks on a link in what appears to be a legitimate email, not realizing that clicking the link allows such malware to be installed on the employee’s computer…again, giving the scammer the ability to monitor the employee’s computer activity.

Once the scammer has access and can monitor the employee’s activity, he begins to learn about the organization’s disbursement process and the individuals involved. A scammer can covertly monitor such activity for weeks or months before he pounces. While in covert mode, the scammer learns things such as employee nicknames, communication styles, email signatures, organization logos, and other attributes of regular email correspondence. The scammer may focus his efforts on the individual responsible for initiating disbursements (i.e., the person responsible for entering vendor information, setting up wire transfers and electronic disbursements, etc.).

Having successfully identified the best person(s) through which to run the scam, the scammer will then search for email communications with vendors that provide invoices and/or payment information through email. Using the information previously obtained (communication style, email signatures, logos, etc.), the scammer creates a bogus email using a spoofed email address for the vendor. The email may include a false (or recent) vendor invoice, and it may cite prior payment information. And, make no mistake…the email will look very much like it came from the vendor’s actual email address. The scammer will make a nearly imperceptible tweak to the email address – such as by simply switching two letters of the vendor’s email address or by changing the top-level domain at the end of the email address from .com to .org, .biz, etc. The email will contain instructions to change the routing information for future payments due to, for example, a recent change in banks. An email of this type may read something like this:


Good afternoon, Mildred –

Due to a recent change in banking institutions, please change the bank information for future construction draw payments beginning with the payment for the most current invoice for $110,584.58 as of June 16, 2021 (see attached invoice for additional information).

The new bank information is as follows:

Bank: XXXXXX
Routing Number: XXXXXX
Account Number: XXXXXX

Best regards,


Thinking that the email is legitimate (due to the care with which it was crafted), the organization makes the changes requested in the bogus email and sends significant funds to the scammer instead of its authentic vendor.

A variation on the theme is an email appearing to be from an employee of the organization requesting that his/her bank account information be changed for future payroll direct deposits. Other variants will certainly occur.

What to Do to Prevent Becoming a Victim of a Scam Like This

  1. Alert your entire management and leadership team to this type of scam.
  2. Educate your team on how to detect or screen for authentic-looking but illegitimate emails that may harbor malware.
  3. Ensure that your organization’s IT systems have current, reputable anti-malware software installed that is kept current and that regular scans are made for malware.
  4. Have your organization’s IT team advise you regarding how to detect or screen for spoofed or fake emails appearing to be from someone you know. Conduct regular “refresher” training/education.
  5. Maintain an agreement with your bank that requires two separate, appropriately high-level people in your organization to authorize any wire transfers or similar disbursements.
  6. Maintain a policy that forbids finance personnel from making or authorizing distributions of funds based on email or similar instructions alone. Require that finance personnel actually speak in person or by phone (by calling the vendor’s known number or otherwise independently verifying the change) with a known vendor representative.
  7. Maintain a policy that requires two separate people in your organization to work together to make changes to vendor payment (bank) information – after verifying such information directly with the vendor.
  8. Maintain a policy that forbids finance personnel from making or authorizing disbursements without proper and complete supporting documentation, regardless of who makes the request.
  9. Evaluate the organization’s level of insurance coverage in the areas of data security, cybersecurity liability, and theft.

Let Us Know If We Can Help

If you are a BMWL client and would like assistance addressing the information described in this Nonprofit Special Alert℠, we would be glad to help! Please email our team at [email protected]. It is our pleasure and privilege to serve you.

The contents of this publication do not constitute legal, financial, accounting, tax, or any other type of professional advice. For professional advice regarding the subject matter addressed herein, the services of a competent professional should be obtained.