Batts Morrison Wales & Lee - News & Resources - Nonprofit Special Alert

New Email Scam Taking Nonprofit Leaders by Surprise – Even Those Who Normally Spot Fraudulent Emails

This is a very important Alert!

BMWL has become aware of multiple incidents in which nonprofit financial leaders received fraudulent emails that genuinely appeared to be from their superiors, asking them to wire or transfer funds to a bank account in connection with the nonprofit organization’s activities. In some cases, the financial leaders truly believed the email request was legitimate. Fortunately, in the cases of which we are aware, other procedures prevented the actual disbursement of funds. But there have been close calls.

How the Scam Works

In a nutshell, what happens is some version of the following:

Scammers spend time on the organization’s website, learning who the leaders are.  Specifically, they will look for one of the top leaders with organization-wide authority (president, CEO, senior pastor, etc.) and will especially look for his/her email address and nickname (e.g., if the CEO’s real name is William, but he goes by “Bill,” that can often be discerned from the website).

Then, the scammers identify the top financial person (along with any nickname) and his/her email address.

Next, the scammers create an email in which they spoof the real email address of the top leader they have identified.  The email will look very much like it came from the top leader and may even appear as having come from his/her actual email address.  The email will be sent to the person the scammers have identified as the organization’s top financial leader.

The email will contain instructions, using nicknames if applicable, to wire or transfer money to a particular account in connection with a project or activity in which the top leader is allegedly involved.  For example, an email of this type might read something like this:

[Image: example of a fraudulent email of this type]

What to Do to Prevent Becoming a Victim of a Scam Like This

  1. Alert your entire management and leadership team to this type of scam.
  2. Have your organization’s IT team advise you regarding how to detect or screen for spoofed email addresses.
  3. Maintain an agreement with your bank that requires two separate appropriately high-level people in your organization to authorize any wire transfers or similar disbursements.
  4. Maintain a policy that forbids finance personnel from making or authorizing distributions of funds based on email or similar instructions alone. Require that finance personnel actually speak in person or by phone (by calling the person’s known number) with the party who is requesting the distribution.
  5. Maintain a policy that forbids finance personnel from making or authorizing disbursements without proper and complete supporting documentation, regardless of who makes the request.
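
For the IT team asked in item 2 to screen for spoofed addresses, the following is an added example, not code from BMWL, of checking an incoming message that claims to come from a top leader. The leader directory, the names and addresses, the gateway identifier mx.example.org and the sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the leader directory and our gateway's authserv-id.
LEADERS = {"william.carter@example.org": {"william carter", "bill carter"}}
TRUSTED_AUTHSERV = "mx.example.org"
PAYMENT = re.compile(r"\b(wire|transfer|routing number|account number)\b", re.I)

# Constructed sample: exact-address spoof with a forged "pass" header from another host.
SAMPLE = "\n".join([
    "Authentication-Results: mx.example.org; spf=fail; dmarc=fail header.from=example.org",
    "Authentication-Results: relay.invalid; dmarc=pass",
    "From: Bill Carter <william.carter@example.org>",
    "Reply-To: bill.carter@mail.invalid",
    "To: dana.lee@example.org",
    "Subject: Project payment",
    "",
    "Dana, please wire $18,500 today for the project. Bill",
])

def dmarc_result(msg):
    """DMARC verdict stamped by our own gateway; headers from other hosts are ignored."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        match = re.search(r"\bdmarc=(\w+)", results, re.I)
        if authserv.strip().lower() == TRUSTED_AUTHSERV and match:
            return match.group(1).lower()
    return "missing"

def screen(raw):
    """Return the reasons a message claiming to come from a leader should be held."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    known_addr = addr in LEADERS
    known_name = any(name in names for names in LEADERS.values())
    reasons = []
    if known_name and not known_addr:
        reasons.append("leader display name on an unknown address")
    if known_addr and dmarc_result(msg) != "pass":
        reasons.append("leader address without a DMARC pass")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if (known_addr or known_name) and reply_to.rpartition("@")[2] not in ("", addr.rpartition("@")[2]):
        reasons.append("Reply-To points to a different domain")
    body = msg.get_payload()  # plain single-part text only in this example
    if reasons and isinstance(body, str) and PAYMENT.search(body):
        reasons.append("asks for a wire or transfer")
    return reasons
```

An empty result does not make a payment request legitimate; it only means none of these header checks fired, so the call-back in item 4 still applies.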

 

For clients of our firm who would like further assistance in addressing this issue, please contact us.