New IT Security Threat Targeting Finance Departments On the Rise
Someone outside your nonprofit organization hacks your colleague’s email account. Once he has access, the perpetrator identifies your executive director and monitors her activity. He analyzes her email communication style, activities, travel, and even your organization’s culture.
The executive director leaves on a scheduled trip and the perpetrator emails the chief financial officer from her account. Posing as the executive director, the perpetrator requests that the CFO wire funds to a particular “ministry partner” for an urgent need or incredible ministry opportunity that has arisen and must be acted on immediately. According to the email, the executive director has the supporting documentation with her and will provide it when she returns. The email provides instructions for wiring the funds in the meantime. The CFO sends thousands of dollars to the fraudulent account, and the money is never recovered.
The Nature of the Threat
This may sound like a movie plot, but unfortunately, it is a reality we see playing out more and more. There is an increased incidence of white-collar financial crime through breaches in IT security made by individuals outside an organization, and we’re aware of several nonprofits that have experienced a financial loss this way.
Because the fraudulent email looks like it’s coming from a leader within the organization, many times the accounting department head is reluctant to question it or request additional information. And because many organizations do not have sufficient internal controls over electronic funds transfers, the transfer is initiated and completed before the leader returns and the breach is detected.
In one case, this fraudulent activity occurred more than once, and was only detected after the senior leader postponed a scheduled trip at the last minute and was in the office when the fake email was sent. This organization suffered significant financial loss.
In a case at a church, a security breach was uncovered when the perpetrator provided an incomplete wire transfer account number and the director of finance contacted the senior pastor directly for the correct number. This case had a happier ending, with financial loss averted.
Preventing Loss at Your Organization
Most, if not all, nonprofits use email and calendaring programs, and that’s just one example, albeit a common one, of how an IT security breach can occur. But there are steps you can take to reduce your organization’s risk.
Here are four recommendations for preventing this type of IT security breach at your organization:
- Conduct an IT security risk assessment for intrusion vulnerabilities. This can include user names and passwords, firewall protection, update and patch management, and security policies on encryption. It’s important to note that IT security is not just the responsibility of the IT staff — it’s the responsibility of all employees.
- Review and strengthen your organization’s electronic funds transfer policies and procedures to help reduce the risk of theft in this area. There are several options to consider, depending on the size of your organization. We recommend that you establish policies that allow you to maintain your fiduciary responsibilities but remain flexible and responsive to needs that arise. Your CPA and bank can help you assess the specific options that would be a good fit for your organization.
- Educate accounting and finance staff members about the risk. Make sure they understand how this fraud is being committed so they can be vigilant and flag suspicious activity.
- Build extra precautions into enhanced policies and procedures. One simple but effective control is to have employees double-check the actual email address used in any messages requesting a funds transfer. This is often masked because only the executive’s name is visible. We recommend that the email be printed and signed as part of the documentation process. Many times the fraudulent email address will print out, making it easier to detect. Even if it’s still not visible, however, the required step of printing out the email, inspecting it, and then authenticating the inspection with a signature is a great way to ensure that this simple step is completed. The few extra seconds this takes could save thousands of dollars in unrecoverable funds.
Another option is to consider implementing a policy that no wire transfers can be authorized or authenticated through a single means of communication. For example, an authentic initial email with instructions for an electronic funds transfer should be followed up with a phone call or text from the email recipient to the person requesting the funds transfer. This call or text message should be made to a known phone number, not one provided in the email.
You can also establish additional protocols such as including code words for transfers. If your organization makes frequent or large electronic funds transfers, you may want to use more advanced random number or confirmation code generators.
While these steps won’t completely eliminate your risk, they can help reduce it. We can also assist you through services such as an IT security risk and intrusion testing assessment or a fraud risk assessment. Please contact us to learn more.
Stan serves as Partner and Professional Practice Leader - Consulting. Stan’s professional experience includes over 35 years in ministry operations, public accounting, government accounting, and missions. He provides strategic leadership of the firm’s professional advisory and consulting services, including research of emerging issues in the faith-based nonprofit sector and the development and implementation of products and services in response to those needs.
This is very relevant information! We have had at least three email requests like this in the last several months. Thankfully, we have never been duped by the requests, but we will certainly take to heart the suggestions you make for fraud prevention. Thank you!
Thanks for the feedback, Linden! Glad you found the recommendations helpful.
Trinity College of Florida has been targeted at least twice on this scheme. Fortunately, the fraud was detected before any funds were transferred.
That’s very unfortunate — glad you were able to detect the fraud. It demonstrates the prevalence of this type of scam and the need for continual vigilance.
It is also important to have a protocol for having the bank obtain approval from authorized individuals on staff for all requests of interbank transfers. We were hacked when someone sent the bank an email with an attached letter that was pulled from archives and modified with where they wanted the money wired. The email and letter looked mostly authentic to the bank, but had a few identifiable mistakes. The bank called me to confirm per our protocol and I was able to identify that it was bogus. No one at the church would have known about it if the bank had not called.
That’s a good suggestion. Thanks for sharing!