Fraud: It’s Not Just for Insiders
In our ever-expanding digital world, many of us have had at least one of the following experiences:
– Unable to login to your online banking system
– Pop-ups or unexpected requests to change your password
– Computer slows, locks up, reboots or won’t shut down
– New toolbars or icons
– Requests for payment with no, different, or duplicate invoices
– Transaction requests with out-of-country banks
– Immediate or email payment requests
– Wire requests that say, “Strictly confidential financial operation”
– Emails or links with domain names that are similar to, but not the same as, current employees or vendors
– Requests that bypass normal procedures
If you have, these are all warning signs of potential fraud from outsiders. We’re currently seeing a growing number of schemes that target smaller organizations, such as nonprofits, governmental entities, and small businesses.
Here is information about some of the schemes we’re seeing and insight on how to protect yourself.
Small Donations on Stolen Credit Cards
By now, we’re all aware that we need to check our personal credit card statements for small charges we didn’t make. These charges are the work of fraudsters, who are testing the credit card number. If their charges go through, they sell the number to someone who then goes shopping with the credit card number.
The new twist on this scheme occurs when a fraudster tests a batch of stolen credit card numbers by using each card to donate a small amount to a charity.
Through using the method, the fraudster hopes that the cardholder will be less likely to challenge a donation, as it’s to a good cause, or perhaps because the cardholder believes their spouse made the donation. This increases the quantity of stolen card numbers the fraudster is able to sell.
Unfortunately, this scheme negatively affects both the cardholder and the charity. At first, the charity gets excited for the increase in donations. Once the scheme is exposed, however, the charity has to give the donations back and, for some credit card companies, pay a transaction fee on each refunded fraudulent donation.
To protect your organization, be alert for any spikes in small donations, especially if they are not from an area where you are targeting your fundraising efforts. If you see such a spike, contact your bank immediately.
Spear Phishing is another new take on an old scheme. Everyone who has ever gotten an unprompted email from Nigeria has experienced a phishing scheme. These emails are the result of fraudsters casting a broad net via email (SMiShing if they use texts), trying to get people to take the bait and respond.
Spear Phishing occurs when fraudsters send targeted emails trying to trick specific individuals into providing sensitive information, clicking on a link, or sending them money.
The fraudsters use personal websites; social media sites, like Facebook or LinkedIn; and Google searches to identify whom to target in an organization. The following are common examples of professionals who may be targeted in a Spear Phishing scam:
IT Director—Fraudsters spoof emails from the Executive Director requesting username and password information. This allows them to escalate their network access rights and gain access to sensitive data and systems.
Finance Director or CFO—Fraudsters spoof an email from the Executive Director requesting that money be wired to a certain account controlled by the fraudsters.
In a recent meeting poll, over half the CFOs in the room had received these requests. One organization was currently working with their CPA firm to improve their internal controls after falling victim to this scam and losing $80,000.
In that instance, the finance person wired the money out after receiving a spoofed email from the head of the organization, but then became suspicious when they received another spoofed email the following day instructing them to wire more money.
Another Spear Phishing method is to target the finance person to get them to click on a link, which downloads a key logger so they can monitor the key strokes on the finance person’s computer. This allows the fraudster to gain access to sensitive systems, including the online banking function, where they can directly send funds to themselves.
HR Director—Fraudsters spoof an email from the Executive Director instructing the HR Director to send a list of all employees and their W-2 forms or social security numbers to a specific email address or recipient.
How can your organization protect itself from these scams? The answer is, good IT practices. Staff need to know not to click on strange links, or pick up strange USB storage devices and plug them in. Your organization also needs good firewalls, anti-virus protection, and internal controls over your cash accounts and wire transfers.
Another scam takes the form of fraudsters sending false invoices to you from vendors with whom you currently do business. The fraudsters determine who you do business with from your website, google searches, and LinkedIn and other social media sites. They then create a phony invoice from that vendor, but with their address and payment information.
Often, these invoices look nothing like the legitimate invoices you receive from the vendor, but still may sail through the accounts payable process if not closely scrutinized.
To avoid falling victim to this scam, your organization needs to review all received invoices rigorously prior to payment. A purchase order system for larger organizations can also be a deterrent.
“Oops I Gave You Too Much” Scam
This fraud is becoming a real problem in Washington and Oregon, as we’re seeing it more and more each year.
In this scam, the fraudster sends a bogus check or money order to the organization under false pretenses, such as a donation or unsolicited grant. They then contact the organization a few days later, say they sent too much, and convince the organization to send a portion of the funds back.
Only after the funds have been returned does the organization realize that the original check or money order was fraudulent and rejected by the bank.
A recent example was a local nonprofit that, according to a Seattle Times article, received a check for $39,850 and returned $9,850. You’ll notice the amount returned was under $10,000. This was likely intentional by the fraudster, as it allowed them to avoid the government and banking scrutiny of all transactions over $10,000.
To prevent your organization from being the focus of the next Seattle Times article, be on the lookout for this “money from heaven” and be skeptical. One organization went so far as to ask their attorney if it was okay and the attorney gave them some bad advice saying “go for it.” Be aware that this scam is out there.
In this scam, fraudsters gain access to your network through an employee clicking on an infected link, or plugging in an infected USB drive.
Once inside the system, the fraudsters poke around to see how much access they can gain to the organization’s data, then lock portions or all of the organization’s data and hold it for ransom.
One organization hit by this scam paid the ransom. Another just had one laptop locked and decided to scrap the laptop rather than pay the ransom.
The way to prevent this scam is, again, through good IT practices. These good practices include training employees not to click on suspicious links or insert strange USB drives, having good intrusion protection procedures, and regularly backing up data so losses will be minimized if this occurs.
The FBI also suggests contacting them if this happens to you, as they may be familiar with the ransomware used and have the password to unlock your computer or network.
The goal of this article isn’t to make you lose sleep, though that may be an unintended consequence. Instead, the goal is to create awareness about the scams that seem to currently be in vogue.
It is worth noting, however, that this article does not provide a comprehensive list of all current schemes. Rather, we have excluded schemes that organizations have become familiar with and are typically already detecting and preventing through software or internal control procedures adjustments.
If your organization has not yet taken actions to address avoiding fraud, we recommend using this article as a means through which to think about your internal control system. What modifications could you make to strengthen your security and avoid falling prey to fraud?
Laura McKay, CPA is a senior manager and member of the Jones & Roth Nonprofit Team. She manages many of the firm’s largest and most complex audit engagements. Her experience includes performing compilation, review, and audit services for both nonprofit organizations and commercial entities. She is also an active member of the firm’s Assurance Services Department Management Team and Form 990 Task Force.