How to Protect Your Organization Against New Threats
Carolyn was happy to sit down with Carole Melvin from Your Part Time Controller (YPTC) and catch up on the current thinking on preventing financial fraud as scams seem to multiply all around us in our jobs at nonprofits.
Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
Learn what new frauds and scams are evolving and how to protect yourself and your nonprofit. Some key takeaways:
Cultivate a healthy dose of skepticism and use common sense.
As Artificial Intelligence (AI) helps phishers build more convincing social engineering scenarios that play on your emotional responses and mimic legitimate vendors and colleagues, ask yourself whether that colleague or vendor would really need your help in the way they are asking. Listen to the voice in your head that says it may be too good to be true.
Utilize analog and off-line verification best practices.
You may not have thought about it, but financial procedures that include some old-fashioned verification steps can thwart high-tech scammers. Requiring physical signatures, and keeping a paper list of verified vendor and bank phone numbers on your desk, means you never confirm a transfer (or report fraud) using a number supplied in the suspicious message itself. A physical Multi-Factor Authentication key such as a FIDO2 security key (for example a YubiKey) will not hand your credentials to a lookalike sign-in page the way a typed password or one-time code will. Above all, don’t use workarounds in a rush. Always follow your standard procedure to verify payments, and review online payment activity daily to be sure everything is as you expect.
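The same checks can be mirrored inside the accounts-payable workflow. The following is an added example, not code from the podcast, YPTC, or Community IT: it treats a vendor master file of independently verified domains and phone numbers as the trusted directory (the "paper list on your desk"), and reviews a vendor bank-detail change request against it. The vendor names, domains, phone numbers, and the 10,000 dollar second-approver threshold are constructed for illustration and are not policy from the page.

```python
"""
Vendor bank-detail change review against a trusted vendor master.

Constructed example for illustration; the vendor master, phone numbers,
domains and the approval threshold below are assumptions, not real data.
"""
import re
from dataclasses import dataclass

# Hypothetical vendor master, populated out of band (never from an e-mail).
VENDOR_MASTER = {
    "Acme Office Supply": {"domain": "acmeoffice.example", "phone": "+1 202 555 0100"},
    "Riverside Catering": {"domain": "riversidecatering.example", "phone": "+1 202 555 0150"},
}

HIGH_VALUE_THRESHOLD = 10_000  # assumed policy: at or above this, a second approver must also verify

# Common substitutions used in lookalike domains (0 for o, 1 for l, stray hyphens).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                             "8": "b", "9": "g", "-": "", "_": ""})


def normalize_phone(raw: str) -> str:
    """Keep digits only and drop a country code, so '(202) 555-0100' == '+1 202 555 0100'."""
    digits = re.sub(r"\D", "", raw)
    return digits[-10:] if len(digits) >= 10 else digits


def skeleton(domain: str) -> str:
    """Collapse case, digit-for-letter swaps, 'rn' for 'm' and 'vv' for 'w'."""
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small enough to inline rather than pull in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(sender: str, vendor_domain: str) -> str:
    """'exact' if the From: domain is the vendor's, 'lookalike' if it only resembles it."""
    sd = sender.rsplit("@", 1)[-1].lower()
    vd = vendor_domain.lower()
    if sd == vd:
        return "exact"
    if skeleton(sd) == skeleton(vd) or edit_distance(sd, vd) <= 2:
        return "lookalike"
    return "unrelated"


@dataclass
class ChangeRequest:
    vendor: str
    sender: str               # From: address on the e-mail
    callback_phone: str       # "call us to confirm" number printed in the e-mail
    amount: float
    number_called: str = ""   # number staff actually dialled to verify
    second_approver: bool = False


def review(req: ChangeRequest) -> list:
    """Return the list of findings; an empty list means the change may proceed."""
    master = VENDOR_MASTER.get(req.vendor)
    if master is None:
        return ["REJECT: vendor not in master file"]
    findings = []
    kind = classify_sender_domain(req.sender, master["domain"])
    if kind == "lookalike":
        findings.append("lookalike sender domain")
    elif kind == "unrelated":
        findings.append("sender domain does not belong to vendor")
    # Never trust contact details carried by the request itself.
    if normalize_phone(req.callback_phone) != normalize_phone(master["phone"]):
        findings.append("callback number in e-mail differs from number on file")
    if not req.number_called:
        findings.append("no out-of-band call recorded")
    elif normalize_phone(req.number_called) != normalize_phone(master["phone"]):
        findings.append("verification call placed to a number not on file")
    if req.amount >= HIGH_VALUE_THRESHOLD and not req.second_approver:
        findings.append("high-value change needs a second approver")
    return findings
```

An empty result means every control passed; anything else blocks the change until a person clears it. The domain check is a supplement to the phone call, not a replacement: when the vendor's real mailbox has been taken over, the sender domain is exact and only the call to the number on file catches the fraud.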
Stay curious and aware of new threats.
No one can stay up to date on every new attack. But staying as current as you can by talking to peers and cybersecurity experts will alert you to the new kinds of threats AI and other tools are creating. Cultivate a culture of sharing tips and examples with your peers and network, and draw on resources from partners like Community IT, online cybersecurity resources for people in financial roles, your cybersecurity insurance provider, financial advisors, and HR department.
Don’t be ashamed if you fell for a fraud. Tell someone right away.
Recognize that the scammers wouldn’t keep trying to trick us if the scams didn’t work a lot of the time. Fight the shame and stigma of falling for a fraud, and keep working as a sector to share experiences and fight the scammers through better information and solidarity. Tell someone right away if you click on the wrong link (and make sure everyone has the training to know who they are supposed to tell). Better to give your IT department 99 false positive reports than miss the one dangerous link that should have been reported quickly. Time is of the essence to minimize the risk and loss from the wrong click.
Learn these tips and more from Carole Melvin as she discusses recent examples that accountants, CFOs, and other staff in financial roles, as well as Development staff and anyone who deals with vendors, should know.
Presenters
With over 20 years of work experience in accounting and nonprofit management, Carole Melvin is currently the Regional Director at Your Part-Time Controller, LLC (YPTC), a leading provider of high-quality accounting services for nonprofits. In this role, she oversees the operations, growth, and client satisfaction of the South and Southeast region, managing a talented team and partnering with nonprofit organizations.
Carole has a CPA license and an MBA degree from Boston University, and is passionate about helping nonprofits achieve their missions and improve their financial health. Carole is a strong believer in the power of collaboration, innovation, and diversity, and strives to create a positive and supportive work environment for her team and her clients.
Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College.
She was happy to have this conversation with Carole Melvin on fighting financial fraud. You can review Carole’s previous webinars on how to protect your nonprofit from financial fraud here and here.
Ready to get strategic about your IT?
Community IT has been serving nonprofits exclusively for twenty years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap if you don’t have an in-house IT Director.
We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to your organization, using standard industry tech tools that don’t lock you into a single vendor or consultant. And we don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand. When you are worried about your email safety and spam, you shouldn’t have to worry about understanding your provider.
If you have questions about fighting financial fraud, or are unsatisfied with the way your current provider helped you recover from a cyber attack, you can learn more about our approach and client services and contact us here.
We think your IT vendor should be able to explain everything without jargon or lingo. If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.
If you’re ready to gain peace of mind about your IT support, let’s talk.
Transcript
Carolyn Woodard: Welcome to the Community IT Innovators’ Podcast. My name is Carolyn Woodard, and I am the Outreach Director for Community IT. I’m very excited to be here today with my friend, Carole Melvin, from Your Part Time Controller.
Carole, would you like to introduce yourself and what you do?
Carole Melvin: Thank you so much, Carolyn. And I’m equally excited to be here talking with you. I’m Carole Melvin from Your Part Time Controller or YPTC, as it is known.
YPTC is a financial and accounting services organization. We serve nonprofits. That’s all we do.
We work with nonprofits to make stronger financial management teams. We have over 1,800 clients across the country in 11 different physical markets, but we’re serving nonprofit clients all across the country, everywhere, because we’re delivering our services remotely as well as in person.
I’ve been with YPTC for a little over five years. Currently, I’m the Regional Director for the Mid-Atlantic and Southeast Division, and I serve nonprofit clients as well. So happy to be here.
Carolyn Woodard: I wanted to follow up with you because we did a webinar together, maybe a couple of years ago, about financial fraud at nonprofits. And I know that there have been some changes, like there’s some new tools, there’s AI, of course, everyone’s talking about. I wanted to connect back with you.
Can you share with us, are there new scams that people are seeing and hopefully not falling for, but maybe are falling for?
New Scams
What are the new things that are happening in terms of financial fraud?
Carole Melvin: Yeah. Well, financial fraud, there’s no getting around it. We know that it’s increasing every year, there’s always new kinds of fraud.
Nonprofits are susceptible to fraud just like other organizations. Sometimes there’s a misconception that nonprofits are doing good in the world, and who is going to take advantage and perpetrate fraudulent activity on nonprofits? But of course they do, and nonprofits are particularly vulnerable because they often may not have as robust internal controls, because they have a lean staff.
They are susceptible and we are talking about this because controllers not only have to be responsible for accounting and finance, but being vigilant and understanding the looming threat of cyber fraud has become part of our job every day.
Some of the things that we are seeing, a lot of it is related to the accounts payable function in our clients.
We’re definitely seeing where a fraudster will compromise the email, the official business email, often the AP email, and then use that email to move funds. That’s something that has happened many times, unfortunately.
We’re also seeing vendor impersonation. We talked about a couple of these cases where a fraudster will pose as a legitimate vendor, because they are aware that the nonprofit is working with that vendor. And they will send fake invoices, create fake email addresses, and mimic that real vendor’s website and the way that they look.
And they’ll trick the nonprofit organizations into transferring funds into that account. We definitely see more and more of that. It’s not as uncommon as it used to be.
And then we just saw this recently again, where the bad actor hijacks and actually takes control of the email, often forwarding the email to their own email, intercepting and acting.
You think you’re communicating with your real vendor, but of course, you’re actually communicating with the fraudster. And we’ve seen that it has been very successful for the fraudster in sending funds.
So those are some of the things that we typically see. And I know you just mentioned this in your last podcast about one of the newest frauds that we’re seeing is the in-person event phishing, where they get you to click on a link and sign in, and then you’re compromising your information as well. And we’ve even seen where people have gone to the event, and there is no event.
There is no event.
But in that email, you’ve given them the sign-in information because you’re logging in and then your account is compromised.
Carolyn Woodard: Yeah, maybe we’re a victim of our success in training people to be very suspicious of phishing emails that have a link. You’re not supposed to click on a link. Also, a lot of automatic programs will keep those emails out of your inbox, so you won’t even see them.
But what we saw is that a way around that is a document. In the case that we saw, it also is social engineering. It’s more of a long con or a more in-depth scam. They’re trying to prey on your emotions.
This person had been invited by – I think it was a senator’s aide on a committee that wanted to talk about this nonprofit’s expertise in a policy area. They were inviting this person to a meeting at a restaurant, and attached to the email they had a document that was the itinerary of how this aide from the senator was going to meet with the person for lunch.
The link to make the appointment was in the document, the itinerary. It was in a Word document that the person opened. And then that link was a fraudulent link, or a link to the scammers. But then to make the calendar event, she entered her credentials. So that was what they were trying to get is the ability to use those credentials. And then she showed up at the meeting and there wasn’t a reservation. That was a couple of days later, so the fraudsters had access for a couple of days at that point. It was really insidious.
Social Engineering Works
Carole Melvin: Yes, and the psychology of these wire frauds is really quite sophisticated. I think that’s why nonprofits, and I would say anyone dealing with financial management in general, are even more susceptible, because we’re so wired, pun intended, to be fast at answering these urgent requests.
We want to make sure we’re taking care of our clients, of our chief executives, of our constituents. Folks who are working in a nonprofit are thinking, if I don’t respond to this urgent email, then someone is not going to get the services that they need. So it’s that urgency that the fraudsters create in these emails.
It’s easy to understand why you could fall for that, especially if you’re in a high stress, high pressure, fast paced environment, your defenses might be down.
And it’s also when they’re giving you little pieces that check out, right? The email seems to be from the person it’s supposed to be from. And sometimes it is from that person because that person’s identity is compromised, and the fraudsters are in their system sending out emails actually from their server.
So it’s a real email, it’s just they’re not sending it. The fraudster is hacked into their system. Sometimes it tricks your brain into rationalizing it.
Yeah, okay, maybe they are asking me for this urgent payment to wire this payment because we have this contract coming up. And so you fill in the missing gaps of, yes, this makes sense. And that’s why it’s so easy to fall for.
Carolyn Woodard: I think we’re also seeing the rise of AI has given fraudsters more tools at their disposal. They can pull information about your staff from different areas of the internet.
We had one attack where it was the person’s personal Facebook that the fraudsters messaged her through, about something having to do with her position at the nonprofit. They knew that that Facebook account was the same person as on the org chart at the nonprofit, and they were able to be very convincing in that way, too.
Carole Melvin: Yeah, yeah, it’s really hard because nonprofits that are serving the community need to communicate with the community. They’re providing information about what their services are, what they’re doing, where they’re doing it. But yet you are setting yourself up for fraud because you give all that information.
We’re seeing a lot of our clients taking email addresses off the website and being really careful with the information they are sharing.
Carolyn Woodard: With that in mind, I want to pivot a little bit. We’ve talked about all the ways they can get you.
Do you have some advice on the ways that you can prevent these types of attacks?
I know some of them are analog, like having sophisticated IT tools that help keep your inbox as safe as possible and keep spam and unwanted emails and phishing emails out of your inbox, so you don’t even see them. But are there some other tips and tricks that you can take to stay safer?
Carole Melvin:
- Starting with fraud awareness in general and making sure that there is zero tolerance for risk, if that’s possible.
- And making sure that the tone at the top is clear, that everyone knows that this is important.
Sometimes, talking about psychology, someone might not want to ask someone to verify, right? But if you have that tone at the top, the understanding that this is how we’re going to operate. We are going to trust, but verify. I think that helps. People will be inclined to take those additional steps. I think that’s first and foremost.
- Having fraud awareness training, having regular trainings, little mini trainings. Gone are the days where we do it in the annual training, right?
It’s these frequent small trainings, where you’re keeping it top of mind for people. They will hopefully pause before they click on that link, because this is something that is being talked about, and everyone really understands.
- In addition to developing that tolerance, the tone at the top, the fraud awareness training, and all of the internal software applications that you can use, we’re also looking at, when you do get that urgent request, taking time to confirm that it is a real vendor. The simplest and most effective way is to pick up the phone and call, and don’t use the phone number that is provided in the email.
Use a phone number that you know to be correct. And that’s really the easiest way – verbal verification via phone. This prevents a lot of loss from happening.
We also were talking about setting up some sort of:
- advanced verification protocols,
- a certain code or password,
- really good internal control about the dollar amount threshold that’s going to require even more stringent confirmation.
That’s your best line of defense really against those fraud attacks. And like I said, really pausing before you click on anything, change bank accounts, all of that is just making people aware to fight that sense of urgency and verify.
Carolyn Woodard: That all makes sense. I think also one thing we talk a lot about with our cybersecurity training is encouraging that culture of and training around what are your next steps. It’s clearly the reason we get all of these emails and phishing links. People go to these efforts to trick us because it works a lot.
There shouldn’t be a stigma around having clicked on the wrong thing. But everyone needs to know, if you think you just did that, who you tell next and how quickly you need to tell someone.
Carole Melvin: That’s so true. It does happen and the key is knowing immediately, oh, no, I just clicked on that. Having that plan, you need to immediately drop everything and call your IT provider. Because often, they do have time to intercept, because a lot of times these bad actors, they’re doing a wide swath and then they’re coming back later to see what the hits are.
So sometimes if you know that you did something that maybe you shouldn’t have, even if you’re not sure, call your IT person, have them jump on and see if there’s been any compromise, and they can often address it right then and there.
Carolyn Woodard: Yeah. We have a staff person who says he’d rather have 99 false positives to catch that one that really was a hack. Try to encourage that internal culture of if you’re not sure, tell someone.
If it turns out to be nothing, fine, that’s great. You did the right thing. Don’t be worried about, oh, I’m going to bother them, or I’ve already turned in two today, so maybe I’ll just not do this one.
It’s really important for your IT staff and your supervisor to know what’s going on. And I think in general, they’d rather have 99 that were okay, instead of having the one that wasn’t okay get through.
Carole Melvin: Yeah, absolutely. That gets back to the culture because you could be embarrassed. I can’t believe that I did that. I know better. You feel awful, but it could be worse. It could get worse. You have to immediately own up to clicking on that or doing whatever it was. And chances are you do have time if you address it immediately.
Another very simple prevention technique that we recommend for all our clients is just reviewing your bank activity every single day. Looking at that feed to make sure that all the transfers, all the EFTs, ACHs, and wire transfers, in particular withdrawals, are what you expected.
And it’s a very simple, easy way. We hear all the time that that’s a great way to catch things before it’s too late, when it’s still pending. Someone should be tasked with doing that every single day.
Carolyn Woodard: That makes so much sense. All right, so I have one last question for you. We’ve talked about a lot of the types of scams that we’re seeing, and you’ve given us lots of great tips.
Is there one thing that you would say to everyone? If you can’t do anything else, do this one thing. What would that advice be?
Carole Melvin: Oh, that’s a good question.
Having that professional skepticism, I would say. We always want to think the best of everyone, but knowing that it does happen every day, it can happen.
Understanding it could happen to us. It could happen to all of us. I think it is important to understand that we need to have good internal controls. You need to be reviewing those.
You need to have lots of training. It needs to be top of mind, really.
Carolyn Woodard: Those are all great, great suggestions. And thank you so much for sharing your experience and expertise in this area and the things that you’re seeing with us. I really appreciate your time today, Carole. Thank you.
Carole Melvin: Thank you so much. This is an important topic and it’s great to have another partner to work with serving our nonprofit clients. Thank you so much.
Photo of currencies by Jason Leung on Unsplash