Presented with Nonprofit Learning Lab
Community IT CTO Matt Eshleman and Carole Melvin, Senior Manager at Your Part Time Controller (YPTC) presented a new free webinar on preventing financial fraud at your nonprofit hosted by the Nonprofit Learning Lab
Join us for a free video covering the financial threats that face nonprofit organizations and the steps you can take to protect your nonprofit from financial fraud. Matt and Carole gave an overview on wire fraud, shared examples that they have encountered, and talked about the steps you can take to protect your organization. Staff who are involved in processing financial transactions will find it relevant, whether or not you have IT responsibilities.
Community IT Innovators is pleased to partner with Nonprofit Learning Lab to present this webinar on how to prevent financial fraud at your nonprofit. Cultivate a culture of healthy skepticism and put financial safeguards in place to prevent falling victim to ever growing scammers and cons.
As with all our webinars, this presentation is appropriate for an audience of varied IT experience.
Community IT and Nonprofit Learning Lab are proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.
Carole Melvin is a Senior Manager/Market Leader for the Washington, DC office of Your Part‐Time Controller, LLC (YPTC). After earning her bachelor’s degree at University of Massachusetts at Amherst and her master’s degree at Boston University, she began her career as an auditor with Deloitte serving both for profit and nonprofit clients. She went on to pursue a career in Accounting and Finance at various nonprofit organizations.
Her combined experience includes more than 20 years of, accounting, auditing and audit management, budgeting, and best practices in nonprofit board administration.
At YPTC, Carole is responsible for generating and managing client relationships, hiring staff, and ensuring they have a rewarding and positive work environment, as well as providing accounting, reporting and management services to nonprofit clients herself. She covered financial topics in previous webinars at YPTC.
As the Chief Technology Officer at Community IT, Matthew Eshleman is responsible for shaping Community IT’s strategy in assessing and recommending technology solutions to clients. With a deep background in network infrastructure technology he fundamentally understands how secure technology works and interoperates both in the office and in the cloud.
Matt has dual degrees in Computer Science and Computer Information Systems at Eastern Mennonite University and received his MBA from the Carey School of Business at Johns Hopkins University.
Matt is a frequent speaker at NTEN events and has presented at the Inside NGO conference and Non-Profit Risk Management Summit. He is excited to cover preventing financial fraud at your nonprofit in this webinar.
Monica: Hello, everyone. Thank you for joining the Nonprofit Learning Lab for today’s workshop. Without further ado, I will now hand it over to Carole and Matt.
Carole Melvin: Thank you, Monica. Well, good morning or good afternoon since we are broadcasting across many time zones, and welcome to Protect your Nonprofit from Financial Fraud.
Matt and I will be co-presenting. I will be presenting from the financial perspective and Matt will be giving the IT perspective, on everything that you need to know to protect your nonprofit from financial fraud.
Our learning objectives for today are as follows.
- We’re going to discuss the cybersecurity landscape and the particular vulnerabilities for nonprofit organizations.
- We will then share tips and best practices for financial processes and IT tools to help prevent and detect fraudulent activity.
- And lastly, we’ll identify and define the types of cybersecurity incidents and give examples of the different types.
Matt, I’ll turn it over to you.
Matthew Eshleman: Great. Glad to be joining you to talk about this topic today. My name is Matthew Eshleman and I’m the Chief Technology Officer at Community IT. In my role as the Chief Technology Officer, I’m really focused on shaping the technology strategy and platforms that we use to support our 6,000 nonprofit staff clients across 150 different organizations and with a special focus on the cybersecurity controls that we use to keep our organizations safe.
If you’re not familiar with Community IT, just a little bit more about us. Community IT is a 100% employee owned, managed services provider. We provide outsourced IT support, and we work exclusively with nonprofit organizations and our mission is really to help nonprofits accomplish their mission through the effective use of technology. We serve nonprofits throughout the U.S. and have been doing this for over 20 years. We’re technology experts and have consistently been named a top 501 MSP. And that’s a recognition that we’ve received again last year. So it’s great to join you and share the lessons learned that we’ve developed over time, Carole.
Carole Melvin: Thanks Matt. I’m a senior manager and market leader for Your Part-Time Controller’s (YPTC) Washington DC office. I began my career as an auditor for Deloitte and my combined nonprofit experience includes more than 20 years of accounting, auditing and audit management, budgeting, and best practices in nonprofits as well as board administration, including serving as a CFO for several nonprofit organizations, one of which as a client of YPTC.
Now I’m on the other side and in my current position at YPTC, I’m the manager and market leader for DC, Maryland, and Virginia. I facilitate relationships with clients and staff, conduct practice development. I also provide accounting, reporting and management services to nonprofit clients myself. I’m a member of the AICPA and the greater Washington society of CPAs. And I serve as a member of the GWSCPA Nonprofit Section.
And a little bit about YPTC, Your Part-Time Controller is a professional services firm that specializes in nonprofit financial management with nearly 30 years of nonprofit expertise. In 2023, we’ll be celebrating 30 years. Our services include accounting, financial reporting, data visualization, and best practices to name just a few. We have over 1200 clients currently located throughout the U.S. as well as clients in several other countries. We are a staff of over 400 and growing, working in our eight regional offices and in our YPTC Anywhere nationwide virtual office, serving clients both onsite and remotely and providing services nationwide. We’re very proud to be voted a best place to work for over a decade. And in 2021, we were named on Accounting Today’s list of best accounting firms to work for.
YPTC is often hired by nonprofits for a variety of reasons. A nonprofit may not be large enough or have a budget sufficient to support a full-time in house controller or CFO, so they engage us. It’s in our name.
Alternatively, a nonprofit may have a staffing vacancy and they’ll hire YPTC to fill in that gap until a new controller or CFO is hired. Thirdly, we may be hired because a board member or executive director is being proactive about having third party oversight over their financial reporting.
Lastly, we may also be brought in after a fraud to help clean up a mess and help implement better accounting policies and procedures, including fraud prevention and good internal controls, which brings us to this topic today, Matt.
Matthew: Great. Well, we’ve told you all a lot about us and now we’d like to get a little bit better sense of who is joining us here today. So we’ll pop up a poll here. If you can, just fill in your check box here of your role at the organization.
- Are you part of the IT department,
- admin, maybe others?
So just take a minute to respond to that poll. We’ll reflect that back out here after it’s open for a few minutes.
All right. We’ve got a good number of respondents, we can share those results here. Let’s see, a little operations. It looks like a lot of operations folks and finance folks.
I think you’ll be well served by the content that we have today. This area of financial fraud is interesting as it intersects both finance and IT. It’s not owned by one or the other, but is a shared responsibility. You’ll find something to take away here. Great.
Well, let’s go back and start moving into the bulk of the presentation. I always like to start these sessions with a little bit of background, just to help us gain an understanding of the cybersecurity landscape that we find ourselves operating in today.
As a managed service provider, MSP, we support about 6,000 users and we have a unique perspective on the cyber-attacks that are facing nonprofit organizations today.
- What we are seeing is that there are persistent and ongoing what are called brute force attacks against your digital identity.
The move to the cloud has been a really great thing for organizations to do. And it’s made it easy for you to log into your systems no matter where you’re at, but it also means that bad guys can do that too. And so whenever we look at the systems that we monitor and manage, we can just see that there’s kind of a constant door knocking where bad guys are looking to break into accounts that maybe have weak or using stolen credentials.
- We also see that there’s sophisticated spear phishing, where these threat actors will use unique knowledge about you or your organization in order to try to get you to click on a link or take some sort of action.
- We also see organizations that are targeted because of the work that they do. This applies particularly to policy organizations or organizations that are adjacent to the government. They tend to attract a higher degree of attention than others.
- And then there’s also schemes that are targeting vendors such as managed service providers and as a way to get into other targets.
We also know that organizations are not always aware of all the security tools that are available to them.
We’ve been on a campaign to deploy more sophisticated tools to protect organizations against all of these threats.And we can see from our metrics that they are effective and make an impact.
We recognize that nonprofit organizations have a lot of work to do related to the policies that they need to develop such as an incident response plan. NTEN, which is an organization that does a lot of work around tech, did a survey a few years ago and they identified that about 68% of nonprofit organizations didn’t have an incident response plan. And that incident response plan really helps an organization define what they’re going to do when something happens. Breaches can be a significant expense.
In fact, we see that the average breach for a small business is about $149,000. So again, it doesn’t grab the headlines, maybe like a million dollar breach, like we see in the news, but that’s still a significant impact. I know, Carole, you have some additional perspective on those attacks hat are targeting nonprofit organizations.
Carole: Thanks, Matt. We know that nonprofits can be particularly attractive targets for fraudsters for a number of reasons.
The executive directors that we work with, they’re very passionate folks. They’re passionate about their missions.
- They’re often naturally trusting of others.
- We see board members and executives who are dedicated and talented in their particular fields, but they may not necessarily be well versed in financial issues and internal controls.
- So nonprofits are particularly vulnerable because they think it will never happen to them.
- And with often limited budget and staffing resources available, cybersecurity may be low on a list of a long list of competing priorities. And they may not be investing in that latest cybersecurity tool or fraud controls.
- Another key vulnerability is that many nonprofits handle sensitive information. As you said, which may include donor information. We see most recently refugee registration data, health data information on human rights investigations and other highly confidential matters.
These fraudsters know that many nonprofits lack the resources to modernize their technology making them easy targets for attack and cyber criminals, they don’t give immunity to an organization because of its charitable mission. It’s all about opportunity.
If the opportunity is there, they will exploit the organization and often the nonprofit, it may take them less time and effort and result in a quicker payout than a larger corporation.
We also understand that cyber criminals often use these chaotic times to find vulnerabilities in systems, which is why understanding the current cybersecurity landscape that we’re talking about today is really crucial. Early on in the pandemic, we did see one case with one of our clients, a large nonprofit that was scammed out of nearly a million dollars in a cyber-attack, at a time when they were serving more people than ever because of the pandemic. But we know that, even $149,000 could potentially be devastating to many nonprofits as Matt said.
Matthew: That financial information that Carol referred to is a primary driver of these cyber-crime statistics. The FBI maintains the Internet Crime Complaint Center, IC3; you may see that referenced elsewhere. If you or an organization that you know of has been a victim of cyber-crime, they may have filled out a form to submit that information to the IC3 complaint center.
And we can see here that the amount of financial loss, and this is direct loss. This doesn’t even count lost productivity or lost opportunity. Direct financial loss associated with cyber-crime has risen dramatically from $1.5 billion when they first started capturing these metrics back in 2016, all the way up to $4.2 billion in 2020.
The pace and the volume of cyber-attacks and the financial impact of those cyber-crimes is really significant. And it’s only growing over time, unfortunately.
As part of understanding the cyber landscape, it is important to understand that it’s no longer, some kid in the basement or a Nigerian prince prone to misspelled names, or just this faceless army, but cyber-crime is a job. It’s a living.
There are people on the other end of the computers that are launching these phishing campaigns, handling these spear phishing engagements, interacting with people once they’ve started a relationship and they’re doing it because there’s a financial incentive, as we can see from the FBI data. There are billions of dollars that are being lost to these cyber criminals.
From the cyber-crime perspective, it’s a lot easier to try to scam somebody out of $1000 or get them to buy gift cards than it is to write a sophisticated virus to wreck a network. So there is a financial motivation that doesn’t really take into account an organization’s mission or how much good they’re doing in the world.
Having an understanding of cyber-crime and the fact that these are financially motivated attacks, I think can help provide some additional perspective of how we need to respond and prepare our organizations to defend against these threats.
Again, to get a little bit of a better sense of the audience and what you have all experienced, I’d like to take this time to do another poll and get a sense if your organization has experienced any of the following:
- phishing or account compromise,
- any type of malware or virus,
- wire fraud? So that would be when an organization has actually had a financial loss that occurred over electronic means. You could have bought a gift card or even had a wire transfer gone to a different bank account.
- Ransomware gets a lot of press and it does happen, and it happens with unfortunate regularity. That’s when your data becomes encrypted and the hacker wants you to pay some sort of ransom often in a cryptocurrency in order to get it back.
- And then you might be in an organization that is targeted by one of these advanced persistent threat actors. Those are entities that are often sponsored by a state: Russia, China, North Korea; and they’re really interested in maintaining access and persistence into a network, particularly those organizations that are working on policy.
So take a minute to respond and we’ll see what folks’ experience has been related to that.
Almost a 100% phishing and account compromise. I think that echoes what we’ve seen as well.
We can move on in seeing the internet crime complaint stats. And in fact, phishing and pharming, those are all email and text message based attacks. That is the number that’s increasing. So 2020 data is on the left in the light blue line and because there’s cyber-crime, there’s a real financial motivation behind these attacks. And we even see that in our own data.
At Community IT, we support about 150 different organizations and we’ve seen an increase of almost 300% in security incidents from 2018 when we first started categorizing data to 2021. It’s also seen in larger industry reports. This is from the Verizon data breach incident report where they are looking at the likelihood that an organization is going to receive a malicious email, which is in that green line.
So we can see that basically if you’re an organization of any size, you’re almost guaranteed to receive malicious email and then, larger organizations, somebody’s going to install a malicious app on their phone. That’s the blue line. So we can see that almost every organization is going to be targeted and will continue to be targeted by these email based attacks over time. I’d like to turn it over to Carole to talk a little bit more specifically about the risks associated with processing and managing financial transactions.
Carole: Right. As we discussed earlier, the two main reasons that nonprofits are ideal targets for hackers and cyber criminals is
- they don’t see themselves as targets and prepare adequately and
- cyber criminals view nonprofits as easy prey sitting on a wealth of personal information about their support staff donors and the communities that they serve.
So if your nonprofit does any of the following:
- process donations,
- online event registrations,
- storing personal information for program participants,
- collecting information on donors or newsletter subscribers,
- or initiating online vendor payments
then you are at risk for cyber security threats.
We know that one of the biggest cyber security risks are online donations and while technology has made it much easier for nonprofits and charitable organizations to accept donations online, it’s also as Matt said, made it that much simpler for fraudsters to steal from the organization. The payment is easy for the donor as well, but it could leave you open.
Donor records, confidential details about employees are all at risk. And we know that for many years, most nonprofits have spent very little on cybersecurity and we are definitely seeing that change. Part of that was due to a lack of funds, also out of a sense that businesses would be more likely targets. In 2020, one of the largest non-profit third party vendors was affected.
Before, a lot of nonprofits said, it’s nice to have cybersecurity, but really now it’s a must have. For most nonprofits, reputation is everything. If an organization suffers a breach because it was careless with data, you may lose donors and put at risk your ability to continue to raise money and fulfill your mission.
So it’s very, very important to understand the data protection laws that you must adhere to.
In general, these laws require the businesses who maintain this kind of personal information to have proper safeguards in place to protect personal information, and then also have protocols in place to notify individuals if a data breach occurs.
There is no one, all-encompassing, federal data privacy law like there is for health information with HIPAA, but every state has different data breach legislation. And so you need to understand what that is that applies to personal information for residents of the state that you are in.
And then, even if a business does not have a physical presence in a particular state, if it is collecting personal information about a resident, and we know a lot of our nonprofits have donors all across the country, it has to comply with state laws where that individual resides.
So you may need to do more research about other states, as well.
Using encryption and a secure website is definitely going to help protect information during these online financial transactions. I’ll turn it back to you, Matt.
Matthew: Great. Thank you for that.
Let’s just talk a little bit more specifically about the types of cybersecurity incidents that you may encounter. We’ve got
- phishing emails,
- compromised emails,
- typo squatting and
- long con or business email compromise attacks.
Again, this is some resources provided by the FBI. The FBI is actively involved as a law enforcement agency in cyber-crime. This is a graphic that they have put out. It is a little bit hard to see (23:06), but essentially they’re describing the process that these fraudsters or threat actors are using in engaging with users as a way to facilitate wire fraud or other financial fraud.
What we see is that they
- identify a target.
- They will establish an engagement or an email thread that may be supplemented by phone calls. We’ll actually see some examples of that later on.
- And then they may go through a process to exchange “updated banking information” due to some problem,
- and then initiate that financial transaction.
That is typically the flow of how these things go in terms of financial fraud that has been initiated over email. And we’ll take a look at a couple of examples here a little bit later on in the presentation.
Carole: In our practice we’ve seen a couple of these phishing scams. We know 75% from the poll have experienced this. So we’re going to walk through what we have seen happen.
We know that these scammers try to capitalize on a crisis and the global pandemic is no exception. What we are seeing are these phishing scams where they’re reaching out to you and trying to trick you into giving your personal information, such as bank account numbers, passwords and credit card numbers.
We see nonprofits are communicating with their donors and partner organizations all of the time. And it’s so much easier now there are all of these automated emails and newsletters that keep all the interested parties aware of what’s going on in the nonprofit organization. But of course, as you’re responding to emails, you could be putting the organization at risk.
Clicking a bad link, downloading what seems to be a safe Word or PDF document, could put your hard earned fundraising dollars at risk.
What these scammers do to make their request appear legitimate is they use details and information specific to the non-profit from information that they may have obtained from your email or newsletter or elsewhere.
In the case that I mentioned earlier, with this large nonprofit, this particular organization was nearing completion of its $12 million construction project. It was very visible to the public in an urban setting. And the thieves knew that was going on, infiltrated their computer systems through a phishing scam, and then they put in controls. They blocked legitimate emails from the construction vendor and prevented those from getting through. And then the final step was the spoofing email that mimicked an invoice from that construction company which the nonprofit was expecting. It looked real and they paid it to the tune of almost $1 million.
In other organizations, we’ve seen cyber thieves infiltrate the email server and create fake invoices .
We also have seen them impersonate a current valid employee and ask for a change in direct deposit to the scammer’s bank account.
Without sufficient training, employees fall for these schemes. And of course we have to remember, it’s not just employees but also think about your volunteers. Of course, most of them have good intentions, but there may be someone who’s a bad guy, who is using that volunteer opportunity to infiltrate. You may be leaving your organization at risk for cyber-attack with that.
We always want to advise that you never send money or a wire transfer (those are just impossible to get back) without some sort of verbal or visual verification: picking up the phone, visually talking to someone on Zoom that is a known person.
We’ve seen a lot of other creative examples. We’ve seen these posing as Health and Human Services employees and offering to put people on a vaccine waiting list, offering to ship and sell different vaccine doses, falsifying invoices of sales of COVID-19 equipment. Previous to that, all the stories that we heard over the last few years about misuse of PPP loan money, so all kinds of opportunities there.
Here is an example of a phishing scheme message. It may look like it comes from a company that you know or trust. It may come from a vendor or a bank or a credit card company, a social networking site, or some sort of online payment website or app, or an online store that you know or trust. And it looks very real.
They’ve gotten quite sophisticated. Often there is some sort of story that they tell to trick you into clicking on the link or opening the attachment, saying they’ve noticed some suspicious activity or claiming there’s some sort of problem with the payment information or client, saying that they needed to change the banking information. And there was a whole story that went why they needed to do that. It might include the fake invoice as was in the example that I talked about, or offer you something free.
One of the things we’ve been doing a lot to help our clients with this is using a bill pay process, which has a lot of built in internal controls that can help catch this type of con.
A lot of our clients use bill.com. That’s just one of the many bill pay options that offer extra internal control protection.
We know that to help prevent and detect, we have to understand that first of all, we’re dealing with people. Humans are involved.
One of the first ways that we can prevent and detect is right from the top,
- promote an environment of healthy skepticism.
- Make sure that you’re empowering employees to ask questions and not feel rushed or pressured to process payments.
- You know make sure they’re taking their time to hover over links and look closely at the sender’s email address for misspellings.
- We often suggest use forward instead of just reply. So you’re forced to type in a known email address.
- Don’t click on the links.
- Don’t return calls to an unfamiliar phone number. Make sure that you look at a trusted outside, reliable source for that company phone number.
- And definitely before you’re transferring funds or making a change to banking information, make a phone call and confirm with someone that you know. The client that I talked about earlier, we implemented bill.com after that incident.
Some of the other steps that we put in place:
- We use payment instructions included in an original contract to set up vendor payment and any change from bank information in that original contract needed to be independently verified and approved by both the CFO and the program manager.
- We verify using that pre-established phone call or a video chat.
- We also have seen some of our clients using a small test deposit, for $1 for new vendors to verify that it is that known vendor contact.
- If you’re doing a wire, create a wire template for vendors with recurring invoices and again, any change to that wire template needs to be reviewed and verified by the CFO. And of course, limit the use of domestic wires anyway.
- If you process all of the payments through a bill pay system you’re going to have that extra prevention and also detection.
Matthew: I think that’s great to have all of those controls in place for any changes. That’s what we’ll take a look at here is the example of how these email threads get carried out.
Carole: Matt, you know attacks where global businesses are affected through the contractors has definitely become a clear trend. We know that business data is typically distributed across multiple third parties including service providers, partners, suppliers and subsidiaries. So organizations need to consider not only the cybersecurity risks affecting their IT infrastructure, but those that come from outside as well.
Matthew: We can just take a minute for an incident that we investigated. Here we have a screen capture from an organization that emailed their funder about updates to payment information and let’s see how we got here and what happened.
We will take a look at the actual email thread. Some of these things may seem familiar to you. Originally, we have some information from the executive director that their domain was compromised, so they had a compromised account or accounts. And so the bad guys were there.
And so the organization was following up with their foundation and the foundation assistant to get some additional information about the invoice for their funding. We see some back and forth from the foundation back to the organization that was compromised from the executive assistant at the compromised domain. Some communication apologizing for the delay in processing. That’s often a tip off that we see, right?
“There’s a problem with our bank account. We’ve had some suspicious activity. We need to provide you with some new information.” That often is a clue that something is happening. Again some back and forth apologizing for the delay, trying to find time on the schedule. That’s always a key issue for many organizations.
Some tells here: “We have recently made some changes to our payment information, kindly disregard the previous information.”
Pointing to some of those controls that Carole mentioned before of how you establish a flow to approve changes to payment information Both the executive assistant account and executive director account are compromised and they’re both interacting with their foundation in order to perpetrate this fraud. So again, the foundation has some controls in place. They need a name and contact information to send the new DocuSign information.
The hacker actually created a new account on the compromised domain and assigned it, gave it a name, “Angela Bergdorf.” That’s the person who is now controlled by the hacker completely. So now the hacker’s moved off the staff account into an account that they control solely.
The foundation has some controls where they need to do some calls. The hacker replies back with the ACH information, provides a phone number to verify.
Again, there’s problems with the phone. And as Carole mentioned, having pre-established controls in place so that you have a number on file to call instead of just calling a number that an account provides you is a good practice. You have a good verified phone number to have communication on instead of relying on what could be a fraudster providing you a number that’s controlled by them.
And here we even have problems with the foundation; they were having tech issues, too. And here we go, the hacker gives them an updated number. They go back and forth. They’re trying to negotiate these terms.
The hacker is feeling like they almost have a big score. They can almost taste it because they are providing both an office landline and a mobile phone in the U.S. This is an organization I think was based in London. The foundation received confirmation of the updated information. We see the hackers following up to ask when they’re going to get paid. When are they going to get paid? When are they going to get paid? There’s some, some urgency there.
Finally, we can see the managing director at the foundation. It ran into some of their financial controls to say this is a fraudulent account that was provided. We have recalled the payment. They basically suspended it at that time and the ruse was up.
But you can see that there was a long conversation. There was an email provided for the accounts payable person. There was phone number verification that was provided by the hacker. And so all of these different steps were a relatively well constructed ruse for this fraudster to take over an account at a legitimate organization and then try to perpetrate fraud against the foundation that was expecting to make a payment to that organization.
That was one example where we have a compromised account of an existing organization. And then this is an example of what is called typo squatting.
I’d love for you all to chat in and let me know which of these three domain names are illegitimate. There are three valid domain names, and there are three domain names here that were established by some hackers.
I’d love to see if anybody can identify the fake domains.
We’ve got Grameen Koota, we’ve got ID First Bank, we’ve got Phoenix Legal. This one is very interesting and very tricky to uncover.
In this case, the fraudsters really planned out their attack in great detail.This was actually an attack that would’ve been an eight figure haul if they had been successful.
In this example there’s multiple exploits, a compromise of some internal accounts which gave the hacker insight into when and how to attack. We can see that they set up domains that were very similar. So Grameen Koota, there’s an extra O. ID First Bank, we’re missing an I in that second one. And then Phoenix Legal, they simply registered a domain name in India instead of the Netherlands.
There’s lots of care and attention that was put into this and we can see the payoff would’ve been eight figures. So again, we’ve got those examples of a very sophisticated attack. We can see from IDFC first bank, which is the fake account that was setup to Grameen Kota, mixed in with Grameen Koota. Grameen Koota is the legitimate one.
So you can see it’s very, very tricky to determine. There’s lots of different elements here. The same pattern where we see the previous bank account information is unavailable. “We need to provide some updated information so that you can update your payment information, so we can complete the transaction.” So again, a very sophisticated attack in order to achieve financial gain here.
So let’s talk a little bit more specifically about those tools and techniques that organizations can put in place to help prevent this type of fraud from being successful.
- The tone needs to come from the top. Executive leadership needs to say that this is important.
- The staff training involved needs to also be advocated from the very top levels of the organization
- Internal controls need to be well communicated so that the staff know what to do and how to do it.
- implementing technical controls, such as multifactor authentication, advanced email protection tools, and even basic things like making sure that your computer is up-to-date, so that you aren’t susceptible to viruses are all good steps in place at your organization.
Carole will talk a little bit more in detail about some of the financial practices to put in place.
Carole: Thanks, Matt. And that first one, the IT tool is the same as the financial tool. We know fraud happens.
What are some things that we can do the best way to protect against cyber-crime?
As Matt just said, is that heightened awareness. And it’s really establishing that awareness at every level of the organization. It has to come from the top and it has to infiltrate at every level. It’s not just the job of IT or finance or a combination. Everyone needs to be involved in trying to protect the organization from fraud. It’s an ever evolving cybersecurity landscape.
We know your people are the best defense against a cyber incident, but you also need to understand that there will be conflict between the ease of use and the cybersecurity.
For instance, multifactor authentication (MFA) that Matt mentioned adds steps, right? So educate your team on why we are doing this and help them overcome that hurdle and embrace the cybersecurity efforts to ensure the mission’s continuity and security. Then explain that in turn to donors and funders.
You want to understand the high risk areas, assess, and test, audit your current IT infrastructure. Where are you currently? What do you have to protect? Where are weaknesses? What can you do about them? That will help you gain visibility over what’s happening, so you can design a roadmap for where you want to be and how to get there.
And then lastly, you need to have policies and procedures and not just have them, but enforce them.
We’re going to talk a little bit more about 2 issues of cybersecurity preparedness or two things that you need to have.
- The other thing you want to have is a data breach response plan.
Typical things that you might see in a data breach response plan are:
- reporting protocols,
- response team roles and responsibility, who is that team of experts that you’re going to assemble?
- How are you going to secure physical areas?
- What’s your communication strategy to all the different stakeholders?
- Do you have legal support in place should a breach occur?
- What is your cyber breach insurance? Make sure that you understand that you have the proper coverage you need.
- What is the plan to notify law enforcement?
We recommend that you develop a policy and procedure to guide employees on the proper steps to take.
You should have the development of a fraud work plan for investigating, for communication, for limiting access to assets.
- The first thing you want to do is hold that emergency board meeting and investigate further to collect all the pertinent info.
- We know that fraudsters rarely, rarely restrict activities to just one method. There may be other things that they’re doing. So you want to block access to accounts to prevent further loss. Close the bank accounts, submit the claim to recover lost money.
- As a nonprofit, public relations is really important. You may want to show integrity and come clean. If there has been a significant breach, don’t wait to report it on the form 990. That nonprofit that I mentioned before with the million dollar construction issue, they issued a statement on their website about it, and they posted the information in their 990, their annual tax return. And so you want to make sure that you have a plan and fully understand that.
- Also training for employees. It’s not just training, but then it’s also retraining. You want to change those behaviors to reduce vulnerabilities and build that resistance to fraud. We know that the only thing worse than a data breach is multiple data breaches.
So here we have a fraud prevention toolkit for you. This is not just cybersecurity, but all of fraud prevention. These are the 3 areas that you can focus on to reduce risk.
So as we said, one of the most important tools in your toolkit is that healthy dose of professional skepticism, make sure you are asking questions and demanding accountability. If something doesn’t seem right, keep asking questions until you really understand
Oversight starts with the board. And that tone at the top that we’ve talked about. If it is understood that it is important at the top, that message that we are paying attention is going to come through.
We always say, make sure that you hire the right people, right from the beginning. People that are put in positions of trust and authority, there may be extra steps that you want to go through when you’re hiring those folks, doing a complete background investigation and go that added step and ask for individual’s consent, if you need that enhanced background check for personal financial situations, as well as the criminal records.
In any kind of fraud case, whether it’s cybersecurity or the good old fashion financial fraud, making sure that policies and procedures are well documented and that everyone is aware of what those internal controls are and that they’re enforced.
And the other thing you need to do is make sure that you’re constantly reviewing them for changes in situations with the switch to remote work. If you haven’t already, make sure that you are going back and reviewing all those policies and procedures and updating them for the different ways that we are handling payments. That’s all the tone at the top.
This first one, the daily review of online bank balances and monthly reconciliations. We make that recommendation for all of our clients. You should always be doing this to make sure that there aren’t any bank errors, but especially in this time of cybersecurity. We have clients who actually were able to, with this daily review of the online bank balances, identify and find fraud and stop it before it was too late. That is a critical step or a critical tool in your toolkit. It’s easy and doesn’t cost anything. So have the executive director or maybe it’s the COO reviewing that.
Of course, having all the checks and balances, having the board look at things that the executive director is approving.
And then, in terms of policies and procedures again, make sure that you have cybersecurity insurance also the DnO, the directors and officers liability insurance.
Cybersecurity training, it’s not just an annual thing. It’s ongoing and constant and keeps everyone on their toes.
And of course, just having good practices where there is a 990 review and an annual audit will also help with fraud protection.
No organizational credit cards; we know that’s an area that is very rife for fraud. If you can eliminate those, you’re eliminating a big risk of fraud.
Matthew: I think it’s really a comprehensive list and, the no organizational credit cards is an interesting note to see there.
I know we’re getting near the end of our time, so I wanted to quickly add some IT security best practices.
Carole has already talked about the importance of training. And I think, training covers a wide variety of things from security awareness to making sure those emails are not being clicked to some of those financial practices and making sure staff are educated in how that needs to be executed.
We know that security awareness training is effective. We’re a KnowBe4 partner. And this is some of the statistics that they share.
So for organizations SMB nonprofits, they see baseline phishing tests where almost 40% of people are clicking on those links that come through in messages. But after about a year of training time, that number falls down into the low single digits.
And that does mirror our experience whenever we are deploying security awareness training to new organizations.
Our approach is to have that main annual training that everybody goes through, but also supplement that with quarterly micro trainings. Security awareness training is something that really should be built into the culture of the organization and be done throughout and not something that you just do once a year because you have to.
Along with security awareness training, there are some important technical things that your organization should be doing. The number one thing would be multifactor authentication. MFA combines something that you know, which is your password, along with something you have, which is often a token or an app on your phone. MFA really has a dramatic impact on the security of your online digital accounts.
Last year Community IT responded to a number of compromised accounts, but none of them had actually implemented multifactor authentications. We see it in the data from the organizations that we serve.
Google has what they call Project Zero, which is their security research team. They identify that in the most common attacks that nonprofits are going to face, which are automated bot or bulk phishing attacks, multifactor authentication is very effective in preventing those attacks from being successful. It prevents your password being disclosed and then used to log in and target other users from your account.
So multifactor authentication, if you have not already implemented it on all systems that you can log into from the internet, is something that should be high on your to-do list after coming out of this webinar.
There’s also some advanced email security protection that is available. Those phishing messages are very hard for traditional spam solutions to protect against. There’s not much text in them. They’re very short. They often don’t even have malicious links in them. So it is hard to block those with regular spam prevention tools, but there are some next generation tools that are able to combat those types of threats.
It’s important from the IT perspective to make sure that you’ve got those
- security controls in place,
- make sure that you’re doing training and
- implementing multifactor authentication on your systems.
You’ll be able to really provide some protection against accounts being compromised which then often can then be pivoted into the more sophisticated financial attacks that Carole has talked about.
Carole: I think we can review our learning objectives. I just will wrap up by saying that we
- discussed the cybersecurity landscape and the reasons why nonprofits are particularly vulnerable and why now.
- We gave you some types of cybersecurity incidents. I loved that example that Matt walked through. It’s very clear to see how easily it happens.
- Lastly we gave you some great takeaways, some toolkits, IT tools and financial tools to help prevent and detect fraudulent activity.
Monica: Yep. Thank you, Carole and Matt. It looks like we have time for just one question. Do you consider the Google Workspace to be secure?
Matthew: I think the response is, any platform can be used securely or any platform can be used insecurely.
Google Workspace is a great platform. From a technical perspective, we’re not concerned about Google getting hacked on the back end or anything like that. But it’s important to use the Google Workspace securely. That would mean turning on multifactor authentication. Any account that logs in should have multifactor authentication. And then your organization should also have clear policies and practices around how you are saving and sharing data.
Being clear that data for the finance department is only available to organizational users and cannot be shared outside the organization. Maybe the same thing with HR data.
It’s also important to incorporate your organization’s backup and disaster recovery plan as part of it.
Understand your data retention requirements and make sure that you are able to meet them in the platform. So again, any platform can be used securely and any platform can be used insecurely as well.
As long as you are taking that deliberate planning approach, turning on multifactor authentication, regularly getting rid of departed staff accounts, making sure the data can’t be shared unintentionally then you can feel confident in that platform and know that it’ll be secure.
Monica: Great. Thank you, Matt and Carole.