Listen to Podcast
Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
Join cybersecurity expert Community IT Innovators CTO Matt Eshleman and Carole Melvin, financial expert from Your Part-Time Controller, for a webinar discussion of the financial threats that face nonprofit organizations and the steps you can take to protect your nonprofit from financial fraud.
Community IT has developed many cybersecurity best practices resources and webinars that cover technology threats and risk assessment. We have seen a spike in the number of incidents involving financial fraud over the past year. In this webinar we provide nonprofits with tips to combat these evolving threats.
We were excited to hear from a financial expert on incorporating people and process protections that your accounting and development departments can take to prevent financial loss.
Carole and Matt provide an overview on wirefraud, share some specific examples that they have encountered, and then talk about the steps you can take to protect your organization.
They discuss the cybersecurity landscape of threats and risks, and minimum technology protections you must have in place to prevent spoofing, malware, and wire fraud. But an IT tool can’t protect your organization if your leadership doesn’t instill an attitude of healthy skepticism and ensure proper training to prevent fraud, and also put in place official policies and procedures for reporting suspicious activities or emails.
As with all our webinars, this presentation is appropriate for an audience of varied IT and security experience. Staff who are involved in processing financial transactions will find it particularly relevant, whether or not you have IT responsibilities. We also encourage IT staff charged with security to attend to learn more about additional protections in training and monitoring financial transactions that can add another line of defense against these sophisticated attacks.
Community IT is proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.
Carole Melvin is a Senior Manager/Market Leader for the Washington, DC office of Your Part‐Time Controller, LLC (YPTC). After earning her bachelor’s degree at University of Massachusetts at Amherst and her master’s degree at Boston University, she began her career as an auditor with Deloitte serving both for profit and nonprofit clients. She went on to pursue a career in Accounting and Finance at various nonprofit organizations.
Her combined experience includes more than 20 years of, accounting, auditing and audit management, budgeting, and best practices in nonprofit board administration.
At YPTC, Carole is responsible for generating and managing client relationships, hiring staff, and ensuring they have a rewarding and positive work environment, as well as providing accounting, reporting and management services to nonprofit clients herself. She covered financial topics in previous webinars at YPTC.
As the Chief Technology Officer at Community IT, Matthew Eshleman is responsible for shaping Community IT’s strategy in assessing and recommending technology solutions to clients. With a deep background in network infrastructure technology he fundamentally understands how secure technology works and interoperates both in the office and in the cloud.
Matt has dual degrees in Computer Science and Computer Information Systems at Eastern Mennonite University and received his MBA from the Carey School of Business at Johns Hopkins University.
Matt is a frequent speaker at NTEN events and has presented at the Inside NGO conference and Non-Profit Risk Management Summit. He is excited to cover ways to protect your nonprofit from financial fraud in this webinar.
This webinar moderator, Carolyn Woodard, has served many roles at Community IT Innovators, from client to project manager to marketing. With over twenty years of experience in the nonprofit world and marketing, including as a nonprofit technology project manager and Director of IT, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission, keep your IT infrastructure operating, and your website live.
Carolyn is excited to manage Marketing at Community IT Innovators and is always looking for new ways to tell stories and reach people. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College. She thinks the best thing about being with Community IT Innovators is the people.
View or share the slides here (1.7MB Pdf file)
Carolyn shared some links in the webinar chat: Matt will be presenting a webinar in April on our updated Cybersecurity Incident Report. Here is a link to the report we put together last year that shows the types and changes in attacks and hacks.
To learn more about our framework and best practices you can pursue, we have a free downloadable Cybersecurity Playbook.
If you like quizzes and want to learn more about your organization’s level of risk/protection, Community IT put together this Cybersecurity self-quiz. Takes about 10 minutes, and will automatically email you your results so you can share them internally with your organization.
Carolyn Woodard: Welcome everyone to the Community IT Innovators webinar series. We’re so happy you could join us for today’s webinar on Protecting Your Nonprofit from Financial Fraud.
We’re excited to partner with Your Part-Time Controller for this webinar to get some of the best financial processes advice from them on how to add another layer of protection on top of IT and technical preventative measures. We’re going to talk about wire fraud in particular today with some examples, but we’ll cover other scams and schemes, also.
[Wire fraud: financial fraud involving the use of telecommunications or information technology. (Department of Justice definition)
(the four essential elements of the crime of wire fraud are: (1) that the defendant voluntarily and intentionally devised or participated in a scheme to defraud another out of money; (2) that the defendant did so with the intent to defraud; (3) that it was reasonably foreseeable that interstate wire communications would be used; and (4) that interstate wire communications were in fact used)]
We’ll also be recording today’s webinar and the recording will be made available on our website. So don’t worry too much about taking notes.
After the webinar, you’ll receive an email with a link and it’ll also be posted to our YouTube channel, and the podcast episode will be posted in two parts within a week. If you happen to be watching on YouTube right now, we encourage you to subscribe to our YouTube channel so that you’ll get updates every time we post a new webinar.
And we also invite you to subscribe to our email list. We don’t send a lot of emails, we just send updates on webinars that are coming up that we offer, so you can attend in real time and ask your questions as you can today.
We have a lot of free resources and downloadable material on our website too. Before we begin, if you’re not familiar with Community IT just a little bit about us.
We are a 100% employee owned, managed services provider. We work exclusively with nonprofit organizations and our mission is to help nonprofits accomplish your missions through the effective use of technology.
We have about 40 staff and we started in the DC Metropolitan area over 20 years ago, and we now serve nonprofits across the US. We’re technology experts and are consistently named a top 500 managed services provider by Channel Futures, and that’s an honor that we received again in 2021.
So let’s get into the webinar today. [Our learning objectives are to discuss the cybersecurity landscape and vulnerabilities for nonprofit organizations, identify and define the types of cybersecurity incidents and discuss examples, and share tips and best practices for financial processes and IT tools to help prevent and detect fraudulent activity.]
I’d like to start by introducing myself. My name is Carolyn Woodard and I’m the Marketing Director at Community IT and also the moderator for today’s webinar. Before working in marketing, I was a Project Manager here and before that I was the IT Director at a large international nonprofit and a Program Director at a small national nonprofit, where I was the point of contact as a client of Community IT back in the day.
I have been on both sides of the table and I love how Community IT has a lot of staff here with experience working at nonprofits, and we really get the community and the constraints and opportunities and needs.
Many of you submitted questions at registration, which our panelists will do their best to answer. I’m joined today by Carole Melvin from Your Part-Time Controller, YPTC. Carole, do you want to introduce yourself?
Carole: Thank you, Carolyn. Good afternoon. My name is Carole Melvin, I’m a Senior Manager and Market Leader for YPTC’s Washington, DC office. I began my career as an auditor for Deloitte and I am a CPA, much like many of my colleagues at YPTC. We are ex auditors and many of us are CPAs.
My combined nonprofit experience includes 20 years of accounting, auditing and audit management, budgeting, and best practices in nonprofit board administration, including serving as CFO for several nonprofit organizations. Like Carolyn, there’s another parallel, I also was a client of YPTC before jumping over to the other side. In my current position at YPTC I serve as the Senior Manager Market Leader for the DC, Maryland, and Virginia region. I facilitate relationships with clients and staff, conduct practice development, and I also provide accounting, reporting and management services to nonprofit clients, myself.
I’m a member of the AICPA, the American Institute of CPAs, and the Greater Washington Society of CPAs. And I serve as a member of the GWSCPA, nonprofit section.
A little bit about YPTC. Your Part-Time Controller is a professional services firm that specializes in nonprofit financial management with nearly 30 years of nonprofit expertise. Next year, we will celebrate 30 years.
Our services include accounting, reporting, data visualization, and best practices to name just a few. We have over 1000 clients currently located throughout the US as well as clients in several other countries. We are a staff of over 300 and growing. Working in our eight regional offices and in our YPTC Anywhere nationwide virtual office, serving clients on site or remotely, providing nonprofits with accounting services nationwide. And we are very proud to be voted a best place to work for over a decade. And this past year we were named to Accounting Today’s list of best accounting firms to work for. And now I will turn it over to Matt to introduce himself.
Matthew Eshleman: Great. Thanks for the introduction, Carole. It’s really good to have you join me today to talk about combating wire fraud. My name is Matthew Eshleman, I’m the Chief Technology Officer at Community IT, and I’ve just celebrated 20 years with the company. I actually have a little bit of time before that as an intern and have now been in my current role for a while and really focus on helping our internal team manage the IT infrastructure for the 140 clients and 6,500 people that we support. Also, I am a resource for organizations to help them manage their cybersecurity.
I look forward to getting into lots of great content today. We’ve got a lot packed in here and I think it’s going to be a really valuable and engaging session. As Carolyn mentioned, feel free to chat in questions as they come along.
But first I actually do have a poll for you, I would love to get a sense of who’s attending the webinar today. So go ahead and just take a minute or so to quickly respond to what is your role at your organization? Are you in the IT department, finance, operations, other admin?
Just to get a sense of who is attending the webinar today. We’ve got a lot of content for all interested parties. It looks like we’re pretty evenly distributed here in terms of people playing lots of different roles at their organization. So that is fantastic.
- We’ll start with the cybersecurity landscape.
- We’ll talk a little bit specifically about wire fraud and what that means and how organizations can protect themselves.
- We’re going to show some specific examples. I think it’s particularly helpful to see how these types of attacks are perpetrated and perhaps you’ll see some techniques that seem very reflective of what you’ve experienced at your own organization.
- And then finally, we’re going to talk about how to protect your organization. I think it’s really important to move from understanding these concepts, to talking about the specific steps that you can take at your organization to help protect the data in your organization’s finances.
Jumping in and talking a little bit about the cybersecurity landscape. If you’ve been on our webinars, we like to start with laying this groundwork. What we see as an organization, as I said, that supports about 6,500 nonprofit staff, is that there are persistent and ongoing attacks against your online digital identity.
If you can log into something from the cloud, it means the bad guys can too. And so we see that happening all the time.
We also see that organizations are targeted with really sophisticated spear phishing. And we’ll go into that in more detail as part of the presentation.
We also see that organizations are targeted because of the work that they do. Mostly that applies to kind of think tank and policy groups. I think especially with some of the current political environment that we are seeing now with Russia and the Ukrainian threat. We’re seeing organizations that work on international issues specifically targeted.
And then we also see schemes targeting vendors such as ourselves, and I think vendors like YPTC as well, that have access and insight into a great number of organizations. So organizations like ourselves are targeted as well.
We also see that organizations are not always aware of all of the new security tools. There are lots of good products out there that can help organizations combat these increasing security threats.
And I think we also see that nonprofit organizations generally have fewer cybersecurity fraud controls in place.
We also know that a lot of nonprofit organizations have not taken those proactive steps to implement things such as an incident response plan. That data comes from an NTEN cybersecurity report from back in 2018. That is something that we see pretty commonly across the organizations that we’re working with.
We also know that there is a real financial impact of these threats to nonprofit organizations. Fraud is not just something that happens to somebody else or happens to only big organizations, but we see that data from Kaspersky’s small to midsize business impact shows that there are direct costs of about $149,000 associated with cyber incidents.
Carole, are there things that you see in the work that you do as well here?
Carole Melvin: Yeah. And that really mirrors what we are seeing Matt. So we know that nonprofits can be particularly attractive targets for fraudsters.
We know that often executive directors who are passionate about their missions are often naturally trusting of others who share their interest, or at least pretend to.
And board members who are dedicated and talented in their particular fields may not be as well versed in financial issues and internal controls, in some cases.
And we also know that nonprofits of all sizes may have limited resources available to address the internal controls.
So that $149,000 that you’ve mentioned could potentially be very devastating to some of these small nonprofits. And this makes them vulnerable to those who use it as an opportunity to commit fraud. And as you said, nonprofits are particularly vulnerable because they think it will never happen to them.
We had one case of a client and this was in the early days of the pandemic, which seems like a long time ago.
In the summer of 2020 one of our clients, and this was in the news, so I’m not breaking any confidentiality here, but one of our clients, Philabundance who provides food to people in need in Philadelphia, were scammed out of nearly $1 million in a cyberattack.
And this was at a time when they were serving far more people than ever before because of the pandemic. Here they are, serving this great need, and then were preyed upon, a social philanthropic organization. It’s almost unthinkable, but that’s why we’re talking about this, because we do have to think about it. We’ll discuss the details of this case a little bit later in our presentation, but as you said, Matt, the phishers who targeted Philabundance were sophisticated. And it can happen to everyone.
Matthew Eshleman: Yeah. So the data that we take a look at, this is provided from the FBI’s Internet Crime Complaint Center, shows the increase in the amount of cybercrime over time.
We can see starting in 2016, there was about $1.5 billion worth of cybercrime activity. If you take that all the way to 2020, and we’re now at $4.2 billion. Over 165% increase of direct total losses.
This is not something that just happens to somebody else. This is something that happens to organizations within the community that we serve. And that rate is only increasing. This is something that we also keep tabs on and is mirrored by our own data.
The number of cyberattacks that we see launched against our nonprofit clients is not going down over time, but in fact continues to go up.
I think it’s also important for organizations to understand that this is a cybercriminal enterprise. This is not just the genius hacker in somebody’s basement doing this for fun. But there are in fact organized cybercrime adversaries that are well funded and this is a business venture for them.
(14:23) I have some iconography from CrowdStrike, which is an endpoint detection response group. These adversaries represent Fancy Bear which is a Russian based hacking group that is a state sponsored actor that goes after international groups and businesses.
And then also we’ve got Cozy Bear, which is another Russian based group along with Pinchy Spider, which is responsible for a lot of ransomware attacks. Actually just today some reports came out that actors such as Evil Corp is responsible for over $100 million in earnings from cybercrime.
When we think about this as not being opportunistic hacking, but really focused criminal enterprises, I think it can help to change our perspective on the protections that we need to have in place to help combat these threats.
CIT’s Approach to Cybersecurity
And when we think about cybersecurity at Community IT, we talk about
- cybersecurity protections really being first rooted in policy and then
- training and awareness for staff. That’s really our first line of defense.
- Then once we have that out of the way or invested in, then we can focus on some of the other technical areas where there may be some specific technology solutions in place related to protecting your digital identity,
- the data that your organization has,
- the devices that you’re using,
- your network perimeter, that could be an office or now, perhaps that’s your home or just your personal office,
- the web protections.
And then after we have those things in place, then it may be appropriate to move on to NextGen tools, but we really want to root the protections that we put in place at our organizations with policy and training.
[You can download the free Community IT Cybersecurity Readiness for Nonprofits Playbook for this framework, graphic, and best practices to review for your organization]
Carole Melvin: Right. And that training is so important because the technology and the process controls are useless if we don’t have the humans who are involved employing those practices.
We know many nonprofits have sensitive data about the vulnerable people they serve in their missions, but are they doing a good job of securing it?
It’s really important to note that as nonprofits think about this, they need to think about this across the organization. Security is not solely the IT Department’s problem or the Finance Department’s concern. It includes beyond the development and the fundraising folks as well.
It’s the program folks, it’s everyone’s job to be aware and follow the policy. We know of one nonprofit that sent an email with an unencrypted file that included personal information about their constituents, sexual assault survivors.
What happens when a list of those child sex abuse survivors’ names gets leaked or domestic abuse survivors get posted on some list?
The results could be catastrophic, even deadly. So you need to ask yourself if you’re treating that data with the respect it deserves. Are we taking the necessary steps to prevent that?
We also know that often nonprofits will have either some homegrown or customized software systems that may also make them more likely to be vulnerable. And they don’t often have that dedicated IT person. Someone in the organization will be charged with putting together this security policy. There’s a lot of different pressures on the nonprofits.
Another pressure in the cybersecurity landscape is that donors want nonprofits to spend only a certain amount of money on overhead.
They don’t realize that their own contributions may be at risk as nonprofits may not have the ability to protect their data or the funds that they get from those donors.
We are starting to see that change. Especially in the last few years, we’ve seen some of the larger foundations actually establish cyber initiatives to respond to growing cyber threats. So we are seeing a response to this increase in cyber activity that Matt showed us.
Matthew Eshleman: Yeah, I think that is an encouraging trend to see. And then I think it’s also good that we’re having this joint webinar. This is one of those areas.
Responding to a wire fraud is not just a technology issue. It’s not just a finance issue, but it’s something that many different departments need to work on and collaborate together in order to have the best protection.
We’ll take another opportunity to ask a poll question here. Have you experienced any of the types of cyber attacks? Whether that be spam or spear phishing, or an account compromise, whenever somebody other than the intended person has had access to your account. Maybe your organization has been impacted by the standard malware or virus activity or maybe ransomware, or maybe you or your organization has been a victim of wire fraud.
It’d be good just to understand the landscape and see where it mirrors some of the broader trends that we see. This is multiple choice and it would not be unexpected if your organization had been victimized by some or all of these different controls.
We’ll share the results so you can see everybody’s experience. I would expect 100% of organizations to say that they’ve seen spam or spear phishing attacks. About 15% of organizations have had an account compromise, 20% virus, malware 33% up into that range. About 15% of the respondents have said their organization’s been a victim of wire fraud. A small percentage, 6% has experienced ransomware.
I would say that poll really does mirror our own experience of trends. One of the things that we’ll be talking about and I’ll be doing a presentation on in two months, is the continuing trend of our nonprofit incident report.
And so here we can see there are two scalings of the data here, but we can see that most organizations see a lot of attacks that are email based. Spam and spear phishing with a significant number of account compromises occurring. And that number has been increasing over time. And that number will, as I was looking at the data from 2021, continue to increase. So that’s something that we’re really attentive to.
Overall, the number of wire fraud attacks or successful wire fraud cases, where an organization has suffered some financial loss is low overall. But as Carole mentioned, that amount or that loss can really be significant.
If an organization sends $1 million out the door, that’s a tremendous financial loss. We are seeing increasing sophistication in the number and near misses of those wire fraud attacks that our organizations experience. Let’s have Carole talk a little bit about asking some of those questions to help better understand your organization’s risk profile.
Does Your Nonprofit Do Any of the Following?
Carole Melvin: Thanks, Matt.
- So if you are a nonprofit, it’s very likely that you are processing donations.
- You may have online event registrations.
- You are most likely storing some sort of personal information for program participants,
- collecting information on donors or membership subscribers,
- initiating online vendor payments.
If so your entity is at risk for cybersecurity threats.
We know two main reasons that nonprofits are ideal targets for hackers and cyber criminals. We mentioned that
- one, they don’t see themselves as a target and therefore don’t often prepare adequately.
- And two, cyber criminals, as Matt said, are very sophisticated. Cybercriminals view nonprofits as easy prey sitting on a wealth of personal information about their support staff, donors, volunteers, and the communities that they serve. Donor records, sensitive client data, confidential details about employees are all at risk of threat.
We know that if nonprofits weren’t paying attention before, or they weren’t prioritizing it in their budget due to limited resources, that complacency may have ended after the 2020 ransomware attack on Blackbaud, which many of our nonprofit clients use as a financial system.
Blackbaud and Raiser’s Edge, this affected many organizations and charities in the United States. It may have been nice to have for some nonprofit organizations, but now cybersecurity policies and protection is a must have because we know that for nonprofits, reputation is everything.
If an organization suffers a breach, because it was careless with data, they’re going to lose donors and that nonprofit’s reputation and the ability to raise money may be forever jeopardized.
So it really is critical, and that brings to the forefront a lot of data protection laws. If you are doing any of the above, you do need to become aware and make sure you’re following data protection laws.
In general, these laws require businesses who maintain personal information to
- have safeguards in place to protect that personal information.
- have protocols in place to notify individuals if a data breach does occur.
There’s not really one all-encompassing federal data privacy law. There are some like HIPAA that covers health care, but every state will have different data breach legislation. Maryland, Virginia, New York have all broadened their cybersecurity legislation.
Even if your nonprofit doesn’t have a physical presence in a particular state, if it’s collecting personal information about a resident of that state, it typically must comply with that state’s laws.
So you may need to research other individual state laws, as well.
Types of Cybersecurity Incidents
Matthew Eshleman: We’ll talk a little bit now about some specific examples so that we can start putting these top level concepts into practice.
And so the first thing that we will talk about is what the FBI calls, Business Email Compromise.
Many nonprofit organizations do a great job on their website of highlighting the great staff that work there and the different roles that they play, which is a great thing to do. However, it’s also used by cyber threat actors to find out who the accounts payable person is, who are the finance people and then use that information to craft specially tailored emails that are designed to elicit a response and to get people to take action. If they can establish that communication, establish that conversational engagement, then they’re able to leverage that into getting somebody to take an action that they’re coerced or tricked into taking.
Carole Melvin: Right. And we’ve seen in our organization that thieves and scammers will always try to capitalize on a crisis and certainly, the COVID 19 pandemic has been no exception.
Antifraud experts have seen a rise in these phishing scams and we’ve seen that play out in a number of our clients as well. So getting back to that example of Philabundance, as Matt just explained, the scammers made their request appear legitimate using real details and information that was specific to the business. It’s not always clear where they obtain that information, but in this case Philabundance was going through a construction project. They were nearing completion of a $12 million community kitchen, a project that was visible to the public.
So the thieves infiltrated the Philabundance computer system and then put in controls that blocked the legitimate emails from the contractors. They blocked those from getting through, and then the final step was the spoofing email that mimicked the invoice from the construction company.
So it was very clever and sophisticated. Philabundance was expecting a real invoice. So when that invoice for $923,000 came in, they paid it. And of course, it’s often impossible to get that money back.
We’ve seen a number of other incidents, very similar to this, where the cyber thieves infiltrate an organization’s email server then create fake invoices that mimic the real vendors.We saw another case this past year where the scammers posed as a large consulting firm who was actually doing work for the organization. They sent the invoice with instructions to wire the money to the thieves’ account. And the folks in accounts payable did that. They sent the money to the thieves’ account.
We’ve also seen another case where thieves again, using email to gain access, pretended to be a valid current employee asking for a change in direct deposit, of course going to the scammer’s account.
We tell our clients never send money via wire transfer, money order or prepaid debit card, like Green Dot, MoneyPak, without first verbal or visual verification because these methods of payment provide little or no recourse for scam victims, and they present real obstacles for law enforcement in identifying the thief.
Of course we can never fully prevent fraud from happening, but we do have some helpful tips later on.
I’ll just mention other creative examples. We’ve seen thieves posing as Health and Human Service employees offering to put people on vaccine waiting lists last year for a fee or offering to sell or ship back vaccine doses and falsifying invoices of sales of COVID 19 medical equipment.
In 2020, we saw a lot of scams about the misuse of the PPP loan monies. So they get really clever. They’re constantly upping their game and changing. There’s a lot of incidents that you need to keep up with.
Matthew Eshleman: Yeah. Let’s take a look at some of those specific examples that we see on a fairly regular basis.
Phishing Scheme Example
Carole Melvin: Sure. So for example, an email or text message may look like it’s from a company that you know, or trust. It might be from a vendor, a bank, a credit card company, a social networking site, an online payment website or app. And they often will tell you a story to trick you into clicking on a link or opening an attachment.
They may say that they’ve noticed some suspicious activity or login attempts, or claim that there’s some problem with your account. They include a fake invoice as we’ve talked about and they want you to click on a link to make a payment.
We’ve just begun seeing text messages, this is becoming even more frequent than the emails, it seems like.
It’s also hard to tell whether that is real or fake.
And then in all of this, we’re trying to help you prevent and detect.
- So as we said before, there is the element — the human element. We always want to talk about not just wire fraud or cybersecurity, but the greater fraud landscape. We always want to promote an environment of healthy skepticism. So if you get that email from the Executive Director asking you to wire transfer money immediately, you need to have that moment where you think about the training that you’ve learned, would my Executive Director really just email me and ask me to do that? Or would they most likely call, or Zoom, or text?
- We need to train people to look for some of those phishing schemes such as the misspellings, the grammatical errors, and Matt’s going to talk a little bit more about that.
- There’s ways you can help detect a spoofed email address by hovering over it.
- We tell clients to use forward instead of reply. So you are forced to type in a known email address.
- Never return calls to an unfamiliar phone number. Make sure you look up the company phone number from a reliable source.
Matthew Eshleman: Yeah. I think those are all good tips. And now we’re going to actually take a look at an incident that we responded to at Community IT with a sponsored organization for one of our clients.
Here’s the gotcha. Names have been updated to obfuscate who is targeted here. I’m sure many of you have seen similar things that look like this from the Executive Assistant at what we now know is a compromised domain to the Executive Assistant at a foundation that was providing grant funding.
They CC the Managing Director and the Executive Director at the compromised organization. So, “Hi, we’ve made some changes to our payment information. Disregard previous payment, and let’s see if we can proceed with getting you the updated information.”
(37:05) From there, we’ll take a look at the actual email thread that occurred in this case. We can see that original email thread, so we can see that it starts off from the Executive Director to the Managing Director.
Then the Managing Director at the foundation is replying. They follow up “Any news? Let’s make sure that we can get the payment information. We need to schedule some time.” So this is on Wednesday in August.
The executive assistant then responds, “Hey, sorry about that, we’ve had a delay in processing. We’ve got a glitch in our system. First invoice is approved, second invoice has been uploaded.”
Then we can see obviously people are busy. “We can’t talk to the executive director. Let’s find some time to talk.”
We get a nice response. “Sure, we understand, let’s figure things out. When can we get together?” And we know around this time basically is the Executive Director at the organization, along with the Executive Assistant, all had compromised accounts.
And so the hacker, or the fraudster, is engaging with the Foundation.
Now we have the ask. We know that account has been compromised. They’ve been watching all the communications, and now they’re inserting themselves into the conversation to direct the foundation to update the payment information so that the funds could be directed into the fraudster’s account and not the nonprofit’s account.
The Executive Assistant follows up, followed by the Executive Director following up on the same email. So the Executive Director account is also compromised and is following up. Now the foundation has received communications from two people at the organization asking to change the payment information.
The foundation replies, “We can do that. We need to have a name, email and phone number. We’re going to DocuSign it.” It’s clear that they’re following some established procedures to update payment information.
Now, the Executive Director says, “Due to time difference, this is a UK based organization, here’s our new account person. Her name is Angela Bergdorf. They can only be contacted by email because of time differences.”
If you’re paying attention, there’s a misspelling there. They do provide a new email address. So in this case, it was actually accounts payable @ the organization. The hacker created a new account to use, and then also provided a phone number so that they could confirm the payment information.
So then the Executive Assistant at the foundation replied, “All right, we’ve passed that information along to the Executive Assistant. We need to confirm and so we’re going to call, can you give us that phone number again?”
The hacker is replying. “Here’s the bank information. It’s ACH, here’s my contact information.” They’re instructing the Foundation to contact them.
We can see the Executive Director is following up again, “We’ve requested these changes. Is it updated yet?”
The hacker is reaching out saying, “I can’t get in touch with you, can you help me figure out what’s going on?” As technology goes, the Executive Assistant at the foundation is having tech problems. Her carrier has been down, so they don’t have access to the laptop. They’re now just getting access to it.
There’s some back and forth, the hacker is following up saying, “Give me a call. Here’s my number to validate the change.” We can see the Executive Assistant is having some problems getting in touch with the hacker.
Again, “Can you give me a call back? We have bad reception.” You can just see this happening over the course of time. Here’s the updated phone number.
The hackers now provide them an office and a mobile number for the accounts receivable being very helpful to provide contact information. You can almost see the person; they know they’re getting paid really soon.
So there’s some urgency, they follow up again. So it looks like Angela Bergdorf has now gotten confirmation. So they went through a validation process. They updated the ACH payment information. They deleted the prior information as instructed.
Now we see the hackers following up saying, “Hey, thanks. When can we expect out — when can we expect the payment?
And then the Executive Director, also compromised, is also following up “When can we expect payment?”
The Executive Assistant is looping in the grant accountant at the Foundation, along with the controller and the Managing Director. “Hey, when are we going to be able to provide funding?”
Grant accountant replies, “We still need to do verification.”
All right, we’re all good. We have averted a crisis. We can see that the Managing Director or the finance lead was able to follow their established controls. And they identified that this was not right, there’s a mismatch, and we’re not going to be able to make the payment.
You can see they looped in a whole bunch of extra people in this conversation. You can see how the thread goes from the hacker taking over a couple of accounts at an organization, then using that to target the foundation in an effort to divert funds into their account.
When you look at this Carole, what do you see?
Carole Melvin: Well, a couple of things. This looks so familiar to the case that I was referring to earlier.
The finance folks, they’re already many times overloaded. They’re working hard. They’re trying to get things done, so they’re trying to be responsive. And they often are falling prey to this because they’re trying to check something off and get it paid, and be helpful.
We’ve seen this and it was interesting. A lot of the string that you showed was on a Friday in August. I think those frauds, in the case that I had, were right around a major holiday. They used that time. They know that people want to get things done and want to get things crossed off. So they could fall for it. In this case they’re lucky that somebody was paying attention.
Matthew Eshleman: Yeah. Really scary stuff and we can see why it’s really important to have those protections on the account. If you have a compromised account, it’s your organization that represents a liability and can be used to exploit relationships that your organization has with other partners.
(45:15) Let’s talk about one more type of attack. And actually, I have a quiz for all of you. I want you to pick out the legitimate domain names. There are three legitimate domain names here. I’m wondering if you can pick out the right ones. We’re talking about typosquatting. It’s also called URL hijacking. That’s where you’ve got a number of different domains, which ones are legitimate?
Idfcfirstbank. That’s right. Let’s see what else? Phoenixlegal.in. The Grameen it’s K-O-O-T-A, that’s the legitimate domain. K-O-T-A is not. idfcfirstbank has an I; frstbank is missing an I.
And then phoenixlegal, we see the same domain prefix, but different suffix there. We have phoenixlegal registered in the Netherlands versus registered in India. In this case we’re talking about an organization that was actually working in India. We can see amongst the audience we got some folks that would’ve gotten taken.
In this example we’re going to talk about how fraudsters had a really well planned and well executed attack that would’ve been an eight figure financial loss had it been successful. In this case, it’s likely that there were multiple exploits in use, compromises at multiple different organizations, that gave these fraudsters insight into how and when to attack. They registered domain names and were launching a very sophisticated multi-threaded attack.
Previous bank account is unavailable due to technical error here, so the bank itself is providing the updated alternative Trust bank details, and the attached, “sorry for the inconvenience.”
We’ve got typosquatting accounts where the hackers created and registered domain names that were very similar to banking and funding organizations. If you were just looking at this, you clicked on the website, you went to the right website. But if you clicked on and replied to the email, it went to a domain that was under the control of the hackers.
We actually have this from Grameen Koota, this is confirmed and approved. They went through the whole process and multiple parties reviewed and approved this before it was stopped at our client who had more sophisticated financial controls that required significant process changes if a wire address was changed.
So it was stopped at the last minute when somebody was getting ready to do the final checks.
So, I’m curious, Carole, what do you see in these cases?
Carole Melvin: Well, I think you really covered it all really well, Matt. I loved the interactive way. I just want to be mindful of the time, so we probably want to jump to the tips, the financial processes and IT Tools.
Financial Processes and IT Tools
So we know fraud happens, right? And we know we’ve already talked about the best defense is heightened awareness,and this covers the entire fraud landscape.
When it comes to cybersecurity, there are two policies that I want to mention.
Data Breach Response Plan
- The other policy that I want to mention is a data breach response plan. Matt has brought that up. Of course, the only thing worse than a data breach is multiple data breaches. So you need to have a data breach response plan.
- This should include reporting protocols, who do you tell and when?
- What are the response team roles and responsibilities?
- You want to assemble that team of experts, legal, insurance and accounting and IT.
- You want to make sure you come up with your communications strategy.
- Reach out to the cyber breach insurance, reach out to your insurance broker.
- And of course, notify law enforcement. The FBI, the attorney general, whoever is appropriate.
And then next we’re going to just talk about the Zero Tolerance Policy.
There was a report released earlier in 2021 by Verizon, it looked at cyberattacks on businesses and found that 85% of the breaches resulted from somebody making a mistake such as falling for a phishing email.
So again, that training is really critical because we know that either they’re busy or they’re naive. That’s why that training is really important.
And I will say here, if fraud occurs and your staff does not tell you in a timely manner, that’s a problem. We did have some cases where the employee was ultimately terminated, not necessarily for falling for the phishing scam, but for not communicating it in a timely manner.
If fraud happens, it should be drop everything and communicate it immediately, even if you don’t have the whole story yet.
Once that trust is broken and someone doesn’t report it because they’re trying to not come clean about it, that’s probably a cause for termination.
Understand High-Risk Areas
This gets into payroll and high risk areas which I will just mention. We have seen fraud that technically is wire fraud. Wire fraud being financial fraud involving the use of telecommunications or information technology.
We had a nonprofit in Boston where the COO was able to steal money through wire transfers. It’s not just external.
We used to always be focused on helping prevent and detect fraud internally. Now, with all these scams, we’re looking externally, but don’t forget to look internally as well.
This is again, technically a case of wire fraud. Look at all those high risk areas where cash is involved and payroll is involved.
- Cash disbursements ie credit card transactions, online bill payments, checks.
- Cash receipts
Establish and Enforce Policies and Procedures
When fraud does occur, you need to have that policy and procedure to guide employees on the proper steps to take. Work with your IT and your accounting folks to come up with a fraud work plan.
In the case of one of our clients, we came up with some steps:
- Right away, hold the emergency board meeting,
- Investigate further. Fraudsters really rarely restrict their activities to only one method, so you need to block access, and so forth.
Data Breach Policy and cyberinsurance is really important here.
Best Practices – Finance
Again, always be skeptical. A lot of times, it’s just common sense.
- Avoid using public WiFi.
- Don’t use the same password for multiple sites.
We always tell people that, but again, these things still keep happening.
And I will just mention, in one of the cases of our clients, we had recommended that they look at their Cyber Enterprise Risk Management Policy because a lot of times insurance companies are now carving that out. [Cyber Security Risks: Does Your Nonprofit Need Insurance?]
They did take our recommendation. Then unfortunately, in the next year, did fall victim. So the insurance was there to protect them. That’s also something that if you haven’t looked at it, we recommend that you consult specifically with an insurance broker familiar with the nonprofit sector.
I think in the interest of time, we can probably skip ahead Matt, to talking about some of the technology training of best practices.
Matthew Eshleman: We have a number of different resources available and we will make those available.
I’ll just go over these quickly and get to the finalized best practice checklist that I think combines the IT Security Controls.
Really the best defense is to have a trained and aware and engaged staff. Security awareness training is really the best way to do that. We like online programs that allow you to test and measure progress around people’s ability to identify phishing messages and then get tips and tricks and keep it front of mind.
Along with that we see that multifactor authentication is absolutely critical to preventing those compromised accounts from happening in the first place.
In 2020, when we did our incident report, we saw that about 97% of the account compromises that we responded to were with clients that had not implemented multifactor authentication. And I think that’s a number that continues. If you have not implemented multifactor authentication already that’s a great next step to take. Carole can talk a little bit about those finance processes to help keep your organization secure.
Carole Melvin: When we talk about a fraud prevention toolkit and the tools that you should have, we always talk about three important buckets.
- One is that “tone at the top.” That’s making sure that you are deterring any sort of fraud from happening, conducting complete background investigations, making sure that people understand ethical behavior. That would get to someone if they do fall victim to one of these cybercrimes, maybe they would be more apt to report it right away because they have that tone at the top. It’s understood that there is zero tolerance and they would come forward. So that’s an important piece.
- And then we always talk about segregation of duties and making sure there’s checks and balances and reconciliations.
- And of course, the last part, the policies and procedures is that third bucket. And that’s the insurance and the governance policies, but also that cybersecurity training for staff is one of our most important tools in the toolkit.
Matthew Eshleman: Great. Yeah. Once you have those policies and procedures and training education, I think then you can move on to investing in more technology solutions.
I will say none of these are foolproof. It’s very rare that you’re going to get an email protection solution to block every bad thing from coming in. We can help block some, and maybe even a lot, but a certain amount of that stuff is going to go through. That’s why that initial investment in your staff and training and process is really so important.
I know we’re at time, so I want to hand it back over to Carolyn to wrap us up and talk about how you can continue to stay engaged with us.
Carolyn Woodard: Thanks, Matt. Yes, thank you so much everyone who has stuck with us and I see many of you have. This was such a great topic and I’m sorry that we only had an hour for it. I feel like we could have talked a lot longer.
For people who were asking in the chat, we will be posting this recording. And I also put it out as a podcast episode and we’ll have a transcript as well.
Because we had to skip a couple of the slides there, we will also put up a PDF with all of the slides, so you can see the best practices and tips that we had to speed through a little bit there.
Our next webinar for Community IT is Wednesday, March 16th. We’re super excited. It’s a webinar on diverse perspectives on thriving in nonprofit tech careers.
It’s going to be a panel of three amazing women of color in different tech roles talking about creating inclusive workplaces. It’ll be at 3:00 p.m. Eastern, noon Pacific. You can register on our site.
I want to thank everyone for the great questions today, and thank you so much, Carole and Matt for sharing your experiences with us and helping us put together these tips and best practices to prevent financial fraud at nonprofits.
I could definitely see myself and organizations I’ve been at that could easily fall for a lot of these different situations. It just shows you how easy it is and how vital, as you said, Carole, to cultivate that skepticism. [think to yourself:] Would the Executive Director really email me about this, if it’s that important?
So I just feel like you gave us a lot of great stuff to think about and talk about.
I’m just going to quickly recap our learning objectives and the takeaways.
We talked about
- specific types of financial fraud that use technology, including wire fraud, sending money to a different bank account than you meant to.
- The financial processes you can use to prevent that fraud,
- to add that extra layer onto your regular IT tools that you use for cybersecurity, such as multifactor authentication,
- having regular training with your staff, so that they know how to spot those phishing emails or the spoofed domain names that we went through.
- We talked about the importance of creating a strong internal culture around financial precautions,
- and also about training your staff, not just on steps to take to avoid that fraud, but also when you detect fraud to have established procedures to report it immediately. That includes if you’re the one who clicked on the fake account!
- and that workforce and workplace environment is something that has to come from leadership. Your executives need to own it as a part of their fraud prevention efforts.
So I think I got out of this, that you can’t just turn on an IT tool and have that protect you. It really starts with your people.
You can have all the IT tools in the world, and we have a lot of IT tools available to us, but if you don’t have that training and that skepticism and that leadership, the tools themselves aren’t going to be able to help you.
We talked at the beginning about how it’s financially so important to be able to prioritize taking the time now to have those procedures and that training and that attitude because you WILL be paying for it later if you don’t do it now.
And finally, we provided a very rapid informal wrap up of these tips and best practices.
If you need further advice or consulting, you can always follow up with us.
I want to just make sure I give a disclaimer that we at Community IT, and YPTC are not offering specific financial or legal advice in this webinar. This is for a general audience. You should talk directly to your organization’s accountants or your counsel about any specific questions you have about anything that might relate to financial fraud.
If you see it, if you need to say something, that’s something you need to take up with your organization directly. In fact, that’s one of the messages in this webinar is that you need to know who to report to and how to report it when you see something that’s suspicious.
So I want to thank you all again for joining us. Thanks for going over a couple minutes. Thanks again, Carole and Matt.
Carole Melvin: Great. Thank you so much. Thanks for having me.
Matthew Eshleman: Thank you. I appreciate it. Looking forward to continuing our conversation.