Nonprofit Accounting Basics

Don’t Fall for a Social Engineering Scam


Even the most sophisticated organization can be the target of an online attack scheme known as spear phishing.

Spear phishing is an email that appears to be from top level management in your organization, typically the Chief Executive Officer (CEO); however, it is from a fraudster.  Under an attack process called Social Engineering, the fraudster relies heavily on human interaction and often attempts to trick people into breaking normal security procedures around disbursements. These schemes are becoming more widespread and can affect any organization, even those with the highest level of information technology security.

In these types of attacks, a fraudster will provide enough information in his email so that it appears to come from the CEO. As a result, the organization will bypass an element of its internal control structure in order to meet the CEO’s request to wire a key vendor a sum of money as quickly as possible.  While there’s no guaranteed way to prevent these emails from being received, recognizing the methodologies used in these types of attacks is key to increasing staff awareness around evolving fraud schemes and hopefully preventing your organization from becoming a victim.

To gain the employee’s trust and appear legitimate, the content of the email may include any of the following characteristics:

  1. It appears to come from the CEO, sometimes occurring when the CEO is out of the office or away traveling. The fraudster has spoofed the organization’s web domain name to make the message appear to originate from the organization’s computer network. This is accomplished by subtly altering characters in the e-mail address to resemble a legitimate email address.  Also, computer software and applications exist which allow one to mask the originating web domain address resulting in the appearance of an e-mail being sent by someone else.
  2. It discusses details about an upcoming meeting or conference including the location of the meeting, key speakers, and topics to be discussed. All of this is readily available on the organization’s website and serves to legitimize the request.
  3. It contains specific information about the organization that the fraudster has obtained from the internet, social media, or the IRS Form 990.
  4. It is addressed to a specific individual in the accounting department by name and title. The fraudster has researched the staff hierarchy and reaches out to the individual he thinks can best facilitate initiating and approving the wire transfer process.

The organization typically discovers the fraud once it is verbally confirmed with the CEO, however, in many instance this is too late and the funds have been lost.

Despite the increase in the numbers and sophistication of this type of fraud, the following simple steps, if consistently followed, can be effective in detecting and preventing this type of fraud from occurring:

  • Never pay a vendor that is not on your approved vendor list.
  • Never disburse funds without an approved invoice.
  • Never disburse funds solely through the request of anyone simply through an email, even the CEO.
  • Confirm wire transfer requests verbally with the employee who appears to be sending the request. Do not rely strictly on email requests for wire transfers.
  • Confirm wire transfer requests with the vendor using previously known contact information and not the information contained in the email.

In addition, we recommend that you inquire with your insurance carrier regarding your policy’s coverage should you become a victim. Some standard insurance policies will not cover losses resulting from this kind of fraud unless the policy is specifically defined to include “social engineering coverage.”

With the vast amount of information available on the internet, social engineering fraud is a serious and ongoing threat for organizations of all sizes and industries. Remaining cognizant of these types of attacks, educating your employees about how they occur, and having a plan in place to prevent a financial loss are all essential elements that need to be addressed in your overall risk assessment and monitoring of internal controls.