Nonprofit financial leaders are receiving fraudulent emails that genuinely appear to be from their superiors, and these emails ask them to wire or transfer funds to a bank account in connection with the nonprofit organization’s activities. In some cases, the financial leaders truly believed the email request was legitimate. Fortunately, for the cases of which we are aware, other procedures prevented the actual disbursement of funds. But there have been close calls.
How the Scam Works
In a nutshell, what happens is some version of the following:
Scammers spend time on the organization’s website, learning who the leaders are. Specifically, they will look for one of the top leaders with organization-wide authority (president, CEO, senior pastor, etc.) and will especially look for his or her email address and nickname (e.g., if the CEO’s real name is William, but he goes by “Bill,” that can often be discerned from the website).
Then, the scammers identify the top financial person (along with any nickname) and his or her email address.
Next, the scammers create an email in which they spoof the real email address of the top leader they have identified. The email will look very much like it came from the top leader and may even appear as having come from his or her actual email address. The email will be sent to the person the scammers have identified as the organization’s top financial leader.
The email will contain instructions, using nicknames if applicable, to wire or transfer money to a particular account in connection with a project or activity in which the top leader is allegedly involved. For example, an email of this type might read something like this:
How to Prevent Becoming a Victim of This Scam
- Alert your entire management and leadership team to this type of scam.
- Have your organization’s IT team advise you regarding how to detect or screen for spoofed email addresses.
- Maintain an agreement with your bank that requires two separate appropriately high-level people in your organization to authorize any wire transfers or similar disbursements.
- Maintain a policy that forbids finance personnel from making or authorizing distributions of funds based on email or similar instructions alone. Require that finance personnel actually speak in person or by phone (by calling the person’s known number) with the party who is requesting the distribution.
- Maintain a policy that forbids finance personnel from making or authorizing disbursements without proper and complete supporting documentation, regardless of who makes the request.
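One way an IT team might screen for the spoofed messages described above, shown as an added example that is not part of the original alert. The leader address, the mail server name and both sample messages are constructed, and the code assumes your receiving mail server records SPF/DKIM/DMARC results in an Authentication-Results header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed values): leaders who can request payments, and the
# name your own mail server writes at the start of Authentication-Results.
EXECUTIVES = {"bill.smith@example-nonprofit.org"}
TRUSTED_AUTHSERV = "mx.example-nonprofit.org"
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|routing number|account number)\b", re.I)

def screen(raw):
    """Return reasons to hold a message that claims to come from a leader."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    if from_addr not in EXECUTIVES:
        return []  # only mail using a leader's address is examined here
    # Trust only results stamped by our own server; a sender can forge others.
    results = [h.lower() for h in msg.get_all("Authentication-Results", [])
               if h.strip().lower().startswith(TRUSTED_AUTHSERV)]
    reasons = []
    if not any("dmarc=pass" in r for r in results):
        reasons.append("leader's address in From, but DMARC did not pass")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to.rsplit("@", 1)[-1] != from_addr.rsplit("@", 1)[-1]:
        reasons.append("Reply-To points to a different domain than From")
    body = " ".join(p.get_payload() for p in msg.walk()
                    if p.get_content_type() == "text/plain")
    if reasons and PAYMENT_WORDS.search(f"{msg.get('Subject', '')} {body}"):
        reasons.append("message asks for a payment or transfer")
    return reasons

# Constructed sample messages, not real mail.
SPOOFED = """\
Authentication-Results: mx.example-nonprofit.org; spf=fail; dmarc=fail
From: Bill Smith <bill.smith@example-nonprofit.org>
Reply-To: Bill Smith <bill.smith@example-mail.test>
Subject: Wire needed today

Please wire the funds for the project.
"""
LEGIT = """\
Authentication-Results: mx.example-nonprofit.org; spf=pass; dmarc=pass
From: Bill Smith <bill.smith@example-nonprofit.org>
Subject: Budget meeting

Agenda attached.
"""

if __name__ == "__main__":
    print(screen(SPOOFED))
```

A message that returns any reasons is a candidate for the phone or in-person verification the policies above require; an empty result does not replace that verification.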
Michael E. Batts is an Editorial Advisor for Christianity Today's Church Law & Tax Team, and he is a CPA and the managing partner of Batts Morrison Wales & Lee, P.A., an accounting firm dedicated exclusively to serving nonprofit organizations across the United States. He is also the coauthor of Church Finance.
This guest post first appeared in Nonprofit Special Alerts, a publication of Batts Morrison Wales & Lee, P.A., that covers significant state and federal developments for churches, nonprofits, and their leaders. Reprinted with permission.