Tim Samuel nearly fell for an email scam that has cost victims billions of dollars.
Samuel, chief financial officer for Bridgeway Community Church in Columbia, Maryland, received a message that appeared to come from the church’s information technology director.
“I was blown away because … I almost got tricked,” Samuel said. Not only did it look like it was from a fellow staff member, but the email had an “invoice” for a security training awareness program, and the church had been installing a new security system.
But when he hit reply, Samuel noticed that the reply address didn’t match the one the IT director normally used (see “Actual Fraudulent Email” illustration). Something wasn’t right.
The extent of the problem
The scheme that targeted Samuel’s church is an example of what the Federal Bureau of Investigation calls a business email compromise scam—dubbed “BEC.” According to an FBI review of domestic and international data, the growing problem resulted in 15,668 reported victims and more than $1 billion in losses from October 2013 through May 2016. Other estimates put the total monetary loss at more than $3 billion.
These fraudulent emails are often well-worded, appear to come from someone in the organization, and deal specifically with the organization being victimized—and thus do not raise suspicions about the legitimacy of the request, according to the FBI.
Victims range from large corporations to tech companies to small businesses to nonprofit organizations—and churches have become a frequent target.
“It’s frightening because, for whatever reason, people are … clicking on these bogus emails, and wiring out money as a result,” said Lisa Traina, a CPA and cybersecurity expert who heads the CapinCrouse subsidiary organization Traina & Associates. “It’s pretty widespread.”
For example, a Tennessee church lost $20,000 in the spring of 2016 when a staff member received what appeared to be an email from the pastor directing that a wire transfer be made in that amount.
In North Carolina last year, the state’s attorney general issued a warning after scammers used authentic-looking emails to try to steal thousands of dollars from churches.
Targeting personal information
“There is a wide range of sophistication as far as the different kinds of scam messages I’ve seen,” said Douglas Ward, director of information technology for the North Carolina Conference of the United Methodist Church. “I’ve seen messages that are laughably easy to catch, that have a lot of horribly written grammar, really bad typos, incomplete sentences—things that stand out as pretty obvious forgeries.”
He’s also seen the other kind.
“I’ve seen a lot that are very complex and difficult to catch,” Ward said. “So, for example, if I wanted to pull off one of these kinds of scams, I would go to the company’s website and download a couple of profile pictures of the company’s executives. And then from that, you could create an email address and use that person’s profile picture for that account.”
Alerts by the FBI and others have made many church treasurers aware of the schemes, but criminals constantly adapt, leading to different iterations of the same scam, warned Michael E. Batts, a CPA and managing partner of Batts Morrison Wales & Lee, P.A., an accounting firm that serves nonprofit organizations. Batts also is an editorial advisor for Church Finance Today.
“For example, now they are spoofing a superior in the organization to ask for a copy of employees’ W-2 forms from last year,” Batts said. “So we’re seeing some variations on the theme, but the core element is that these crooks are spending time on an organization’s website long enough to learn what the email addresses of the superiors are, what sort of nicknames they go by, and then they use that information to create a spoof email that looks like it came from that person to ask for whatever, whether it’s money to be transferred or internal information.”
Six action steps
We asked experts and church financial leaders how church leaders can counter such scams. Here are six tips gleaned from their comments:
1. Don’t make financial payments based on email alone.
Call to verify that the individual actually requested the money, using a phone number already on file rather than one supplied in the email; require a hand-submitted invoice or a second signature; or take other steps to reduce the possibility of fraud.
The North Carolina Conference of the United Methodist Church, for instance, doesn’t allow requests for wire transfers or money to be made by email or telephone.
“You have to fill out a piece of paper, walk it over, drop it off,” Ward said of this policy. “With some kind of physical control, you greatly decrease the possibility [of a scam], if not completely preventing somebody from tricking you into wiring away $100,000 or whatever the dollar amount may be.”
Regarding his own church, Samuel has implemented a system prohibiting staff members from requesting emergency funds by email.
“At the end of the day, if you need emergency funds, there has got to be a better way,” he said.
2. Don’t make or authorize disbursements without documentation.
Traina stressed that the scammers have become more sophisticated than the elementary-level con artists once known for sending mass emails purporting, for instance, to have a $100 million inheritance in the bank if someone can just transfer $17,000 in fees.
“They are very sophisticated,” she said. “Oftentimes, the executive that these emails [allegedly] come from is, in fact, traveling. So they’re taking their time and learning who the players are, and that makes it scary.”
Regardless of who’s asking for money, every financial request should come with proper and complete supporting documentation, said the experts.
3. Allow church staff members to question any financial request.
In Louisiana last year, someone in the East Baton Rouge Parish school system was conned into wiring $46,500 to someone who claimed to be the superintendent, the Baton Rouge Advocate reported. The staffer retired after reports that she never sought verbal confirmation of the request, despite the superintendent being in a nearby office the whole time.
The bottom line: When a financial request looks like it is from the senior pastor or another person in a position of authority, paid staff members and volunteers should feel free to—and should even be encouraged to—find out if the request is legitimate, Samuel said. And they should be able to do so without fear of criticism or reprisal.
4. Create secure systems.
Secure IT systems that are regularly updated can greatly reduce the risks of bogus emails reaching staff members in the first place, Traina said.
While it sounds like something parents do to combat stranger danger, Traina said she heard of an organization using an internal code word for financial transactions that no one on the outside would know. She likes that idea.
Traina also encourages church leaders to determine what kind of information should not be shared online.
“Do you want people to be able to figure out that executives are halfway around the world?” she said. “You might want to be posting something cool that you’re doing [such as a mission trip], but by doing so, you open yourself up to more people tricking you.”
For further insights on developing security measures, see the sidebar on page 2, “More Insights on Preventing Cybercrime.”
5. Provide carefully targeted training.
Batts recommends educating a congregation’s team members about possible schemes and developing processes and policies to avoid falling victim to them.
Traina concurs, stating that members need to know how to detect schemes and should be armed with best practices that can help prevent breaches.
Specifically, training should include warnings about the dangers of clicking links from unknown email senders or opening attachments that could spread malware and steal sensitive data and financial records. Staff members should also know how to skim an email for clues that a request for money or sensitive information is bogus—such as a sender or reply address that the named employee wouldn’t normally use. An entire training session or series of short workshops could be based on the Public Service Announcements on the FBI’s Internet Crime Complaint Center site (ic3.gov/media).
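The clues described in this article (a familiar display name on an unfamiliar address, a reply address that differs from the visible sender, a domain that merely resembles the organization’s own, and wording that asks for money or W-2 data) can be checked mechanically before a message ever reaches the person who pays invoices. The Python script below is an added illustration and is not code from the article or from any church or firm it quotes. The domain example.org, the two-person staff directory, and the three sample messages are constructed for the example.

```python
"""Header checks for business email compromise (BEC) lures.

Added illustration, not code from the article or from any organisation it
names. The staff directory, the domain and the three sample messages are
constructed for the example; a real deployment would read the directory
from the identity system and run at the mail gateway or in the mail client.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.org"            # assumed organisation domain
STAFF = {                             # assumed directory: display name -> real address
    "dana lee": "dana.lee@example.org",      # IT director
    "pat rivera": "pat.rivera@example.org",  # senior pastor
}
MONEY_WORDS = ("wire", "invoice", "transfer", "w-2", "gift card", "payment")


def _edit_distance(a, b):
    """Plain Levenshtein distance, used to spot one-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain):
    """True for a domain that resembles ORG_DOMAIN without being it
    (examp1e.org, exampleorg.com, example-org.net)."""
    domain = domain.lower()
    if domain == ORG_DOMAIN:
        return False
    org_label = ORG_DOMAIN.split(".")[0]
    return _edit_distance(domain, ORG_DOMAIN) <= 2 or org_label in domain.split(".")[0]


def analyze(raw):
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    flags = []

    # Display name belongs to a staff member, but the address is not theirs.
    expected = STAFF.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append(f"display name '{from_name}' but address {from_addr} is not {expected}")

    # The clue Samuel spotted: hitting reply revealed a different address.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    for addr in (from_addr, reply_addr):
        if addr and is_lookalike(_domain(addr)):
            flags.append(f"lookalike domain {_domain(addr)}")

    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(word in text for word in MONEY_WORDS):
        flags.append("asks for money or payroll data")
    return flags


def verdict(flags):
    """Map indicators to the action the article recommends."""
    identity = [f for f in flags if not f.startswith("asks")]
    money = len(identity) < len(flags)
    if identity and money:
        return "verify by phone or in person before paying"
    if identity:
        return "sender does not match directory"
    if money:
        return "financial request from a known address; still needs documentation"
    return "no indicators"


# Constructed sample messages (not real traffic).
SPOOF = """\
From: Dana Lee <dana.lee@examp1e.org>
Reply-To: Dana Lee <dlee.itdirector@webmail.test>
To: finance@example.org
Subject: Invoice for security awareness training

Please process the attached invoice today. Sent from my iPad
"""

FREEMAIL = """\
From: Pat Rivera <pastor.pat.rivera@webmail.test>
To: finance@example.org
Subject: Need a wire transfer done before noon

I'm travelling and can't take calls. Send the wire and I'll explain later.
"""

LEGIT = """\
From: Dana Lee <dana.lee@example.org>
To: finance@example.org
Subject: Lunch Thursday?

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("freemail", FREEMAIL), ("legit", LEGIT)):
        found = analyze(raw)
        print(label, "->", verdict(found))
        for flag in found:
            print("   ", flag)
```

These checks catch the lookalike and free-webmail variants the experts describe, but a message whose From header is forged to be identical to the real staff address passes them; that case is caught only by sender authentication (SPF, DKIM, DMARC) enforced at the mail gateway. Either way the script is a filter that decides who gets a phone call, not a substitute for the out-of-band verification policy in step 1.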
6. Take immediate action if scammed.
If your church falls victim to a scam, the FBI recommends contacting your financial institution immediately upon learning of the fraudulent transfer. Some banks have started waiting longer than normal to process such transfers because of concerns about scams.
The church also should ask that its financial institution contact the corresponding financial institution where the transfer was sent. And the church should contact the FBI and make a report via ic3.gov.
Moving beyond a close call
Looking back at his own close call, Samuel chuckles about one small sign of fraud that stood out: The message’s signature line said, “Sent from my iPad.”
The staff member whose name was spoofed doesn’t have an iPad.
Still, it was scary to think how easy it would have been for even a seasoned CFO to fall for a very costly scam. That makes it all the more important, he said, to double down on policies and procedures that protect the church from this type of cybercrime.