Internet scams targeting nonprofits are on the rise throughout the United States. In fact, Wired magazine reported that one cyber criminal operation hit 3,483 nonprofits. This criminal syndicate, known as “Scarlet Widow,” also targeted 5,581 individuals affiliated with those organizations. And that’s just one criminal operation. The total number of nonprofits harmed by scams is likely in the tens of thousands.
As with most types of danger, knowledge is the best way to protect your organization and mitigate risk. For this reason, we’re sharing some of the most common criminal scams that impact nonprofits of all sizes.
Phony Credit Card Donor Scams
While this scam may seem new, it’s actually based on the age-old bad check scam. It may look like this: Your organization receives notification of a $5,500 gift made on your website. Within minutes of the gift, your phony donor emails to explain an embarrassing situation. The phony donor shares that they only intended to give $500 but typed “5” twice. They politely ask your organization to refund the $5,000 and give a plausible reason for refunding it to a different credit card number (or wiring it to an account).
Wanting to meet the needs of your new major donor, your Development Director and finance office refund the $5,000 the same day. Two weeks later, the credit card processing company notifies you that the original $5,500 gift was made with a stolen credit card number. Of course, the company also withdraws the $5,500 from your nonprofit’s bank account!
The best way to protect your nonprofit from this rising type of fraud is to
(a) offer to make the refund after the transaction has fully processed and
(b) only make refunds to the same credit card number that made the gift.
In 2014, the Oregon Attorney General provided additional guidance to avoid this type of fraud: Oregon Attorney General Scam Alert.
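The two refund controls above can be expressed as a simple decision rule that a finance office or donation platform could apply before any refund goes out. This is an added example, not code from the original post; the gift records, card tokens and the 14-day settlement hold are constructed assumptions for illustration.

```python
"""Refund-control check for the phony credit card donor scam (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Tuple

SETTLEMENT_HOLD_DAYS = 14  # assumed hold: the post's chargeback arrived two weeks later

@dataclass
class Gift:
    gift_id: str
    amount: float
    card_token: str   # processor's tokenized reference to the card that paid (assumed)
    charged_on: date
    settled: bool     # True once the processor reports the charge as fully settled

@dataclass
class RefundRequest:
    gift_id: str
    amount: float
    card_token: str   # where the requester wants the money sent
    requested_on: date

def refund_decision(gift: Gift, req: RefundRequest) -> Tuple[bool, str]:
    """Return (approved, reason). Any failing rule blocks the refund."""
    if req.gift_id != gift.gift_id:
        return False, "refund request does not reference a known gift"
    if req.card_token != gift.card_token:
        return False, "refund destination differs from the card that made the gift"
    if req.amount > gift.amount:
        return False, "refund exceeds the original gift amount"
    hold_until = gift.charged_on + timedelta(days=SETTLEMENT_HOLD_DAYS)
    if not gift.settled or req.requested_on < hold_until:
        return False, "gift has not fully settled yet; hold the refund"
    return True, "approved: settled gift, same card, amount within gift"

# Constructed scenario from the post: a $5,500 gift, then a request minutes later
# to send $5,000 to a different card.
GIFT = Gift("G-1001", 5500.00, "tok_card_A", date(2020, 6, 1), settled=False)
SETTLED_GIFT = Gift("G-1001", 5500.00, "tok_card_A", date(2020, 6, 1), settled=True)
SCAM_REQUEST = RefundRequest("G-1001", 5000.00, "tok_card_B", date(2020, 6, 1))
EARLY_REQUEST = RefundRequest("G-1001", 5000.00, "tok_card_A", date(2020, 6, 2))
LEGIT_REQUEST = RefundRequest("G-1001", 5000.00, "tok_card_A", date(2020, 6, 20))
OVERSIZED_REQUEST = RefundRequest("G-1001", 6000.00, "tok_card_A", date(2020, 6, 20))

if __name__ == "__main__":
    for req in (SCAM_REQUEST, EARLY_REQUEST, LEGIT_REQUEST, OVERSIZED_REQUEST):
        print(refund_decision(SETTLED_GIFT, req))
```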
Gift Card Scam
I once stepped into an organization in the midst of a leadership and financial crisis. In addition to the significant issues they faced, the nonprofit’s problems were compounded by a very common gift card scam.
A few months earlier, the Development Director received an email from the Executive Director. The chief executive’s email stated that he was giving an important presentation in 90 minutes and needed 40 Target gift cards worth $50 each. The email asked the Development Director to purchase the cards, scratch the back to reveal the codes and email a photo of each.
The Development Director found the request unusual but wanted to help her boss in a pinch. So, she followed the email instructions. Of course, the email was from a scammer and not the Executive Director. Even so, the Development Director asked for a $2,000 reimbursement for an “honest mistake” on her part.
Your nonprofit’s leadership should make sure every employee, board member and volunteer understands they will never be asked to buy gift cards and send the codes. Also, inform your staff that some scammers mask fake email addresses to appear as if they are from senior staff.
As an executive director and employer in my own consulting practice, I’ve always wanted folks to know that I would never ask them to purchase gift cards and send the codes. I have also made it clear that they should text me on my cell phone and ask for a video call to discuss the request.
Phishing Scams
The gift card scam outlined above is an example of a phishing scam, but this type of scam can take many forms. The criminals will review your website, harvest the names of senior staff, and send an email asking for an emergency electronic payment to a vendor or individual. They will provide a good reason why it’s a pressing need that should be addressed within the hour. Additionally, the request will likely not be consistent with the basic internal controls of an organization.
Like the Gift Card Scam, the email may even appear to come from the CEO’s email address. You can best protect your nonprofit by insisting internal controls be followed and requiring personal face-to-face verification of any request.
Spear Phishing Scams
Spear phishing scams will seem to come from a reputable source – like your organization’s bank, a software provider (like Microsoft or Dropbox), or even the IRS. The email will typically seek to harvest your login credentials by requesting that you click a link to:
- Unlock your account
- Verify your identity
- Validate your information (address, EIN, credentials etc.)
Clicking this link directs you to a fake website that may even carry your vendor’s branding. The site may ask for your username and password, and the scammer then has the information necessary to take control of your account. Sometimes the link may also download a virus onto your computer.
Some effective ways to avoid spear phishing scams include:
- Never click on a link in an email. Instead open a new browser and manually type the URL for your vendor.
- Use two-factor authentication on all accounts.
- Report the phishing scam to your IT department, email service provider and ISP.
- Install an email security system that scans all email for phishing attacks.
While geared toward individuals, this AARP article provides great guidance about Spear Phishing attacks.
Hackers
Not-for-profits that fall victim to Spear Phishing scams often get hacked shortly afterward. Most employees will daisy chain passwords and accounts or, even worse, use the same password for every account!
The term “daisy chaining” passwords might be new to you. It’s simply a term for using related or similar passwords on several accounts, and here’s an example:
- FB password: Grandma456
- Bank password: #Grandma654
- CRM password: 789Grandma
- Office 365 password: 4grandma56
- Server password: 564Grandma
If a hacker gets login credentials for just one account, they will try variations to hack more accounts. And once a hacker controls a key account (like your email), it’s easy for them to break into every account you have.
Another form of daisy-chaining is using one online platform to log into other accounts. As an example, if your Google or Facebook account grants access to your CRM, then it becomes even easier for a hacker to gain access to multiple accounts.
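A nonprofit can audit its own password inventory (for example, a password-manager export) for the daisy-chaining pattern described above. This is an added example, not code from the original post; the normalization rule (lowercase, strip digits and symbols, compare the remaining core word) and the sample inventory are constructed assumptions, with the post's own example passwords reused.

```python
"""Daisy-chain audit over an organization's own credential inventory (added example)."""
import re
from itertools import combinations
from typing import Dict, List, Tuple

def core_of(password: str) -> str:
    """Lowercase and drop digits/symbols so 'Grandma456' and '#Grandma654' both become 'grandma'."""
    return re.sub(r"[^a-z]", "", password.lower())

def is_daisy_chained(p1: str, p2: str) -> bool:
    """True when two passwords share the same core word (or one core contains the other)."""
    c1, c2 = core_of(p1), core_of(p2)
    if len(c1) < 4 or len(c2) < 4:   # too short a core to count as a shared word
        return False
    return c1 == c2 or c1 in c2 or c2 in c1

def audit(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return pairs of account names whose passwords are identical or daisy-chained."""
    flagged = []
    for (acct_a, pw_a), (acct_b, pw_b) in combinations(inventory.items(), 2):
        if pw_a == pw_b or is_daisy_chained(pw_a, pw_b):
            flagged.append((acct_a, acct_b))
    return flagged

# Constructed inventory: the post's five related passwords plus one unrelated passphrase.
SAMPLE_INVENTORY = {
    "FB": "Grandma456",
    "Bank": "#Grandma654",
    "CRM": "789Grandma",
    "Office 365": "4grandma56",
    "Server": "564Grandma",
    "Payroll": "correct-horse-battery",
}

if __name__ == "__main__":
    for pair in audit(SAMPLE_INVENTORY):
        print("daisy-chained:", pair)
```

Every pair among the five "Grandma" accounts is flagged, while the Payroll passphrase is not, which is the signal a password policy review would act on.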
The danger and risk posed by hackers is significant. They can not only use your constituent data to commit more fraud, but they can even hold your entire computer system ransom. If you think this won’t happen because you are a small nonprofit, think again. A few years ago, hackers broke into a small cancer nonprofit’s system and held highly confidential information ransom. The criminals told the nonprofit “Cancer Sucks, But We Suck More” while demanding $43,000 to return the data. It can also happen to companies serving nonprofits, just as it did in May when some of the data Blackbaud holds for nonprofits was held for ransom.
Protect Yourself
Throughout this post, I’ve shared some ways you can protect yourself and your organization. At a minimum, your organization should:
- Implement policies and procedures to ensure good password hygiene. This includes no daisy-chaining and regular password resets.
- Educate your staff, volunteers and board members on your IT policies and potential scams
- Consider an encrypted password manager (there are a lot of good ones out there; you can see which one is right for you in this C|Net article: https://www.cnet.com/how-to/best-password-manager-to-use-for-2020-1password-last-password-more-compared/ )
- Install phishing and hacking filters on your nonprofit’s email system
- Require two-factor authentication on as many accounts as possible
- Obtain cyber insurance
- Complete a risk assessment using an IT security consultant (or see if your cyber insurance carrier will do this for you)
- Routinely assess your staff’s knowledge. Example: here are two emails, which of these emails is from the bank and which isn’t?
The time and money invested in your organization’s IT security will be well spent. With cyber risk, an ounce of prevention is worth a pound of cure.
Why am I writing about this?
You may wonder why I’m writing about this since my nonprofit consulting work does not include technology security, software consulting or hardware set up.
A big part of my executive coaching and strategic planning work is identifying and addressing potential threats. If you’re looking to work with a coach or your organization is preparing for a planning project – check out the Services tab of this website.