ALERT: Non-profits are the latest target of Phishing Schemes

AAFCPAs has been alerted by a number of nonprofit clients that they are receiving emails from scammers who are disguising themselves as an internal, senior member of the organization’s management team. These emails look legitimate and are from an email address very similar to the organization’s email, with a slight variation.
In the email there is an urgent request to fund a wire transfer or disclose secure financial information.  The email exchange typically begins with an inquiry if the person is available and then leads to a request to transfer money.  The perpetrators of these scams get information that is widely available on the organization’s website, including the nature of the business, names and email addresses of key management and board members, and personal information of these employees from social media sites including LinkedIn and Facebook in order to make the email appear genuine.
A Client’s Story
The CFO of a large nonprofit organization received an urgent email from the CEO asking “Are you free”.  The CFO responded that they were available.  The CEO then instructed the CFO to make a wire transfer to an individual.  Although this was an unusual request, the payment was in-line with the general operations of the organization.  The CFO then asked where to charge the expense to and the CEO responded: “Administrative Expenses.”  This tipped the CFO off that something seemed odd.  A phone call to the CEO proved that this was in fact a “phishing scheme.”
What should you look for?
Most of these phishing emails contain the same characteristics, including:

  • An email address from the sender that is slightly different, such as an extra letter in the domain name
  • A signature that is not consistent with others in the organization
  • Misspellings in the body of the email
  • A request for funds in an urgent manner

What can you do to protect your organization?
This scheme is easy to fall prey to, however it can be easily prevented if you follow these steps:

  1. Follow the normal processes the organization has in place for disbursing funds, including check requisitions and sign offs. Wiring funds with an “urgent” need, outside of the normal processes increases your risk.
  2. Educate employees about these scams. Sharing this information and reminding all employees of the standard protocols when disbursing funds will reduce your risk.
  3. If your organization has a program that requires immediate wire transfers where the request is sent electronically, consider setting up standard procedures that require either a verbal confirmation or the use of a code word in the email.
  4. Adopt a system that requires two individuals to be involved in the wire transfer process. The ideal situation will allow one person to establish the wire transfer and require a second individual to approve and release the wire.
  5. Notify your IT staff as soon as you receive a suspicious email.

Fraud can come in many different forms, including these types of phishing schemes. Phishing is the act of deceptively luring an individual into providing financial or personal information through a legitimate-looking website, email or instant message.  Although phishing schemes have been around for years, there has been a recent increase in phishing that has targeted nonprofit organizations.
AAFCPAs encourages you to proceed cautiously when receiving any email or communications soliciting funds or personal information.  These simple steps should greatly reduce your risk of falling victim to a phishing scheme.  If you are a victim to this scam, you should notify your bank and the bank that received the funds immediately and contact your local police.
For more information about fraud prevention and risk assessment, please contact your AAF Partner, or John Buckley, CPA, Partner, at 774.512.4039 or

About the Author

John Buckley CPA
John is the leader of AAFCPAs’ Educational Services practice, serving diverse academic and education services clients spanning independent schools, colleges/universities, special education schools, education services, charter schools and charter management organizations (CMOs). John chairs AAFCPAs’ Risk Committee and oversees the firm’s Enterprise Risk Management Program, ensuring proper practices are in place to surface, understand, and manage priority risks. Additionally, John performs various types of fraud audits for clients, including cash disbursement, credit card fraud, and falsifying employee reimbursement. He has been asked to serve as an expert witness for several attorneys involved in fraud cases.

Leave a Reply