How do you think your donors and board members would react if you told them that you unwittingly handed over tens of thousands of dollars to a phishing scammer?
Picture it: An official-looking email shows up in your inbox. It appears to be from a vendor your nonprofit regularly does business with, requesting that you update your payment method to digital bank transfers. You’re busy. The email seems legit. You make the update and send over the money.
But, a few days later, the actual vendor calls — and they never emailed you at all. You realize you’ve been tricked into giving scammers thousands of dollars that were meant for your nonprofit’s mission.
As technology advances, these types of scams are becoming more and more common — and scammers have been known to impersonate familiar businesses, other nonprofits, government officials, celebrities, even people within your own organization.
Victims often find there is little chance of recovering money that was voluntarily given away (even under false pretenses), and most insurance providers don’t cover these types of situations, so nonprofits cannot afford to take chances.
Let’s explore a typical scenario involving a fraudulent email scam and discuss some steps and practices your nonprofit might consider adopting to help protect your essential funds and assets and avoid finding yourself in a similar situation.
The Nonprofit:
A nonprofit operated three thrift shops in different neighborhoods of a large city.
The stores were independently managed, but large purchases, finance, and vendor contracts — such as shipping and delivery expenses, IT, facility maintenance, utilities, etc. — were handled by the nonprofit’s central office.
Most of the nonprofit’s vendor contracts were paid quarterly via paper check.
The Incident:
One day, a staff member at the central office received an email, claiming to be from the nonprofit’s facility maintenance vendor, requesting that the nonprofit change its quarterly payments from paper checks to digital transfer. The email went so far as to provide all the relevant details for where to send the payments.
The staff member, noting that it appeared to be an authentic email from the vendor, complied with the request and sent over a payment, which totaled a little over $9,500.
A few weeks later, the nonprofit called the vendor over an unrelated matter. During the conversation, the vendor’s representative noted that the nonprofit was behind on their payments.
It was soon discovered that no email had been sent by the vendor, and that the $9,500 the nonprofit had paid had not been received.
The Legal Action:
A police report was filed, but law enforcement officials were unable to track down the people behind the fraudulent emails and payment accounts.
The Coverage:
While the nonprofit did contact their broker immediately in hopes of activating a claim, their NIA coverage — like that of many other insurers — could not be applied to this situation.
Although NIA does offer specialty coverages around fraud and theft — such as Money and Securities, Computer Fraud and Funds Transfer Fraud, Cyber Breach Management and Reward Expenses, and Cyber Extortion — they cannot be applied to cases where the funds or assets were given willingly.
The Result:
Based on the fact that the nonprofit’s employee had willingly sent the requested funds to the fraudulent actor — even though it turned out to be under false pretenses — the claim was not covered.
What Did the Nonprofit Do Right?
Unfortunately, in this situation, the nonprofit had few precautions in place — leaving them short of options once they realized they’d been scammed.
Other than contacting their broker to check if their insurance policy contained any coverage that could be applied, this nonprofit’s actions left much to be desired. Adopting preventive steps, such as regular cybersecurity training and better financial practices, may have led to a different outcome for the nonprofit.
How Can Your Nonprofit Avoid This?
The truth of the matter is, once your nonprofit has willingly handed over money or assets to a scammer, even under false pretenses, those resources are most likely gone for good.
Your mission can’t afford losses like that, and insurance can’t cover them — so it’s up to you to make sure that your financial practices are secure, that your staff is trained to recognize a scam when they see one, and that your payment and approval processes are not left up to one person.
Remember, scammers are able to impersonate familiar businesses, nonprofits, government officials, celebrities, and even people within your own organization — so don’t ignore a red flag if you think you see one.
If you get an email, text message, or phone call requesting anything to do with money or finances:
- Verify the source: Don’t agree to anything until you’re sure that the email is legitimate.
Find the phone number your organization has on file for the person or business the email is claiming to represent, and give them a quick phone call: “Hey, did you just send us an email, text message, etc.?”
Also, if the message did, in fact, come from a scammer, that person or business needs to know their systems may be compromised, as well.
Note: Never reply to the email in question or use any contact information it may include (phone, email, links, etc.). Be sure to use the contact information that your organization has on file, as online resources may also be compromised.
- Require two or more approvals in payment processes: Allowing a single person to approve purchases, payments, etc. is a mistake.
Never allow any large payments or payment method changes to be made without at least two signatures or approvals.
Minimally, requiring a second person’s approval provides a second set of eyes to hopefully spot suspicious activity.
- Don’t click or download anything: Suspicious emails or text messages will usually have a link or a file attached. Whatever you do, do not click that link or download that attachment.
- Watch for red flags: Scammers are sneaky, but there are some telltale red flags to watch for that may help:
- Are they asking for an unusual form of payment? Scammers love to be paid in gift cards.
- Check the sender’s email address. Does it have a subtle typo?
- Is your executive director on vacation or out of town and now they’re suddenly emailing you?
- Does the message have weird-looking links or attached files?
- Are the messages claiming your nonprofit ordered something or owes money for something?
- Do the messages contain a sense of immediacy and urgency?
Trust your gut: If you notice something feels off, it probably is.
- Consult with a cybersecurity expert: If you’re getting suspicious emails from someone impersonating a vendor, your executive director, or another trusted person, chances are your system has already been breached.
Once they’re in, these scammers can see who you are in contact with, learn people’s schedules, and use all that information and more to try and trick you.
A cybersecurity expert can help you get a handle on this situation and help train your staff to catch this activity before it has a chance to do harm. This could be a service your nonprofit purchases or an in-house IT team.
- Regular training is crucial for prevention: A team that can recognize a suspicious email, phone call, or text message when they get one — and knows what to do next? That’s your best defense against these scammers.
Training your nonprofit’s staff in cybersecurity practices, with regular refreshers, can help them stay up to date with current scams, learn how to protect sensitive data, and practice what they can do to spot and report suspicious communications.
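The red-flag checklist above can be turned into a first-pass screen that finance staff run on any incoming money-related email before anyone acts on it. The code below is an added example, not part of the original article or any insurer's tooling: it checks the sender's domain against a constructed allowlist of vendor domains the nonprofit has on file (catching one- or two-character typos), then looks for a payment-method change, urgency language, and unusual payment forms. Every domain, address and message in it is constructed for the example; a match means "call the vendor on the number you have on file", never "reject automatically".

```python
import re

# Constructed allowlist: the exact domains this nonprofit's vendors email from (hypothetical names).
KNOWN_VENDOR_DOMAINS = {"acme-facilities.example", "citypower.example"}

URGENCY = re.compile(r"\b(urgent|immediately|today|asap|right away|overdue)\b", re.I)
PAYMENT_CHANGE = re.compile(
    r"\b(update|change|new)\b.{0,40}\b(bank|account|wire|routing|payment (method|details))\b",
    re.I | re.S)
UNUSUAL_PAYMENT = re.compile(r"\b(gift cards?|crypto|bitcoin|prepaid cards?)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1-2 from a known domain is a typo-squat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@domain>' or 'user@domain'."""
    return address.rsplit("@", 1)[-1].strip("<> ").lower()


def red_flags(sender: str, subject: str, body: str) -> list[str]:
    """Return the article's red flags that fire for one message (empty list = none)."""
    flags = []
    domain = sender_domain(sender)
    if domain not in KNOWN_VENDOR_DOMAINS:
        near = [d for d in KNOWN_VENDOR_DOMAINS if 0 < edit_distance(domain, d) <= 2]
        flags.append(f"lookalike domain {domain} (resembles {near[0]})" if near
                     else f"unknown sender domain {domain}")
    text = f"{subject}\n{body}"
    if PAYMENT_CHANGE.search(text):
        flags.append("requests a change of payment method or bank details")
    if URGENCY.search(text):
        flags.append("pressures for urgency")
    if UNUSUAL_PAYMENT.search(text):
        flags.append("asks for an unusual form of payment")
    return flags


if __name__ == "__main__":
    # Constructed message modelled on the article's scenario: a vendor look-alike asks to switch to transfers.
    for f in red_flags("Acme Billing <billing@acme-facilties.example>",
                       "Urgent: updated payment details",
                       "Please update our bank account for quarterly payments. Wire immediately."):
        print("RED FLAG:", f)
```

Anything this screen flags goes to the second approver and to a phone call on the number already on file, as the checklist describes; a clean result is not proof of legitimacy.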
Conclusion
Scammers are more technologically advanced than ever, and they have zero qualms about targeting nonprofits.
Gone are the days of sketchy emails pushing “enhancement” supplements and other easily spotted scams flooding your inbox. Now, it’s very easy for scammers to pass themselves off as just about anybody they want.
That means you have to get comfortable with the idea of double-checking any unusual request involving money — even if it appears to come from someone you trust.
Doing that, along with keeping a tight control on your financial practices and training your team to defend against scammers, will help protect your assets and keep them doing what they’re supposed to be doing, which is serving your mission.