From the Claims Files: Phishing Scams

Learn from an NIA member that was victimized by a phishing scam.

Phishing scams are becoming increasingly sophisticated, sometimes appearing to come from trusted vendors or even people within your own organization. For nonprofits, a single fraudulent transfer can divert funds away from mission critical work.

a credit card on a fishing hook

The Nonprofit:

A nonprofit operated three thrift shops in different neighborhoods of a large city.

While each store was managed independently, vendor contracts, property/rental agreements, finance, and large purchases were handled by the nonprofit’s central office.

Most vendor payments were made quarterly using paper checks.

The Incident:

A staff member at the central office received an email that appeared to be from the nonprofit’s facility maintenance vendor. The email requested that the nonprofit change its quarterly payment method from paper checks to digital bank transfers and included detailed instructions for where to send the payment.

Believing the email to be legitimate, the staff member complied with the request and transferred a payment totaling a little over $9,500.

When a bill arrived several weeks later, the actual vendor was contacted, and they informed the nonprofit that no request for digital bank transfers had been made by anyone on their staff.

The Coverage:

After discovering the fraud, the nonprofit notified its insurance broker, who began the process to activate a claim with Nonprofits Insurance Alliance (NIA).

The Result:

Following review of the incident, including the circumstances of the transfer, the loss was determined to fall outside the scope of the nonprofit’s existing coverage.

The funds transferred to the scammer could not be recovered, and the incident resulted in a direct financial loss to the nonprofit.

Things the Nonprofit Did Well:

Once the discrepancy was discovered, the nonprofit promptly contacted the vendor to confirm the issue and notified its insurance broker to report the incident.

The organization documented the circumstances surrounding the fraudulent transfer as part of its internal review.

How Can Your Nonprofit Protect Itself?

Nonprofits that manage vendor payments sometimes consider how payment change requests are verified and approved, how financial staff confirm unusual requests, how communication channels are authenticated, and how staff are trained to recognize and react to suspicious online activity.

Clear verification processes and documentation practices can help organizations reduce exposure to fraudulent payment requests and respond more effectively when scams occur.

Whether simply using email, hosting a public website, collecting donations digitally, or storing client data online, nearly all nonprofits have a degree of cyber liability risk.

It is imperative that nonprofits discuss their cyber liability with their insurance broker to determine the coverage options and risk mitigation tools available.

From the Claims Files stories are for general information only. They are simplified examples and do not guarantee coverage, a defense, or any specific outcome. Some losses described in this series may not be covered.

Coverage depends on the specific facts and on the terms, conditions, and exclusions in your policy. Contact your insurance broker or agent for guidance, and follow your policy’s claims reporting procedures if an incident may involve a claim.

This story is not legal, medical, financial, or professional advice. In an emergency, contact local emergency services first. Any risk management practices mentioned are general suggestions and may not apply to every nonprofit. Follow all applicable laws, licensing rules, and reporting requirements.