How Nonprofits Can Minimize Email Fraud Risk
Strapped for time and resources, nonprofit professionals rely on email for the bulk of their communication — especially those working at smaller organizations. Those inboxes contain various personally identifiable information and serve as a gateway to payment systems, donor records, and staff accounts — making them a prime target for fraudsters. Yet sensitive information is left vulnerable through simple and avoidable mistakes in how staff handle external email.
Of course, prevention matters — strong passwords and secure systems make a difference. Staying vigilant and verifying requests outside of email provides additional safeguards. But as schemes become more difficult to detect, a prepared incident response plan and prompt reactions to fraud threats become essential to minimizing financial and reputational losses when fraud hits your nonprofit.
Mitigate Risk Now to Avoid Costly Mistakes Later
No guarantee exists in any situation that all money will be protected or recovered in an instance of fraud, regardless of the complexity of the scheme or the speed of the response. The most effective way to avoid permanent losses is to take steps that prevent them from occurring in the first place. Here are four actions to protect your organization:
- Implement multifactor authentication on all account logins. Train staff to use a verification method like a trusted phone number to verify sensitive or unusual requests.
- Challenge unexpected communications. Educate your team and donors to question suspicious voice or video calls, even if they appear to come from known contacts, and adopt a code word among your team to disrupt voice-cloning scams.
- Run phishing simulations routinely. Test staff with simulated phishing emails to reveal vulnerabilities in your defenses and see where your team is most at risk. Tailor training by role, as different parts of your team may encounter different types of fraud schemes.
- Keep fraud policies on file and updated. These documents should address risk areas and the handling of information; conduct annual audits to ensure they are implemented and in good standing. Ensure procedures are followed at all times, especially when events occur that could affect security, such as a change in staff that necessitates updating account access.
Here are two sample scenarios to illustrate how email compromises could affect your organization.
The Payroll Redirect
The human resources manager — who also serves as the receptionist and office manager — receives an email notice that an employee changed banks and needs to update direct deposit information. However, the email account had been hacked, the update request was fraudulent, and a full paycheck ended up in a dummy account controlled by a fraudster. Only when the two employees later talk in person do they realize the error.
Prompt communication with the nonprofit’s banker may help the bank move quickly to open an investigation into the type and timing of the payment involved. If the bank determines recovery is possible, it can then initiate applicable third-party recovery efforts and contact the bank where the fraudulent account sits, potentially leading to the release of funds either in full or at a high percentage. While there’s no requirement that the depositing bank respond to or cooperate with requests from the nonprofit’s bank, a timely attempt can increase the chances of a successful recovery.
The Vendor Invoice Scam
The office manager receives an emailed invoice from a vendor for a regularly occurring service, with a request for electronic payment on a tightened deadline. While out of the ordinary, the request doesn’t seem suspicious and the funds go out. In reality, the request came from a hacked external email account that a fraudster was using to solicit funds.
Days later, the genuine invoice arrives via postal mail, and the nonprofit leadership team quickly notifies the vendor and verifies the fraudulent activity thanks to an established protocol between the two. The nonprofit contacts the bank, which again steps up to help facilitate fund recoveries.
Overcome Nonprofit Limitations Through Trusted Partnerships Before a Crisis
Often policy-driven or service-oriented, nonprofits face the dual challenge of identifying real-world solutions that can be successfully implemented and utilized, while also maintaining financial stability. Creating that balance while employees regularly manage multiple roles and time-intensive duties can both lead to fraud vulnerabilities and lengthen response times. Building the right outside relationships before fraud hits — not after — is one of the most practical steps a nonprofit can take.
When evaluating banks, auditors, or outside advisers, prioritize those who ask not only about the mission but also operations and potential pain points that create vulnerabilities. The process should continue with regular check-ins with updated insights and assessments of how to make improvements to continually safeguard funds.
Effective partnerships with financial partners start with a shared understanding of the systems involved, including security code words and other predetermined verification methods that can quickly flag potential threats and start the process of maximizing recovery of any losses incurred. Delays can lead to protracted situations where funds or even accounts end up frozen or unrecoverable, creating critical delays in operations and services.
Stay Ahead of Organizational Vulnerabilities
When fraud does eventually strike, nonprofits shouldn't have to navigate the response alone. Worries over reputational damage if the occurrences become public can compound the issues.
Siloing all responsibilities among a few trusted stakeholders invites complacency and slows response times. Outside auditors or advisers can help segregate duties and responsibilities and provide support for organizations coping with limited resources, staff attrition or a high volume of volunteer workers. Long term, these factors also create barriers to effective fraud awareness and risk management training, leaving organizations more exposed as fraudsters use increasingly sophisticated and frequent schemes.
Protecting a small or resource-limited operation requires more than simple transactional support. Start by asking your current bank whether it has a dedicated fraud response contact and what its wire recall process looks like — before you need to use it.
The preceding content was provided by a contributor unaffiliated with NonProfit PRO. The views expressed within may not directly reflect the thoughts or opinions of the staff of NonProfit PRO.
Kelli Tonkin is the senior vice president and treasury management regional manager at Enterprise Bank & Trust. She leads a team of skilled treasury management officers responsible for growing and deepening client relationships throughout the Southwest.