January 1, 2019

As an auditor, I’ve seen my fair share of fraud attempts. But personally, I had not experienced such an attempt against an organization I was volunteering with – until now. I have the dubious distinction of being among the hundreds of thousands who have received a social engineering phishing email (i.e., solicitation of information by posing as a trustworthy person).

Here’s the scenario: I’m the board treasurer for the local chapter of an association. The fraudsters likely found the board listing online and set up an AOL account (board.pres@aol.com) under the board president’s name. They then used that email address to send me the following email:

Subject: General Expenditures

Am currently out of town. What is our current balance? We have some disbursement to complete immediately.

The fraudsters then signed the message with the president’s full name.

There were several immediate red flags here. They wouldn’t know from the board listing, but our board president doesn’t sign emails with a full name. There was also uncharacteristic poor grammar (“some disbursement”). Additionally, we have a management company that handles our finances, so most inquiries would go there and not directly to me.

Here’s the simple internal control I used (and which is a great first line of defense): I contacted the real board president to confirm the authenticity of the email. (I sent an email to a known, verified email address; I did not respond to the AOL one.)  I immediately received confirmation that the disbursement message was fake. I could have also verified with a personal phone call. The key is to get independent, verified confirmation from the purported source.

It’s a good guess the fraudsters use this “board.pres” email address for many other boards and just change the name on the account when sending out their phishing emails.

Fraudsters cast a wide net – it takes only one fish to make it worth their time. The United States Computer Emergency Readiness Team has a webpage dedicated to social engineering/phishing. It has many helpful tips and is worth bookmarking for the future.

© Clark Nuber PS and Focus on Fraud, 2019. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Clark Nuber PS and Focus on Fraud with appropriate and specific direction to the original content.

This article contains general information only and should not be construed as accounting, business, financial, investment, legal, tax, or other professional advice or services. Before making any decision or taking any action, you should engage a qualified professional advisor.