You might not realize it, but from an early age, you’ve been warned about impersonation schemes. Think of such classic examples as the Big Bad Wolf acting like Granny in Little Red Riding Hood or the Wicked Queen’s shapeshifting in Snow White. Unfortunately, we are seeing a rise in impersonation schemes in real life, and many of these stories don’t have a happy ending. Here are a few current examples, and how to protect yourself from them.
Examples of Vendor Impersonation Schemes
A local nonprofit received an email from a major vendor’s CFO stating that the vendor needed to update the payment account information and that all future payments should be made to this account. The email looked legitimate to the CFO, so he made the change. The nonprofit then received a series of three invoices totaling over $100,000 that it processed, approved, and paid.
Eventually, the frequency and amount started to raise suspicion with the CFO, who then contacted the vendor and realized they’d been had. They are now working with the bank, authorities, and their insurance company to determine what, if anything, can be done to recover the funds.
In another example of vendor impersonation, the accounts payable person at an organization received a call from someone claiming to be from a major vendor explaining that, due to COVID, they had some changes in personnel and that their vendor contact person had changed. They asked if the clerk could update the contact name in the vendor master file.
A few weeks later, someone using the new vendor contact name called the organization and told them that the vendor had recently changed their payment process and asked if the organization could update the bank routing information in the accounts payable system. The clerk verified that the name of the person was the same as the one in the vendor master file, and therefore concluded it was ok to update the payment information.
As invoices came in over the next few months, the organization paid each one, sending the payments to this new bank account. The vendor noticed invoices weren’t being paid by the organization, but they were being lenient with the nonpayment, because the nonprofit had been such a good customer over the years and the vendor assumed COVID had put them in a cashflow crunch. However, after several months of non-payments, the vendor decided it was time to call the organization and see if the organization could pay something or be set up on a payment plan. It was only then that the organization realized they had been defrauded.
How to Catch Vendor Impersonators
What can we learn from these examples?
In the first example, the vendor had been hacked, and the hacker had most likely monitored the CFO’s emails to gain an understanding of that person’s style when emailing. The emails originated from within the vendor’s email system and had a similar style and tone to prior emails from that vendor.
In the second example, the request to change the vendor contact seemed innocuous enough, but it added a level of legitimacy to the second request to change the payment information. Both examples were extremely well thought out and tough to detect.
The biggest lesson you can take away from these examples is that if you receive a request to change the vendor contact or vendor payment details, always call the vendor directly to confirm that the request is legitimate.
Examples of Employee Impersonation Schemes
Most people are aware of these schemes and may have even personally experienced them. In an employee impersonation fraud, the hacker gets into the system and sends out fake emails from a high level officer, with the goal of tricking employees into doing something they shouldn’t.
Here are some recent variations of that scheme. In them, the fraudster:
- Contacts the payroll clerk claiming to be an employee who has moved and needs to change their direct deposit information.
- Spoofs an email from the executive director to IT requesting that their IT privileges be escalated in the system. This would allow the fraudster access to sensitive data and the power to push the data out of the system.
- Pretends to be from IT and asks an employee working from home to allow them remote access to the employee’s computer “to make security upgrades.”
- Spoofs an email from the executive director to the HR director asking the HR director to send sensitive employee data.
- Spoofs an email from HR to employees claiming there are changes to the policies and procedures that the employee must read and acknowledge, then instructs the employee to click on a link that contains malware.
- Spoofs an email from the executive director to the CFO directing that money be wired to another organization. This is the example most people are familiar with.
How to Catch Employee Impersonators
What can we learn from these examples?
It’s important to educate employees that if they get a request to send sensitive information, send money (wire transfer, bitcoin, gift cards, etc.), or click on strange links, that the employee should reach out directly to the requestor to confirm it is a valid request before acting.
There are many other examples of impersonation schemes, such as law enforcement, family, friends, government agencies, and medical personnel. Regardless of the form the impersonation scheme takes, the best advice is, if you are being pressured into acting quickly or something seems off, you need to trust your gut and call a time out to verify the facts before acting. Pausing a minute to double check may be all it takes to stop the scheme.
©2021 Clark Nuber PS. All rights reserved.