Gone Phishing: One Accountant’s First-Hand Experience With a Social Engineering Attack

Posted on Jan 1, 2019

By Victoria Kitts, CPA, CFE

As an auditor, I’ve seen my fair share of fraud attempts. But personally, I had not experienced such an attempt against an organization I was volunteering with – until now. I have the dubious distinction of being among the hundreds of thousands who have received a social engineering phishing email (i.e., solicitation of information by posing as a trustworthy person).

Here’s the scenario: I’m the board treasurer for the local chapter of an association. The fraudsters likely found the board listing online and set up an AOL account (board.pres@aol.com) under the board president’s name. They then used that email address to send me the following email:

Subject: General Expenditures

Victoria,
Am currently out of town. What is our current balance? We have some disbursement to complete immediately.

The fraudsters then signed the message with the president’s full name.

There were several immediate red flags here. They wouldn’t know from the board listing, but our board president doesn’t sign emails with a full name. There was also uncharacteristic poor grammar (“some disbursement”). Additionally, we have a management company that handles our finances, so most inquiries would go there and not directly to me.

Here’s the simple internal control I used (and which is a great first line of defense): I contacted the real board president to confirm the authenticity of the email. (I sent an email to a known, verified email address; I did not respond to the AOL one.) I immediately received confirmation that the disbursement message was fake. I could have also verified with a personal phone call. The key is to get independent, verified confirmation from the purported source.
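The red flags above (a known officer’s name on an unknown free-webmail address, urgent money talk in a short note) can be turned into a simple triage check. This is an added example, not part of the original post; the roster, the placeholder president’s name, the keyword list and the sample messages are constructed, and board.pres@aol.com is the address quoted in the post.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed roster: names the chapter knows, mapped to the address each
# person is verified to send from (the "known, verified address" the author
# used for out-of-band confirmation). "Pat President" is a placeholder name.
ROSTER = {
    "Pat President": "president@example-chapter.org",
    "Victoria Kitts": "treasurer@example-chapter.org",
}
FREE_WEBMAIL = {"aol.com", "gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_TERMS = ("immediately", "urgent", "out of town", "balance", "disbursement", "wire")

def red_flags(raw_message: str) -> list[str]:
    """Return the red flags found in one raw RFC 822 message (empty list = none)."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    known = ROSTER.get(display_name.strip())
    flags = []
    # Flag 1: a roster name on an address other than that person's verified one.
    # This is the "board president on a fresh AOL account" pattern from the post.
    if known and known.lower() != address.lower():
        flags.append(f"display name '{display_name}' does not match verified address {known}")
    # Flag 2: an officer's name arriving from a free-webmail domain.
    if known and domain in FREE_WEBMAIL:
        flags.append(f"officer mail from free webmail domain {domain}")
    # Flag 3: urgency plus finance wording; two or more hits is the threshold here.
    body = "" if msg.is_multipart() else str(msg.get_payload()).lower()
    hits = [t for t in URGENCY_TERMS if t in body]
    if len(hits) >= 2:
        flags.append("urgency/finance wording: " + ", ".join(hits))
    return flags

# Constructed sample modelled on the message quoted in the post.
PHISH = """\
From: Pat President <board.pres@aol.com>
To: Victoria Kitts <treasurer@example-chapter.org>
Subject: General Expenditures

Victoria,
Am currently out of town. What is our current balance? We have some disbursement to complete immediately.
"""

# Constructed benign message from the verified address, for contrast.
LEGIT = """\
From: Pat President <president@example-chapter.org>
To: Victoria Kitts <treasurer@example-chapter.org>
Subject: Q3 statement

Victoria, please forward the Q3 statement when convenient. Thanks.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, "->", red_flags(raw) or "no flags")
```

Whatever the check reports, the decision step stays the one the post describes: confirm with the purported sender through a channel you already trust, never by replying to the suspicious message.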

It’s a good guess the fraudsters use this “board.pres” email address for many other boards and just change the name on the account when sending out their phishing emails.

Fraudsters cast a wide net – it takes only one fish to make it worth their time. The United States Computer Emergency Readiness Team has a webpage dedicated to social engineering/phishing. It has many helpful tips and is worth bookmarking for the future.

© Clark Nuber PS and Focus on Fraud, 2019. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Clark Nuber PS and Focus on Fraud with appropriate and specific direction to the original content.


This article or blog contains general information only and should not be construed as accounting, business, financial, investment, legal, tax, or other professional advice or services. Before making any decision or taking any action, you should engage a qualified professional advisor.

