Carolyn Woodard: Welcome to the Community IT Innovators’ Podcast. My name is Carolyn Woodard, and I am the Outreach Director for Community IT. I'm very excited to be here today with my friend, Carole Melvin, from Your Part Time Controller.
Carole, would you like to introduce yourself and what you do?
Carole Melvin: Thank you so much, Carolyn. And I'm equally excited to be here talking with you. I'm Carole Melvin from Your Part Time Controller or YPTC, as it is known.
YPTC is a financial and accounting services organization. We serve nonprofits. That's all we do.
We work with nonprofits to make stronger financial management teams. We have over 1,800 clients across the country in 11 different physical markets, but we're serving nonprofit clients all across the country, everywhere, because we're delivering our services remotely as well as in person.
I've been with YPTC for a little over five years. Currently, I'm the Regional Director for the Mid-Atlantic and Southeast Division, and I serve nonprofit clients as well. So happy to be here.
Carolyn Woodard: I wanted to follow up with you because we did a webinar together, maybe a couple of years ago, about financial fraud at nonprofits. And I know that there have been some changes, like there's some new tools, there's AI, of course, everyone's talking about. I wanted to connect back with you.
Can you share with us, are there new scams that people are seeing and hopefully not falling for, but maybe are falling for?
What are the new things that are happening in terms of financial fraud?
Carole Melvin: Yeah. Well, financial fraud, there's no getting around it. We know that it's increasing every year, there's always new kinds of fraud.
Nonprofits are susceptible to fraud just like other organizations. Sometimes there's a misconception that nonprofits are doing good in the world and who is going to take advantage and perpetrate fraudulent activity on nonprofits. But of course, they do and they're particularly vulnerable because often nonprofits may perhaps not have as robust of internal controls because they have a lean staff.
They are susceptible and we are talking about this because controllers not only have to be responsible for accounting and finance, but being vigilant and understanding the looming threat of cyber fraud has become part of our job every day.
Some of the things that we are seeing, a lot of it is related to the accounts payable function in our clients.
We're definitely seeing where a fraudster will compromise the email, the official business email, often the AP email, and then use that email to move funds. That's something that has happened many times, unfortunately.
We're also seeing vendor impersonation. We talked about a couple of these cases where a fraudster will pose as a legitimate vendor, because they are aware that the nonprofit is working with that vendor. And they will send fake invoices, create fake email addresses, and mimic that real vendor's website and the way that they look.
And they'll trick the nonprofit organizations into transferring funds into that account. We definitely see more and more of that. It's not as uncommon as it used to be.
And then we just saw this recently again, where the bad actor hijacks and actually takes control of the email, often forwarding the email to their own email, intercepting and acting.
You think you're communicating with your real vendor, but of course, you're actually communicating with the fraudster. And we've seen that it has been very successful for the fraudster in sending funds.
So those are some of the things that we typically see. And I know you just mentioned this in your last podcast about one of the newest frauds that we're seeing is the in-person event phishing, where they get you to click on a link and sign in, and then you're compromising your information as well. And we've even seen where people have gone to the event, and there is no event.
There is no event.
But in that email, you've given them the sign-in information because you're logging in and then your account is compromised.
Carolyn Woodard: Yeah, maybe we're a victim of our success in training people to be very suspicious of phishing emails that have a link. You're not supposed to click on a link. Also, a lot of automatic programs will keep those emails out of your inbox, so you won't even see them.
But what we saw is that a way around that is a document. In the case that we saw, it also is social engineering. It's more of a long con or a more in-depth scam. They're trying to prey on your emotions.
This person had been invited by - I think it was a senator's aid on a committee that wanted to talk about this nonprofit’s expertise in a policy area. They were inviting this person to a meeting at a restaurant and attached in the email they had a document that was the itinerary of how this aid from the senator was going to meet with the person for lunch.
The link to make the appointment was in the document, the itinerary. It was in a Word document that the person opened. And then that link was a fraudulent link, or a link to the scammers. But then to make the calendar event, she entered her credentials. So that was what they were trying to get is the ability to use those credentials. And then she showed up at the meeting and there wasn't a reservation. That was a couple of days later, so the fraudsters had access for a couple of days at that point. It was really insidious.
Carole Melvin: Yes, and the psychology of these wire fraud, it's really quite sophisticated. I think that's why nonprofits and I would say, anyone dealing with financial management in general, are even more susceptible because we're so wired, pun intended, to be fast at answering these urgent requests.
We want to make sure we're taking care of our clients, of our chief executives, of our constituents. Folks who are working in a nonprofit are thinking, if I don't respond to this urgent email, then someone is not going to get the services that they need. So it's that urgency that the fraudsters create in these emails.
It's easy to understand why you could fall for that, especially if you're in a high stress, high pressure, fast paced environment, your defenses might be down.
And it's also when they're giving you little pieces that check out, right? The email seems to be from the person it's supposed to be from. And sometimes it is from that person because that person’s identity is compromised, and the fraudsters are in their system sending out emails actually from their server.
So it's a real email, it's just they're not sending it. The fraudster is hacked into their system. Sometimes it tricks your brain into rationalizing it.
Yeah, okay, maybe they are asking me for this urgent payment to wire this payment because we have this contract coming up. And so you fill in the missing gaps of, yes, this makes sense. And that's why it's so easy to fall for.
Carolyn Woodard: I think we're also seeing the rise of AI has given fraudsters more tools at their disposal. They can pull information about your staff from different areas of the internet.
We had one attack where it was the person's personal Facebook that the fraudsters messaged through about something having to do with her position at the nonprofit. They knew that that Facebook account was the same person as on the org chart, at the nonprofit and they were able to be very convincing in that way, too.
Carole Melvin: Yeah, yeah, it's really hard because nonprofits that are serving the community need to communicate with the community. They're providing information about what their services are, what they're doing, where they're doing it. But yet you are setting yourself up for fraud because you give all that information.
We're seeing a lot of our clients taking email addresses off the website and being really careful with the information they are sharing.
Carolyn Woodard: With that in mind, I want to pivot a little bit. We've talked about all the ways they can get you.
Do you have some advice on the ways that you can prevent these types of attacks?
I know some of them are analog, like having sophisticated IT tools that help keep your inbox as safe as possible and keep spam and unwanted emails and phishing emails out of your inbox, so you don't even see them. But are there some other tips and tricks that you can take to stay safer?
Carole Melvin:
● Starting with fraud awareness in general and making sure that there is zero tolerance for risk, if that's possible.
● And making sure that the tone at the top is clear, that everyone knows that this is important.
Sometimes, talking about psychology, someone might not want to ask someone to verify, right? But if you have that tone at the top, the understanding that this is how we're going to operate. We are going to trust, but verify. I think that helps. People will be inclined to take those additional steps. I think that's first and foremost.
● Having fraud awareness training, having regular trainings, little mini trainings. Gone are the days where we do it in the annual training, right?
It's these frequent small trainings, where you're keeping it top of mind for people. They will hopefully pause before they click on that link, because this is something that is being talked about, and everyone really understands.
● In addition to developing that tolerance, the tone at the top, the fraud awareness training, and all of the internal software applications that you can use, we're also looking at just when you do get that urgent request, taking time to confirm that it is a real vendor. This is the simplest and most effective way is to pick up the phone and call, and don't use the phone number that is in the email that is provided.
Use a phone number that you know to be correct. And that's really the easiest way - verbal verification via phone. This prevents a lot of loss from happening.
We also were talking about setting up some sort of
● advanced verification protocols,
● having a certain code or password,
● making sure that there's also really good internal control about the dollar amount threshold that's going to require even more stringent confirmation.
That's your best line of defense really against those fraud attacks. And like I said, really pausing before you click on anything, change bank accounts, all of that is just making people aware to fight that sense of urgency and verify.
Carolyn Woodard: That all makes sense. I think also one thing we talk a lot about with our cybersecurity training is encouraging that culture of and training around what are your next steps. It's clearly the reason we get all of these emails and phishing links. People go to these efforts to trick us because it works a lot.
There shouldn't be a stigma around having clicked on the wrong thing. But everyone needs to know, if you think you just did that, who you tell next and how quickly you need to tell someone.
Carole Melvin: That's so true. It does happen and the key is knowing immediately, oh, no, I just clicked on that. Having that plan, you need to immediately drop everything and call your IT provider. Because often, they do have time to intercept, because a lot of times these bad actors, they're doing a wide swath and then they're coming back later to see what the hits are.
So sometimes if you know that you did something that maybe you shouldn't have, even if you're not sure, call your IT person, have them jump on and see if there's been any compromise, and they can often address it right then and there.
Carolyn Woodard: Yeah. We have a staff person who says he'd rather have 99 false positives to catch that one that really was a hack. Try to encourage that internal culture of if you're not sure, tell someone.
If it turns out to be nothing, fine, that's great. You did the right thing. Don't be worried about, oh, I'm going to bother them, or I've already turned in two today, so maybe I'll just not do this one.
It's really important for your IT staff and your supervisor to know what's going on. And I think in general, they'd rather have 99 that were okay, instead of having the one that wasn't okay get through.
Carole Melvin: Yeah, absolutely. That gets back to the culture because you could be embarrassed. I can't believe that I did that. I know better. You feel awful, but it could be worse. It could get worse. You have to immediately own up to clicking on that or doing whatever it was. And chances are you do have time if you address it immediately.
Another very simple prevention technique that we recommend for all our clients, it's just reviewing your bank activity every single day. Looking at that feed to make sure that all the transfers, all the EFTs and ACHs and all the transfers, wire transfers, in particular withdrawals, all of those are what you expected.
And it's a very simple, easy way. We hear all the time that that's a great way to catch things before it's too late, when it's still pending. Someone should be tasked with doing that every single day.
Carolyn Woodard: That makes so much sense. All right, so I have one last question for you. We've talked about a lot of the types of scams that we're seeing, and you've given us lots of great tips.
Is there one thing that you would say to everyone? If you can't do anything else, do this one thing. What would that advice be?
Carole Melvin: Oh, that's a good question.
Having that professional skepticism, I would say. We always want to think the best of everyone, but knowing that it does happen every day, it can happen.
Understanding it could happen to us. It could happen to all of us. I think it is important to understand that we need to have good internal controls. You need to be reviewing those.
You need to have lots of training. It needs to be top of mind, really.
Carolyn Woodard: Those are all great, great suggestions. And thank you so much for sharing your experience and expertise in this area and the things that you're seeing with us. I really appreciate your time today, Carole. Thank you.
Carole Melvin: Thank you so much. This is an important topic and it's great to have another partner to work with serving our nonprofit clients. Thank you so much.
