If you are a charity, local organisation or local business, this is a reminder to stay vigilant and protect yourself from scammers, whether they come by phone call, text message, email or identity fraud.
Magie Dang
In this week’s note, I’m sharing a phishing scam attempt aimed at me, the Finance Manager here at BD Giving, and some preventative measures you can implement to protect yourself and your organisation.
Scams can have deeply detrimental effects on an organisation and its staff. Unfortunately, in the case of Millom Network Centre, scammers succeeded in stealing £47,000 from their bank account through multiple transactions. I can only imagine the distress and impact this must have had on the charity and members involved. Thankfully they did receive a refund and compensation from their bank. You can read more about their story here.
Having been targeted by a similar fraud, I understand the panic and anxiety such events can induce. I am sharing my own experience to illustrate how easily and quickly you can become a victim of a devastating phishing scam.
In my incident, the scammer posed as our CEO, Geraud, sending an email indicating an invoice that needed processing and payment. As the Finance Manager, I deal with multiple invoice requests, so it is not unexpected to receive one from Geraud. The scammer created a fake ‘forwarded email chain’, which prompted me to reply and request a follow-up email with the attached documents for processing.
Here’s a screenshot of the interaction.
As you can see, the email address is not visible, making it easy for me to assume it was directly from our CEO. The timing of the invoice and its relevance to our current projects coincided perfectly, leading me to believe it was one of the expected invoices from our solicitors.
Fortunately, we have security and verification measures in place, which helped us catch this scam before it was too late. As a small team, we communicate regularly, ensuring all invoices are signed off and financial protocols are followed before payments are authorised. However, it took us a couple of hours to realise what was going on.
I’m a big advocate for having two-person authorisation for all payments, even if it may seem cumbersome. This dual authorisation is what prevented the fraudulent payment from being processed, allowing us to cancel it before any damage occurred.
Security tips
To help prevent such scams, here are some essential security measures we should all implement:
- Two-Person Authorisation: Ensure your bank requires two-person authorisation, not just two-factor verification. This means two separate members of your organisation must each authorise and verify any payment before the transaction can proceed.
- Multiple Authorised Signatories: Ensure that there are at least two or three authorised signatories on invoices before proceeding with any payment.
- Effective Communication: When in doubt, verify payment requests on different platforms, preferably in person. Always check with senior management before proceeding with any large payments.
- Voice-Activated Passwords: Agree a spoken password within your management team and confirm it, by voice, before authorising significant payments.
- Double-Check Email Addresses: Always double-check the sender’s email address. This simple step could have prevented the entire incident from escalating.
By incorporating these practices, we can significantly reduce the risk of falling victim to phishing scams.
I am also sharing the invoice sent by the scammers to show the sophistication of the attack. This example highlights both the subtle details that can be overlooked and the critical checks we can perform to ensure an invoice’s legitimacy.
Spotting fraudulent invoices
Here are some ways to recognise fraudulent invoices and verify their validity:
- Check the Logo: Look for signs of a copied and pasted logo, such as box shadows or poor image quality.
- Verify Company Information: Search for the company name and address online to ensure they exist and are legitimate.
- Confirm the Address: Always double-check that the address on the invoice is correct and matches known information.
- Check Recipient Details: Ensure the invoice is addressed to the correct person within your organisation. Scammers often use the CEO’s name to add legitimacy.
- Context: Stay informed about the context of each invoice so that you clearly understand the services or products being billed for.
- Validate Bank Account Information: Confirm and verify any bank account details provided on the invoice before processing payments.
In response to this incident, we promptly reported the email address associated with the phishing scam. As the perpetrators included their personal bank details, we also notified their bank in hopes of initiating an investigation and potentially closing such accounts.
I shared this information within our network to emphasise the severity and potential impact of such incidents, not only on charities but also on local organisations and small businesses.
This experience is a reminder to remain vigilant and to take a moment to pause, especially when things get urgent. For your safety, avoid sharing sensitive information over the phone or via email and always follow your organisation’s protocols.
Wishing you and your charity or business all the best!