Nonprofit Accounting Basics

Phishing and Spoofing Attacks Growing Ever More Common


You know the scam; someone in a foreign country has inherited a large sum of money and needs your help to get the money delivered to them. They just need your bank account information to move the money into, for which you will receive a percentage of the inheritance. Everyone sees these phishing e-mails and most everyone ignores them, but occasionally, they still work. Crooks being crooks, they have found new ways of separating you or your organization from your cash. Spoofing is the latest criminal innovation that finds new victims every day.

Its 4:30 on a Friday, you get an e-mail from the owner or executive director of your organization who happens to be out of town. “You need to wire $10,000 to XYZ Company, I have been working with them very closely on a project and they need the cash right away.” (Or something along those lines.) Not wanting to upset the boss, you wire the money out, per the wire instructions included in the e-mail and leave for the weekend, not realizing that the $10,000 is now gone. On Monday, when you see the owner and ask him about XYZ Company, he says that he doesn’t know what you are talking about. That’s when you realize that the $10,000 and maybe your job is now gone.

So what happened? Many companies have sophisticated computer systems which are ever watchful for hacking attacks. We feel secure behind firewalls, two step verifications, host intrusion software, complex passwords and so on. Where is the weakness? It’s in the person sitting at the keyboard. That’s right, we have become the weakest link. Criminals play on our vulnerabilities. Vulnerabilities such as;

• Its 4:30 on a Friday and we are trying to get out of the office to head off to the beach. We are rushed.

• The boss is out of town. The criminal doesn’t know that, but they know that small business owners and executive directors frequently travel, so it’s a good guess.

• The e-mail comes in from Mary Jones, the owner. Most e-mail systems allow for the transmittal of a name so when the e-mail shows up in your inbox it comes in as Mary Jones, not as The actual e-mail is from You’re responding to the criminal, not your boss.

So what to do to protect yourself and your organization?

Although e-mails are considered by most organizations as “official correspondence,” there should be a two-step process to authorize any financial transaction. An e-mail that arrives directing you should be followed up with:

• a phone call to the person or

• a separate email back to the person who is directing you. This shouldn’t be a reply email, but a separate email directed to them specifically. It should also include a second person who would be allowed to authorize financial transactions in the boss’ absence.

• Wait. If you can’t contact someone, you should wait. It might be a legitimate transaction, but the boss needs to understand that you are gatekeeper and you take that responsibility seriously.

• Bosses need to communicate upfront and make arrangements beforehand if situations like this may possibly occur.

• Never give passwords to anyone. Another common phishing technique uses the same methods as above, but maybe it asks for your e-mail or network password or maybe even your banking password. No one should ever ask for your passwords by email and you should never give those passwords to anyone.


That’s a good thing. The predators are hoping that you’re not. They’re hoping that you want to get this newest “task” completed and off your to-do list quickly. Remember, Thomas Jefferson once said, “Eternal vigilance is the price of Liberty.” The same concept applies here. Phishing and Spoofing attacks growing ever more common.