The Austin Chapter of the ACFE has been targeted by fraudsters numerous times during the time I have served on the Chapter Board. Generally, these attempts arrive as phishing emails spoofed to appear that they come from the Chapter President and are directed to the Chapter Treasurer. Having watched this over the past few years, I have come to recognize the patterns and telling characteristics of these spoofed emails, and so far we have prevented any fraud on the Chapter. Undaunted by our success at avoiding fraud, the emails continue to come, but the fraudsters have now changed their tactics slightly in a way that may offer them a better chance of success.
The old fraud:
The phishing method fraudsters have used for the past several years is to send emails directing the treasurer to send money to some entity, or asking for the current balances we have on deposit. Many spoofed emails are easily detected just by looking at the email address from which they were sent. Some of the more creative fraudsters would use the actual email address of the person they were spoofing in the “From” field, but when you replied to the email, a slightly different address was substituted. Modern email systems make it very easy to set a “Reply-To” address that differs from the sending address: the two headers are independent of each other, and most email clients honor the “Reply-To” without drawing attention to it.
Here is an example of one that the chapter received recently attempting to get one of our members to send money:
---------- Forwarded message ---------
From: Billy Petty <firstname.lastname@example.org> (Don’t email me here, this is fake)
Date: Sat, Oct 6, 2018 at 9:40 AM
The “From” email address is a dead giveaway that this email is phishing, if you know that I do not use that email address. In more sophisticated instances, the “From” field will show my real email address, but the “Reply-To” address will be something different. The “Reply-To” address does not usually become apparent until you actually create the reply, so check the recipient address of your reply before you send it.
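As an added example (not from the original article, and not the chapter’s own tooling), here is a small Python check for the two patterns just described: a familiar display name sitting over an address that person does not use, and a “Reply-To” that differs from “From”. The two sample messages, the addresses and the domains are constructed for illustration.

```python
"""Header checks for the two spoofing patterns described above: a "From"
address that is not the one the named sender really uses, and a "Reply-To"
that silently redirects the answer elsewhere. Added example, not the
chapter's own tooling; every address and domain here is made up."""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample 1: the "From" shows the president's real address, but the
# "Reply-To" (where a reply actually goes) points at a look-alike domain.
REPLY_TO_SPOOF = b"""\
From: Billy Petty <president@austinacfe.example>
Reply-To: Billy Petty <president@austinacfe-mail.example>
To: Treasurer <treasurer@austinacfe.example>
Subject: Quick payment needed today
Date: Sat, 06 Oct 2018 09:40:00 -0500

Please pay the vendor below today and I will make sure you are reimbursed.
"""

# Constructed sample 2: the "dead giveaway" case, a display name we know over
# an address that person has never used.
FROM_SPOOF = b"""\
From: Billy Petty <billy.petty.acfe@freemail.example>
To: Treasurer <treasurer@austinacfe.example>
Subject: Current balances?
Date: Sat, 06 Oct 2018 09:40:00 -0500

Can you send me the current balances on deposit?
"""

# Known-good addresses for the people most often impersonated (constructed).
KNOWN_SENDERS = {
    "billy petty": {"president@austinacfe.example"},
}


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address ('' if there is no '@')."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def check_headers(raw: bytes, known: dict = KNOWN_SENDERS) -> list[str]:
    """Return warnings for the message; an empty list means nothing was flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    warnings: list[str] = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()

    # Check 1: the display name belongs to someone we know, but the address
    # is not one of theirs (the "dead giveaway" case).
    expected = known.get(from_name.strip().lower())
    if expected is not None and from_addr not in expected:
        warnings.append(f"From address {from_addr!r} is not a known address for {from_name!r}")

    # Check 2: a Reply-To that differs from From. A reply goes to Reply-To,
    # so this is the header to compare before hitting send.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(str(reply_to))
        reply_addr = reply_addr.lower()
        if reply_addr != from_addr:
            warnings.append(f"Reply-To {reply_addr!r} differs from From {from_addr!r}")
            if domain_of(reply_addr) != domain_of(from_addr):
                warnings.append(
                    f"Reply-To domain {domain_of(reply_addr)!r} is not the From domain "
                    f"{domain_of(from_addr)!r}"
                )
    return warnings


if __name__ == "__main__":
    for label, sample in (("reply-to spoof", REPLY_TO_SPOOF), ("from spoof", FROM_SPOOF)):
        print(label)
        for w in check_headers(sample):
            print("  WARNING:", w)
```

One caveat worth keeping in mind: a “From” that matches the real address proves nothing by itself, because the sender writes that header. Whether the sending system was actually authorized for the domain is what SPF, DKIM and DMARC decide, and the receiving mail server records that verdict in an Authentication-Results header; this script does not look at it, so treat it as a first screen, not as proof that a message is genuine.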
The new twist:
We have recently seen a trend where people associated with the chapter, other than the treasurer, receive email that appears to be from the chapter president directing them to send money to a third party with the promise of reimbursement by the chapter. The only real change is the target: rather than the chapter treasurer, the fraudsters are going after others associated with the chapter, trying to get members to pay with their own money on behalf of the chapter on the promise of being reimbursed.
Mitigation of the risk:
As a chapter we use multiple methods to prevent fraud: budgets, out-of-band communication for payment requests (something other than email or an online message), and sharing information about new threats.
The chapter budgets for expenses for the year, and each board member has input in that process. The budgeting process not only helps us to plan our finances, but also helps us to recognize an unusual pattern of spending or unusual requests for spending.
There is an agreement between the treasurer and president about how requests for disbursements will be made. Typically these are made either face-to-face or by a phone call (for a phone call, use a number you already have, not one supplied in the email). Because of the frequency of phishing emails and the skill that has gone into some of them, we do not accept email as the only channel for requesting that a payment be made.
We share information among ourselves as we see different approaches being used to try to defraud us. Just as we are doing with this short article and in all of our training, sharing information about the tactics and techniques being used helps us all to prevent, or at least mitigate, fraud.
As a chapter, we will not normally request that members incur any expenses on behalf of the chapter to be reimbursed later. Your board members will occasionally incur small expenses that are reimbursed, but these are planned and expected. If you receive any request like this, I would encourage you to reach out to me or another board member before sending any money, as it would very likely be a phishing email.
Why not report this to police?
These types of fraudulent attempts can certainly be reported to law enforcement, as they are criminal attempts to defraud. Unfortunately, the volume of these phishing attempts is overwhelming for law enforcement, and often there is too little information available to launch an investigation with any chance of identifying and arresting the offender.
When phishing attempts are received, one technique that can be used to stop them is reporting the phishing attempt to the company that hosts the domain name or to the company that hosts the email service. A “whois” query of the domain name, through a service such as CentralOps.net or the whois command-line tool, will identify the registrar that controls the domain name, and the record normally lists the registrar’s abuse contact. Reporting the abuse to the registrar will usually result, eventually, in suspension or cancellation of the domain, which stops the phishing attempts for a short time. Unfortunately, acquiring a new domain is simple and relatively inexpensive, so this is unlikely to be a permanent solution.
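As an added example (not from the original article), the following Python script pulls the fields you need for an abuse report out of whois output, and also works out how old the domain is, since a domain registered only days before the email arrived is itself a warning sign. The whois text is a constructed sample in the layout gTLD registrars use; the domain, registrar and contacts are made up.

```python
"""Pull the registrar and its abuse contact out of whois output so that the
phishing domain can be reported, and compute how old the domain is. Added
example, not from the original article; the whois text below is a constructed
sample in the layout gTLD registrars use, not a real record."""
import sys
from datetime import datetime, timezone
from typing import Optional

# Constructed whois output for a made-up look-alike domain taken from a
# phishing email's "Reply-To" header.
SAMPLE_WHOIS = """\
Domain Name: AUSTINACFE-MAIL.EXAMPLE
Registry Domain ID: 0000000000_DOMAIN_EXAMPLE-VRSN
Registrar WHOIS Server: whois.registrar.example
Registrar URL: http://www.registrar.example
Updated Date: 2018-10-01T14:02:11Z
Creation Date: 2018-10-01T14:02:11Z
Registry Expiry Date: 2019-10-01T14:02:11Z
Registrar: Example Registrar, LLC
Registrar IANA ID: 9999
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.HOSTING.EXAMPLE
Name Server: NS2.HOSTING.EXAMPLE
>>> Last update of whois database: 2018-10-06T15:00:00Z <<<
"""

# whois field name (lower-cased) -> key in the parsed result.
FIELDS = {
    "domain name": "domain",
    "registrar": "registrar",
    "registrar whois server": "whois_server",
    "registrar abuse contact email": "abuse_email",
    "registrar abuse contact phone": "abuse_phone",
    "creation date": "created",
}


def parse_whois(text: str) -> dict:
    """Extract the report-relevant fields; the first value seen for a field wins.
    Splitting on the first ':' keeps URLs and timestamps in the value intact."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        name = FIELDS.get(key.strip().lower())
        if name and name not in out:
            out[name] = value.strip()
    return out


def _parse_time(value: str) -> datetime:
    """ISO-8601 timestamp to an aware datetime; a trailing 'Z' means UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def domain_age_days(record: dict, seen_at: str) -> Optional[int]:
    """Whole days between the domain's creation and the moment the email was
    seen; None if the record carries no creation date. Phishing domains are
    often registered days before use, so a very young domain is suspicious."""
    created = record.get("created")
    if not created:
        return None
    return (_parse_time(seen_at) - _parse_time(created)).days


if __name__ == "__main__":
    # Usage: whois <domain> | python report_target.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WHOIS
    rec = parse_whois(text)
    print("domain:     ", rec.get("domain"))
    print("registrar:  ", rec.get("registrar"))
    print("report to:  ", rec.get("abuse_email"), rec.get("abuse_phone"))
    # Date of the sample phishing email shown earlier, as an example timestamp.
    print("age (days): ", domain_age_days(rec, "2018-10-06T09:40:00-05:00"))
```

The real lookup is the `whois` command on the domain (or CentralOps.net, as the text suggests), piped into the script. Registrars differ in layout, so if a field comes back empty, look at the raw output; the abuse email and phone are the fields the registrar’s ticket form will ask for, and the creation date is worth quoting in the report.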
Phishing is a problem we will have for the foreseeable future. A mixture of traditional anti-fraud controls and continued learning about these techniques is the best protection we have to keep our organization, and ourselves individually, from becoming victims of this type of fraud.