Nonprofit Cybersecurity Insights: Vendor Impersonation Scams

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager


Protecting your nonprofit from vendor impersonation and other scams

Scammers are becoming more sophisticated in their attempts to defraud businesses. One of the most common scams is one in which an imposter pretends to be a vendor of a trusted company and sends new invoice payment instructions. In 2020, the National Automated Clearing House Association (Nacha) reported 75,000 vendor impersonation schemes, which resulted in losses of over $2.7 billion.

Vendor Impersonation Scam Example

A hacker gains access to ABC Services Company’s system and to the email account of Ann Brown, an employee. The hacker uses Ann Brown’s email account to send an email to ABC Services Company’s client, XYZ Charitable Organization, informing them that invoice payment instructions have changed. The hacker directs XYZ Charitable Organization to wire all future payments to a different bank in Sweden.

XYZ Charitable Organization directs invoice payments to the new bank which total over $65,000.

XYZ Charitable Organization discovers the fraud when an ABC Services Company employee contacts them regarding unpaid invoices.

This is one example. Other variations of the vendor impersonation payment scam could include directions to update the bank account and routing number. Responding to these types of attacks in a timely manner can be particularly difficult because there can be significant delays in the detection of the scam. The fraudulent act is not usually revealed until the legitimate vendor sends a reminder about a payment that is due.

Steps your nonprofit can take to avoid payment and phishing scams

1. Train Your Employees and Volunteers

Your best defense is an informed workforce.

  • Train employees and volunteers to be vigilant and to question any unusual requests.
  • Provide a cybersecurity education and awareness program to keep employees and volunteers up to date on the latest fraud techniques and threats.
  • Frequent training on how to recognize malicious actors is an essential piece of any cybersecurity plan.

2. Verify the Request

If you receive an email or phone call requesting a change in payment instructions,

  • Verify the request with the vendor using a known phone number or email address.
  • Do not use the contact information provided in the email.

3. Check the Invoice

Scammers often create invoices that look similar to the invoices your organization is already used to receiving. They may include names and logos from the vendor they are impersonating. Scammers know that when the invoice is for something critical, like keeping your website up and running, you may pay first and ask questions later. However, once you have paid, you may not be able to recover those funds. It is important to set up a review process for all invoices your nonprofit receives.

  • Match the invoices submitted by a vendor against financial documents like purchase orders and payment receipts.
  • Validate any payment requests received via email. Call the sender at a phone number known to your company and verify the request.

4. Use Secure Payment Methods

Scammers use untraceable payment methods. They often want payment through wire transfers, reloadable cards, or gift cards that are nearly impossible to reverse or track. Use secure payment methods that can be traced and reversed if necessary.

5. Establish Effective Internal Controls

To effectively combat vendor fraud, organizations need to establish effective internal controls.

  • Segregate duties so that no one individual is in a position to control all parts of a business transaction.
  • Implement dual controls by requiring two users to be a part of a transaction. Vendor fraud thrives in organizations where just one employee vets vendor invoices.
  • Conduct regular audits of both your business transactions and your IT infrastructure.
  • Perform periodic reviews of changes made to the vendor master file by someone who is independent of the vendor setup process.
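The dual-control and independent-review points above can be applied mechanically to the change log most accounting systems keep for the vendor master file. The script below is an added example, not code from the article or from Keiter: it reads a constructed change log and payment register, flags any change to a payment field (bank account, routing number, remit-to address) that had no second approver or was approved by the same user who entered it, and then lists payments issued to that vendor within a lookback window, which is the money that may already have gone to the attacker's account. The field names, user ids, vendor ids and amounts are assumptions made for illustration.

```python
"""Periodic review of vendor master file changes.

Added example, not code from the article or from Keiter. It applies the
article's controls (dual control, an approver independent of the person who
entered the change, payments checked against unreviewed changes) to a
constructed change log and payment register. Field and user names are
assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Vendor master fields whose change redirects where money goes (assumed names).
PAYMENT_FIELDS = {"bank_account", "routing_number", "remit_to_address"}


@dataclass(frozen=True)
class MasterChange:
    vendor_id: str
    field: str
    changed_by: str              # user who entered the change
    approved_by: Optional[str]   # second user who approved it; None if nobody did
    changed_on: date


@dataclass(frozen=True)
class Payment:
    vendor_id: str
    amount: float
    paid_on: date


@dataclass(frozen=True)
class Finding:
    vendor_id: str
    kind: str      # "no_approver", "self_approved", "payment_after_unreviewed_change"
    detail: str
    amount: float = 0.0   # only set for payment findings


def review_changes(changes: List[MasterChange], payments: List[Payment],
                   lookback_days: int = 30) -> List[Finding]:
    """Flag payment-field changes that lack independent approval, then any
    payment issued to that vendor within lookback_days of such a change."""
    findings: List[Finding] = []
    unreviewed: List[MasterChange] = []

    for c in changes:
        if c.field not in PAYMENT_FIELDS:
            continue   # phone or contact edits do not move money; skip them
        if c.approved_by is None:
            findings.append(Finding(c.vendor_id, "no_approver",
                            f"{c.field} changed by {c.changed_by} with no second approver"))
            unreviewed.append(c)
        elif c.approved_by == c.changed_by:
            findings.append(Finding(c.vendor_id, "self_approved",
                            f"{c.field} entered and approved by the same user ({c.changed_by})"))
            unreviewed.append(c)

    # A payment made soon after an unreviewed change may already be at the new account.
    for c in unreviewed:
        window_end = c.changed_on + timedelta(days=lookback_days)
        for p in payments:
            if p.vendor_id == c.vendor_id and c.changed_on <= p.paid_on <= window_end:
                findings.append(Finding(
                    p.vendor_id, "payment_after_unreviewed_change",
                    f"${p.amount:,.2f} paid on {p.paid_on} after {c.field} change on {c.changed_on}",
                    p.amount))
    return findings


def exposure(findings: List[Finding]) -> float:
    """Total paid out against changes that never received independent review."""
    return sum(f.amount for f in findings if f.kind == "payment_after_unreviewed_change")


# Constructed sample data: one dual-controlled change, one self-approved, one with no approver.
SAMPLE_CHANGES = [
    MasterChange("V-1001", "bank_account", "abrown", None, date(2023, 3, 1)),
    MasterChange("V-1001", "phone", "abrown", None, date(2023, 3, 2)),
    MasterChange("V-1002", "remit_to_address", "jdoe", "jdoe", date(2023, 3, 3)),
    MasterChange("V-1003", "bank_account", "jdoe", "msmith", date(2023, 3, 5)),
]
SAMPLE_PAYMENTS = [
    Payment("V-1001", 40000.00, date(2023, 3, 10)),
    Payment("V-1001", 25000.00, date(2023, 3, 28)),
    Payment("V-1003", 5000.00, date(2023, 3, 12)),
    Payment("V-1002", 1200.00, date(2023, 6, 1)),   # outside the lookback window
]

if __name__ == "__main__":
    results = review_changes(SAMPLE_CHANGES, SAMPLE_PAYMENTS)
    for f in results:
        print(f"{f.vendor_id}  {f.kind:32} {f.detail}")
    print(f"Exposure from unreviewed changes: ${exposure(results):,.2f}")
```

The review is only as good as the log it reads: the reviewer running it must not be one of the users who can enter vendor changes, and the approver recorded in the log must be a different login, not the same person with a second role, or the self-approval check cannot see the problem.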

6. Be Aware of Common Scams

Scammers regularly find new ways to collect your financial data.

  • Be aware of these scams and take steps to prevent them.
  • Build a network of business peers who can share information about new cybersecurity threats they become aware of.

By following these tips, nonprofit organizations can protect themselves from scams, including vendor impersonation. It is important to be vigilant and to question any unusual requests. By doing so, your organization can avoid falling victim to these scams and protect vital financial resources.

What do you do if your nonprofit is targeted by a scam?

Scams should be reported to the Federal Trade Commission (FTC) online or by phone at 1-877-382-4357. Reporting fraud to the FTC helps the government investigate and bring cases against scammers.

For assistance meeting your organization’s cybersecurity governance needs, contact your Keiter Opportunity Advisor or our Cybersecurity specialists today.


About the Author


Christopher Moschella

Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.


The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.
