Are your payments a target for fraud?
In 2020, AFP reported that 66% of companies experienced fraud through payment by check. Wire transfers made up 39% of the attacks, with ACH debits accounting for 34%. Corporate/commercial cards (24%) and ACH credits (19%) follow closely behind. Sophisticated fraudsters with time and patience can cause significant losses by attempting to appear legitimate and attacking during vulnerable nonprofit organization transitions.
Your first line of defense is to understand the risks. There are two key fraud threats that can affect nonprofits using digital channels to conduct business, as identified by the AFP.
Business Email Compromise (BEC) Fraud
A fraudster impersonates a vendor, nonprofit executive, or another trusted financial partner – ultimately tricking you into making the payment to them.
According to the AFP’s 2021 survey, BEC fraudsters successfully target 76% of the impacted organizations in 2020, up from 64% in 2015. Accounts payable departments proved the most vulnerable part of the organizations, targeted 61% of the time. According to the 2020 FBI Crime Report, adjusted BEC losses totaled $1.8 billion, with an average loss of $93,000.
Enhance or create processes to protect your nonprofit organization against BEC fraud. The Federal Bureau of Investigation advises:
• Verify requests for a payment or transfer of funds by obtaining verbal confirmation using the contact information on file when requests contain red flags.
• Confirm requests for wire transfers or payments using a dual control process, allowing a second chance to identify and prevent potential fraud.
• Pay attention to details when making system account changes and confirm recent account changes before approving payments.
• Keep software systems up to date and use a good anti-virus program.
• Reconcile bank accounts daily.
• Promote employee security awareness to safeguard email accounts and login credentials.
• Implement dual custody protocols, requiring two users, on different devices, to initiate and approve online payments, payment instruction changes, and administrative changes.
• Verify payment changes with requestors before initiating requests and notate changes made (approvers should be able to verify both the payment and payment instructions).
Online Account Takeover (ATO)
Thieves gain access to make unauthorized transactions including funds transfers, creating and adding fake employees to payroll, and stealing sensitive customer information. The criminal typically leverages social engineering and malware to steal confidential information to access online accounts.
According to fbi.gov (2021) social engineering, commonly known as phishing, are schemes aimed at tricking you into providing sensitive information to scammers. With malware, attackers install malicious software surreptitiously on computers without consent to gain access to accounts and send unauthorized payments or the malware attack will block you from files, systems or networks. Ransomware is when a ransom payment is involved.
According to the Federal Trade Commission, best practices that help protect against ATO fraud include:
• Do not share online banking credentials.
• Do not click on links or download programs or attachments in emails or text messages, unless they are from a trusted sender.
• Be wary of unsolicited phone calls or text messages concerning unreported system issues.
• Use notification and alert services to receive text or email notifications regarding electronic debits from your accounts.
•Digitize your banking to make it easier and safer for donors and vendors
Advancing your nonprofit’s banking from analog (paper/check payments) to digital can streamline your operations, improve cash flow, and create a more seamless experience for donors and vendors. Banks, like Wells Fargo, can use technology such as application programming interfaces (APIs) to securely automate payment disbursement and collection processes. Digital payment options include Disbursements with Zelle, wires, electronic transfers using the Automated Clearing House (ACH) network, and commercial credit cards. Your financial partner can also assess your online donation collection system and help integrate it with your online banking portal.
Remember, one size does not fit all when it comes to cybersecurity, financial risk management, and digital payments. Integrate digital banking solutions and risk controls that best reflect your nonprofit organization’s priorities. Create an actionable response plan in case of a fraud attack. Remember to educate your vendors, trading partners, and donors – they are targets too. Simple process enhancements can help create operational efficiencies and help safeguard against cyber fraud.
Matthew Thomason is Wells Fargo Treasury Management and Payment Solutions Market Leader for Southern California. He can be reached at
firstname.lastname@example.org or (858) 261-6446.
Opinions expressed in this article are general and not intended to provide specific advice or recommendations for any individual or association. Contact your banker, attorney, accountant, or tax advisor with regard to your individual situation. The author’s opinions do not necessarily reflect those of Wells Fargo Commercial Banking or any other Wells Fargo entity.