By Jesse Daves
The article “Nonprofits, Don’t Get Caught in Phishing Schemes” (read the article here) outlines a deceptive breed of phishing scheme that has become common within the nonprofit sector. Specifically, in recent years, there has been a global surge in fraud schemes designed to trick companies into sending wire transfers to bank accounts set up for this fraudulent purpose, often in another country.
When learning about a scheme of this type, an organization should work with a seasoned investigative team and follow the steps below to quickly identify and remediate the fraud.
1. Preserve and Plan
Early in an investigation, it is critical to identify sources of potentially relevant data. Relevant sources include computers, email messages and attachments, mobile devices, network files and logs, as well as various accounting records. Once the sources of information are identified, developing a preservation and analysis plan, including proper “chain of custody” procedures, must be established. Make certain that evidence is properly preserved to maintain its integrity and defensibility.
2. Interview
A fraudster’s strategy relies upon human error and employee fallibility. An investigative team must understand the level of employee participation, if any, in the scam. Interviews of company employees are often conducted to determine whether an employee was a witness, victim or should be the subject of an investigation. Background checks, or investigative due diligence, are often conducted to determine if there are other factors that might influence decisions made by employees. An investigation should include a review of a company’s internal controls, especially those processes associated with executing wire transfers. Collaborating with counsel to address legal concerns involving employees, privilege issues or whistleblower matters is also prudent.
3. Analyze
Analyzing the following data points is key:
- Wire transfer activity and related accounting records
- Email messages and attachments
- Network files
- Mobile devices
- Computers and hard drives
- Phone records
- Network logs and/or traffic
- Internet research related to domain registration
- Policies and procedures related to disbursements
An investigation should also rule out possible malware or other malicious software that may have resulted in an unauthorized intrusion.
4. Communicate
Communication with the relevant board members is essential, including regular updates about the investigative approach and findings. While employees may be stressed throughout the course of an investigation, board members will be keen on finding answers-—particularly about the internal controls environment and understanding the security measures surrounding their funds.
5. Recover
How much effort is warranted to recover funds lost in a fraudulent wire transfer? Fraudsters have become adept at disguising ownership of email addresses (domains) and bank accounts, especially those residing in foreign jurisdictions. An organization should determine if insurance coverage under fidelity bond or computer crime polices for this type of event may be a better option than recovery efforts. A report can also be filed with the Federal Bureau of Investigation to be considered among the growing number of reports filed each year by companies that are similarly defrauded.
6. Remediate and Prevent
It is important to uncover what happened, determine who was involved, identify the potential for recovery and create a remediation plan to mitigate similar fraud events in the future. Successful remediation plans close gaps in the internal controls environment, employ monitoring tools to detect intrusion and include training and education programs.
This article originally appeared in BDO USA, LLP’s “Nonprofit Standard” newsletter (Winter 2015). Copyright © 2015 BDO USA, LLP. All rights reserved. www.bdo.com
