Phishing Attempts Have Gotten Personal

Since becoming the treasurer of a large nonprofit, I’ve experienced many phishing attempts that have taken things to the next level. No longer am I just receiving the generic emails from a Nigerian prince or a stranded “relative” traveling in another country. No, these new phishing emails are customized just for me! These phishers are doing their homework. They are posing as others within my organization and are asking me to process payments for “vendors.” The emails are good. They have the same organizational signatures that we have. They have the organization’s tagline. They know the names of the other people within the organization who may request these types of payments from me. If someone didn’t know better or the organization didn’t have good financial controls, I could see how someone may fall for one of these false requests.

How can you protect yourself? Even if the email looks legitimate, there are still clues hidden in it.

  1. Read the text carefully. Is everything spelled correctly? Does the vernacular match how the “sender” would really speak to you? In the emails I receive, there are always clues. Cheque vs Check. Simple words are spelled incorrectly. Phrases that aren’t commonly used in our area are used in the email. These are all clues that the email didn’t actually come from the person it supposedly came from.
  2. Look at the email header or message details. The address displayed in the FROM field can be different from the address that actually sent you the message. When I look at the email header, I see that the FROM field shows someone’s email from my organization. The REPLY-TO field shows another email address, and the X-SENDER field shows yet another email address!
  3. Does the email actually have details about the payment that’s being requested? In my case, NO. There are never details about the actual vendor or what the payment is for. It’s just an invoice number that needs to be paid.
  4. Talk to the person the email supposedly came from, but don’t click on REPLY! Initiate a new email thread, text, or pick up the phone.
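The header check in step 2 can be automated. The script below is an added example, not part of the original post: it parses a raw message with Python's standard `email` module, pulls the domain out of each address-bearing header (From, Reply-To, Sender, X-Sender, Return-Path), and reports any header whose domain disagrees with the From domain, plus a From domain that is not the organization's own. The sample messages, the organization domain and every address in them are constructed placeholders.

```python
import email
from email.utils import parseaddr

# Constructed sample, modelled on the scenario in the post: the From address
# looks internal, while Reply-To and X-Sender point at two other domains.
SUSPICIOUS_MESSAGE = """From: "Jane Doe" <jane.doe@example-nonprofit.org>
Reply-To: jane.doe.exec@mail-example.net
X-Sender: relay-user@other-example.com
To: treasurer@example-nonprofit.org
Subject: Urgent vendor payment

Please process invoice #4471 today.
"""

# Constructed sample of a message whose headers agree with each other.
CLEAN_MESSAGE = """From: "Jane Doe" <jane.doe@example-nonprofit.org>
Reply-To: jane.doe@example-nonprofit.org
To: treasurer@example-nonprofit.org
Subject: Board meeting minutes

Minutes attached.
"""

# Assumed organization domain (placeholder, not from the post).
ORG_DOMAIN = "example-nonprofit.org"

# Headers that carry an address worth comparing against From.
ADDRESS_HEADERS = ("From", "Reply-To", "Sender", "X-Sender", "Return-Path")


def domain_of(header_value):
    """Return the lowercase domain of an address header value, or None if absent."""
    _display_name, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def header_domains(raw_message):
    """Map each present address header to the domain it names."""
    msg = email.message_from_string(raw_message)
    return {h: domain_of(msg.get(h)) for h in ADDRESS_HEADERS if msg.get(h)}


def mismatched_headers(raw_message):
    """Names of address headers whose domain differs from the From domain."""
    domains = header_domains(raw_message)
    from_domain = domains.get("From")
    if from_domain is None:
        return ["From"]  # no parseable From address at all is itself a finding
    return sorted(h for h, d in domains.items() if h != "From" and d != from_domain)


def assess(raw_message, org_domain=ORG_DOMAIN):
    """Summarize the header findings for one message as a dict."""
    domains = header_domains(raw_message)
    findings = mismatched_headers(raw_message)
    external_from = domains.get("From") is not None and domains["From"] != org_domain
    return {
        "suspicious": bool(findings) or external_from,
        "mismatched_headers": findings,
        "from_outside_org": external_from,
        "domains": domains,
    }


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, assess(raw))
```

The mismatch alone does not prove fraud (mailing lists and ticketing systems legitimately set a different Reply-To), but a payment request whose replies would go to a domain the organization does not own is exactly the case the post describes and is worth the out-of-band confirmation in step 4.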

Bottom line, protect yourself. Listen to your gut. Be sure that you know where messages are coming from. This is not just true for emails, but for texts and phone calls as well. Any account can be spoofed. If you’d like to learn more, please visit these articles from the Federal Communications Commission and the Federal Trade Commission.