Guest Post: Protecting Staff from Modern Scams
May 19, 2026
Mona Terry, Chief Operating & Programs Officer, ITRC
Cybersecurity is not only reliant on technical safeguards like firewalls and encryption. Social engineering, where bad actors manipulate individuals into sharing confidential information or performing fraudulent actions, is increasingly used to bypass technological protections. Expanding staff’s knowledge of scams and creating some basic protective policies can go a long way in thwarting scammers’ attempts to get information and funds.
Current Scams that Target Staff
Scammers are using artificial intelligence (AI) at scale in "Business Email Compromise" (BEC) scams. By researching an organization’s leadership through websites and professional networking platforms, they can get the names and titles of employees and, even more alarming, use AI to craft convincing messages that mimic the communication style of senior leaders. The top 3 scams we hear about (and have seen at our own organization) are:
1. Fraudulent Gift Card Requests
It starts as an urgent email or text message appearing to come from a senior leader. The message typically claims the leader is in an important meeting or traveling (or both) and asks the staff member to purchase gift cards for an event or for staff appreciation using company funds or the employee’s own money that will be “reimbursed”. The scammer requests that the gift card codes/numbers be sent immediately, but once the information is shared, the funds are untraceable and cannot be recovered.
2. Payroll Diversion Schemes
A scammer, posing as an employee, requests to update their direct deposit information. If the update is processed, the employee’s paycheck is diverted to a fraudulent account. This results in financial loss for the organization and can create significant distress for the affected staff member.
3. Phony Invoice and Vendor Spoofing
Increasingly, scammers are sending fraudulent invoices that mirror those of organizations’ actual vendors. They may use a slightly altered email domain (e.g., changing ".com" to ".net" or using a Gmail address) or provide a new bank account for "updated" payment instructions. These invoices often use high-pressure tactics such as threatening to disrupt services or apply late penalties if payment is not made immediately.
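The domain tricks described above (a real vendor name under a different top-level domain, a free webmail address, or a one-letter typo in the vendor name) can be screened mechanically before an invoice reaches accounts payable. The following is an added example, not code from the ITRC post or any product it mentions; the vendor allowlist, the webmail list and the "two edits or fewer" lookalike threshold are all assumptions chosen for illustration.

```python
"""Added example: classify an invoice sender's domain against vendor domains
already on file. Vendor and webmail lists are constructed for illustration."""

# Constructed allowlist: domains the accounts-payable team has on file.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "northwind-cleaning.com"}

# Free webmail providers a corporate vendor invoice would not normally use.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Assumed threshold: a vendor name within two character edits is a lookalike.
LOOKALIKE_MAX_EDITS = 2


def _split(domain):
    """'acme-supplies.com' -> ('acme-supplies', 'com')."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def _edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats such as 'suppiies'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(address, known=KNOWN_VENDOR_DOMAINS):
    """Return 'known', 'freemail', 'lookalike' or 'unknown' for a sender address.

    Anything other than 'known' should route the invoice to manual verification
    against the contact details already on file for that vendor.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in known:
        return "known"
    if domain in FREEMAIL_DOMAINS:
        return "freemail"
    label, tld = _split(domain)
    for vendor in known:
        vlabel, vtld = _split(vendor)
        # Same vendor name under a different TLD: the ".com" -> ".net" swap.
        if label == vlabel and tld != vtld:
            return "lookalike"
        # A near-identical vendor name is also a lookalike.
        if _edit_distance(label, vlabel) <= LOOKALIKE_MAX_EDITS:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders.
    for addr in ("billing@acme-supplies.com", "billing@acme-supplies.net",
                 "billing@acme-suppiies.com", "acme.supplies@gmail.com",
                 "ap@totally-other.org"):
        print(f"{addr:30} -> {classify_sender(addr)}")
```

The check is deliberately conservative: it only decides whether a sender warrants a second look, and the second look itself is the out-of-band call to the number on file, not a reply to the email.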
The Impact of Identity Theft
Beyond the immediate loss of money, scams often involve an identity component. When a staff member inadvertently engages with a scammer, they may expose their personal or organizational Personally Identifiable Information (PII), such as banking details or account login information.
For an organization, a successful scam can be a precursor to a larger data breach, putting donor databases and sensitive internal records at risk. For the employee, the fallout from identity theft can be a multi-year process of restoring their credit and important accounts.
Prevention: Establishing Verification Protocols
To mitigate these risks, organizations should implement clear procedures for handling financial and data-related requests:
· Establish a Multi-Factor Verification Policy: Ensure all account logins have an accompanying multifactor authentication setup (preferably a code that is obtained through an authentication app). Mandate that any request to change sensitive information or established protocols involving funds must be confirmed through a separate, pre-established process.
· Encourage Professional Skepticism: Employee policies should explicitly state that employees are encouraged to question an unusual request from leadership or a vendor in order to prevent a scam. “Stop, breathe, and verify" is a very effective defense against social engineering.
· Identify Red Flags: Train staff to recognize the signs of a scam: an unusual sense of secrecy, an insistence on bypassing standard procedures, and a demand for immediate action.
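The three policy points above can be turned into a simple hold-and-verify workflow: any request touching funds or account details is held, staff are pointed to a callback contact that comes from the organization's own directory rather than from the message, and the message is scanned for the red flags just listed. This is an added example, not ITRC's code or a product the post describes; the contact directory, the list of sensitive actions and the red-flag phrases are constructed assumptions.

```python
"""Added example (not from the ITRC post): hold sensitive requests until they
are confirmed through contact details already on file, and scan the request
text for the red flags the post lists. All names and numbers are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed directory of callback numbers on file, keyed by who the request
# claims to come from. Verification always uses these, never a number or
# address supplied inside the request itself.
CONTACTS_ON_FILE = {
    "j.doe": "+1-555-0100",              # employee, for payroll changes
    "acme-supplies.com": "+1-555-0199",  # vendor accounts-receivable desk
}

# Assumed set of actions that must be held for out-of-band confirmation.
SENSITIVE_ACTIONS = {"change_direct_deposit", "change_vendor_bank", "buy_gift_cards"}

# One pattern per red flag named in the post: secrecy, bypassing procedure, urgency.
RED_FLAG_PATTERNS = {
    "secrecy": r"\b(keep (this|it) (between us|confidential|quiet)|don'?t (tell|mention)|discreet)\b",
    "bypass": r"\b(skip|bypass|no need for) (the )?(approval|po|purchase order|usual process)\b",
    "urgency": r"\b(immediately|right away|asap|within the hour|before (noon|end of day))\b",
}


def scan_red_flags(text: str) -> List[str]:
    """Return the red-flag categories whose pattern appears in the text."""
    lowered = text.lower()
    return sorted(name for name, pat in RED_FLAG_PATTERNS.items() if re.search(pat, lowered))


@dataclass
class ChangeRequest:
    requester_id: str                # who the message claims to be from
    action: str
    body: str
    contact_in_message: Optional[str] = None  # any "call me at ..." the sender supplied
    status: str = "pending"
    flags: List[str] = field(default_factory=list)

    def __post_init__(self):
        self.flags = scan_red_flags(self.body)
        if self.action not in SENSITIVE_ACTIONS:
            self.status = "approved"  # routine request, no hold required

    def verification_contact(self) -> Optional[str]:
        """The number staff should call: from the directory, not the message."""
        return CONTACTS_ON_FILE.get(self.requester_id)

    def confirm(self, number_called: str, confirmed: bool) -> str:
        """Record the outcome of a callback. Only a callback to the on-file
        number can approve; a callback to a number from the message cannot."""
        if self.status != "pending":
            return self.status
        if number_called != self.verification_contact():
            self.status = "rejected"   # wrong channel, even if the caller said yes
        elif confirmed:
            self.status = "approved"
        else:
            self.status = "rejected"   # the person on file did not make the request
        return self.status


if __name__ == "__main__":
    # Constructed payroll-diversion attempt with the attacker's own callback number.
    req = ChangeRequest(
        requester_id="j.doe",
        action="change_direct_deposit",
        body="Please update my direct deposit immediately. Call me at +1-555-0142, "
             "and keep this between us until payroll runs.",
        contact_in_message="+1-555-0142",
    )
    print("flags:", req.flags)
    print("call:", req.verification_contact())
    print("outcome if staff call the number in the email:",
          req.confirm(req.contact_in_message, True))
```

The design point is that `confirm` never consults `contact_in_message`: the scammer controls the message, so anything in it is useless as a verification channel. Rejecting a callback to the wrong number even when the caller "confirms" is what makes the pre-established process a control rather than a formality.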
Where to Turn When a Breach Occurs
If a staff member realizes they inadvertently shared sensitive information with a bad actor, time is of the essence.
For the Employee:
The employee should immediately notify their supervisor and the IT department. If personal banking information was shared, they should contact their financial institution to freeze their account and change account numbers. If login and password information was shared, they should change the password immediately and enable multifactor authentication (if they haven’t already).
For the Employer:
Leadership should document the incident and report it to the FBI’s Internet Crime Complaint Center (IC3). Consult with legal counsel and your insurance provider to determine if data breach notification laws have been triggered, depending on the information that was exposed or could potentially be exposed.
Recovering from these incidents can be complex and emotionally taxing. To support your staff through the recovery process, contact the Identity Theft Resource Center (ITRC). The ITRC provides expert, no-cost assistance to victims of identity theft, offering step-by-step guidance to help individuals secure their information and regain their peace of mind.