If you receive an email for your ministry regarding a failed ACH transaction that appears to be sent from NACHA (The Electronic Payments Association), do not open it or you risk infecting your computer with a sophisticated new version of malware that could ultimately siphon large amounts of money from your ministry’s bank accounts.
According to a recent alert issued by the Federal Bureau of Investigation (FBI), the email is likely part of a sophisticated phishing attack designed to capture online banking log-in credentials and transfer funds from your ministry’s accounts. NACHA never sends emails directly to businesses or consumers.
The FBI urges caution whenever you receive a communication from a sender who would not normally email you, or one that does not come from the sender’s usual email address. You should not open such emails.
To learn more about how to protect your ministry from phishing attacks, visit ECCU’s Member Security page.
When I joined the ECCU staff, I was surprised by the scope of training we receive here. Regular training on matters of banking security is mandatory, even for those like me who don’t handle members’ money or have access to their personal information.
Some of this training is fascinating. In one session a video showed us the sophisticated methods hackers use to get at people’s information online. It had an effect similar to that old documentary Scared Straight. I left the session and immediately changed many of my passwords to make them more secure.
A recent Forbes article used a little intrigue to underscore the importance of picking smart passwords. “25 ‘Worst Passwords’ of 2011 Revealed” makes you smile unless yours is on the list. My favorite is “letmein.”
Besides a chuckle, the article gives readers practical guidance, including tips from a list of password best practices created by NASA to help safeguard their rocket science: “It should contain a mix of four different types of characters – upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;” and “If there is only one letter or special character, it should not be either the first or last character in the password.”
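The two NASA rules quoted above can be turned into a mechanical check, which is also the easiest way to see what they do and do not catch. The following is an added example, not code from the Forbes article, NASA, or ECCU. It treats any character that is not a letter or digit as a “special character”, reads the second rule as “if exactly one letter, or exactly one special character, is present it must not sit at either end”, and adds a small denylist built from entries that appear on the 2011 “worst passwords” list (an assumption for illustration; a real deployment would use a full breached-password list). It deliberately checks nothing the quoted tips do not mention, such as length.

```python
# Added example: a checker for the two NASA composition rules quoted above,
# plus a tiny "worst passwords" denylist. Not the article's or NASA's own code.

# Constructed denylist with a few entries from the "25 Worst Passwords of 2011" list.
WORST_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123",
    "monkey", "1234567", "letmein", "trustno1", "dragon",
}


def classify(ch):
    """Bucket one character into the four classes NASA's tip names.

    Anything that is not a letter or digit (punctuation, symbols, whitespace)
    counts as a special character here; NASA's list only gave examples.
    """
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    return "special"


def check_password(pw):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []

    if pw.lower() in WORST_PASSWORDS:
        problems.append("appears on the worst-passwords list")

    # Rule 1: all four character types must be present.
    positions = {"upper": [], "lower": [], "digit": [], "special": []}
    for i, ch in enumerate(pw):
        positions[classify(ch)].append(i)
    missing = [name for name, pos in positions.items() if not pos]
    if missing:
        problems.append("missing character types: " + ", ".join(missing))

    # Rule 2: a lone letter or lone special character must not be first or last.
    letters = positions["upper"] + positions["lower"]
    last = len(pw) - 1
    for name, pos in (("letter", letters), ("special character", positions["special"])):
        if len(pos) == 1 and pos[0] in (0, last):
            problems.append(f"the only {name} is at the start or end")

    return problems


if __name__ == "__main__":
    for candidate in ("letmein", "password1!", "!Abc123", "Tr0ub4dor&3"):
        print(repr(candidate), "->", check_password(candidate) or "ok")
```

Note what the rules miss: `Tr0ub4dor&3` passes every check above even though its digit-for-letter substitutions are exactly the pattern cracking wordlists try first. Composition rules raise the floor; they do not replace length and a breached-password check.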
Have you chosen smart passwords to protect your important information and assets?
“Your account appears to have an unauthorized transaction. To ensure that your account is not compromised, please click the link below and confirm your identity.”
Sound familiar? That message is from a recent phishing attempt I received via email. In the act of phishing, Internet fraudsters send spam or pop-up messages in hopes of gaining access to your personal information (credit card numbers, bank account information, Social Security numbers, passwords, or other sensitive information). The email looks official and raises concern and may even threaten dire consequences if you do not respond. They include a link to a website that looks official, but isn’t, and captures any personal information you enter so they may steal your identity.
Now, the same type of scam is finding its way to you via your cellular phone. In a smishing attempt, identity thieves send a similar message to your mobile phone using an SMS text. The text relays that an urgent matter needs to be discussed and provides a toll free number where a fake automated voice-response system records account number and password information. Smishing relies on the tendency for individuals to be more trusting of text messages than email messages.
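The tells described in the two paragraphs above (urgency, a request for credentials, a link whose real host is not the institution’s, and, for smishing, an unsolicited toll-free callback number) can be checked by a short screening routine. The following is an added example, not ECCU’s code; the trusted hosts, the keyword lists and the three sample messages are all constructed for illustration, and the “registrable domain” helper is a deliberate simplification (last two labels of the hostname) rather than a public-suffix-list lookup.

```python
# Added example: score an email or SMS body for the phishing/smishing indicators
# described above. Sample messages and trusted hosts are constructed, not real data.
import re
from urllib.parse import urlparse

# Hosts the recipient's real institution uses (assumed for this example).
TRUSTED_HOSTS = {"eccu.org", "www.eccu.org"}

URGENCY_WORDS = ("unauthorized", "suspended", "verify", "confirm your identity",
                 "immediately", "urgent")
ACCOUNT_WORDS = re.compile(r"\b(account number|password|pin|social security)\b")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")
# US toll-free prefixes, optionally preceded by a 1 and wrapped in the usual punctuation.
TOLL_FREE = re.compile(
    r"(?<!\d)1?[-. ]?\(?8(?:00|88|77|66|55|44|33)\)?[-. ]?\d{3}[-. ]?\d{4}(?!\d)")


def registrable(host):
    """Crude registrable-domain guess: 'secure.eccu-online.com' -> 'eccu-online.com'."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phish_indicators(message, channel="email"):
    """Return the list of indicators found; an empty list means nothing suspicious."""
    text = message.lower()
    hits = []
    if any(w in text for w in URGENCY_WORDS):
        hits.append("urgency or threat language")
    if ACCOUNT_WORDS.search(text):
        hits.append("asks for credentials or account details")
    trusted = {registrable(h) for h in TRUSTED_HOSTS}
    for url in URL_RE.findall(message):
        host = urlparse(url.rstrip(".,)")).hostname or ""
        if registrable(host) not in trusted:
            hits.append(f"link goes to untrusted host {host}")
    if channel == "sms" and TOLL_FREE.search(message):
        hits.append("unsolicited text offers a toll-free callback number")
    return hits


# Constructed samples: the phishing email quoted above with a lure link added,
# a smishing text, and a benign statement notice.
SAMPLE_EMAIL = ("Your account appears to have an unauthorized transaction. To ensure that "
                "your account is not compromised, please click the link below and confirm "
                "your identity.\nhttp://eccu-secure-login.example.net/verify")
SAMPLE_SMS = ("ECCU alert: your card has been suspended. Call 1-800-555-0199 now and "
              "enter your account number and password to reactivate.")
SAMPLE_LEGIT = "Your monthly statement is ready to view at https://www.eccu.org/statements."

if __name__ == "__main__":
    print(phish_indicators(SAMPLE_EMAIL))
    print(phish_indicators(SAMPLE_SMS, channel="sms"))
    print(phish_indicators(SAMPLE_LEGIT))
```

The link check is the one that matters most: the displayed text of a link can say anything, so the routine looks only at the host the URL actually resolves to and compares it against the institution’s known domains. A message that matches none of these heuristics is not proven safe; the advice in the following list (contact the institution through a number you already have) still applies.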
In a world where fraudsters are looking for any opportunity to gain access to our private information, how do we defend ourselves? The American Bankers Association suggests financial institutions share tips and remind customers that socially engineered schemes rely on methods a financial institution would never employ.
“To avoid fraud, banks and credit unions should remind customers to:”
- Never give out personal or financial information in response to an unsolicited phone call, fax, e-mail or text.
- Contact the financial institution to confirm the legitimacy of any e-mail that asks for the submission of personal or banking account information.
- Check credit card and bank account statements regularly for unauthorized transactions…even small ones.
- Make sure websites are secure when submitting financial information online. Check for padlocks or key icons at the bottoms of Internet browsers. Most secure Web addresses also use “https.”
- Report suspicious activity to the Internet Crime Complaint Center, a partnership between the Federal Bureau of Investigation and the National White Collar Crime Center.
- Contact your financial institution immediately if a phishy link may have been clicked or a suspicious communication responded to.
What have you done to prevent identity theft?
It’s easy to understand why ministries believe they are less likely to become victims of financial crime: the great trust they have in their staff. And while that trust may have been earned, or even warranted because of a common Christian bond, internal controls are still necessary. Proper controls don’t say “We don’t trust you.” Instead, they say, “We want to protect you.” Not only do they remove the opportunity for misappropriation of funds, they also catch errors and protect staff from innuendo and false accusation if a loss is incurred.
Here are six key elements of internal controls for churches and ministries:
1. Maintain clear organizational structure, including proper channels for reporting suspected improprieties.
2. Keep policies and procedures that are clearly written, current, and accessible. This leaves no question about authority, and helps part-time and volunteer staff carry out activities and continue them during periods of turnover.
3. Implement separation of duties. One of the most important separations of duties for a ministry is between handling donations and recording the receipts in the accounting records. A key component is routine review and reconciliation by someone other than the preparer or transactor, to confirm that transactions have been properly processed.
4. Practice dual control over all cash donations. Two persons should be assigned counting responsibility for all cash and for deposit preparation. The cash counters should not also prepare the deposits, and all positions should be rotated periodically.
5. Require dual control of cash until it is delivered to the bank or a courier. A locked safe that requires two distinct individuals to remove the cash keeps it secure.
6. Implement dual control for online banking systems. Individuals who create files should be different from those who release files for processing.
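Item 6 is the one control in this list that lives inside a system rather than in a procedure, so it is worth seeing what the rule looks like when enforced by software rather than by habit. The following is an added example, not ECCU’s or any bank’s online-banking code: a toy model in which users hold a “create” and/or “release” role, and a payment file can only be released by a user who holds the release role and is not the user who created it. The users, roles and batch identifiers are made up for illustration.

```python
# Added example: maker/checker (dual control) for releasing payment files.
# Illustrative model only; not the code of any real online-banking system.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


class DualControlError(Exception):
    """Raised when an action would violate the creator/releaser separation."""


@dataclass
class PaymentBatch:
    batch_id: str
    amount_cents: int
    created_by: str
    released_by: Optional[str] = None
    audit: List[Tuple[str, str]] = field(default_factory=list)  # (event, user)


class OnlineBanking:
    """Holds payment batches and enforces that no one both creates and releases one."""

    def __init__(self, roles: Dict[str, Set[str]]):
        self.roles = roles            # user -> subset of {"create", "release"}
        self.batches: Dict[str, PaymentBatch] = {}

    def _require(self, user, role):
        if role not in self.roles.get(user, set()):
            raise DualControlError(f"{user} does not hold the '{role}' role")

    def create_batch(self, user, batch_id, amount_cents):
        self._require(user, "create")
        batch = PaymentBatch(batch_id, amount_cents, created_by=user)
        batch.audit.append(("created", user))
        self.batches[batch_id] = batch
        return batch

    def release_batch(self, user, batch_id):
        batch = self.batches[batch_id]
        self._require(user, "release")
        # The separation itself: the role check alone is not enough, because a
        # user holding both roles could otherwise create and release alone.
        if user == batch.created_by:
            batch.audit.append(("release refused: same user as creator", user))
            raise DualControlError("creator and releaser must be different people")
        if batch.released_by is not None:
            raise DualControlError(f"batch {batch_id} was already released")
        batch.released_by = user
        batch.audit.append(("released", user))
        return batch


def demo():
    """Walk through the control: a dual-role user still cannot release her own file."""
    bank = OnlineBanking({"alice": {"create", "release"}, "bob": {"release"}, "carol": {"create"}})
    batch = bank.create_batch("alice", "ACH-0001", 250_000)
    try:
        bank.release_batch("alice", "ACH-0001")
        refused = False
    except DualControlError:
        refused = True
    bank.release_batch("bob", "ACH-0001")
    return refused, batch.released_by, batch.audit


if __name__ == "__main__":
    print(demo())
```

The audit list is part of the control, not decoration: the refused attempt is recorded so that a reviewer can see who tried to bypass the split, which is exactly the kind of evidence that protects an honest employee from suspicion when something later goes wrong.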
What other financial controls has your ministry found helpful?
An elder, usher, or staff member at your church voluntarily confesses to embezzling church funds. How do you respond?
“In some church embezzlement cases, a person who has stolen church funds will voluntarily confess—usually out of a fear that he or she is about to be caught. Often, the embezzler will confess in order to prevent the church from turning the case over to the IRS, the police, or to a CPA firm. Embezzlers believe they will receive better treatment from their own church than from the government.”
This excerpt is from a recent Your Church blog by legal expert Richard R. Hammar, who tackles this thorny question objectively and biblically. To learn more, check out “If an Embezzler Confesses.”
How would your church respond?