Protecting Your Organization from Third-Party Referral Scams: Lessons Learned and Preventive Strategies

As a Technology Leader, I’ve been focused on helping faith-based and non-profit organizations enhance their security posture, especially in light of the rise in cyberattacks targeting these groups. Just recently, our own organization experienced a Third-Party Referral Scam, which reinforced the importance of organizational training and education on this front.

This type of attack relies heavily on social engineering, manipulating trust by claiming connections with reputable individuals or organizations to gain access to sensitive information.

Here’s how this scam typically works and how it impacted us:

How a Third-Party Referral Scam Works:

1. Claiming a Referral from a Trusted Source:

The scammer pretends to be referred by someone trustworthy; in our case, they falsely used the name of a respected figure, our pastor. They mentioned a specific program, the “ESL program for disabled financial help,” along with a contact who was supposedly facilitating the process. The bad actor also sent photos of their correspondence, in both text-message and email form. This referral and the accompanying communication stream made the scam appear legitimate and credible.

2. Gaining the Victim’s Trust:

Instead of immediately requesting personal information from us, the scammer sent what appeared to be their own driver’s license, credit card, and banking information to make the interaction seem genuine. This reverse tactic is designed to lower defenses, making it harder to recognize the scam. By referencing a trusted individual and offering personal documents, they attempted to create an illusion of credibility.

3. Contacting the Finance Department:

To further gain trust, the scammer took an extra step by calling our finance department directly, claiming legitimacy and attempting to manipulate the team into believing the referral was genuine. This direct outreach was part of their effort to build rapport and gain more access.

4. Social Engineering for Financial Gain:

While it seemed like the scammer was providing credible accounts, this was a calculated move to exploit trust for future financial gain. By establishing a false sense of security, the scammer set the stage for later fraudulent activity, likely involving financial exploitation or additional requests for sensitive information.

5. Red Flags: Typos and Sudden Hang-Up:

In our experience, the scammer’s correspondence contained typos, which tipped us off that something was amiss. Additionally, when I called the scammer, identifying myself as the CISO and letting him know I was conducting an investigation, he immediately hung up, further confirming our suspicions of fraudulent activity.

Key Characteristics of the Scam:

  • Referral from a Trusted Figure: The scam hinges on a false claim that a reputable figure, like Dr. George, referred the victim.
  • False Program or Financial Aid Scheme: Scammers promote nonexistent programs targeting vulnerable individuals.
  • Request for Personal Information: They ask for sensitive data as part of a fake application process, ultimately using it for fraud.
  • Social Engineering Tactics: Scammers manipulate trust to gain access to personal information.

How to Protect Your Organization from Third-Party Referral Scams:

1. Educate Your Team on Social Engineering:

Train your staff to recognize social engineering tactics, which are often used in these scams. Emphasize the importance of skepticism, especially when receiving unsolicited referrals.

2. Verify Referrals Through Official Channels:

Any referral from a trusted figure should be independently verified through official channels. If someone claims to be referred by a familiar name, confirm this with the individual or organization directly.

3. Establish Clear Protocols for Handling Sensitive Information:

Have strict policies in place for sharing personal or financial information. Ensure that no sensitive data is given out without thorough verification of the request’s legitimacy.

4. Use Multi-Factor Authentication (MFA) and Encryption:

Implement MFA and ensure sensitive information is encrypted. This provides extra security, even if scammers attempt to exploit trust.

5. Run Phishing and Scam Simulations Regularly:

Conduct simulations to test your staff’s ability to identify fraudulent requests. These drills help to reinforce the need for staff to be aware of their digital surroundings. To help with training, Microsoft 365 has an attack simulation tool that helps organizations evaluate how staff respond to suspicious emails. I highly recommend this tool, as well as others like KnowBe4. Regular simulations foster a culture of security, reducing the risk of falling victim to real attacks.

6. Develop a Reporting System for Suspicious Activity:

Make it easy for staff to report any suspicious emails, calls, or requests. A strong reporting system can prevent further exploitation and give your organization the opportunity to respond quickly.

7. Update Security Policies Regularly:

Cyber threats evolve, so it’s essential to review and update security policies. Keep your team informed of new tactics, such as the Third-Party Referral Scam, and how to recognize them.

8. Engage Cybersecurity Experts:

Work with professionals who understand the unique threats facing faith-based and non-profit organizations. They can provide tailored solutions to protect against these scams.

Recognizing and Reporting Third-Party Referral Scams:

1. Verify Any Referrals: Always confirm the legitimacy of any referral through official channels.

2. Be Wary of Requests for Personal Information: Legitimate programs rarely ask for sensitive information upfront. Always verify the reason for such requests.

3. Report Suspicious Contact: If you suspect a scam, report it to the Federal Bureau of Investigation (FBI) and notify the organization or individual whose name is being used in the scam.

Communicating About Social Media:

This is important! You need to let people know if you do not have social media and that they will never be contacted via these platforms. This transparency can help prevent scams that rely on impersonation. For example, our organization had a fake Facebook account impersonating our senior pastor. The account contained details that were known about him. I get frequent calls from frustrated organizations that are trying to remove these accounts. And in Facebook fashion, you had to know the right location on their site to get these fake accounts removed.

In our case, the senior pastor’s fake account was removed within 10 minutes after submitting a request. Note, we had to provide a copy of his ID for proof, but this eliminated the account. If you encounter similar situations, you can report fake accounts on Facebook using this link: Report Fake Account.

Wrapping it Up

Our recent experience with this type of scam taught the organization a valuable lesson. Even when no personal information is requested initially, scammers may use reverse tactics, contacting departments and providing seemingly genuine information to build trust. By educating our teams and following strict security protocols, we can better protect our organizations from falling victim to these types of attacks.

Our recent experience with this scam serves as a reminder that no organization is immune to these types of attacks. By understanding the role of social engineering and implementing protective measures, we can significantly reduce the risk of falling victim to such malicious schemes.

If you have any questions or need help, please feel free to reach out.
