
Don't fall victim: How to recognise scams targeting grassroots sport

06 Mar 2018 · revolutioniseSPORT

With the growth in technology and its increasing accessibility, we have seen the modernisation of sporting clubs nationally, and in turn, a rise in the efficiency of these organisations. However, as time-consuming paper-based processes are replaced with the powerful click of a few buttons, we slowly begin to open ourselves up to increasingly creative criminal cyber-attacks.

Replacing the age-old scam (from a Prince in some far-off land, offering you a sum of inheritance money with more zeroes than would fit in this article) is an increasingly alarming scheme of fraudulent emails, targeted at amateur sporting clubs.

Speaking the right language

'Spamming', 'spoofing', and 'phishing' are terms that are often used interchangeably when it comes to fraudulent emails, but knowing the difference is essential for identifying potential threats—and for understanding how best to respond.

Spamming: a person receives unsolicited emails. These emails are usually sent in bulk to a number of recipients. These emails may be safe, advertising genuine products and/or services—but in some instances, they may be promoting illegitimate goods.

Spoofing: a sender masquerades as someone else, often a trusted source (e.g., a colleague), in order to solicit money or information.

Phishing: like spoofing, phishing relies on the creation of falsified emails (addresses and/or content) that appear to be from a trusted source (e.g., PayPal, eBay, your bank, etc.). However, unlike spoof emails, phishing emails often include a link to an external website that prompts you for personal or sensitive information (e.g., your PayPal login details, other usernames and passwords, credit card information, etc.).

Why does it matter?

Being aware of these differences allows you to identify fraudulent or dangerous communications that you receive via email. There are subtle differences in how scammers cover their tracks—and their methods are closely tied to the kind of attack they are attempting.

In the last 12 months, we have seen a multitude of clubs receive spoof emails, whereby members of the committee are impersonated and emails are cleverly crafted to solicit money or information from other members of the committee.

How the scam works

In most cases, we have seen these spoof emails take the following form:

1. The scammer accesses your website and makes note of any publicly available contact names, email addresses, and positions (e.g., President name and email).

2. They may assume the identity of any of the organisation's committee—but in the case studies we've seen, they often impersonate the President, and target the Treasurer.

3. The scammer prompts the Treasurer for the organisation's bank balance, stating that a bank transfer needs to be made.

4. The Treasurer replies, providing the bank balance.

5. The 'President' (our scammer) specifies the invoice amount and provides bank details for transfer.

*** Indicates actual bank account details that have been redacted.

Asking for the bank balance a) creates a false sense of security by asking a contextual question without asking for money to be transferred; and b) allows the scammer to determine an appropriate (and proportionate) amount to steal from you, to lessen the likelihood of raising suspicion.

What can you do?

There are a few strategies you can employ to avoid falling victim to spoofing, phishing and scam emails.

Have firm processes for handling expenses in place

One of the easiest ways to protect your data is to ensure your organisation has a policy or procedure that sets out how expenses are managed.

Essentially, you should develop a system that treats unsolicited payment requests by email as fraudulent by default. For example:

1. Verbally confirm the expense request with the sender

If you receive an email requesting the transfer of money (regardless of how real it may look)—always call the person who sent it to you to confirm the expense request—and consider making this an organisation-wide policy. A quick phone call could ultimately ensure that your organisation's privacy and finances are not compromised.

2. Use a finance tool/CMS to manage expenses

Many finance tools or customer management systems allow organisations to track invoices and expenses.

Exemplar sporting organisations we have spoken to adhere to variants of the following procedure:

  • Organisation representative receives invoice from supplier.
  • They log into their finance/CMS tool and upload the invoice as an expense.
  • Treasurer is notified each time a new expense is raised.
  • Expenses are (through the finance tool/CMS) approved by organisation administrators.
  • Once approved, the invoice can be paid.

Using a finance tool or CMS safeguards you in a number of ways. Firstly, it is only accessible to administrators who have been granted the appropriate access; and secondly, many such tools record who has raised and approved each expense in the account, holding everyone accountable.

Check the sender's email details

When an email is sent, technical information about the sender is packaged and hidden in what is called the 'email header'. The header details who created the email, which email servers it passed through to reach the recipient, who it is addressed to, and the date it was sent. It also contains the 'from' address (i.e. the email address it appears to be from) and the 'reply-to' address (where your reply actually goes when you hit reply).

Generally speaking, the 'from' address is visible, while the reply-to address is hidden by default (as 99% of the time, these are the same).

Scammers exploit this by placing false information in the email header. They will often disguise the 'from' address so that the email appears to come from a trusted sender, while the 'reply-to' address is the scammer's actual mailbox—so any reply goes straight to them.

To easily check the true sender of the email, hover over the 'from' email address, or click to reply to the email. This will show you the true 'reply-to' email address.
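The check described above can also be automated. The following is an added example (not code from the original article or from revolutioniseSPORT): it parses a message's headers and flags any email whose 'reply-to' address does not match the visible 'from' address. The sample messages, names and domains are constructed placeholders.

```python
"""Flag emails whose Reply-To address differs from the visible From address.
Added example; the sample messages below are constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr
from typing import Tuple

# Constructed sample: the display name and From look like the club President,
# but the hidden Reply-To would send any answer to an unrelated mailbox.
SAMPLE_SPOOF = """\
From: "Club President" <president@example-club.org>
Reply-To: "Club President" <president.example-club@free-mail.example>
To: treasurer@example-club.org
Subject: Urgent invoice payment

Hi, can you let me know our current bank balance? A supplier needs paying today.
"""

# Constructed sample: no Reply-To header, so replies go back to the From address.
SAMPLE_LEGIT = """\
From: "Club President" <president@example-club.org>
To: treasurer@example-club.org
Subject: Agenda for Thursday

See attached.
"""


def reply_target(raw_message: str) -> Tuple[str, str]:
    """Return (from_address, effective_reply_address), both lower-cased.
    When no Reply-To header is present a reply goes to From, as mail clients do."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or msg.get("From", ""))
    return from_addr.lower(), reply_addr.lower()


def reply_to_mismatch(raw_message: str) -> bool:
    """True when replying would not go back to the displayed sender."""
    from_addr, reply_addr = reply_target(raw_message)
    return from_addr != reply_addr


def review_message(raw_message: str) -> str:
    """Human-readable verdict for a treasurer or administrator."""
    from_addr, reply_addr = reply_target(raw_message)
    if from_addr != reply_addr:
        return (f"WARNING: replies go to {reply_addr}, not the displayed sender "
                f"{from_addr}; confirm the request by phone before acting")
    return f"OK: replies go back to {from_addr}"


if __name__ == "__main__":
    print(review_message(SAMPLE_SPOOF))
    print(review_message(SAMPLE_LEGIT))
```

A matching From and Reply-To does not prove a message is genuine (the whole From address can itself be forged), so the phone-call step above still applies.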

Inform your bank and the police

If you believe your organisation has been scammed, contact your bank immediately. You should also submit a police report.

Some scammers will have given you their own bank details for the transfer; if so, it is also worthwhile contacting the bank that holds that account.

Where to from here?

Emails can be spoofed, phished, and hacked. They are a point of vulnerability and are best avoided when dealing with sensitive or financial information. That's not to say you need to eliminate email from your day-to-day processes altogether—but it's vital to remain mindful of the security threats inherent in email communications.

Having said that—there are tools that provide the efficiency of email, but with added security. Inevitably, all organisations will need to strengthen their technological arsenal to keep up with the changing technological landscape, and the shifting nature of the risks involved.

Using a trusted and secure communications system will allow you to formulate safe processes and ensure the security and integrity of your data—encouraging growth and efficiency without putting your organisation at increased risk.

Rapid leaps in technology mean that the future is here today. Understanding how to use technology, and which tools to employ, will ensure that your organisation stays current and relevant, with minimal concerns regarding security—allowing you to focus on the more important (and fun!) aspects of running a sports club.

Originally published on LinkedIn.