Computer security.

I am treasurer of a hiking club... (Yeah, people actually trust me with their money). 

Last week, a member got an email from someone posing as me. Asked that a member withdraw $2,900 from her account so I can take care of a club problem and "I" would reimburse them. 

Of course, she refused.

Yesterday, a second member got the same email. Phsisher is not using my email address. 

What security measures should we take?

I'm sure you've sent out a blast email or maybe called or texted the members to make them aware. Would enlisting a phone tree of members help? Do you have a website with a members-only section?

this kind of sounds like an inside job, since it apparently references your position as club treasurer. some rando phisher would not know that.

if so, there is little you can do to prevent it.

unless...

as Peter mentions - is there a web site for the club that is NOT limited to members only? If so, you have to lock that site down with userids and passwords. If it's a FB group, you have to restrict membership to members only.

There is a club website, It is probably open to the public in the interest of attracting new members. 

We did send a blast to people on the membership list. I do not feel my privacy to be in jeopardy. The club account is secure in that it has no internet presence at all: all snail mail. Not even a debit card and all transactions are by me driving to the bank or mailing checks.

Do people ever publish their email addresses on the club website? If so they should stop. The only email published should be one for the club itself, not anyone's personal one. If you need someone's email, they can just send it to the club's email.

It might just have come from someone who scours the web looking for clubs like yours. They use whatever personal info they can find to make it sound like they're legitimate when they phish.

Something similar happened to me recently, after the email list of another local nonprofit was breached. This was one of those deals where supposedly someone was out of town and needed me to buy a gift card electronically. “She” would reimburse me. I knew right away it was a scam, but the wannabe scammer already had my email, so I corresponded a little and played along at first. I was fascinated that I was dealing with a real human scam artist, and not just a computer. Some people are just awful human beings. 

I'm learning the pitfalls of Facebook Marketplace while selling an excellent sofa at a very reasonable inexpensive price. One woman's fav site is a Nigerian scamming group. I passed her up. Another guy was supposed to stop by after I gave him my address but then vanished. One person after another with zero reliability or credibility on their Facebook profile is expressing interest. Sigh. 

drummerboy said:

Do people ever publish their email addresses on the club website? If so they should stop. The only email published should be one for the club itself, not anyone's personal one. If you need someone's email, they can just send it to the club's email.

It might just have come from someone who scours the web looking for clubs like yours. They use whatever personal info they can find to make it sound like they're legitimate when they phish.

How would blast emails to club members be handled? Announcements of hikes, etc.

If you have a separate email address for the club, you could send email blasts from there.  There are ways to send email blasts without any one recipient seeing the email addresses of the others. I frequently receive emails addressed to "me" (sender) with everyone else on the email list receiving a blind copy.

Formerlyjerseyjack said:

drummerboy said:

Do people ever publish their email addresses on the club website? If so they should stop. The only email published should be one for the club itself, not anyone's personal one. If you need someone's email, they can just send it to the club's email.

It might just have come from someone who scours the web looking for clubs like yours. They use whatever personal info they can find to make it sound like they're legitimate when they phish.

How would blast emails to club members be handled? Announcements of hikes, etc.

what joan said.