These scams are sometimes referred to as phishing, spear phishing, deepfake impersonation, or business email compromise.
- They usually involve a malicious individual pretending to be someone they are not.
- Their aim is to steal information or money, gain access to your data/systems, or damage the reputation of your organization.
What are the common types of scams?
These scams range from basic opportunistic phishing emails to advanced scams developed by cybercriminals to take advantage of the trust organisations have with UNFPA.
- Phone scams – scammers may call you or send you an SMS message unexpectedly and try to elicit personal or sensitive information from you. They may appear friendly and helpful or, in some cases, scary and threatening.
- Social media scams – scammers have recently turned to WhatsApp, Facebook and other social media channels to propagate their scams.
- Email scams – various scam emails purporting to be from or associated with UNFPA have been detected. Examples of these scams include:
  - Request for detailed information to register for an Executive board session (or another prominent event).
  - Request to change banking information to facilitate payment into a new [fraudulent] bank account.
  - Request for your banking information to process an entitlement from a government loan or other financial incentive.
  - Request for payment of transaction fees to facilitate a funds transfer.
  - Request for fee payment to process a job application or procurement service.
  - Request for personal information or for remote access to your computer to remediate an issue such as a virus infection or compromised account.
Scam attempts typically request data such as the user’s name and address; Social Security number; account numbers and passwords; and bank account and credit card information. Sometimes the scammer even asks for the account holder’s pet names, mother’s maiden name or similar private information used for password recovery.
How do I identify a scam?
- Scammers often attempt to spoof a UNFPA staff member, purporting to represent UNFPA in some capacity. Common techniques used by scammers include:
  - Spoofing a UNFPA address, by creating an email address that looks very similar to a legitimate email. Examples include:
    - masking a fraudulent address with a legitimate one,
    - adding a letter (e.g. @unnfpa[.]org), removing or replacing one letter with another, and
    - modifying the domain (e.g. @executive-unfpa[.]org).
  - Using UNFPA logos, or including attachments of [forged] official-looking documents (e.g. tenders, invoices, and conference agendas).
  - Attempting to create a sense of urgency and/or secrecy with the request.
- The following indicators can help detect a fraudulent email / message / call:
  - All official UNFPA correspondence should originate from a @unfpa.org address.
  - UNFPA does not send formal communication via WhatsApp or SMS.
  - UNFPA will always process payments through bank transfers, initiated from a designated UNFPA focal point.
  - UNFPA does not request payment through PayPal, cheque, or money transfers.
  - UNFPA does not request any information related to bank accounts or other private information.
  - UNFPA does not request payment for bank processing or handling fees.
  - UNFPA does not offer prizes, awards, funds, certificates, compensation for Internet fraud, scholarships or conduct lotteries through e-mail, mail or fax.
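The address-spoofing techniques and the @unfpa.org indicator listed above can be turned into an automated sender check. The following is an added example, not UNFPA's own tooling; the function names, the result labels and the `payments.example` domain are assumptions made for illustration.

```python
from email.utils import parseaddr

OFFICIAL_DOMAIN = "unfpa.org"  # the only official sender domain per the advisory


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'official', 'masked', 'lookalike' or 'other' for a From header."""
    # Accept defanged input such as unnfpa[.]org before parsing.
    display, addr = parseaddr(from_header.replace("[.]", "."))
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain == OFFICIAL_DOMAIN:
        return "official"
    # Masking: the display name shows the official domain, the real address does not.
    if OFFICIAL_DOMAIN in display.lower():
        return "masked"
    # One letter added, removed or replaced (e.g. unnfpa.org).
    if edit_distance(domain, OFFICIAL_DOMAIN) <= 1:
        return "lookalike"
    # Modified domain that still carries the name (e.g. executive-unfpa.org).
    if "unfpa" in domain:
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample headers; the two defanged domains are the advisory's own examples.
    for header in (
        "staff@unfpa.org",
        "focal.point@unnfpa[.]org",
        "events@executive-unfpa[.]org",
        '"procurement@unfpa.org" <pay@payments.example>',
    ):
        print(f"{classify_sender(header):10} {header}")
```

The check inspects only the text of the address, so an "official" result does not by itself prove that a message is authentic; unusual requests should still be verified through a trusted channel.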
What can I do to protect myself from a scam?
UNFPA strongly recommends that recipients of solicitations such as those described above exercise extreme caution in respect of such solicitations. Financial loss and identity theft could result from the transfer of money or personal information to those issuing such fraudulent correspondence.
- Verify requests. If you receive an unexpected or unusual request from a colleague or manager, call them through a trusted channel to verify the request.
- Be sceptical (but not hysterical). Be wary of unexpected communications that impose a sense of urgency.
- Use strong passwords and never re-use them. Use a unique password for each online account, including social media accounts. Passwords should be hard to guess, but easy to remember. Where possible, you should enable 2-Factor (or multi-factor) authentication on all your online accounts.
- Be cautious on social media. Social media is a place where many of us have “friends” we have never met – be suspicious of new friend or connection requests.
How should I respond to a scam?
Report suspicious activity immediately. Contact the UNFPA focal points below if you suspect fraud or any other perceived wrongdoing:
Supply chain management team on email@example.com
Information security team on firstname.lastname@example.org
Clients or suppliers can contact UNFPA’s Office of Audit and Investigation Services (OAIS) at:
Email: email@example.com or
Telephone: (+1) 212 297 5200
You may also report the scam to your local law enforcement authorities for appropriate action.