The US Stamp Society (Usss) Got Scammed For $49,000

I didn't see this posted on SCF yet, and its certainly both newsworthy and disturbing.

https://www.linns.com/news/us-stamp...suffers-loss

Where I work, lots of money is spent educating employees to detect phishing emails, and what to do with them.

There is definitely a lesson in this.

I received a similar email, claiming to be from the president of the ISWSC (International Society for Worldwide Stamp Collectors) asking me to send money for veterans in hospice care because he was too busy to do it right now, but promising me the society would reimburse me.

This was an obvious forgery for several reasons:

1. The email address was not the email address of the person he was pretending to be.
2. I received several other emails scam artist, but their first emails were simple questions like, "Are you busy now, can you talk?"
3. Supporting injured veterans, while a noble cause, does not promote stamp collecting or any of these societies mission statements. Stamp societies
do not have large budgets and I find it unlikely they would just give their money away when several of them struggle to stay in the black.

It is my opinion someone is actively searching the membership roles of various stamp collecting organizations and actively targeting members, so we should all be aware.

Similar attempted attacks also are occurring in model railroad hobby organizations including several attempts to impersonate me. None resulted in a loss, although I am aware of a loss of about $5000 in a prior year of one organization, with previous leadership.

A variant of the attack asks the receiver to go to Target or a similar store, purchase gift cards, scrape off the backs to reveal redemption barcodes, and send a camera-phone picture of the barcodes to the scammer. When this occurs, the losses are not recoverable. The scammers immediately make online purchases using the codes, which Target considers legitimate redemption. No recourse exists.

Will they ever learn? We have all heard of these scams for years. Why not make a phone call to the other party to verify the identity and information requested. Oh yea, were all too busy to make a simple call because were too busy answering emails from "people we know". We all know the frauds that are being perpetrated. When it comes to any money, verify twice before doing anything.

Always sad to hear about things like this.

Cyber protection requires threes "Ps"; product, procedures, and people.

Product – Anti-virus and firewalls, stop the threats from entering the organization or home.

Procedures – Clear documentation on what to do and what not to do with emails, attachments, and file transfers

People – Training and education for users

All three "Ps" are required, if any one of them is missing or fails then the organization or home is at high risk. The 'weak link' with the three "Ps" is always the 'people'. No product or procedure is enough if you have some fool who insists on opening that email attachment or uses a password named 'password'. You cannot rely upon just 'products' to protect your home computer or organization, you have to train and count on people doing the right thing.
People got two chances at my company; first violation of IT procedures resulted in a warning and re-training. Second violation and the person was looking for a new job. Fifty thousand dollars is cheap compared to some of the damage and income loss that I have seen happen to some organizations.
Don

Anyone asking for gift cards is a sure giveaway.

In the USSS case, it was not a single event.

Is there a more detailed story about who was involved in this situation? Who could have such direct access to so much of the society's money? Is the person still with the society in such a position of responsibility? It is interesting how some stamp societies have a lot of money lying around. How much do they use for stamp research?

USSS Officials gave little information and appeared to "White Wash" the whole thing. How The Executive Body of themember ion several groups the USSS has handled it so far leaves a lot to be desired. They seem to be brushing everything under the rug. As a USSS Supporter, Contributor and supporter of otherSTudy Groups in the UPSS...there needs to be a full disclousure of who did what. when and how and need to put in place normal accounting safeguards to protect the club and its members Top Brass need to do some really explaining REAL FAST snd establish strong multi-level sign-off requirements, as is done in smarter organizations with better safeguards. YES, I am a member of the USSS, but that my change on how they handle this issue. So far, they get a grade of "F" in the way they are handling this.

Hal: I agree with what you said. The society should belong to all of its members. How some members may have easy access to society money is somewhat troubling. Whosoever is responsible for mishandling money should be held accountable in some way. Otherwise, members may start taking their support somewhere else. There are some organizations that have accumulated a lot of money over many years. Trying to get them to fund some philatelic research can be hard like trying to pull teeth.

Others have posted that this was not a single lapse in judgement or slip of a finger but rather occurred over a number of different incidents (with the same scammer). Frankly I find this even worse than someone making a single mistake and it certainly reflects a lack of check and balances in the organization. Hopefully they will revisit how the organizations works and retrain those who have this kind of control.

As a person who has strongly advocated philatelic organizations internally develop IT resources and expertise I continue to be mystified by outsourcing and the resistance to change. If the existing 'old school' resources are not willing to learn and evolve with the changing times they should be replaced. Imagine the devastation to an organization like APS/APRL if 'ransomware' were to get lose on their servers and lock all of their files.

As I mentioned above, no organization should reply solely upon AV software or firewalls; the weak link is people. Developing the proper user awareness and training skills is a large part of the justification of hiring good IT people.

Of course virtually every time I ever posted this kind of recommendation I got nothing but push back from 'old school' thinkers who do not want change. The default behavior is always to do exactly what was done yesterday and this is known by the 'bad guys'. They target organizations that are populated by those who are unwilling to change, run outdated operating systems and app software, and do things like outsource IT.
Don

A couple of weeks ago, I had sent an email to Roger Brody asking for an explanation and got a quick response. I will not post the response here but members should ask if they want to know. There was a little more detail. Safeguards have been added. The people involved are still in place.

According to the Linn's article, the loss was less than 10% of their total 2017 financial assets. Did this occur in 2017 and has just been recently publicized? Are future membership fees going to go up as a result of this? Is anyone responsible for this loss resigning?

There is nothing on the USSS website regarding this incident. I'd say they are not only ignorant in the area of IT but also in PR. Admit the mistake, state what measures are being taken to fix it, and do it quickly. Oh -- and apologize.

it was mentioned on page 244 in the June 2019 issue of the journal when it had a summary of WESTPEX meeting.