Phishing, spoofing, hacking. These are playful, interesting words – gerunds that describe something very serious: FRAUD. With e-mail so commonly used, it has become a favorite way to fraudulently obtain passwords, gain access to bank accounts, or even get a computer user to grant complete access to that machine.
So how do you educate your nonprofit staff to understand what these threats are and identify them?
Your staff is probably familiar with some of these – a long-lost relative in another country who left millions, and all the executor of the estate needs is banking information to send that inheritance to the responder! A prince of a small country is trying to move some of his fortune and escape to America, and if you can help, you will be rewarded!
These are some oldies-but-goodies; however, phishing scams have gotten better and smarter, and they will continue to do so. There was a time when these scams came filled with poor grammar, spelling errors, and writing that just seemed a little off. While those still exist, scams have become harder to detect.
Just recently a Netlink client responded to a phishing attempt (clicked on a link, and entered his/her password) and a hacker gained access to his/her e-mail account. The hacker got very close to successfully redirecting the company’s direct deposit transactions, but the attempt was stopped just short of a transfer of almost $40,000.
This is serious, and all organizations need to make sure that staff members, from the newest intern to the CEO, understand how these scams work and how to identify and prevent breaches.
The two most common scams are spoofing and phishing:
Phishing: An e-mail from a seemingly known source – but it isn’t – and it wants your information.
Netlink’s clients see these all the time. Microsoft needs you to click this to “authenticate that this really is your e-mail.” But look a little closer – you might need to hover the mouse over the sender – and you’ll see that the sender is really something like firstname.lastname@example.org. Why would Microsoft send from a Hotmail account? They wouldn’t. That’s the first step. Make sure that the domain an e-mail actually comes from (the part after the @ sign) belongs to the company it says it is from. PayPal doesn’t send from @somerandomname.com. It sends from PayPal.com, and only PayPal.com.
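The sender-domain check described above, written out as an added example (not code from the original article or from Netlink): it looks past the display name to the part after the @ sign and compares it with the domains the claimed brand is expected to send from. The brand-to-domain table and the sample headers are constructed for illustration.

```python
"""Flag From: headers whose real sender domain does not belong to the brand
named in the display name (added example; table and samples are constructed)."""
from email.utils import parseaddr

# Constructed sample: domains each brand is expected to send from.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "paypal": {"paypal.com"},
}

def sender_domain(from_header: str) -> str:
    """Return the part after the @ of the actual address, ignoring the display name."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")

def domain_belongs_to(domain: str, allowed: set[str]) -> bool:
    """True if domain is an allowed domain or a subdomain of one.
    The suffix test is strict: 'paypal.com.somerandomname.example' does NOT match."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_sender(from_header: str) -> str:
    """Classify a From: header as 'ok', 'suspicious' or 'unknown-brand'."""
    display, _ = parseaddr(from_header)
    domain = sender_domain(from_header)
    claimed = next((b for b in BRAND_DOMAINS if b in display.lower()), None)
    if claimed is None:
        return "unknown-brand"   # display name does not claim a brand we track
    if domain and domain_belongs_to(domain, BRAND_DOMAINS[claimed]):
        return "ok"              # brand claimed and sent from its own domain
    return "suspicious"          # brand claimed, but sent from somewhere else

# Constructed sample headers, not real messages.
SAMPLES = [
    "Microsoft Account Team <security@microsoft.com>",
    "Microsoft Security <firstname.lastname@example.org>",
    "PayPal <service@paypal.com.somerandomname.example>",
    "PayPal <service@mail.paypal.com>",
    "Jane Doe <jane@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_sender(header):14} {header}")
```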
Spoofing e-mails – these e-mails look just like the ones from someone known and familiar.
This is harder to spot, and your staff needs to be aware that it’s possible. A well-known website can be cloned, or an e-mail can be manipulated to look as if it were from a person known to the recipient. The one thing that all these e-mails have in common is an attempt to gather sensitive information. If a member of your staff gets an e-mail from the president of the company asking for the main company bank account number, caution is his or her best friend. If a person is asking for something unusual, verify by telephone or in person.
On top of that, create a company policy that certain types of sensitive information should NEVER be sent via e-mail.
Top general e-mail subjects in phishing e-mails*, according to the CSO Contributor Network
- A delivery attempt was made
- UPS label delivery
- Change of password required immediately
- Unusual sign-on activity
- Staff review 2017
- Join my network on LinkedIn
- All employees: Update your healthcare info
*Source: What is phishing? How this cyber-attack works and how to prevent it. By Josh Fruhlinger, CSO Contributor Network
These e-mail subject lines are common, and the best way to prevent breaches is to communicate. Let your coworkers know about attempts, and remind your staff regularly to be aware of the e-mails that come to their inbox.
As an example, share this video from Huntington Bank on this topic: