Within associations, paid staff and volunteers are often our most valuable resources. Our missions could not be carried out without the key people who believe in our goals and dedicate themselves to reaching them through our organizations. And yet, when dealing with the topic of cybersecurity, a common refrain is, “employees are the weakest link.” Could it be true: that your most valuable assets are also your most vulnerable security risk?
Sadly, it’s true; but before you accuse your personnel of malicious intent, consider that most people are not aware of the vast array of malicious activity that occurs on the web and particularly through email. And while our associations are striving to accomplish good, a well-funded infrastructure of evil exists whose sole purpose is to steal credentials and funds from unsuspecting organizations and businesses.
Phishing scams are deceptive messages that come in various forms, including email, phone calls, social media, or websites. Their designed intent is to steal information, and ultimately funds, by tricking a user into divulging confidential information.
While you may think that phishing scams would be easily recognized and refuted, security software giant Trend Micro reports that 91% of all attempts to penetrate your cybersecurity begin with a “spear-phishing” email that targets specific people in your organization.
While your association may employ secure email with firewalls and spam filters, criminals who are experts at infiltrating cybersecurity regularly send messages that appear trustworthy or demand an urgent response and fool unsuspecting users.
Some characteristics of the typical phishing email include:
Criminal experts at penetrating cybersecurity persistently devise new methods of capturing your association’s sensitive information from unsuspecting team members.
Spam filters and secure email are a great beginning, but associations should take additional steps to protect themselves and their shareholders.
The following protective steps against phishing scams are recommended:
Provide training for every team member in your association to educate them concerning the risks associated with phishing schemes. Warn them about offering confidential information or completing any banking transactions based on instructions received through an email.
If you have not already done so, establish association IT security policies and procedures about executing transactions and sharing confidential information. Write up your security policy and share it with your team members, especially those that have access to sensitive information.
Online banking systems now offer electronic security and authentication controls. These safeguards ensure that an individual initiating a funds transfer cannot also authorize the transfer.
With such a system in place, a wire transfer initiated by an unknowing team member cannot be executed until a second individual authorizes the transaction. Since it is highly unlikely that two team members would be equally fooled, this adds a layer of security to your association’s banking transactions.
Associations can also protect accounts by instructing team members to secure verbal authorization from the sender of an email before processing any transaction.
Although the demand for such actions in the email may be urgent, a verbal confirmation is usually impossible to obtain, thereby uncovering the scam and protecting your accounts.
If your organization regularly communicates or receives requests to process transactions through email, a private codeword or phrase can be established.
This security word or phrase would be included in all email transaction requests to validate secure emails. Choose a unique word or phrase not easily associated with your organization and known only to internal personnel.
When any team member receives a suspicious email, your IT staff should be notified immediately so that spam filters and firewall settings can be adjusted if necessary. Such actions can mitigate the risk of future messages potentially bypassing these measures and penetrating your email security wall.
If your association happens to fall victim to a phishing scam, it is vital that you investigate the source of the spam email quickly. The criminal cyber landscape changes rapidly to stay ahead of law enforcement, and any delay could hamper efforts to discover the source of the scam and prosecute the offenders.
58% of organizations saw phishing attacks increase in 2020. This is just one more reminder that your association’s cybersecurity measures should be constantly monitored and updated.
Discover how to protect your organization in our Ultimate Guide to Cybersecurity for Associations.