Within associations, paid staff and volunteers are often our most valuable resource. Our missions could not be carried out without the key people who believe in our goals and dedicate themselves to reaching them through our organizations. And yet, when dealing with the topic of cyber security, a common refrain is, “employees are the weakest link.” Could it be true, that your most valuable assets are also your most vulnerable security risk?
Sadly, it’s true; but before you accuse your personnel of malicious intent, consider that most people are not aware of the vast array of malicious activity that occurs on the web and particularly through email. And while our associations are striving to accomplish good, a well-funded infrastructure of evil exists whose sole purpose is to steal credentials and funds from unsuspecting organizations and businesses.
Phishing scams are deceptive messages that come in various forms, including email, phone calls, social media, or websites. Their designed intent is to steal information, and ultimately funds, by tricking a user into divulging confidential information. While you may think that such attempts would be easily recognized and refuted, security software giant Trend Micro reports that 91% of all attempts to penetrate your cyber security begin with a “spear-phishing” email that targets specific people in your organization.
While your association may employ secure email with firewalls and spam filters, criminals who are experts at penetrating cyber security regularly send messages that appear trustworthy or demand an urgent response and fool unsuspecting users.
Some characteristics of the typical phishing email include:
Criminal experts at penetrating cyber security persistently devise new methods of capturing your association’s sensitive information from unsuspecting team members. Spam filters and secure email are a great beginning, but associations should take additional steps to protect themselves and their shareholders. The following protective steps are recommended:
Provide training for every team member in your association to educate them concerning the risks associated with phishing schemes. Warn them about offering confidential information or completing any banking transactions based on instructions received through an email. If you have not already done so, establish association policies and procedures about executing transactions and sharing confidential information. Share these procedures and restrictions with your team members, especially those that have access to sensitive information.
Online banking systems now offer electronic security and authentication controls. These safeguards ensure that an individual initiating a funds transfer cannot also authorize said transfer. With such a system in place, a wire transfer initiated by an unknowing team member cannot be executed until a second individual authorizes the transaction. Since it is highly unlikely that two team members would be equally fooled, this adds a layer of security to your association’s banking transactions.
Associations can also protect accounts by instructing team members to secure verbal authorization from the sender of an email before processing any transaction. Although the demand for such actions in the email may be urgent, a verbal confirmation is usually impossible to obtain, thereby uncovering the scam and protecting your accounts.
If your organization regularly communicates or receives requests to process transactions through email, a private code word or phrase can be established. This security word or phrase would be included in all email transaction requests to validate secure emails. Choose a unique word or phrase not easily associated with your organization and known only to internal personnel.
When any team member receives a suspicious email, your IT staff should be notified immediately so that spam filters and firewall settings can be adjusted if necessary. Such actions can mitigate the risk of future messages potentially bypassing these measures and penetrating your email security wall.
If your association happens to fall victim to a phishing scam, it is vital that you investigate the source of the spam email quickly. The criminal cyber landscape changes rapidly to stay ahead of law enforcement, and any delay could hamper efforts to discover the source of the scam and prosecute the offenders.
In a 2015 survey, 39% of employees admit to opening emails they suspected might be a phishing scam or contain malware. This is just one more reminder that your association’s cyber security measures should be constantly monitored and updated.