Avoid Getting “Reeled In” While You Work from Home
One of the most significant changes that’s happening in the workforce during the Covid-19 crisis is the shift from working primarily in an office to working primarily (or exclusively) from home. With this change comes a new landscape of IT obstacles to navigate, including increased security threats, especially in the form of phishing campaigns.
“Phishing” refers to an attempt by attackers to obtain sensitive information and login credentials, and it is the most common type of cyber-attack on nonprofits. Typically, a “phisher” sends emails containing links to look-alike sites that mimic a real login page in the hope that an unsuspecting employee or volunteer will try to log in. Because the attacker controls that page, any user name and password typed into it goes straight to them.
Once an attacker holds a user’s credentials, they have the same access to the account, and to any sensitive data stored in it, that the user has. Phishing campaigns that once focused mainly on finance software increasingly target software as a service (SaaS) platforms such as Office 365. A stolen login for one of these services exposes every document and file stored there, so a great deal of valuable information is at risk. A compromised email account is especially dangerous: the attacker gains the contact list, can request password resets for other services tied to that mailbox, and can send convincing phishing to colleagues from a trusted address, so the threat can spread quickly through an organization and wreak havoc.
One of the most common phishing tactics is for the attacker to pose as the Executive Director/CEO or a board member. For instance, you might receive an email apparently from the CEO with a forged invoice to pay or instructions to transfer money to a new vendor or partner. Sometimes the email asks the recipient for a “quick favor”, with the emphasis on getting the task done urgently so that no red flags are raised; often the favor is buying gift cards and sending back the codes, or sending money orders. Because the message appears to come from a senior person, the impersonation can be extremely effective, and if the recipient falls for it the attackers make an immediate profit.
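The three warning signs described above (mail that comes from outside the organization, a display name that claims an executive role but belongs to an outside address, and a link whose visible text or domain imitates a real login page) can be checked mechanically. The script below is an added example written for this page, not code from the original article or from any vendor; the organization domain, the trusted service domains, and the sample message are all constructed for illustration.

```python
"""Triage checks for a suspicious email (added example, not part of the article).

Checks: an "EXTERNAL:" subject tag for mail from outside the organization, a
display name claiming an executive role from an outside address, and links
whose shown text or domain imitates a real login page. All names are samples.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example-nonprofit.org"        # assumed: the nonprofit's own mail domain
TRUSTED_DOMAINS = {"microsoftonline.com", "microsoft.com", "office.com", "google.com"}
ROLE_WORDS = ("ceo", "director", "chair", "board member", "treasurer")

# Constructed sample: "Executive Director" impersonation from a webmail account,
# with link text showing the real Microsoft login while the href points elsewhere.
RAW_MESSAGE = b"""\
From: "Pat Rivera (Executive Director)" <pat.rivera.ed@webmail.example>
To: finance@example-nonprofit.org
Subject: quick favor
Content-Type: text/html; charset="utf-8"

<p>Are you at your desk? I need this invoice paid before 5pm:</p>
<p><a href="https://login-office365.example-nonprofit.org.attacker.test/auth">https://login.microsoftonline.com</a></p>
"""


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def host_of(s):
    """Host of a URL, or of a bare host name used as link text; '' if neither."""
    s = s.strip()
    if " " in s or "." not in s:
        return ""
    parsed = urlparse(s if "://" in s else "//" + s)
    return (parsed.hostname or "").lower()


def registrable_domain(host):
    """Naive eTLD+1 (last two labels); a public-suffix list is needed for co.uk-style suffixes."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, to catch micros0ft.com / rnicrosoft.com style names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(host, trusted=None):
    """Why `host` resembles a trusted or org domain without actually being one."""
    trusted = (trusted or TRUSTED_DOMAINS) | {ORG_DOMAIN}
    reg = registrable_domain(host)
    if reg in trusted:
        return []
    reasons = []
    for t in trusted:
        if t in host:                      # real name buried inside a longer attacker host
            reasons.append(f"{host!r} embeds {t!r} but its registrable domain is {reg!r}")
        elif edit_distance(reg, t) <= 2:   # typo-squat or digit/letter substitution
            reasons.append(f"{reg!r} is within 2 edits of {t!r}")
    return reasons


def triage(raw):
    """Return the tagged subject and a list of findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    external = sender.domain.lower() != ORG_DOMAIN
    subject = ("EXTERNAL: " if external else "") + str(msg["Subject"])
    findings = []
    if external and any(w in sender.display_name.lower() for w in ROLE_WORDS):
        findings.append(f"display name {sender.display_name!r} claims a role but "
                        f"the address {sender.addr_spec} is outside {ORG_DOMAIN}")
    body = msg.get_body(preferencelist=("html", "plain"))
    for href, text in extract_links(body.get_content() if body else ""):
        target, shown = host_of(href), host_of(text)
        if shown and shown != target:
            findings.append(f"link text shows {shown!r} but points to {target!r}")
        findings.extend(lookalike_reasons(target))
    return {"external": external, "subject": subject, "findings": findings}


if __name__ == "__main__":
    for finding in triage(RAW_MESSAGE)["findings"]:
        print("-", finding)
```

Run as a script it lists the three findings for the sample message: the role claim from an outside address, the link text that does not match its target, and the organization’s own domain buried inside an attacker-controlled host. The same checks are what a mail filter or an “EXTERNAL:” tagging rule applies on the server side; the naive registrable-domain logic is deliberately simple and should be replaced by a public-suffix list in production.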
The risk of phishing and other attacks is heightened in the nonprofit sector, where working from home has become the norm and new technology platforms are being rolled out quickly to address new challenges. The growing number of phishing attacks targeting nonprofits costs organizations across the country billions of dollars. It’s critical to remain aware of these kinds of scams, train employees to recognize suspicious communications, and, when a suspicious message does arrive, do the following:
- Don’t engage: do not reply to the message, and definitely do not click any links or download any attachments
- Report it: alert your IT team and your email provider. Most email clients and services have a built-in “report phishing” button; use it, because it feeds the provider’s filtering as well as your own team. Agree with your organization on a procedure for reporting suspicious communications, and make sure staff follow it.
- If a suspicious email appears to come from a known contact, alert that person through a different channel: start a new email, send a text, or call them to ask whether they sent the message, and let them know their account may have been compromised. Do not reply to the suspicious email, and do not forward it – that just spreads the risk.
- Finally, delete the email and remain vigilant for further phishing and hacking attempts.
Best practices for nonprofits to avoid falling victim to phishing include robust prevention measures. What infrastructure can a nonprofit focus on to safeguard against phishing?
- Make sure staff know to use a unique, strong password for each platform; a password manager is the practical way to do this. Then, if the login for one service is compromised, the attacker does not automatically hold the password for every other platform.
- Use a spam filter that screens incoming mail for fraudulent messages and malware.
- Keep all software current with the latest security patches and updates.
- Consider tagging the subject line of mail that arrives from outside your organization with text such as “EXTERNAL:”, so that staff can immediately spot a message that claims to come from a colleague or executive but actually originates elsewhere. Both Microsoft 365 and Gmail support this through their administration settings.
- Use multi-factor authentication (MFA) for every login that supports it. An authenticator app or a hardware security key is stronger than codes sent by text message, and a FIDO2 security key also defeats look-alike login pages, because it will not complete a login for a site other than the one it was registered with.
- Encrypt sensitive organizational data, both in storage and in transit, so that a stolen device or an intercepted file does not expose it.
- Consider creating a comprehensive information security policy to address cyber threats.
What training should you give your staff? Make sure everyone on your team, including volunteers, knows what phishing attempts look like. Running through scenarios and outcomes as a team is a valuable practice. You should also regularly go over appropriate responses and protocols for reporting cyber security threats. You may also consider having your IT team send “test” phishing emails periodically to see where weak spots may be in your organization’s response and handling of these security threats.
The reason phishing is often successful is because it takes people by surprise. Knowing what to look out for helps everyone be prepared to respond correctly when a suspicious email appears in their inbox.
By staying aware and vigilant about different types of technological security threats, you can stay one step ahead of these bad actors and keep your organization and data safe, even when you’re working from home.