Everyone thinks phishing and ransomware attacks only happen to other people and organizations. If only. The ugly truth: an increasing number of phishing attacks happen at all levels of our organizations. But you can take steps to protect your chapters against cybersecurity attacks and breaches.
How Organizational staff, chapter and volunteer leaders, and members get phished
Last year, phishing emails were responsible for more than 90% of cyber attacks. It’s not surprising chapter members, and leaders take the phishing bait. Imagine trying to keep up with chapter business while busy with classes, studying, or work. Does this sound familiar?
“A [chapter] treasurer will get an email from what looks like a president requesting funds to be paid.”
Can you guess what might happen next?
Sometimes they recognize the ploy, but sometimes they don’t. The email looks like it’s coming from the president, but it might not be. Hackers use software that allows them to “spoof” someone’s email. You usually can’t tell the difference unless you inspect the email address in the ‘From’ field or the source code in the email header. Earlier this year, DelCor Technology Solutions explained how to spot a spoofed email and how to prevent it from happening to your organization or chapter.
Phishing emails don’t always request fund transfers. Usually, they try to trick you into opening an attachment containing malware or ransomware that will infect your computer and, if not stopped, your network.
Or they fool you into clicking on an URL for a compromised website hosting malicious code that is automatically downloaded to your computer and, eventually, your network.
Consequences of a cyber attack on chapters
In the best case scenario, if someone clicks on a bad link or opens a bad attachment, only their computer is infected. To get back to work, their hard drive must be wiped and files restored from a backup—an inconvenience at best. But that’s not how it usually works because their computer may be connected to a network and the malware spreads quickly.
A ransomware attack usually ends up encrypting everyone’s files, and everyone is locked out of their computer and network—an operationally and financially crippling scenario.
Files and data must be restored from backups, assuming the chapter has backups. If not, they have to pay the ransom which means setting up a virtual wallet to buy bitcoins—a process that can take up to five business days. Then, keep your fingers crossed that the hackers unlock the files because sometimes they don’t.
Meanwhile, it’s quite possible that data could be compromised or stolen—and you have to let those affected know. If organizations don’t secure payment information in a PCI-compliant manner, they can also be held in violation of PCI regulations.
Cybersecurity attacks can bankrupt organizations. They never recover from the interruption to operations, financial and legal liability, damage to their reputation, and loss of their community’s trust.
Don’t let your organization or chapter become a cyberattack victim. Learn how to prevent and prepare for the inevitable ransomware attack >>
How to help chapter leaders and members prevent phishing
Hackers get into networks because people make simple, but preventable, mistakes. But you can help chapter leaders, chapter members, and volunteer leaders take action to prevent phishing attacks.
1. Require compliance with Organizational standards and rules
One key component of preventing phishing is clarifying chapter financial guidelines, roles, and responsibilities. Beth Humphrey at the College and University Professional Association for Human Resources said:
“Establish procedures for processing payment requests [to] prevent fake payments from proceeding to the point of processing them.”
Instruct chapters to always follow their payment processing policy, for example, requiring two signatures for approval. They should also follow the rules for sharing member or attendee lists—another common phishing request.
2. Implement safe and sound practices
Even with all of the rules in place, humans still make exceptions (“just this one time”) and errors. The best way to prevent human error is to create an environment where it can’t happen. Implement chapter financial controls and technology that take the human error element out of the picture.
For example, chapters and national organizations may use a shared system for transferring funds (dues and other payments). An email request coming from outside the system would immediately be seen as suspicious by anyone, even a busy chapter leader.
Another over-looked area in many organizations, but particularly chapters, is backups. The reason ransomware is a death knell for so many organizations is because they don’t have up-to-date, comprehensive, and restorable backups of their data and files.
Too often, backups aren’t done frequently enough, aren’t stored in a secure location, and don’t contain all necessary files. And, if restoration of the backup has never been tested, how do you know it will work when you need it?
3. Provide security awareness training
Knowledge is strength. Strengthen the human firewall and cybersecurity incidents will decrease. Every organization should provide cybersecurity awareness training for its staff, as well as chapter and volunteer leaders. Make it a mandatory element in your leadership onboarding program.
It’s critical that everyone is familiar with some of the more common email red flags. According to security awareness training firm KnowBe4, some of the top most-clicked phishing email subject lines are:
- Security Alert
- UPS Label Delivery (tracking number)
- A Delivery Attempt Was Made
- Change of Password (or password check) Required Immediately
- Unusual Sign-in Activity
- Urgent Action Required
Other social engineering red flags are:
- Spelling and grammar errors in the email subject line, message and “From” address
- Awkward style of writing, either too distant or familiar for the supposed sender
- Requests for credentials like passwords or other sensitive information
Consider signing up for security awareness training programs like KnowBe4, or asking your technology partners if they offer security training.
4. Eliminate online vulnerabilities
Sometimes chapter members and volunteer leaders think their national organizations are responsible for exposing their email addresses to hackers. In reality, hackers use software bots to crawl the web looking for email addresses. When those addresses are on public pages, their job is made easier.
To minimize the security risks of displaying email addresses of chapter members and leaders, you could suggest two alternatives:
- Only list generic email addresses on the website, for example, [email protected] When leaders want to communicate with each other, they use a different, personalized chapter address like [email protected]
- Another option to minimize exposing personal email addresses is using an online contact form instead of displaying chapter leaders personal email addresses.
Another area of vulnerability is the type of software and website plugins used by chapters or members. To save money, they often choose free or inexpensive options. Unfortunately, these tools are free or inexpensive for a reason: they’re not always supported and updated (patched).
Some even deliver malware intentionally or unintentionally because of poorly written code. Peggy Hoffman, chapter expert and president of Mariner Management, said:
“The more connected we are, the more ‘con’nected we are.”
Don’t let your chapter and its members get conned, scammed, or phished. Help protect your chapter by being a resource, leader, and model for safe business practices and a security-aware culture.