1.866.245.5499
[email protected]
Log In

Help Chapters Defend Their Data & Dollars Against Phishing

Does your association need to defend against phishing attacks? Protect your chapters against attacks/breaches to defend their data and dollars.
Help Chapters Defend Their Data & Dollars Against Phishing
Help Chapters Defend Their Data and Dollars Against Phishing Attacks
2
By Mark Prevost Articles Associations

Help Chapters Defend Their Data & Dollars Against Phishing

Everyone thinks phishing and ransomware attacks only happen to other people and organizations. If only. A recent discussion in the ASAE Collaborate community confirmed the ugly truth: an increasing number of phishing attacks on chapters. But you can take steps to protect your chapters against cybersecurity attacks and breaches.

 

How chapter staff and volunteer leaders get phished

Last year, phishing emails were responsible for more than 90% of cyberattacks. It’s not surprising chapter leaders take the phishing bait. Imagine them trying to keep up with chapter business while busy at work. Kim Grimm, deputy director at the National Association for Catering and Events, said:

 

“A [chapter] treasurer will get an email from what looks like a president requesting funds to be paid.”

 

Can you guess what might happen next?

Sometimes they recognize the ploy, but sometimes they don’t. The email looks like it’s coming from the president, but it might not be. Hackers use software that allows them to “spoof” someone’s email. You usually can’t tell the difference unless you inspect the email address in the ‘From’ field or the source code in the email header. Earlier this year, DelCor Technology Solutions explained how to spot a spoofed email and how to prevent it from happening to your association and chapters.

How chapter staff and volunteer leaders get phished

Phishing emails don’t always request fund transfers, usually they try to trick you into opening an attachment containing malware or ransomware that will infect your computer and, if not stopped, your network.

Or they fool you into clicking on an URL for a compromised website hosting malicious code that is automatically downloaded to your computer and, eventually, your network.

 

Consequences of a cyberattack on chapters

In the best case scenario, if someone clicks on a bad link or opens a bad attachment, only their computer is infected. To get back to work, their hard drive must be wiped and files restored from a backup—an inconvenience at best. But that’s not how it usually works because their computer is connected to a network and the malware spreads quickly.

 

Ransomware Attack

A ransomware attack usually ends up encrypting everyone’s files. The entire staff is locked out of their computer and network—an operationally and financially crippling scenario.

Files and data must be restored from backups, assuming the chapter has backups. If not, they have to pay ransom which means setting up a virtual wallet to buy bitcoins—a process that can take up to five business days. Then, keep your fingers crossed that the hackers unlock the files because sometimes they don’t.

Chapters in Crisis: How to Handle & Prevent Chapter Cybersecurity Attacks

Meanwhile, employee, customer, and member data is compromised or stolen—and you have to let them know. If chapters don’t secure payment information in a PCI-compliant manner, they can also be held in violation of PCI regulations.

Cybersecurity attacks can bankrupt organizations. They never recover from the interruption to operations, financial and legal liability, damage to their reputation, and loss of their community’s trust.

Don’t let your association or chapters become a cyberattack victim. Learn how to prevent and prepare for the inevitable ransomware attack >>

 

How to help chapter leaders prevent phishing

Hackers get into networks because people make simple, but preventable, mistakes. But you can help chapter staff and volunteer leaders take action to prevent phishing attacks.

 

1. Require compliance with standard business rules

In the ASAE Collaborate discussion on chapter phishing, Sarah Maxwell, chapter administrator at the Project Management Institute, advised clarifying chapter financial guidelines, roles, and responsibilities. Beth Humphrey at the College and University Professional Association for Human Resources said:

“Establish procedures for processing payment requests [to] prevent fake payments from proceeding to the point of processing them.”

Instruct chapters to always follow their payment processing policy, for example, requiring two signatures for approval. They should also follow rules for sharing member or attendee lists—another common phishing request.

 

2. Implement safe and sound practices

Even with business rules in place, humans still make exceptions (“just this one time”) and errors. The best way to prevent human error is to create a working environment where it can’t happen. Implement chapter financial controls and technology that take the human error element out of the picture.

For example, chapters and National could use a shared system for transferring funds (dues and other payments). An email request coming from outside the system would immediately be seen as suspicious by anyone, even a busy chapter volunteer leader.

Implement safe and sound practices

Another over-looked area in many organizations, but particularly chapters, is backups. The reason ransomware is a death knell for so many organizations is because they don’t have up-to-date, comprehensive, and restorable backups of their data and files.

Too often, backups aren’t done frequently enough, aren’t stored in a secure location, and don’t contain all necessary files. And, if restoration of the backup has never been tested, how do you know it will work when you need it?

Encourage chapters to build periodic cybersecurity audits into their budget and operational plan. Besides the practical, preventative reason for doing this, financial auditors are now requiring proof that an organization isn’t at financial or legal risk due to insufficient attention to cybersecurity.

 

3. Provide security awareness training

Knowledge is strength. Strengthen the human firewall and cybersecurity incidents will decrease. Every association should provide cybersecurity awareness training for their own staff and for chapter staff and volunteer leaders. Make it a mandatory element in your leadership onboarding program.

Nancy Berson, director of geographic services at the American Society of Civil Engineers, teaches her chapter officers about email red flags. According to security awareness training firm KnowBe4, some of the top most-clicked phishing email subject lines for the second quarter of 2017 were:

  • Security Alert
  • Revised Vacation & Sick Time Policy
  • UPS Label Delivery (tracking number)
  • A Delivery Attempt Was Made
  • All Employees: Update Your Healthcare Info
  • Change of Password (or password check) Required Immediately
  • Unusual Sign-in Activity
  • Urgent Action Required

 

Other social engineering red flags are:

  • Spelling and grammar errors in the email subject line, message and “From” address
  • Awkward style of writing, either too distant or familiar for the supposed sender
  • Requests for credentials like passwords or other sensitive information

Consider signing up for security awareness training programs like KnowBe4, or asking your technology partners if they offer security training.

Provide security awareness training

4. Eliminate online vulnerabilities

Sometimes chapter staff and volunteer leaders think National is responsible for exposing their email addresses to hackers—an opinion that reveals much about the relationship and lack of trust between that chapter and National. In reality, hackers use software bots to crawl the web looking for email addresses. When those addresses are on public pages, their job is made easier.

To minimize the security risks of displaying email addresses of chapter staff and leaders, you could suggest two alternatives:

  1. Only list generic email addresses on website, for example, [email protected] When leaders want to communicate with each other, they use a different, personalized chapter address like [email protected]
  2. Jennifer Hedge, associate director of member engagement at the American Traffic Safety Services Association, suggested using an online contact form instead of displaying staff and leader email addresses.

Another area of vulnerability is the type of software and website plugins used by chapters. To save money, they often choose free or inexpensive options. Unfortunately, these tools are free or inexpensive for a reason: they’re not always supported and updated (patched).

Some even deliver malware intentionally or unintentionally because of poorly written code. Peggy Hoffman, chapter expert and president of Mariner Management, said:

 

“The more connected we are, the more ‘con’nected we are.”

 

Don’t let your chapters get conned, scammed, or phished. Help protect your chapters by being a resource, leader, and model for safe business practices and a security-aware culture.

 

Looking to connect with others about all things component relations?

CEX: The Component Exchange is officially on the books for October 13th! Hosted by Mariner Management & Marketing and Billhighway – Register now >>

Mark Prevost / About Author
Mark is known for his success in helping empower non-profit organizations across the U.S. and around the world to do more, multiply their impact, and grow. He regularly walks organizations through discovery processes that uncover internal obstacles, helping them identify and implement ways to more effectively run chapter-based organizations through process improvements and the use of innovative technologies. As a sought-after industry thought leader, he often speaks at leadership conferences, and regularly hosts educational roundtables and workshops in the non-profit sector.

Mark has an unrelenting passion in helping solve problems for mission-based organizations so they can better focus on their mission and expand their impact across the nation and around the world.
More posts by Mark Prevost

Related Posts

Vision concept in business with vector icon of businessman and telescope, monocular. Symbol leadership, strategy mission and objectives. Eps10 vector illustration.
Winning Back Relapsed Members: Solutions for Non-Renewal Reasons
9
04 Sep 2018
Social media concept banner. Flat style vector illustration.
Turn Chapter Members Into Social Media Influencers
5
31 Aug 2018
Group of paper planes in one direction and with one individual pointing in the different way. Business concept for innovative solution.
Chapter Member Engagement: Components as Innovation Incubators
5
03 Sep 2018
Chapter Roundtables
Member Engagement: The Best Engagement Program For Your Chapters
6
30 Aug 2018
secret of success flat design business concept
How to Retain Chapter Leaders by Preventing Burnout & Turnover
8
20 Aug 2018
Chapter Technology Tools You Can’t Live Without
5
13 Nov 2018
Are Your Association Chapters Reaching Their Highest Potential?
4
20 Aug 2018
Chapters: Are They Worth The Effort? A Chapter ROI Template
6
20 Jul 2018
understanding your 990s
The Buried Truth in Your Chapter 990s and How You Can Access It
11
02 Feb 2022
Beat the Heat with Auto-Renewals…They’ll Keep Your Staff Cool!
9
01 Aug 2017
AIGA Slack: A New Tool for Chapter Leaders
9
10 Jul 2017
The Chapter Playbook: Part 1 –Finances, Dues & Governance
10
14 Apr 2017
10 Warning Signs a Chapter Restructure May Be In Your Future
7
31 Mar 2017
Small Steps to Get Your Chapter Dues Process Under Control
6
15 Mar 2017
Show Some TLC to Your Chapter KPIs
7
23 Feb 2017