Phishing in the New Wild West: Identifying Email Risks to Your Association

The word “phishing” makes me uneasy for a few reasons. First off, the spelling is just … creepy. Second, it refers to one of the most popular and most damaging cybercrimes today. Third, it reminds me of the prog-rock band named Phish – and I’m not a fan.

Phishing has been a problem for businesses and individuals for a long time (in internet years), but really rose to the top of Americans’ radar in 2016 when Hillary Clinton’s campaign chair, John Podesta, had his email hacked with a phishing attack. It seemed to grab the attention of cyber-criminals too – phishing attacks are growing in the U.S. and Europe.

In many ways, the lawlessness of the internet today resembles the Wild West. We all should be ready for an attack at any time. Like the Wild West, the internet is a vast, unforgiving landscape populated largely by criminals and other ne’er-do-wells, and dotted with islands of stability and safety.

Its not much of an exaggeration; in 2017, cybercrime cost Americans more than $5 billion.

Last year, TSAE asked me to write about ransomware and what associations can do to defend themselves.

Now, we’re talking about phishing, and why it poses such a unique threat to associations.

Phishing and Spear-Phishing

The United States Computer Emergency Readiness Team (US-CERT) defines phishing as, “an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they have been sent from a legitimate organization or known individual. These emails often attempt to entice users to click on a link that will take the user to a fraudulent website that appears legitimate. The user then may be asked to provide personal information, such as account usernames and passwords, that can further expose them to future compromises. Additionally, these fraudulent websites may contain malicious code.”

That’s a major block of text, but it’s a great and exhaustive definition. If you skimmed over it, I cannot recommend strongly enough that you go back and read it.

Phishing costs American businesses about five hundred million dollars per year according to Forbes … and its only getting worse. The sophistication, number, and cost of attacks is increasing every year.

While most attacks in previous years were directed at major private businesses, attacks are now spreading to small businesses, governments, and nonprofit organizations.

In the modern Wild West, pretty much anyone is a target.

From truck drivers to high-ranking political players as we mentioned before, as soon as one’s guard is down, they can be exploited. But I believe that associations are particularly vulnerable.

Why?

The association industry – more so than just about any industry – is driven by people-people for people-people.

Associations want to work quickly for their members and colleagues and to be as helpful as possible. They want to connect people to the information they want or need in a timely fashion. And everyone who works in an association gets bombarded with a seemingly endless number of emails every day, meaning that slowing down is rarely an option.

And this is where things get even more devious.

Associations are increasingly being targeted by a very specific and especially dangerous form of phishing: spear phishing.

I work in the association world as an IT professional, so I see this type of attack becoming more and more common.

The difference between phishing and spear phishing is in the effort the criminal puts in beforehand, and the precision of the attack.

While phishing involves throwing a generic message out to the world, hoping to get something from someone, spear phishing is specifically targeted at individuals, using information gathered from across the web, and requesting information that the attacker can and will use quickly.

Spear phishing is designed to seem as legitimate and personal as possible. Often, spear phishers will send emails that appear to be from a colleague or loved one, asking for sensitive information, in other cases, recipients are directed to a website containing dangerous codes that will turn the affected computer into a spam bot, or even read key-strokes to learn passwords.

That’s how an association’s great strength – their ability to bring people together – can become a major weakness.

Major Scams to Be Aware of

Let’s address the two most common scams that we see affecting associations.

Member/Board Member Scam

In more and more cases for associations, phishers send emails that appear to be from members and board directors.

Something I’ve heard from a number of associations is that “board members” send emails asking for login information for the association’s website or database. The phisher in this case may be trying to get access to association information or may be trying to get a password hoping that the board member uses the same password for everything; their association login, email, bank’s website, and credit card company.

If someone emails you asking for login information, please call them to confirm they really have forgotten their password.

IRS/W2 Scam

Another common scam popped up over tax season. The phisher in this case assumes the identity of an executive emails the victim, asking the recipient to send them the organization’s tax information.

Again, call this person to confirm; they’ll appreciate the minor inconvenience for the sake of protecting your organization, even if it really was them asking for the information.

In other cases, phisher impersonate the IRS, telling the recipient that they are due tax refund. Remember; “The IRS doesn’t initiate contact with taxpayers.” That’s from the IRS’s own website.

If you receive anything like this, please forward that email to phishing@irs.gov.

Context is Key

Obviously, context is always important, but when it comes to avoiding cybercrime, it is paramount.

Here’s an example; you and your coworker Stacey have been discussing a payroll inconsistency over lunch. After lunch, Stacey sends you an email asking for private, payroll-related information. In this case, you might assume that this really is Stacey, because you were just talking about this issue. You’d probably be safe just replying to that email. However, it’s also a good idea to get in a security-conscious mindset. It wouldn’t hurt to call Stacey (or walk over to her office) and ask if that really was her requesting that information.

Here’s another example; someone who is out on vacation emails you, asking for your organization’s credit card number. Call this person! There is no context to this email. Maybe they really did forget to make a purchase for the agency and decided to handle it during their vacation. But this type of email should set off all your cybercrime alarms.

It cannot be said enough; a minor inconvenience is worth ensuring the safety of your association.

Security breaches can be devastating, especially to small organizations that lack the resources to recover quickly. And unlike the Wild West, you can’t get a posse together to track down the criminal that attacked you.

Conclusion

So why am I giving you these personal action tips instead of telling you how to set your spam filter to stop these messages before they arrive?

Unfortunately, at least for the moment, phishing has outstripped our protective technology. You can’t easily black-list phishers; they can randomly generate new email addresses. Spam filters don’t usually catch phishing emails because those messages often don’t have flagged words or phrases like, “free” “great new deal” or anything to do with sex.

So, it’s up to us to stay alert and take time to verify if the person we’re talking to really is who they say they are.

Author Dallas Emerson is a TSAE member and the Technical Sherpa for The IT Guys (www.itguysusa.com), an IT support firm in Austin that helps nonprofits. He can be reached at dallas@itguysusa.com.

 

 

 

Photo credit: ©ISTOCK.COM/JANWILLEMKUNNEN

Leave a Reply

Your email address will not be published. Required fields are marked *

*