In untargeted phishing, or targeted spear phishing, attackers send fake messages to trick users into revealing sensitive information such as financial data, or usernames and passwords. Attackers might try to trick you into sending money, steal your details to sell on, or they may have political motives for accessing your nonprofit’s information.
In the first post, we talked about how social engineering and phishing are extremely common forms of cyber-crime that often lead onto more serious and damaging attacks.
First – ensure that your users only have access to the data they need, so that if an attack is successful, the damage is reduced. Protect critical services like your email or finance systems with multi-factor authentication too; this means that if a password is taken, there is still a second layer of protection.
Many phishing attacks happen via email – so it’s important to protect against the most common form of attack. There are many email security services available, and most online providers such as Microsoft also offer email protection as part of their advanced suites. Whilst technical solutions help filter out some messages, other forms of phishing, such as via text message or social media, are still common and require a more proactive, people-focused approach.
Consider how someone might target your organisation and make sure that your trustees, staff and volunteers all understand ways of working so that it’s easier to spot requests out of the ordinary. Attacks are often simple – an email attachment that looks like an invoice, that when opened installs malware on the device, or a request to transfer money to someone pretending to be from your organisation.
Spotting phishing is a critical skill that everyone in your organisation should have – these are three methodical steps to see if a message is genuine:
It’s in the detail
Many scams are generated overseas and have poor spelling or grammar. Others will try to copy the colours, logos and fonts used by official organizations.
Does this message look like one you have received in the past – is the quality what you would expect of the organisation that sent you the message? Is the email addressed to you by name? Oftentimes language like ‘valued customer’ or ‘friend’ is used instead because the sender doesn’t know you, and this is an indicator that it could be a phishing message.
Authority and Urgency
Attackers want you to act fast, or without questioning. Does the message ask you to send details within a certain time, or to visit a website at once? Do they want to access your systems because of a virus and need you to act now?
Alternatively, is the message pretending to be someone high-ranking in your organisation, or a large beneficiary? Does the sender sound legitimate? What is the purpose behind the ask, and can you verify the request through another means, such as contacting their management directly?
If it’s too good to be true, it probably is.
Be wary of a large donation to be made, or promises of sponsorship, if you sign into a website they’ve sent you or if you provide your banking details.