By Anthony Hargreaves, MBT, CISA, CRISC
Not-for-profits (NFPs) rely heavily on the most current and innovative methods of communicating and receiving contributions from their supporters. Donor campaigns often use the latest social media platforms and payment methods as a means of staying up-to-date and securing important funds. NFPs and donors also increasingly rely on their smartphones as a preferred communication tool and as a means of managing their lives, business, relationships, and finances. Emails are still a life blood of communication, but text messages are becoming an easier, quicker method of staying in touch.
In this technologically connected environment, it’s more crucial than ever that your NFP’s IT and HR departments have a policy covering the use of smartphones (both from inside and outside of the organization), the risks they pose, and how email and text messages are used.
The public and businesses are becoming more aware of the threat of phishing emails and the recent spike in “spear phishing” attacks. Phishing emails are broad attacks that may be addressed to either your employees or your donors. Usually there’s a link in the email which, if clicked on, will either redirect the target to a bogus web site or potentially install malicious software on the user’s device.
Spear phishing is a more direct, focused attack in which the hackers incorporate personalized pieces of information they’ve gained via social engineering or digital profile harvesting. An easy way they accomplish this is by visiting your website, matching board-level executives with their LinkedIn profiles, cross-referencing this with Facebook profiles, and spoofing a website domain similar to your own. (Example: www.savelives.org becomes www.save-lives.org; notice the extra hyphen.)
With all that relevant information, hackers can then craft a convincing email to the finance or HR director that appears to come from a “board member” requesting sensitive information such as W-2s or a wire transfer. The hacker may even time this email for when they know the treasurer is on vacation thanks to vacation photos they’ve uploaded to social media or an airport check-in status update from their Facebook account.
All too quickly, our natural desire to help can prompt us to act and respond to what appears to be a legitimate work email. That response is what hackers are counting on to compromise your organization, cause you to lose valuable funds, or damage the trust your donors have in your organization.
As more people become aware of these types of phishing email attacks, and your IT department gets better at filtering them out, hackers are now moving towards targeting smartphones with “smishing” attacks. Smishing, short for SMS + phishing, consists of legitimate-looking text messages containing fraudulent links. Many people trust incoming texts more than they trust emails. Adding to this mix, many two-factor authentication (2FA) apps and banking organizations use your phone to send you legitimate authorization codes. It’s no wonder that hackers are using this “trust” factor as another way to target people and organizations.
These nefarious text messages may be disguised as an alert from your bank about suspicious activity or, for donors, as a bulletin update from their favorite NFP with a success story made possible by their donations. When you click on the link within the text message, it’s just like a link within a phishing email. You may be redirected to a bogus website or potentially allow malware to be downloaded onto your phone. It may even install a key logger to track everything you type and cause all the accounts associated with your phone to be compromised.
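As an added illustration, not taken from the original article or from Clark Nuber, here is a defensive check that an email or SMS gateway could run: it compares the sender’s domain, and the host of every link in a message body, against the organization’s own domain and flags lookalikes such as the hyphen-inserted save-lives.org described above. The organization domain, the homoglyph table, and the sample messages are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed: the organization's legitimate domain(s). A real deployment
# would load these from configuration.
ORG_DOMAINS = {"savelives.org"}

# Constructed: a small table of character swaps commonly used in lookalike
# names (digit zero for "o", "rn" for "m", and so on).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def normalize(name: str) -> str:
    """Fold the tricks lookalikes rely on: case, hyphens/dots, digit swaps."""
    name = name.lower().replace("-", "").replace(".", "")
    for fake, real in HOMOGLYPHS.items():
        name = name.replace(fake, real)
    return name


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one edit away from the real name is treated as a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host. This is a simplification; a public-suffix
    list would handle names like example.co.uk correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> str:
    """Return 'legitimate', 'lookalike', or 'unrelated' for a sender or link host."""
    host = host.lower().rstrip(".")
    for org in ORG_DOMAINS:
        if host == org or host.endswith("." + org):
            return "legitimate"  # the real domain or one of its subdomains
    reg = registrable(host)
    for org in ORG_DOMAINS:
        if org in host:
            return "lookalike"   # real name buried in a longer host, e.g. savelives.org.example
        org_name = normalize(org.rsplit(".", 1)[0])
        cand_name = normalize(reg.rsplit(".", 1)[0])
        if levenshtein(cand_name, org_name) <= 1:
            return "lookalike"   # hyphen inserted, letter swapped, or TLD changed
    return "unrelated"


def check_message(sender_host: str, body: str) -> dict:
    """Classify the sender's domain and every http(s) link found in the body."""
    findings = {"sender": classify_host(sender_host), "links": {}}
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        findings["links"][url] = classify_host(host)
    return findings


if __name__ == "__main__":
    # Constructed samples: a spoofed "board member" email and a smishing text.
    samples = [
        ("save-lives.org", "Please wire the funds today, details at http://www.save-lives.org/board"),
        ("", "Your gift made a difference! Read the story: https://sav3lives.org/story"),
        ("mail.savelives.org", "Board packet attached, see https://savelives.org/board"),
    ]
    for sender, body in samples:
        print(sender or "(sms)", "->", check_message(sender, body))
```

The check is deliberately conservative: anything on the organization’s real domain or its subdomains is accepted, and only hosts that are a single edit away from the real name, or that embed the real name inside a longer host, are flagged for review rather than blocked outright.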
Here are a couple of examples of what these smishing text messages may look like or lead to:
So how do you combat smishing attacks?
It’s become more crucial than ever for your NFP organization to have a cybersecurity program. This is a security awareness initiative that regularly provides information about the different security issues and risks your organization faces. At a minimum, you want to provide security awareness training when onboarding new staff and annual, ongoing training for current employees. Have some key IT security policies in place, such as:
- Information Security Policy (InfoSec)
- IT Acceptable Use Policy
- Bring Your Own Device Policy (BYOD)
- Security Incident Response Plan (SIRP)
Your board must do its due diligence and be regularly apprised of your organization’s security posture. It’s imperative to establish some regular cadence of communication and reporting. A key step for getting this process started is by performing a formal risk assessment. A risk assessment helps baseline the organization and provides visibility into the operations and risks your organization faces.
If your organization uses smartphone media technology such as Twitter, Facebook, or a donor app, then smishing will be a potential risk for you. How aware are you of the risks from an end user, IT department, finance, or brand perspective? The trust relationship your organization has with your employees and donors must be protected.
If you need some more information on this subject or want to talk with Clark Nuber about performing a risk assessment for your organization, please contact Anthony Hargreaves.
© Clark Nuber PS, 2018. All Rights Reserved