I regularly help Not for Profits reduce their cybersecurity risks through IT investments. However, last week, I had a personal experience that showed how cybercriminals are becoming more local and human while targeting Not for Profits.
I received an email from my Kayak Club’s President. It asked me to complete a task by clicking on a link.
I’m the Club’s Treasurer. So, it’s not unusual to get requests from the President.
Looks fairly legitimate, right? Only for me, it didn’t.
I wasn’t aware of a new task management system being implemented that would send me such a generic request. And our president is far more casual in his messages than that.
The sender’s email address also looked suspicious. So, rather than clicking on the link, I took a screenshot and texted it to Tom.
“Hey Tom, is this a legit message?”
“Nope, not at all. Where is that from?”
Tom’s response told me what I needed to know. I immediately sent a picture of the message (not the message itself) to the entire Committee to see if anyone else had received it. Interestingly, the answer was no.
We checked with our IT guy to see if there were any suspicious activities or evidence of a hack. Nope.
This message seemed to come through our normal contact page on the website – directed to the Treasurer.
What makes this phishing attack really concerning is that it was likely a human (or a very good AI version of a human) rather than a bot that did this.
Had I not spotted the clues of a phishing message, it’s highly likely that the link would have led to a page trying to convince me to transfer cash or disclose bank details.
Lessons learned from phishing attacks by cybercriminals:
- Question any email that doesn’t “quite” seem right, even from what may appear to be a legitimate source.
- When in doubt, take a photo and ask. Do NOT forward the email because someone may accidentally click on it.
- Alert your team immediately to warn them in case they, too, received similar messages.
- Check with your IT service provider to ensure that there hasn’t been a cybersecurity breach in your systems.
- Permanently delete the phishing email afterwards.
Finally, I’m questioning whether the contact page needs to identify the Committee members specifically, or whether we can place a more generic form on the website.
Because it’s an all-volunteer organisation, it may be too much work for the Secretary to redirect all emails to the correct place. However, perhaps we could use a drop-down form instead, one that makes the roles less obvious and is more focussed on the inquiry.
Nevertheless, if a human is willing to go to the trouble of sending a message with the signature block of our President to the Treasurer – any changes we make will only require one more step to find the necessary information.
Not for Profits – Beware!
I regularly help Not for Profits plan their future IT investments, including those required to reduce cybersecurity risks. Let me know if you need some help.
P.S. If you found this article helpful, you might want to read this one too: What are some cheap ways to enhance your organisation’s cybersecurity?
Tammy Ven Dange is a former charity CEO, Association President, Not for Profit Board Member and IT Executive. Today she helps NFPs with strategic IT decisions, especially around investments.
