Nonprofits, protect yourselves!
So what does “phishing” mean, anyway?
Let’s start by defining our terms:
- Phishing: Cybercriminals disguise an email so it looks like it’s from a legitimate organization. It asks you to click on a link or download an attachment. The link usually leads to a look-alike login or form page that captures your password or personal details; the attachment, if opened, installs malware that “could allow cybercriminals to take control of your computer, log your keystrokes, or access your personal information and financial data … ” according to internet security company Norton.
- Spear phishing: Like phishing, but it targets a specific individual or organization. For example, the fake email to you appears to be from your boss.
- Smishing: Phishing by SMS/text.
- Vishing: Phishing by telephone. (V is for Voice, not Vendetta.)
Is there more phishing happening now?
A report from Google showed that there were nearly 149,200 active phishing websites in January 2020. That number rose by 50% in February and then in March jumped to nearly 522,500, roughly 3.5 times the January figure. PC Magazine reported that a major factor was fake COVID-19 websites.
The goal remains the same. The crooks want you to click on a link that installs malware, or they want you to hand over personal information, such as your Social Security number. They are building the old scams around this new virus. Here are a few examples:
- The sender appears to be the CDC, WHO or another legitimate group. The subject line cites the COVID-19 pandemic (“2020 Coronavirus Updates”) and the text offers a link to get information or register for a service.
- The crook exploits the increased use of video conferencing software. Phishing emails come with attachment names that play on Zoom or Microsoft Teams.
- The email asks you to download the new workplace policy on COVID-19.
- The email says you are eligible for a $1,200 stimulus check or free COVID-19 home test kit if you just provide your Social Security number.
Phishing is not the only type of scam that preys on people’s fears. A crook might post a website that promises supplies such as masks or disinfectant, and then not deliver the supplies you’ve purchased. Or they might offer you the opportunity to invest in a promising cure.
What can we do to avoid getting hooked by the crooks?
You are your best first line of defense from shifty phishers. If you know what to look for and stay alert, you can avoid getting hooked. Here are some tips gathered from sources including TechSoup, the FCC and the European Union Agency for Cybersecurity:
Develop good email management habits. Approach emails deliberately and with suspicion, and go through steps to determine whether they are legit, such as:
- Only open email from known email addresses, and check the email address twice.
- Be suspicious of emails that insist you act now. Phishers will try to generate a sense of urgency that gets you to act first, think later.
- Sniff out suspicious terminology. Check for terms and language that are different from what you would normally expect, such as a colleague who suddenly addresses you by your full name, a generic greeting like “Dear Customer,” or spelling and grammar that don’t match how the sender normally writes.
- Check whether the domain name matches the organization the person claims to represent. Look at the actual address after the @ sign, not just the display name, and be alert to look-alike domains (extra words, hyphens or swapped letters). If the Reply-To address goes to a different domain than the From address, treat that as a red flag.
- Check the link before you click. Hover the mouse over the link (on a phone, long-press it) to reveal the real destination, or view the message in plain text so the underlying URL is shown instead of the clickable display text. The text of a link can say one address while the link actually goes somewhere else.
- If something looks suspicious, call or text your IT person, if you have one, to get their advice. Do not reply to the email.
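The three checks above (sender domain, Reply-To domain, and whether a link’s visible text matches where it really goes) can be applied mechanically to a saved message. The Python script below is an added example written for this article, not code from TechSoup, the FCC or any other source cited here. The email it analyzes is constructed for the demonstration, and the `.example` domains in it are made up; the two-label domain comparison in `org_domain` is a simplifying assumption (real tooling would use the Public Suffix List).

```python
"""Automated version of the 'check the sender, check the link' habits:
parse a raw email, compare the From and Reply-To domains, look for urgency
language in the subject, and compare each link's visible text with its real
destination. Example code added for this article; the message is constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name claims WHO, the real sender domain is a
# look-alike, replies go to a third domain, and the first link's text says
# who.int while its href points elsewhere. All domains are invented.
SAMPLE_EML = """\
From: "World Health Organization" <alerts@who-int-updates.example>
Reply-To: helpdesk@covid-relief.example
To: director@nonprofit.example
Subject: 2020 Coronavirus Updates - ACTION REQUIRED TODAY
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Director, you must register immediately.</p>
<p>Visit <a href="http://who-int-updates.example/login">https://www.who.int/covid-19</a> now.</p>
<p>Or read the <a href="https://www.who.int/emergencies">official page</a>.</p>
</body></html>
"""

# Phrases that try to make you act first and think later.
URGENCY = ("act now", "immediately", "action required", "urgent", "today", "suspended")
# Matches link text that looks like a URL or bare hostname; group 1 is the host.
HOST_IN_TEXT = re.compile(r"^(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?:[/?#].*)?$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def org_domain(host):
    """Last two labels of a hostname (www.who.int -> who.int).
    Assumption: a two-label approximation; real code should use the Public Suffix List."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def mail_domain(header_value):
    """Domain part of an address header, or '' if the header is absent or has no @."""
    _, address = parseaddr(header_value or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze(raw):
    """Return a list of (tell, detail) findings for a raw email message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Tell 1: replies are routed to a different domain than the apparent sender.
    from_domain = mail_domain(msg["From"])
    reply_domain = mail_domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply_to_mismatch", f"{from_domain} -> {reply_domain}"))

    # Tell 2: manufactured urgency in the subject line.
    subject = str(msg["Subject"] or "").lower()
    hits = [w for w in URGENCY if w in subject]
    if hits:
        findings.append(("urgent_subject", ", ".join(hits)))

    # Tell 3: the link text shows one organization's domain, the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.links:
        shown = HOST_IN_TEXT.match(text)
        real_host = urlparse(href).hostname or ""
        if shown and org_domain(shown.group(1)) != org_domain(real_host):
            findings.append(("link_mismatch", f"{text} -> {href}"))
    return findings


if __name__ == "__main__":
    for tell, detail in analyze(SAMPLE_EML):
        print(f"{tell:18} {detail}")
```

Run against the sample, the script reports all three tells; the second link, whose visible text is ordinary words rather than an address, is correctly left alone. Save a suspicious message from your mail client as a .eml file and pass its contents to `analyze` to get the same checks on a real message.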
To avoid phishing/smishing/vishing attempts in general:
- Never supply any personal or financial information or passwords to anyone by email, phone or text.
- Do not respond to calls or texts from unknown numbers, or any others that appear suspicious.
- Investigate before clicking links in a text message. If a friend sends you a text with a suspicious link that seems out of character, call them to make sure they weren't hacked.
- Visit websites by typing the domain name yourself, rather than clicking on a link. If you receive a certificate error while browsing, it’s a warning sign something isn’t right with the website.
To avoid COVID-19 phishing/smishing/vishing attempts:
- Be wary of third-party sources spreading information about COVID-19. Legitimate government agencies will never call you or email you directly for your personal information.
- Get your news from trusted sources such as reputable news sites and official government websites (.gov). Don’t treat a padlock or “https” as proof of legitimacy: it only means the connection is encrypted, and phishing sites routinely use HTTPS too. What matters is whether the domain itself belongs to the organization you expect.
- Know who built that COVID-19 mobile app before you download. Only get COVID-19 apps from health departments, hospitals and trusted sources.
Want a little practice? Can you spot a phishing attack? Take this quiz from Jigsaw, a company under Google’s parent Alphabet, to help you find out.
Check out this TechSoup blog post on keeping your nonprofit’s systems safe during COVID-19. It covers basic topics such as what to look for to identify phishing, but also topics such as how to harden your home computers and networks and how to set up a VPN. The post also includes links to software available at reduced cost to TechSoup members. Visit this page for a complete listing of all the resources for nonprofits affected by COVID-19.
Your organization may be eligible for donated or discounted software, hardware and services through TechSoup if it is a nonprofit, library or foundation in the United States. The TechSoup catalog includes more than 375 products from more than 100 companies such as Microsoft, Adobe, Cisco and more. To apply for a free membership, go here.