Nonprofit Accounting Basics

Is Your Data Protected for Phishing Attack?

Sep 30, 2020

No matter what kind of organization you run, if you use the internet, you are at risk of a cyberattack. Cyber criminals look for information such as contact lists, employee information, banking information, credit card numbers, etc.   

Phishing is a cyberattack that uses disguised email, telephone or text message as a weapon. Most phishing attacks are very targeted, personal, and compelling to recipients. Some closely mimic a legitimate company's email, by using a genuine email and changing the links. Other forms of phishing attack target senior executives and other high-profile individuals.

A typical phishing email comes in different forms that including the following:

  • Appears as an important notice, urgent update or alert with a deceptive subject line to entice the recipient to believe that the email has come from a legitimate source.
  • Contains messages that sound attractive rather than threatening, e.g. promising the recipients a prize or a reward.
  • Uses a forged sender's address or a spoofed identity of the organization, making the email appear as if it comes from the organization it claims to be.
  • Copies of contents such as texts, logos, images and styles used on a legitimate website to make it look genuine.
  • Contains hyperlinks that will take the recipient to a fraudulent website instead of the genuine links that are displayed, or attachments that contain a malicious link.
  • May contain a form for the recipient to fill in personal/financial information and will let recipient submit it.

Phishing attacks are so successful because humans are the weakest link in the security chain. Therefore, to reduce the threat, developing effective phishing awareness training to all levels of employees is vital. The training should focus on all types of phishing scams, be ongoing and updated, and involve simulated phishing schemes regularly sent to employees to see if they are susceptible to phishing attacks.

Organization should also establish a phishing response policy that requires all employees report any phishing scam they have detected or clicked on to minimize the damage and stop the spread of any malware downloaded in any system.