Phishing Attempts are Getting Craftier Leaving Nonprofits More Vulnerable Than Ever: Here’s Everything You Need to Know About Information Security

What do hackers do when they go on vacation?

They go phishing

Fishing is all fun and games until you become the fish.

You’re swimming along minding your own business, see a delicious worm swirling freely in the water, and take a bite. You instantly realize the worm is actually a piece of rubbery plastic, but by that point, it’s too late...you’ve already taken the bait.

Hook, line, sinker.

Phishing is no different.

Phishing is when an attacker sends a fraudulent message that is designed to trick you into handing over personal or confidential information. If you fall prey to their tactics, your computer can be taken over, your information stolen and publicly broadcast, or your systems locked up by ransomware.

Although online hacking isn't anything new, it’s grown craftier over the years as technology has progressed. Like any virus, once remedies are found it grows stronger and stronger, in hopes of doing even bigger damage on its next attack.

This is a huge threat happening to businesses, organizations, and individuals across the world.

But I’m not at risk, I’m super tech-savvy…

But I’m safe, I’m part of a small organization…

But I’m not targeted, I don’t have loads of money...

Sound familiar?

Well, before you think you’re in the clear, take a look at these common misconceptions.

Top 3 Misconceptions regarding phishing attempts

1. Phishing emails are easy to detect

How hard could it be? Just look for misspelled words, ridiculous URL addresses, or obviously fake attachments, right?

Wrong.

Just as awareness of phishing attacks has increased in recent years, so have hackers’ tactics. Knowing people have caught on to their schemes, phishers now feel the pressure to be even more creative in order to fool even the most vigilant.

Hackers spend countless hours looking for ways to dupe their victims into releasing their personal or sensitive information. Many of these hackers have backgrounds in computer programming and design and are experts in making their emails look and feel legitimate. 

Some hackers even have grammar-correcting programs or hire copywriters to ensure their words are spelled correctly and their messaging clear, making their emails that much more appealing.

The bottom line is this: it can be difficult to determine if an email is genuine.

2. Only large companies are at risk for phishing attempts

While any company can be vulnerable to this type of attack, small to medium size companies are particularly vulnerable.

Believe it or not–larger corporations aren’t necessarily the top pick for hackers.

Seeing themselves as the obvious target, large companies invest the time, resources, and tools it takes to protect themselves.

So who are the more likely targets?

Smaller businesses and nonprofits who don’t have that security in place.

Big companies have big budgets. This means they can afford to pay an entire team devoted to handling cybersecurity. At smaller organizations, like local nonprofits, this role is played by a one-size-fits-all person who is probably wearing multiple other hats. Most likely, they aren’t specifically trained to handle cybersecurity and can only devote a certain amount of time to the issue. 

According to a study from the Ponemon Institute, 1 in 3 small businesses report having no single function in their company that determines IT security priorities. And to make matters even more concerning, a BullGuard study shows that 60% of these surveyed owners don’t think their businesses are a likely target for cybercrimes.

To put it plainly–hacking smaller organizations offers low risk and high returns for cybercriminals.

3. Hackers only go after people/companies with a lot of money

Hackers are motivated by one thing: profit.

But there’s more than one way to skin a cat…

Access to your information is actually the number one way for hackers to make money. One of the most recent developments in accomplishing this (and arguably the most threatening) is known as ransomware.

Ransomware is an ever-evolving piece of malware designed to encrypt files on your device. Once your files are encrypted, the hackers demand payment for the key to unlock them, and threaten to expose your confidential information on the Dark Web if you don’t pay.

Sounds like a hostage situation, doesn’t it?

Well, that’s because it is.

Your information is the hostage, and your money is the ransom.

Here’s how ransomware could play out…

You receive an email with a link in it, and you click it. From there, a couple of things could happen. The link you clicked could launch malware that encrypts your files and locks you out of your computer completely. Or, the link you clicked leads you to what looks like a trusted website asking you to log in or type in your password. In either case, the hacker now has access to all your data. Your accounts, your passwords, your personal information, and even confidential information like the medical history of clients, or donor information from nonprofits.

True to its name, the hacker will then demand ransom money to release your device or your password (anywhere from thousands to millions of dollars). A countdown clock shows up, and every time that clock hits zero the ransom amount increases. If this happens too many times without the money being sent, your information is put on the web for everyone to see.

Some larger companies who get hit with this attack could pay the ransom and still financially recover…

But for nonprofits, this would be game over.

If a hacker got access to your “secured” donor information, you can say goodbye to donor trust. If donors can’t trust that you handle your resources wisely and securely (even something as little as donor information) you’ll lose them for life. With no donors to help you recover, you are inevitably tanked.

But here’s the good news–there are things you can do as an organization to help protect your information and boost your cyber security.

How to protect your organization from phishing attacks:

1. Train all employees and volunteers on how to spot phishing emails.

Although these emails are becoming savvier and harder to decipher, there are still a few obvious phishing signs to look for in unexpected emails.

  • Does it induce a fear response?

  • Does it create a sense of urgency?

  • Does it feel personal or come from someone you know?

  • Does it have misspellings, odd grammar, or awkward URLs?

  • Does the domain match the domain of the company/site it’s being sent from?

  • Does it have an attached link asking you to click it?

  • Does it ask for personal information?
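The checklist above can be turned into a first-pass screening script. The following is an added example, not code from the original post or from Serve Denton: it parses a raw email with Python’s standard library and reports which of the signs above it finds (a Reply-To that points somewhere other than the sender’s domain, urgency or fear wording, requests for credentials, links whose visible text claims one domain while pointing to another, and links leading off the sender’s domain). The phrase lists and both sample messages are constructed for illustration and use reserved `.example` domains; they are assumptions, not a vetted detection corpus.

```python
"""Heuristic check of an email against the phishing-sign checklist (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrase lists are illustrative assumptions, not a vetted detection corpus.
URGENCY = ("urgent", "immediately", "within 24 hours", "final notice", "act now")
FEAR = ("will be suspended", "will be closed", "legal action", "unauthorized access")
CREDENTIAL = ("password", "verify your account", "login credentials", "social security number")


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value: str) -> str:
    """Host part of an email address or URL, lowercased ('' if none)."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    return (urlparse(value).hostname or "").lower()


def _same_org(host: str, sender_host: str) -> bool:
    """True when host is the sender's domain or a subdomain of it."""
    return host == sender_host or host.endswith("." + sender_host)


def phishing_indicators(raw: str) -> list:
    """Return (indicator, detail) pairs; an empty list means nothing tripped."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    sender_host = _host(parseaddr(msg.get("From", ""))[1])

    # Reply-To pointing somewhere other than the sender's own domain.
    reply_host = _host(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_host and not _same_org(reply_host, sender_host):
        flags.append(("reply_to_mismatch", f"{reply_host} != {sender_host}"))

    # Prefer the HTML body so links can be inspected; fall back to plain text.
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    links = []
    if body_part is not None and body_part.get_content_subtype() == "html":
        extractor = _LinkExtractor()
        extractor.feed(body)
        links = extractor.links
    text = re.sub(r"<[^>]+>", " ", msg.get("Subject", "") + " " + body).lower()

    # Fear, urgency, and requests for personal information.
    for name, phrases in (("urgency", URGENCY), ("fear", FEAR), ("credential_request", CREDENTIAL)):
        hits = [p for p in phrases if p in text]
        if hits:
            flags.append((name, ", ".join(hits)))

    # Links whose visible text names one domain but go to another,
    # and links that lead off the sender's own domain.
    for href, shown in links:
        href_host, shown_host = _host(href), _host(shown)
        if shown_host and shown_host != href_host:
            flags.append(("link_text_mismatch", f"shows {shown_host}, goes to {href_host}"))
        if href_host and not _same_org(href_host, sender_host):
            flags.append(("link_off_domain", href_host))
    return flags


# Constructed sample messages (reserved .example domains), not real mail.
SAMPLE_PHISH = """\
From: "Nonprofit Helpdesk" <helpdesk@nonprofit-support.example>
Reply-To: collections@mailer-x.example
To: staff@nonprofit.example
Subject: URGENT: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox password expires within 24 hours.</p>
<p>Please <a href="http://login.mailer-x.example/verify">https://nonprofit.example/login</a>
to verify your account and keep your login credentials active.</p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "IT Helpdesk" <helpdesk@nonprofit.example>
To: staff@nonprofit.example
Subject: Lunch-and-learn next Tuesday
Content-Type: text/plain; charset="utf-8"

The training calendar is posted on the intranet. See you there.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

A script like this is a training aid and a triage helper, not a filter: a message that trips no indicator can still be malicious, and the "personal" sign on the checklist (a message that appears to come from someone you know) needs a human who knows the sender.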

2. Ensure your passwords are strong.

Strong passwords should be a minimum of 15-20 characters and contain lowercase letters, uppercase letters, numbers, and symbols. Passwords should never contain anything that someone can learn about you (street addresses, family names, phone numbers, etc.) and should never be reused across multiple accounts.

But although password strength is critical, it’s simply not enough. 
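Here is the password guidance above expressed as a check a password manager or onboarding script could run. It is an added example, not code from the original post or from Serve Denton. It assumes the 15-character lower bound the post gives, the four character classes it names, a list of personal details supplied by the user (constructed here), and a set of fingerprints of passwords already in use on other accounts so reuse can be caught. It goes one step beyond the text by also catching personal details disguised with common letter-for-number substitutions.

```python
"""Password policy check following the guidance above (added example)."""
import hashlib
import re
import string

MIN_LENGTH = 15  # the post's lower bound
# Common substitutions, so "3lmStr33t" is still recognised as "Elm Street".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def _normalize(s: str) -> str:
    """Lowercase, undo common substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", s.lower().translate(LEET))


def fingerprint(password: str) -> str:
    """Digest used only to spot reuse inside one vault; not how passwords are stored."""
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(candidate: str, personal_terms: list, used_fingerprints: set) -> list:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = {
        "lowercase": any(c.islower() for c in candidate),
        "uppercase": any(c.isupper() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "symbol": any(c in string.punctuation for c in candidate),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))

    # Personal details: match the raw text (catches phone numbers) and the
    # letter-normalised form (catches "3lmStr33t" for "Elm Street").
    low, norm = candidate.lower(), _normalize(candidate)
    for term in personal_terms:
        t_low, t_norm = term.lower(), _normalize(term)
        if t_low in low or (len(t_norm) >= 4 and t_norm in norm):
            problems.append(f"contains personal detail '{term}'")

    if fingerprint(candidate) in used_fingerprints:
        problems.append("already used on another account")
    return problems


# Constructed sample profile for demonstration only.
PERSONAL = ["Elm Street", "Rover", "555-0142"]

if __name__ == "__main__":
    for pw in ("Summer2023!", "3lmStr33t!Home2024Ab", "correct-Horse7batteryStaple!"):
        print(pw, check_password(pw, PERSONAL, set()))
```

The fingerprint is only a convenience for detecting duplicates among passwords the organisation already holds in its own vault; real credential storage uses a slow, salted password hash, which is a different problem from the one this check solves.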

3. Require multi-factor authentication on all accounts in your organization. 

Multi-factor authentication goes beyond just typing in your password. It adds a further step such as answering personal questions, having a code sent to your personal device, or entering a PIN. This is the single best way to protect your organization because even if hackers get working passwords, they won’t get in without the additional authentication factors.

This should be implemented by every single staff member on every single account.
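To show what "a code sent to your device" looks like on the verifying side, here is an added example (not code from the original post or from Serve Denton) implementing the time-based one-time password scheme of RFC 6238 that authenticator apps use, with HMAC-SHA1 from Python’s standard library. The assumption is that the second factor is an app-generated code rather than an SMS message; the verifier accepts one 30-second step of clock drift either way and refuses to accept a code from a time step it has already accepted, so a code captured by a phishing page cannot be replayed after the victim has used it. The secret below is the RFC’s published test key, not a real credential.

```python
"""TOTP (RFC 6238) code generation and verification (added example)."""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30     # seconds per code
DIGITS = 6
WINDOW = 1    # accept one step of clock drift on either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None) -> str:
    """The code an authenticator app shows at Unix time `at` (now if omitted)."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // STEP)


class TotpVerifier:
    """Server-side second-factor check with drift tolerance and replay rejection."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._last_counter = -1  # highest time step already accepted

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        t = int(time.time()) if at is None else at
        counter = t // STEP
        for candidate in range(counter - WINDOW, counter + WINDOW + 1):
            if candidate <= self._last_counter:
                continue  # never accept a code from a step that was already used
            if hmac.compare_digest(hotp(self._secret, candidate), code):
                self._last_counter = candidate
                return True
        return False


# RFC 6238 test key (ASCII "12345678901234567890"); a real secret is random per user.
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    verifier = TotpVerifier(TEST_SECRET)
    code = totp(TEST_SECRET, 59)
    print("code at t=59:", code)
    print("first use accepted:", verifier.verify(code, 59))
    print("replay accepted:", verifier.verify(code, 61))
```

In a deployment the per-user secret is generated randomly at enrolment and stored server-side, and the `_last_counter` value must be persisted per user so that the replay check survives a restart.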

4. Manage staff-wide passwords and change them regularly.

Cyber criminals are ever evolving, as are their tactics. Your passwords need to be ever evolving too.

It’s recommended to change your passwords every three months, according to a post from Business Insider. Yes, that’s a lot to remember, so invest in a password manager like LastPass where you can store encrypted passwords online.  

5. Have a unique server, wifi, or VPN.

Simply put, shared servers aren’t safe.

It’s extremely important to have each server on a segregated network, and to put all externally exposed systems behind a Virtual Private Network (VPN).

6. Invest in a managed service provider.

Find a reputable company that can standardize your software and hardware and monitor your computers as a third-party entity. They will be able to watch for unusual network activity and can spot an attack and shut it down before things go from bad to worse.

It can be costly, but it’s worth it. Honor your donors and clients by securing their information and protecting their trust. 

7. Have anti-virus protection.

Anti-virus protection is a great safety net in case you download something phishy. This protection can help stop the virus before it completely takes over your computer.

After all, 95% of all hacks are due to user error, such as clicking things users weren’t supposed to click.

And lastly…

8. Know what to do if you receive a phishing email.


Think you might have received a phishing email?

  • Don’t click on any links, open attachments, or expand any included pictures

  • Don’t try to respond to the sender

  • Report the phishing email by forwarding it to the Anti-Phishing Working Group at reportphishing@apwg.org

  • Delete the email from your computer


These threats are nearer than you expect, and Serve Denton has seen their fair share of phishing emails. In the past few months alone they’ve received roughly 20 of these emails, some impersonating their CEO, while others falsely accuse and demand payment.

But here’s the good news...

Serve Denton is taking this threat seriously. Here’s what they’re doing:

Serve Denton has always done its part to keep its information secure. But seeing as these threats are becoming craftier and more frequent, we are taking our security to the next level.

Serve Denton is partnering with a third party managed service provider to standardize our hardware and implement the steps listed above. Each staff member is receiving front-end training on all the foundational aspects they need to know regarding cyber security and information protection. We are also implementing ongoing phishing training throughout the year in addition to our password policies and protocols.

Most critically, we are pivoting to guarantee both Serve Denton, as well as each of our partners, have their own private network to ensure security.

Being a trusted nonprofit is extremely important to us. We are taking the extra steps to honor our donors and make sure both their information and our systems are well protected. Serve Denton is doing our part to tighten our security as we continue to serve our partners and the community.

Is it time to boost your cyber security?

Contact Serve Denton about resources you can implement today and keep your donor information safe.
