Cybercrime is on the rise, and the association management industry is not immune.
This blog dives into the most common cybersecurity threats faced by associations, we’ll also explore actionable steps associations can take to protect themselves and their members from these ever-evolving threats.
EMAIL: PHISHING, SPOOFING, COMPROMISE, & ACCOUNT TAKEOVER
Generally, this is any type of unauthorized access to an email account. This access leads to unauthorized activities, impersonation, fraudulent emails, and financial losses.
Definitions:
Spam is any unsolicited email, instant message, or social media message. These messages are fairly easy to spot but can be damaging if you open or respond. Think of them like junk mail in your mailbox at your home and immediately put them in the trash.
Phishing is an email sent that is disguised as an email from a legitimate, trustworthy source. The message is meant to lure you into revealing sensitive or confidential information. These can be tailored to try to fool you with information from your website or social networking sites.
Spoofing describes an email in that impersonates another individual or organization, with the intent to gather your personal or business information.
Compromise and account takeover is when an unauthorized party gains access to your account and sends emails on your behalf that are malicious in intent. Once access is gained to your account, criminals can send unauthorized emails on your behalf to anyone in your contact book – colleagues, vendors, clients, personal contacts, etc. They will typically try to then gain access to the recipients’ accounts and the cycle continues.
Action:
- Conduct regular audits to identify any vulnerabilities in your people and in your systems and address them immediately. Don’t be afraid to consult an IT vendor for support.
VENDOR AND THIRD-PARTY COMPROMISES
- Even if your system is secure, third parties’ may not be. Third party systems (like vendors or clients) are often hacked resulting in fraudulent requests (invoices, account changes, etc.) or unauthorized access to your system resulting in the email risks outlined above.
Action:
- Be sure to assess the cybersecurity practices of vendors, especially those with access to your systems or sensitive information. It is a good practice to require anyone with access to your system to carry cyber insurance.
ONLINE FINANCIAL FRAUD
Financial fraud is not new, but technology is changing the way it looks. Financial fraud includes:
- Unauthorized wire transfers and ACH drafts.
- Whitewashing of checks is when bad actors take a physical check and change the payee or the amount on the check. They may also lift signatures to be used on other checks in the future.
- Fraudulent invoices and payment requests.
- Example: They have gotten super creative here! At one company, an employee’s email had been hacked and they reached out to the HR dept and asked their next paycheck be sent to a different account via ACH.
Actions:
- Implement strict verification processes and consider requiring dual approvals for transactions over a certain dollar amount to reduce risk.
RANSOMWARE ATTACKS
- A ransomware attack is when an email pretending to be from a trusted source tricks recipients into clicking links that download malware. The malware then locks the user out of their system & the attackers will require a payment of a “ransom” to regain access.
Actions:
- Develop and maintain a comprehensive incident response plan that includes procedures for responding to ransomware attacks and steps to prevent them.