The biggest vulnerability in any system is the person using it. People are fallible. We can be fooled, tricked and taken advantage of. That’s what phishing is designed to attack.
But, with a little education, you and your teams can avoid the worst of these risks.
We want every charity, good cause, school and not-for-profit organisation to be safe. This post will hopefully help with that.
What is phishing?
Phishing attacks are where you receive fake emails pretending to be from your bank, doctor, building society or somewhere else asking for personal information.
Criminals will use that information to steal your identity, access your bank accounts or set up new credit accounts in your name.
Phishing attacks don’t just target people, they target small businesses and non-profits too.
How to protect your non-profit from phishing attacks
Phishing is so prevalent that it is one of the most significant risks we face online. If you want to learn more about phishing, this report is a great resource.
It may seem obvious to ignore any random email asking for information, but phishing attacks are now so sophisticated that even the most aware people can be fooled.
Examples subject lines used in phishing emails include:
- Covid-19 in your area? Please confirm your address
- Click here for COVID-19 vaccinations
- Get your COVID-19 CARES Act relief check here
- Counterfeit Respirators, sanitizers, PPE
- Fake cures for COVID-19
- Message from the World Health Organization
Let’s be honest, in the times we live in now, who wouldn’t be tempted to read an email with one of those subject lines? Which is why phishing is so effective and why it’s important to protect against them.
Here are a few steps a non-profit, charity or any organisation can take to protect themselves from phishing.
Education and training
The most important part of cyber security is education and training. Teaching staff and volunteers to be aware of threats and to take sensible precautions.
Training alone won’t protect your network but it goes a long way to keeping you safe.
- Train staff on the types of threat. Show examples of phishing emails and the tricks they use to try to get information.
- Train staff to ignore emails from banks, building societies or credit card companies.
- Train them to be aware of any type of email from someone they don’t know wanting personal or confidential information.
- Train staff to never follow URLs within emails unless they are 100% sure of who sent it.
- Show staff what to do when they receive a phishing email and the reporting process for it.
- Train staff on safe internet use and the reasons behind rules on fair use.
Finally, make sure staff know they won’t be punished if they fall victim to phishing. You need them to report the incident and fear of blame can prevent that.
Keep antivirus and malware programs up to date
The vast majority of phishing uses social engineering to trick people into doing something. Some phishing emails will contain infected links that will secretly download malware into computers when clicked.
Keeping all devices up to date, with antivirus and malware running at all times can help prevent that.
Wherever possible, have antivirus and malware scanners run and update automatically. They are an important layer of protection for your organization.
Internet fair use and caution
The internet is an amazing resource when used correctly. It’s that ‘correctly’ part that some people have trouble with.
There’s a difference between spending 10 minutes online shopping for someone’s birthday and venturing into the darknet or downloading random files while at work. It’s the latter that needs to be prevented. The internet is the wild west and nobody is to be trusted unless they have earned that trust.
This is another area where education is key. Train staff on fair use, on the reasons why and what they can and cannot do.
Most people buy into rules if they see a practical reason for them. Internet fair use is one of those times.
Set clear policies and procedures for internet and email use
Clear policies and procedures work hand in hand with training to help prevent the worst phishing attacks from working. Clear policies on internet and email use shows staff and volunteers what they should and should not do.
Clear procedures for reporting phishing, or suspected phishing attacks shows them what to do should they receive one. Both can help reassure staff you have their back and that you’re aware of risks. They also demonstrate you’re taking steps to protect them and your good cause.
Invest in an email service that helps protect you
Email applications are often free or come with the computer but this may be one of those times when investing in your systems could help.
Cloud services like Office365 or Google Workspace have excellent spam filters. They also have very customisable email settings that can help prevent phishing emails ever reaching you.
Other options are available of course and we can talk you through them and their various security levels. We also run an extremely low-cost web and email filtering service that will protect you from the majority of spam.
Use a web filter
A web filter controls where staff and volunteers can go on the internet and helps build defence in depth.
It can block access to parts of the internet, any websites with a poor reputation, pages with known links to crime, malware or suspicious practices.
You can usually manually add websites or social networks to web filters to help control who does what and when.
Web filters can be a software application, a control within your router, cloud based or part of a hardware appliance. Our options are very reasonable, and you’ll be able to justify the cost very quickly for the high level of protection you receive.
A web filter won’t protect you on its own, but as part of an overall strategy of awareness, mindfulness and behaviours, it can help protect your good cause from the worst phishing attacks.
For further help and advice, simply get in touch with our team who will be happy to help.