Strategies for Your Team to Prevent Scam Attacks

Taking steps to protect your organization from scams benefits not just your organization, but those you serve. Setting up safeguards and continually educating your teams on scam prevention are just two ways to mitigate the problem.

Over the past few years, we have all seen a serious uptick in cybersecurity threats. From data breaches to phishing scams, individuals and organizations have to be more vigilant than ever. But how can you protect your mission-driven organization from scams? Understanding scams is the first step. Since online scams take many different forms, the next step is then to implement a variety of preventative measures. Every organization is unique, so tailor your scam prevention plan to fit your needs. 

Understanding the threat

Phishing is one of the main tactics of social engineering. Hackers use email, social media, and phone calls to steal valuable data. They craft emails to mimic correspondence from a trustworthy source, whether it’s your legal department, CEO, HR, or accountant. These emails often dupe individuals into clicking on a malicious embedded link, downloading a virus, or transferring money.

Another, highly effective form of phishing is the spear-phishing attack, in which a hacker researches an intended target and includes personal details in an email that make it seem credible. Scammers can get personal details from your organization’s overall social media presence, individuals’ activity data (such as event participation or website page views), and individual social media accounts.

As background, Forum One is no stranger to scams at both the agency level and the employee level. In 2018, online scammers impersonated Forum One on Indeed.com and posted a fraudulent job opportunity. Over 40 job seekers were affected, going through a fake recruitment process before being offered the job and asked for sensitive information. Here’s how we handled it. At the team level, our staff have even been contacted by what appeared to be our CEO, asking for banking information or for a billing task to be completed immediately.

These are just a few examples that we and some of our clients have come across. Since scams can take many forms, so should your scam prevention tactics. Here are some ways your organization can protect itself from scammers.

Training teams in scam prevention

Your team is simultaneously your best defense and your weakest link. The best way to protect your organization is to train every team member in scam identification and prevention. This can mean regular company-wide security training sessions, individual programs, and inclusion in your orientation process. Employees should learn password best practices and understand the dangers of public wifi and of casually browsing sites on work computers. It may also be beneficial to include a cybersecurity agreement in your employee contracts. Setting out clear guidelines on how staff use company resources, security requirements, and reporting pledges will ensure you and your team are on the same page when tackling security concerns.

Setting up a reporting system

Another essential step is equipping team members with the tools they need to report suspicious emails, alerts, and activity. Whether it’s installing an extension, creating an email account employees will forward suspicious messages to, or creating a direct line between employees and your IT team, your reporting system should fit your business. You can also implement an early alert system, informing all employees when a scam has been identified. If you don’t have the resources to set up a specific system, you can work within your means. When someone from Forum One gets a fake email from our CEO, they take to our Slack channel and send out an FYI, so that everyone knows to be vigilant. 
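Whatever channel staff use to report, someone on the IT side has to look at the forwarded message without clicking anything in it. The script below is an added example, not Forum One's tooling: it assumes reports arrive as raw message text (RFC 822) pulled from a shared mailbox, and it flags the common tells behind the fake-CEO emails described above. ORG_DOMAIN, the helper names and the sample message are all constructed for this example.

```python
"""Triage helper for a suspicious-email reporting mailbox.

Added example, not Forum One's code.  It assumes staff forward suspect
messages to a shared mailbox from which the IT team pulls the raw message
(RFC 822 text) and runs it through triage() before anyone clicks anything.
ORG_DOMAIN and the sample message below are constructed for this example.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.org"  # hypothetical: your organisation's mail domain

# Constructed sample: a fake "CEO" request with an external Reply-To and a
# link whose visible text does not match where it really points.
SAMPLE_EML = b"""From: "Jane Doe (CEO)" <jane.doe@example.org>
Reply-To: jane.ceo.urgent@mail-example.net
To: staff@example.org
Subject: Urgent: billing task
Content-Type: text/html; charset=utf-8

<p>Please complete this billing task today:
<a href="http://login.example-billing.net/pay">https://billing.example.org</a></p>
"""

EXEC_TITLES = re.compile(r"\b(ceo|cfo|coo|hr|legal|accountant)\b", re.I)
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>([^<]+)</a>', re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an e-mail address, or '' if malformed."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> dict:
    """Parse one raw message and return the phishing indicators found.

    Checks: Reply-To pointing at a different domain than From; an executive
    title in the display name on a message from outside ORG_DOMAIN; anchor
    text that shows one host while the href goes to another.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(
            f"Reply-To goes to {_domain(reply_addr)} but From is {_domain(from_addr)}"
        )
    if _domain(from_addr) != ORG_DOMAIN and EXEC_TITLES.search(from_name):
        findings.append("executive title in display name, but sender is external")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    for href, text in LINK_RE.findall(content):
        href_host = (urlparse(href).hostname or "").lower()
        text_host = (urlparse(text.strip()).hostname or "").lower()
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")

    return {
        "subject": str(msg.get("Subject", "")),
        "from": from_addr,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EML)
    print(result["subject"], "->", "SUSPICIOUS" if result["suspicious"] else "clean")
    for finding in result["findings"]:
        print("  -", finding)
```

The checks are deliberately header- and markup-only: nothing in the script fetches a URL or opens an attachment, so the triage step itself cannot trigger the payload. A message with no findings is not proven safe; it simply goes to a human without these particular red flags.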

Investing in security systems

All company-issued devices used for work should be protected by robust anti-virus/anti-malware programs. Install ad blockers, inbound spam filters that detect viruses, outbound web filters, and browser add-ons that can prevent staff from clicking malicious links. Always keep programs up to date and set them to update automatically. You can also look into Next Generation Firewalls, which scan inbound internet traffic for viruses, malware, and malicious sites and block them before they reach the end user’s device. Continually monitor antivirus status on all your equipment. Where available, always enable two-factor authentication on all accounts.

Being suspicious of unsolicited emails

Train all staff to spot phishing attempts, and make sure they’re fully aware of their security responsibilities. One of the best ways to ensure your team is prepared and active in spotting potentially malicious emails is to perform a simulation. For example, send out a fake phishing email to all team members that asks them to click on a link, and then monitor who clicks and how many people do. Use this information to assess your employees’ security awareness and inform company security training needs. All employees should know the basic precautionary steps when faced with a suspicious email:
  • Never click links or open attachments
  • Try to confirm the message’s legitimacy through other channels
  • Call the person in question if you’re familiar enough with them
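Turning simulation results into training decisions is the step the paragraph above leaves to you. The following is an added example, not Forum One's tooling: it assumes the simulation platform exports one row per recipient with opened/clicked/reported flags, and it aggregates by department so that the output drives training plans rather than naming individuals. The CSV and threshold are constructed for this example.

```python
"""Scoring a phishing-simulation campaign.

Added example, not Forum One's tooling.  It assumes the simulation platform
exports one row per recipient recording whether they opened, clicked and
reported the test message; the CSV below is constructed for this example.
Results are aggregated by department so the output informs training plans
rather than singling out individuals.
"""
import csv
from collections import defaultdict
from io import StringIO

SIMULATION_CSV = """employee,department,opened,clicked,reported
e001,finance,1,1,0
e002,finance,1,0,1
e003,finance,1,1,0
e004,marketing,1,0,1
e005,marketing,0,0,0
e006,marketing,1,0,1
e007,it,1,0,1
e008,it,1,0,1
"""


def summarize(csv_text: str, click_threshold: float = 0.25) -> dict:
    """Return per-department click and report rates plus a training flag.

    click_rate  = recipients who clicked / recipients sent
    report_rate = recipients who reported it / recipients sent
    A department is flagged when its click rate exceeds click_threshold or
    nobody in it reported the message (no detection signal at all).
    """
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for row in csv.DictReader(StringIO(csv_text)):
        dept = totals[row["department"]]
        dept["sent"] += 1
        dept["clicked"] += int(row["clicked"])
        dept["reported"] += int(row["reported"])

    summary = {}
    for name, t in totals.items():
        click_rate = t["clicked"] / t["sent"]
        report_rate = t["reported"] / t["sent"]
        summary[name] = {
            "sent": t["sent"],
            "click_rate": round(click_rate, 2),
            "report_rate": round(report_rate, 2),
            "needs_training": click_rate > click_threshold or t["reported"] == 0,
        }
    return summary


def training_priority(summary: dict) -> list:
    """Departments that need training, worst click rate first."""
    flagged = [d for d, s in summary.items() if s["needs_training"]]
    return sorted(flagged, key=lambda d: summary[d]["click_rate"], reverse=True)


if __name__ == "__main__":
    result = summarize(SIMULATION_CSV)
    for dept, stats in result.items():
        print(f"{dept:10} click {stats['click_rate']:.0%}  report {stats['report_rate']:.0%}"
              f"  {'TRAIN' if stats['needs_training'] else 'ok'}")
    print("priority:", training_priority(result))
```

The report rate matters as much as the click rate: a team that does not click but also does not report gives your early-alert system nothing to work with, which is why the flag fires on either condition.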

Separating work and personal

Apps on personal phones introduce a specific vulnerability. As an organization, you can’t tell your employees what apps they can and can’t have on their personal devices, but generally speaking, personal apps and sensitive company information shouldn’t mix. Company-issued phones should have the same protection as company computers, i.e., mobile users should be connected over Virtual Private Networks (VPNs) to services that provide secure Domain Name System (DNS) and blacklisting to prevent access to phishing sites.

If you take donations on your website

Use a securely hosted payment page. Your donation page URL should be short, compelling, and easy to share, but most importantly, it should start with https. The “s” in https means the connection is secured with SSL/TLS, which allows all confidential information, such as credit card numbers, to be transmitted safely. Not only is this a security best practice, but knowing that their information is secure will also make visitors more likely to donate.

Additionally, you should add information about PCI (Payment Card Industry) compliance to your donation form. Maintaining PCI compliance simply means that the donation page meets the payment card industry’s standards. You never want to store credit card information on your website and make it vulnerable to potential intruders, so leveraging a third-party PCI-compliant payment gateway ensures you are not assuming the risk of exposing your donors’ important personal information.

This sensitive data should always be encrypted or tokenized. Tokens replace credit card or bank account numbers with a series of randomly generated numbers produced using proprietary algorithms. This approach lets you keep only a small portion of the sensitive information (e.g., the last four digits of a credit card) as a means of accurately matching the account owner to the token. This makes it much more difficult for attackers to gain access to donor data: even if an intruder obtains the tokens, they do not get access to the card numbers behind them.
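The tokenization split described above is easiest to see in code. This is an added example, not Forum One's code and not any real gateway's API: the GatewayVault class stands in for the PCI-compliant gateway, which is the only component that ever holds a full card number, and record_donation shows what the donation site itself keeps. The class and function names are hypothetical, and the card numbers used are standard test values, not real cards.

```python
"""Card tokenization as seen from the donation site.

Added example, not Forum One's code and not any real gateway's API.  The
GatewayVault class stands in for a PCI-compliant payment gateway: it is the
only component that ever holds a full card number, and the token it hands
back is random, not derived from the number.  The donation site keeps the
token and the last four digits only, so a leaked donor record reveals no
card data.  Card numbers used here are standard test values, not real cards.
"""
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used to reject mistyped card numbers before tokenizing."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            n = n * 2 - 9 if n * 2 > 9 else n * 2
        total += n
    return total % 10 == 0


def _strip(pan: str) -> str:
    """Remove the spaces and dashes people type into card fields."""
    return pan.replace(" ", "").replace("-", "")


class GatewayVault:
    """Hypothetical gateway side: maps random tokens back to card numbers."""

    def __init__(self):
        self._cards_by_token = {}

    def tokenize(self, pan: str) -> str:
        digits = _strip(pan)
        if not (digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)):
            raise ValueError("invalid card number")
        # 128 random bits: the token carries no information about the PAN,
        # so it cannot be reversed, and the same card gets a new token each time.
        token = "tok_" + secrets.token_hex(16)
        self._cards_by_token[token] = digits
        return token

    def charge(self, token: str, amount_cents: int) -> bool:
        """Charge by token; only the gateway can resolve it to a card."""
        if token not in self._cards_by_token:
            raise KeyError("unknown token")
        return amount_cents > 0


def record_donation(vault: GatewayVault, donor: str, pan: str, amount_cents: int) -> dict:
    """What the donation site stores: never the card number itself."""
    token = vault.tokenize(pan)
    return {
        "donor": donor,
        "token": token,
        "last4": _strip(pan)[-4:],  # enough to show the donor which card was used
        "amount_cents": amount_cents,
    }


def record_exposes_pan(record: dict, pan: str) -> bool:
    """True if any stored field would let an intruder recover the full number."""
    digits = _strip(pan)
    return any(digits in str(v) for v in record.values())


if __name__ == "__main__":
    vault = GatewayVault()
    rec = record_donation(vault, "A. Donor", "4111 1111 1111 1111", 2500)
    print(rec)
    print("charged:", vault.charge(rec["token"], 2500))
    print("record exposes card number:", record_exposes_pan(rec, "4111 1111 1111 1111"))
```

Two properties are worth checking in any real integration: the token must not be a hash or encoding of the card number (here it is pure randomness from secrets), and the mapping from token to card must live only on the gateway side, so a copy of your donor database is useless to an intruder.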

Enacting data handling policies

All your organization’s files, passwords, and financial information should, of course, be secured; however, who can access this encrypted data, and when? Creating a data handling policy ensures that sensitive information is accessed safely and only by the appropriate employees. Limited access and permission levels create another layer of security, so that if a hacker gets into an individual staff member’s system, they cannot reach the entire company’s systems. Take stock of what sensitive information your company collects and stores. Then decide who can access passwords, account numbers, databases, and personal customer/constituent information.

You can also plan ahead. What will you do if a company computer is compromised? What do you do if a staff member accidentally sends account information to a scammer? Setting out a process beforehand will allow you to act quickly and smartly.

Triple check social media settings

A social media presence opens your organization up to new vulnerabilities. Whether you’re setting up pages now or already have established ones, review their security settings. Security preferences for your pages should be reviewed regularly, as platforms are constantly updating their security policies and options.

Remember, it just takes one person, one time. Your team is the first line of defense against hackers gaining access to your organization’s information. Implementing an arsenal of technical security measures won’t help if a staff member’s personal email is hacked and they use that same password for work accounts. Defending against scammers requires your organization to have a coordinated and layered approach to security. Not everyone can, or should, implement every measure listed above; however, everyone should be taking preventative steps that will keep your organization safer.

Additional reading

Hacking Democracy: Tips on How to Stay Safe, from Forum One’s Vice President of Government Services, Mike Shoag
