Taking steps to protect your organization from scams benefits not just your organization, but those you serve. Setting up safeguards and continually educating your teams on scam prevention are just two ways to mitigate the problem.

Over the past few years, we have all seen a serious uptick in cybersecurity threats. From data breaches to phishing scams, individuals and organizations have to be more vigilant than ever. But how can you protect your mission-driven organization from scams? Understanding scams is the first step. Since online scams take many different forms, the next step is to implement a variety of preventative measures. Every organization is unique, so tailor your scam prevention plan to fit your needs.
Understanding the threat

Phishing is one of the main tactics of social engineering. Hackers use email, social media, and calls to steal valuable data. They craft emails to mimic correspondence from a trustworthy source, whether it’s your legal department, CEO, HR, or accountant. These emails often dupe individuals into clicking on a malicious embedded link, downloading a virus, or transferring money. Another, highly effective form of phishing is a spear-phishing attack. This is when a hacker researches an intended target and includes personal details in an email that make it seem credible. Scammers can get personal details from your organization’s overall social media presence, individuals’ activity data (such as event participation or website page views), and individual social media accounts.

As background, Forum One is no stranger to scams at both the agency level and the employee level. In 2018, online scammers impersonated Forum One on Indeed.com and posted a fraudulent job opportunity. Over 40 job seekers were affected, going through a fake recruitment process before being offered the job and asked for sensitive information. Here’s how we handled it. At the team level, our staff have even been contacted by what appears to be our CEO, asking for banking information or a billing task to be completed immediately. These are just a few examples that we and some of our clients have come across. Scams can take many forms, so your scam prevention tactics should too. Here are some ways your organization can protect itself from scammers.
Training teams in scam prevention

Your team is simultaneously your best defense and your weakest link. The best way to protect your organization is to train every team member in scam identification and prevention. This can mean regular company-wide security training sessions, individual programs, and inclusion in your orientation process. Employees should learn password best practices and understand the dangers of public wifi and of casually browsing sites on work computers. It may also be beneficial to include a cybersecurity agreement in your employee contracts. Setting out clear guidelines on how staff use company resources, security requirements, and reporting pledges will ensure you and your team are on the same page when tackling security concerns.
Setting up a reporting system

Another essential step is equipping team members with the tools they need to report suspicious emails, alerts, and activity. Whether it’s installing an extension, creating an email account that employees forward suspicious messages to, or creating a direct line between employees and your IT team, your reporting system should fit your business. You can also implement an early alert system that informs all employees when a scam has been identified. If you don’t have the resources to set up a dedicated system, you can work within your means. When someone from Forum One gets a fake email from our CEO, they take to our Slack channel and send out an FYI, so that everyone knows to be vigilant.
Investing in security systems

All company-issued devices used for work should be protected by robust anti-virus/malware programs. Install ad blockers, inbound spam filters that detect viruses, outbound web filters, and browser add-ons that can prevent staff from clicking malicious links. Always keep programs up to date and set them for automatic updates. You can also look into Next Generation Firewalls that scan inbound internet traffic for viruses, malware, and malicious sites to block them before they get to the end user’s device. Continually monitor antivirus status on all your equipment. Where available, always enable two-factor authentication on all accounts.
Being suspicious of unsolicited emails

Train all staff to spot phishing attempts, and make sure they’re fully aware of their security responsibilities. One of the best ways to ensure your team is prepared and active in spotting potentially malicious emails is to perform a simulation. For example, send out a fake phishing email to all team members that asks them to click on a link, and then monitor who clicks and how many people do. Use this information to assess your employees’ security awareness and inform company security training needs. All employees should know the basic precautionary steps when faced with a suspicious email:
- Never click/open attachments
- Try to confirm the message’s legitimacy through other channels
- Call the person in question if you’re familiar enough with them
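The "fake email from our CEO" pattern described above can also be caught mechanically before a person has to judge it. The following is an added example, not Forum One's own tooling: a small Python triage script that inspects an inbound message for the three tell-tale signs of executive impersonation (an executive's display name paired with an address that is not theirs, a Reply-To that points outside the organization, and urgency or payment language). The organization domain, the executive list and the two sample messages are all constructed placeholders.

```python
"""
Triage inbound mail for executive-impersonation ("CEO fraud") signals.

Added example for training and mailbox triage. The organization domain,
executive roster and sample messages below are constructed placeholders,
not real data.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed organization values (placeholders).
ORG_DOMAIN = "example.org"
# Display name -> the only legitimate address for that executive.
EXECUTIVES = {"Jane Doe": "jane.doe@example.org"}
# Words that typically accompany "do this now" money requests.
URGENCY_WORDS = ("immediately", "urgent", "asap", "right away", "wire", "bank")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw_message: str) -> dict:
    """Parse one RFC 5322 message and return the impersonation findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""

    findings = []

    # 1. An executive's display name, but not the executive's address.
    expected = EXECUTIVES.get(from_name.strip())
    if expected and from_addr.lower() != expected:
        findings.append(
            f"display name '{from_name}' used with non-matching address {from_addr}"
        )

    # 2. Replies silently diverted to a domain outside the organization.
    reply_domain = _domain(reply_addr)
    if reply_domain and reply_domain != ORG_DOMAIN:
        findings.append(f"Reply-To domain {reply_domain} is outside {ORG_DOMAIN}")

    # 3. Urgency / payment language in subject or body (whole-word match).
    lowered = f"{subject} {text}".lower()
    hits = sorted(w for w in URGENCY_WORDS if re.search(rf"\b{re.escape(w)}\b", lowered))
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))

    # Two or more independent signals is the threshold used here for escalation.
    return {"from": from_addr, "findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample messages (not real correspondence).
SUSPECT = """From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: Jane Doe <jane.doe.ceo@gmail.com>
To: staff@example.org
Subject: Urgent task
Content-Type: text/plain

Hi, I need you to complete a billing task immediately. Please send the bank details.
"""

LEGIT = """From: Jane Doe <jane.doe@example.org>
To: staff@example.org
Subject: Board meeting notes
Content-Type: text/plain

Attached are the notes from Tuesday. Thanks.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        result = analyse(raw)
        print(f"[{label}] suspicious={result['suspicious']}")
        for f in result["findings"]:
            print("   -", f)
```

The script is deliberately conservative: a single signal (an executive writing from a personal address, say) only produces a finding, while two or more flip `suspicious` to true, which is the point at which the message would be forwarded to the reporting address or Slack channel described above rather than acted on. Hooking it to a shared "report phishing" mailbox, or running it over messages that staff have already forwarded, gives the IT team a consistent first pass before a human confirms legitimacy through another channel.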