How to Spot Phishing Emails & Other Nonprofit Cybersecurity Threats

Since we’re in the midst of National Cybersecurity Awareness Month, it’s a good time to talk about nonprofit cybersecurity threats. With all the personal data entrusted to your organization’s care, you can’t take security for granted. But it’s awfully easy to make a mistake when rushing through your inbox.

Phishing is the leading cause of security breaches. Since 46 percent of U.S. workers have fallen for a phishing attack, these tips for spotting cybersecurity threats will help keep your organization out of trouble—and out of the news.

The most common nonprofit cybersecurity threats

You can better educate and prepare your organization by understanding the different types of cyberattacks. Don’t assume your colleagues are security-savvy. 64 percent of working adults don’t know what ransomware is.

Let’s review the most prevalent nonprofit cybersecurity threats.

Phishing: An attempt to trick you into revealing sensitive information or exposing your computer and network to malware. Cybercriminals send phishing emails that try to persuade recipients to open an attachment that downloads malware or click on a link to a website hosting malware.

Malware: Software created for malicious purposes, for example, to steal account credentials so hackers can access data, information, or money.

Examples of malware include:

  • Ransomware: Program that holds a computer and network hostage until you pay ransom to unlock the files.
  • Keylogger: Program that surreptitiously collects a user’s keystrokes with the intent of using that information to access accounts.
  • Hijacked site: Hijacked website that downloads malware to the computers of website visitors.
  • Cryptojacking: Hijacking a computer’s processing power to surreptitiously mine cryptocurrency. In the first half of this year, cryptojacking accounted for 35 percent of security threats.

Email spoofing: Emails created intentionally to impersonate a known sender in the hopes of tricking you into clicking a link or opening an attachment.

How cybercriminals use social engineering

Cybercriminals buy affordable phishing software on the black market to send blast emails, but many of them have become more discriminating. They intentionally choose their victims and use public information to create well-crafted campaigns.

A report from Menlo Security explains why they succeed:

“Attackers know very well how to manipulate human nature and emotions to steal or infiltrate what they want. They use email messages that induce fear, a sense of urgency, curiosity, reward and validation, an emotionally charged response by their victims or simply something that is entertaining and a distraction to convince, cajole or concern even seasoned users into opening a phishing email”

This summer’s “sextortion” phishing scam relied on emotional manipulation strengthened by personal information. The email subject line included an old password (purloined from a massive database breach) of the recipient. The sender said they hacked your computer and recorded you visiting a NSFW website. If you didn’t pay up, they’d release compromising evidence to your contacts. Even if you’d never visited an X-rated site, this phishing email was alarming.

How to detect and dodge phishing emails

Listen to your gut. If your spidey sense is tingling, pause and look at the email in question. Or, send it to your IT department to check out. Keep in mind: banks, utility and service providers, website and domain hosts, and social platforms don’t send emails requesting your account information.

A favorite tactic is credential phishing. Cybercriminals try to steal user credentials by tricking you into logging in with your username and password on a bad site, either a site they hijacked or one they created to mimic the authentic site.

Review the email address, sender, subject line, and text. Look for missing characters, spelling mistakes, incorrect grammar, and awkward syntax. Is the language and style characteristic of the sender? Abrupt and vague language is a give-away that something’s not right. Is the nature or timing of the email strange?

Don’t take action until you’ve investigated further. Many people have fallen victim to phishing emails that appear to be sent by a colleague or supervisor, usually an executive, board member, or IT or HR staff. The “sender” requests sensitive information like a donor or member roster, or a money transfer or payment. Or, they ask the recipient to log into an account or reset their password.

Here are the most commonly used phrases in phishing subject lines:

  • Urgency: act now, action required, and quick review.
  • Finance: name of bank, statement, wire transfer, invoice, payment, remittance, and past due. We’ve received many emails with fake, “past due” invoices attached.
  • IT: verify account, unauthorized login attempt, and unusual log in activity.
  • Action: copy, memo, document, and we need you to do this.
  • Delivery: order, package arrival, receipt, and shipping information. These phishing emails ramp up during the holiday season.

If an email looks phishy, verify its authenticity by:

  • Calling the supposed sender.
  • Creating a new email to contact them. Don’t reply to the suspicious email.
  • Using search to go to the real website. Don’t click on the link in the email even if it looks legit.

Take this phishing quiz to see how well you can spot a phishing email.

How to spot a spoofed email

Spotting a spoofed email takes more work. The sender’s email address may look correct when you review it, but it could be spoofed.

Here’s how to check. Open the email header. On some email platforms, the header is called “Original.” Look at the “Return Path” field. The email address there should match the one you see in the “From” field. Your email platform may use different terms, so find out how to view headers and verify email addresses on your platform.

How to avoid hijacked or fake websites

Before clicking on a link, hover your cursor over the URL to view the actual URL. Look carefully at each character. Letters could be disguised as numbers, for example, 1 and l or 0 and O.

Additional text in the domain could be a sign of a bad URL. For example, none of the domains below would lead you to the authentic fionta.com site. Instead, they could lead you to a cybercriminal’s site:

  • info.net.fionta.com
  • info-fionta.com
  • fionta.info.com
  • fionta.com.co

To be safe, use a search engine to find and go to the real site.

Immediately leave any web page advising you to download browser, security, Java, Adobe, or other software updates. If you need to update software, go to the provider’s website. Better yet, change your browser and software settings to automatic updates. Software updates are extremely important because they contain security patches.

Be careful with pop-up boxes, especially the ones advising you to update or install software. Don’t click or use the links in pop-up boxes. Don’t provide information. Close the page.

Never download free tools unless your IT department or consultant has approved their use. Many free tools come with unexpected extras.

Security software, although necessary, has its limits because most data breaches come through the leaky human firewall. A subscription to a simulated phishing email service is a cost-effective way to train staff, especially when you consider the tangible and intangible costs of a data breach. Ask the service if they have a nonprofit discount.

Regular security awareness training is the best practice. Share helpful articles like this one and stories about data breaches with colleagues. Discuss how the breach occurred and how your organization can prevent the same thing happening to you.

Cybersecurity threats are a very real and critical issue for nonprofits and associations. Fionta’s strategic technology and risk assessments help our clients prepare for and deal with the inevitable cybersecurity attacks.