Help Chapters Defend Their Data & Dollars Against Phishing

In the ASAE Collaborate discussion on chapter phishing, Sarah Maxwell, chapter administrator at the Project Management Institute, advised clarifying chapter financial guidelines, roles, and responsibilities. Beth Humphrey at the College and University Professional Association for Human Resources said:

“Establish procedures for processing payment requests [to] prevent fake payments from proceeding to the point of processing them.”

Instruct chapters to always follow their payment processing policy, for example, requiring two signatures for approval. They should also follow rules for sharing member or attendee lists—another common phishing request.

Even with business rules in place, humans still make exceptions (“just this one time”) and errors. The best way to prevent human error is to create a working environment where it can’t happen. Implement chapter financial controls and technology that take the human error element out of the picture.

For example, chapters and National could use a shared system for transferring funds (dues and other payments). An email request coming from outside the system would immediately be seen as suspicious by anyone, even a busy chapter volunteer leader.

Another over-looked area in many organizations, but particularly chapters, is backups. The reason ransomware is a death knell for so many organizations is because they don’t have up-to-date, comprehensive, and restorable backups of their data and files.

Too often, backups aren’t done frequently enough, aren’t stored in a secure location, and don’t contain all necessary files. And, if restoration of the backup has never been tested, how do you know it will work when you need it?

Encourage chapters to build periodic cybersecurity audits into their budget and operational plan. Besides the practical, preventative reason for doing this, financial auditors are now requiring proof that an organization isn’t at financial or legal risk due to insufficient attention to cybersecurity.

Knowledge is strength. Strengthen the human firewall and cybersecurity incidents will decrease. Every association should provide cybersecurity awareness training for their own staff and for chapter staff and volunteer leaders. Make it a mandatory element in your leadership onboarding program.

Nancy Berson, director of geographic services at the American Society of Civil Engineers, teaches her chapter officers about email red flags. According to security awareness training firm KnowBe4, some of the top most-clicked phishing email subject lines for the second quarter of 2017 were:

• Security Alert
• Revised Vacation & Sick Time Policy
• UPS Label Delivery (tracking number)
• A Delivery Attempt Was Made
• All Employees: Update Your Healthcare Info
• Change of Password (or password check) Required Immediately
• Unusual Sign-in Activity
• Urgent Action Required

Other social engineering red flags are:

• Spelling and grammar errors in the email subject line, message and “From” address
• Awkward style of writing, either too distant or familiar for the supposed sender
• Requests for credentials like passwords or other sensitive information

Consider signing up for security awareness training programs like KnowBe4, or asking your technology partners if they offer security training.

Sometimes chapter staff and volunteer leaders think National is responsible for exposing their email addresses to hackers—an opinion that reveals much about the relationship and lack of trust between that chapter and National. In reality, hackers use software bots to crawl the web looking for email addresses. When those addresses are on public pages, their job is made easier.

To minimize the security risks of displaying email addresses of chapter staff and leaders, you could suggest two alternatives:

1. Only list generic email addresses on website, for example, president@abcchapter.com. When leaders want to communicate with each other, they use a different, personalized chapter address like jdoe@abcchapter.com.
2. Jennifer Hedge, associate director of member engagement at the American Traffic Safety Services Association, suggested using an online contact form instead of displaying staff and leader email addresses.

Another area of vulnerability is the type of software and website plugins used by chapters. To save money, they often choose free or inexpensive options. Unfortunately, these tools are free or inexpensive for a reason: they’re not always supported and updated (patched).

Some even deliver malware intentionally or unintentionally because of poorly written code. Peggy Hoffman, chapter expert and president of Mariner Management, said. “The more connected we are, the more ‘con’nected we are.”

Don’t let your chapters get conned, scammed, or phished. Help protect your chapters by being a resource, leader, and model for safe business practices and a security-aware culture.