Best Practices: Protect Your Association from Phishing Emails

Associations fall victim to Phishing Emails too

In light of recent news, where an Alberta regulatory body fell victim to a phishing email that resulted in a data breach, we wanted to provide some information about what phishing is and some steps that you and your members can take to stay as safe as possible. While we’ve mentioned phishing very briefly in our “Protect Your Association from a Privacy Breach” and “Man in the Cloud Hackers” posts, we’ve never expanded on how it’s done and what to do when you receive a phishing email. Below is an in-depth description of how these emails work and how to detect one, with the key clues called out.

Simple Definition of Phishing

Phishing is when someone (the potential hacker) sends you an email that looks official (for example, from the Society of Regulators of Alberta), trying to trick you into going to a website that they’ve also made to look realistic (like the Society of Regulators of Alberta’s login page). From here, you naively type in your username and password, basically handing over access to your account.

Signs to Detect a Phishing Email

Phishing emails are designed to steal information and money. They disguise themselves as legitimate emails from organizations you have an account with, or sometimes one you don’t even have an account with, and trick you into handing over your username and password.

The Greeting

First, phishing emails tend to be generic, since they are sent in bulk. Official company emails are sent from a database that usually has your first and last name stored; phishing emails only have stolen email addresses, so their greetings will be something impersonal, such as:

“Dear customer,”

“Dear member,”

“Hi Facebook user,”

The Message

The email also will usually have an urgent and threatening message such as:

“If you do not login and reset your password, your account will be permanently disabled.”

“Somebody has hacked your account, to re-claim your account, please login at the link below.”

“Please confirm your Paypal deposit of $500 by logging into your Paypal account immediately.”

The Errors

These emails also usually contain a minor error, such as spelling mistakes, a misspelled name or job title for the person they claim to be, or even a signature from someone who doesn’t work at the company at all.

The Email Address

The “from” address is guaranteed not to match the company’s official email domain. For example, if the hacker were imitating Paypal, they would likely use an address such as:

  • password@paypalinfo.com,
  • info@paypal-inc.com,
  • or even something as unofficial as paypalhelp@gmail.com (@gmail.com email addresses can be made by literally anyone),

instead of @paypal.com (which is their real email domain).

The Link

Speaking of domains, the phishing email will provide a link, and this link will lead the recipient to a fake login page. The login page will sometimes resemble the legitimate website, but just like the email domain, it will have a suspicious URL with minor differences from the real URL. The page might also have spelling errors, possibly authentic links to the company’s privacy policy or home page to look more realistic, and a form to fill out (the point at which the recipient turns into a victim). Sometimes they will just ask for your email address and password, and sometimes more. If it is your email account information they are asking for, it can be very damaging, because from there they can take over any account linked to that email address, and most people use one email address for everything.
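The domain checks described in “The Email Address” and “The Link” sections can be scripted as a first triage step. The following is an added example written for this post, not code from the original; it compares the domain of a “from” address or link against the organisation’s real domain and flags free-mail providers and lookalike domains, using the Paypal and association addresses quoted above as test cases (the free-mail list is a constructed sample, and the two-label domain rule is a simplification that ignores suffixes such as .co.uk).

```python
from urllib.parse import urlparse

# Constructed sample for this example: providers where anyone can register an address.
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}


def registrable_domain(host: str) -> str:
    """Reduce a hostname to its last two labels, e.g. 'mail.paypal.com' -> 'paypal.com'.

    Assumption: no public-suffix list, so two-level suffixes (.co.uk) are not handled.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str, official_domain: str) -> str:
    """Compare a hostname with the organisation's real domain.

    Returns 'official', 'free-mail', 'lookalike' or 'unrelated'.
    """
    host = host.lower()
    official = official_domain.lower()
    brand = official.split(".")[0]            # 'paypal' from 'paypal.com'
    domain = registrable_domain(host)
    if domain == official:
        return "official"                     # real domain, including its subdomains
    if domain in FREE_MAIL:
        return "free-mail"                    # e.g. paypalhelp@gmail.com
    if brand in host:
        return "lookalike"                    # paypalinfo.com, paypal-inc.com, paypal.com.evil.example
    return "unrelated"


def check_sender(address: str, official_domain: str) -> str:
    """Classify the domain part of a 'from' address."""
    if address.count("@") != 1:
        return "malformed"
    return classify_host(address.rsplit("@", 1)[1], official_domain)


def check_link(url: str, official_domain: str) -> str:
    """Classify the host of a link found in the email body."""
    if "://" not in url:
        url = "http://" + url                 # bare links like www.example.com/path
    host = urlparse(url).hostname
    if not host:
        return "malformed"
    return classify_host(host, official_domain)
```

A result of “official” is not proof of authenticity, since the “from” header itself can be forged; treat the check as one filter alongside the other signs in this post.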

The Damage of a Phishing Email

Different phishers have different purposes. Some just want data, some want to scare people, and many want money (which they can also get in exchange for your data). Phishing usually targets individuals in a general population, such as Facebook users or Google users, but as in the recent event with APEGA, it can reach all the members of a specific organization by phishing the right people.

What to do when you receive a Phishing Email

When you are checking your email and see a suspicious message asking you to log in to something, first check the areas mentioned above (the greeting, the message, the “from” address, and the link, before clicking it). If it seems fake, delete it, and no damage will be done.

If you are not sure, even after checking the address it is from, open your Internet browser and go to the official website of the account the email is asking you to log in to. If the email claims that you need to change your password in order to fix something like a “hack”, you can do that directly on the real website (there is no need to risk clicking the link provided in the email).

Many popular websites that are used as phishing bait, such as Paypal, have an official page explaining what their real emails to users look like and what to do if you receive a phishing email. While not all organizations take this level of precaution, you can still email or call them directly and ask whether the email is real or fake.

To be safe, if you are suspicious from the moment you open the email, because it looks slightly “off” compared to the usual emails, it’s likely fake and should be deleted immediately.

Associations and Email Policies

In the era of phishing, associations may want to implement a policy to protect themselves and their members from a breach. This policy can state that the association will never provide specific links in its emails (other than the home page or blog posts), especially links meant to be used as a login portal or to confirm payment. The policy can also set out what to expect in its emails: that they will address the member by first name, give instructions for finding the content the email is about on the website, and name who at the association the email is from.

  • An example of an email NOT following this policy would look like:

Dear member,

Your renewal fees are due today. To pay, please click below:

www.officialassociationpagepayment.com/payus

Thank you,

Association Admin

  • An example of an email that IS under this policy would be:

Dear Stephanie,

Your renewal fees are due today. To complete payment, please follow the steps below:

1. Go to our website www.officialassociationpage.com.

2. Login and go to “My Account.”

3. Click on the “Pay Fees” button and you will find the payment screen to complete the process.

You will receive a receipt via email within ten minutes. If you have any questions, please reply to this email or give us a call.

Thank you,

Lisa Kudrow
Association Admin
780-123-4567

The second email is much safer, and with members who know the email policy, they will be able to tell the difference between an official email and a phishing email. If you have any more questions, comments, or suggestions about phishing emails and how to stay safe, please leave them below!

If your association or regulatory body is seeking new software, please use our Software Procurement Checklist. This checklist can be used with any AMS or license management software, and will help you compare all in one place. Click on the image below and download it now!