“Don’t worry. I’m from the IT team.”
As we begin the month, it is time for TCDLA to run scans and ensure we pass all the PCI compliance tests. These are security standards we must follow to process payments online while maintaining a level of security that protects cardholder data. After several days, countless hours of answering more than 200 questions, running tests on servers, and contacting IT at our website and database providers, we passed. The good thing is we get to do this all over again next year!
Coincidently, this month I attended a professional development training on cyber security and how it affects associations, members, and vendors. In addition, Mike Adams, TCDLA and Technology Committee member, submitted an article for this issue that complements mine perfectly.
What I have learned—and witnessed—is that anyone can be a victim. Yahoo Finance reported cyber‑attacks increased by 341% during COVID‑19, according to Nexusguard Research. All too often, people are embarrassed to admit to being victims, and unfortunately, they don’t share their experiences, allowing us to continue thinking it can never happen to us. But think again. Attacks no longer take the form of emails with lousy grammar or fake voicemails intoning, “This is the IRS. You will be arrested . . .” (The IRS repeatedly says they never call, always corresponding by mail.)
Just recently in my own world view I’ve seen deposit accounts altered, payment methods changed, ransomware paid, wire transfers intercepted by duplicate email accounts, and more—all when knowledgeable, professional people are the victims.
Data by RiskIQ suggests cybercrime costs organizations $2.9 million every minute, with major businesses losing $25 per minute as a result of data breaches. Ransomware attacks have gone mainstream with the proliferation of ransomware‑as‑a‑service (RaaS), where cyber‑criminal groups create and market ransomware to “affiliates.”
Who knew there were so many kinds of phishing? (The following is drawn from the CSO Online article “Eight types of phishing attacks and how to identify them.”)
Whaling: Seeking CEO or president credentials. When assuming office, our incoming president each year receives emails from members saying “you have been hacked.” No, they’re not being hacked, just targeted because of their high‑profile title. When you look at the sender’s email address, it may read, for instance, Melissa Schank, mschank@tcdla.com <akfdjfalksdjfl;kaj@gmail.com>. If you look closely, you’ll see the real address in the angle brackets is not the one it seems to be at first glance. Several such fake emails led people to think that I needed them for a minute, or wanted them to process something for me, or needed to make bogus payroll/vendor account changes. In our office we must remain alert about our established procedures for payments to members, vendors, or even staff (when dealing with in‑house payroll/401k updates).
Phishing: Mass‑market emailing looking for you to log in. You might see, for example, an email saying your PayPal password expired; your storage has been exceeded; your account is frozen; or something as blatant as “click here to pay the outstanding invoice.” If you enter your information, they have you. If this should happen, of course, you’re advised to change your password(s) immediately and contact the entity to make sure nothing is billed to you.
Spear Phishing: Targeting large corporations or government agencies. Assembling critical data, these criminals work for long periods researching and then strategically attacking these organizations.
Clone Phishing: Creating a near-perfect replica. The look is the same, often gaining entry by resending a message received previously that was intercepted by a cloned website. If you receive what seems to be an odd request or repeats a previous message, reach out to the end‑user directly to find out. (Some offices have particular code words or do not handle specific processing through email.)
Vishing: Phone call from a financial firm asking for personal information due to a “security problem.” Whenever I get one of these, I hang up and log into the secure site, determine if there is in fact a breach, make sure my password works—or even call the firm as needed.
Smishing: Pretending to send text messages from a company to get you to click on a link. Often attackers use the name of a reputable company, replicating the logo or site and asking you to log in. Recently I purchased something from Best Buy, using a Wells Fargo card, and the site asked for a verification code from my bank. My bank info is saved in contacts, so I know if they text or call. They responded to my inquiry: “Wells Fargo will never call or text you for this code. Don’t share it.” Why these are successful: 98% of text messages are read, with 45% responded to, while emails run 20% and 6%, respectively.
Snowshoeing: A viral type of spam. We get a message, open it—and every one of our contacts gets a message we didn’t send. We tell everyone not to open that email after someone tells us about it. At any rate, change your password immediately, then let people know not to open the infected message. The most virulent form can invade your contact list once you start clicking away and spread again. Most anti‑malware software will catch this, so it is essential to keep an active subscription. (When I notice something is working oddly on my computer, I immediately run a scan.)
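The whaling paragraph above describes the tell: the display name shows a trusted‑looking address while the real sender sits in the angle brackets. The following is an added example, not part of the original column or of any TCDLA tooling, that mechanically performs the “look closely” step for a batch of From headers. The trusted domain list and the sample headers are constructed for this illustration (the first header is modeled on the one quoted in the column).

```python
"""Flag From: headers whose display name imitates a trusted address.

Added example (not from the TCDLA column).  Mail clients show the display
name prominently; the real addr-spec is the part inside <...>.  This check
splits the two, pulls any address-like token out of the display name, and
reports a mismatch when its domain differs from the real sender's domain.
It also flags senders outside the organization whose header name-drops a
trusted domain (a lookalike such as tcdla.com.example.net).
"""
import re

# Domains this organization treats as its own (assumed value for the example).
TRUSTED_DOMAINS = {"tcdla.com"}

# Display name, then the real address in angle brackets.
ANGLE_ADDR = re.compile(r"^(?P<name>.*?)\s*<(?P<addr>[^<>]+)>\s*$")
# Anything that looks like an email address inside the display name.
ADDR_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample headers; the first mirrors the one quoted in the column.
SAMPLE_HEADERS = [
    "Melissa Schank, mschank@tcdla.com <akfdjfalksdjfl;kaj@gmail.com>",
    '"Melissa Schank" <mschank@tcdla.com>',
    "mschank@tcdla.com",
    "Melissa Schank <mschank@tcdla.com.example.net>",
]


def split_from(header_value: str) -> tuple[str, str]:
    """Return (display_name, real_address) for a raw From: header value."""
    m = ANGLE_ADDR.match(header_value.strip())
    if m:
        return m.group("name").strip().strip('"'), m.group("addr").strip()
    # No angle brackets: the whole value is the address, no display name.
    return "", header_value.strip()


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased ('' if there is no '@')."""
    return addr.rpartition("@")[2].lower()


def check_from_header(header_value: str) -> dict:
    """Classify one From: header; 'suspicious' and 'reason' carry the verdict."""
    name, real_addr = split_from(header_value)
    real_domain = domain_of(real_addr)
    claimed = [domain_of(a) for a in ADDR_IN_NAME.findall(name)]
    result = {
        "display_name": name,
        "real_address": real_addr,
        "real_domain": real_domain,
        "claimed_domains": claimed,
        "suspicious": False,
        "reason": "",
    }
    # Check 1: the display name shows an address that is not the real sender.
    mismatched = [d for d in claimed if d != real_domain]
    if mismatched:
        result["suspicious"] = True
        result["reason"] = (
            f"display name shows {mismatched[0]} but mail really comes from {real_domain}"
        )
        return result
    # Check 2: sender is outside our domains yet the header mentions one of them.
    if real_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted in real_domain or trusted in name.lower():
                result["suspicious"] = True
                result["reason"] = (
                    f"'{trusted}' appears in the header but real domain is {real_domain}"
                )
                return result
    return result


def triage(headers: list[str]) -> list[dict]:
    """Return the verdicts for every header judged suspicious."""
    return [v for v in (check_from_header(h) for h in headers) if v["suspicious"]]


if __name__ == "__main__":
    for verdict in triage(SAMPLE_HEADERS):
        print(f"SUSPICIOUS: {verdict['real_address']} -- {verdict['reason']}")
```

Running the script prints two suspicious lines: the gmail sender whose display name claims tcdla.com, and the lookalike tcdla.com.example.net domain. The same idea is what a mail gateway’s display‑name impersonation rule does at scale; this version is deliberately small so the logic is visible.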
- Man in the middle: someone pretending to be you and intercepting all your emails and transfers after obtaining your information
- Email Forwarding Activity: attackers set up mailbox rules to hide their malicious activity or to forward your emails to themselves
- Ransom: send us bitcoins or we will hold your data hostage
- Fake Malware and Updates
- SQL Injection: attacking your database
- Drive-by Attack: website loaded with viruses
A helpful site to visit for more information is cissar.com.
Additional Preventive Measures (from information and graphics accessed from TSAE CEO Forum)
- Determine what data your organization saves that could be lost if you are breached. Also, consider the cost to replace it (or pay reparations to members) after a breach.
- Conduct an annual review of the organization’s cybersecurity stance, policies and procedures, the threat landscape, any training program, and insurance.
- Implement multi‑factor authentication (MFA) for all.
- Make sure that your website is secure with HTTPS.
- Conduct a baseline, simulated phishing attack for both the board and staff to raise awareness and improve skills.
- Ensure that antivirus and malware detection is provided to all staff computers, then monitor, maintain, and review them regularly.
- Communicate and enforce clear password models. Promote the use of password vaults for all.
- Make your password longer and harder to guess, with a minimum of 16 characters using a combination of letters, numbers, and special characters.
- Change your password.
- Develop business continuity plans that include what may need to happen in case of a cyber or ransomware attack. Then, create and communicate an incident response plan.
- Implement a document retention and destruction plan.
How secure is my password?
These attacks are exceptionally successful because the attackers are perfecting their craft. After all, this is what they do, and they do it well. At the end of the day, we all try to be as secure as possible, and awareness is critical. Unfortunately, there is a new scheme, attack, or virus every day. We can be so busy sometimes that we do what is fastest, all too often leading to otherwise‑avoidable consequences. I thank those who bravely share their stories. We’re not judging them; rather, we’re thanking them for making others aware who might otherwise fall victim. By sharing this piece, I hope you were able to take away one new thing—or just be reminded about the threats.