Just-Tech Blog

Non-Profits Are the Target: Spear-phishing and how to defend yourself

Written by Cynthia Chung | Aug 20, 2020 4:36:00 PM

People are often the weakest link in an organization’s defenses against cyber criminals, so it’s important to know the signs of an email-based scam in order to avoid becoming a victim.

Background 

Globally, the rate of email spam and phishing remained high in the second quarter of 2020. Roughly 50 percent of all email traffic was spam-related. To make matters worse, many of those malicious emails were targeted attacks aimed at smaller organizations. These findings are reflected in our experience working with non-profit legal services providers. We have seen a recent uptick in spear-phishing emails specifically tailored to look like they are legitimate emails from individuals within the targeted organization.

What’s the risk? 

Cyber attackers try to manipulate you into revealing personal information by sending fake emails that appear to come from a reliable source. They are often looking for passwords, account credentials and other sensitive information they can use for identity theft, fraud and financial crimes. Given the high rate of spam-related email traffic, it’s only a matter of time before your organization is targeted. One click is all it takes for your computer to be compromised and your sensitive data to be stolen. 

How to spot a fake 

Be on the alert for emails that request favors or direct you to click on something. They may look legitimate, but closer inspection shows them to be malicious. Spear-phishing emails are carefully designed to get a single recipient to respond. For example, you might receive what looks like a legitimate email, apparently from a colleague, saying “Hey, can you please look over this document?” However, if you click the link, malware gets installed on your computer while you’re reading the document.

Before opening any attachments or clicking links sent to you via email, be sure to:

  1. Wait before clicking. Review the email carefully before you click anything.  
  2. Look closely at the sender’s email address (hover over the address). When hovering over the email address, be sure to look for the following: 
    • Is the person or organization name spelled correctly? 
    • Does the email address match the sender’s name? Malicious email addresses often contain a series of random numbers or characters. 
    • Be particularly careful of email addresses that closely resemble real email addresses but differ by one or two letters.  
  3. Check the message for spelling or grammatical errors.
  4. Hover over any links in the message. Be sure they point to the site you are expecting. 
  5. Remember that malicious emails also come from legitimate users who have already been compromised. The sender’s name and email address may be correct but any weblink or attachment could still be malicious. 
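
For administrators who want to automate the sender and link checks from items 2 and 4, the sketch below is an added example, not code from Just-Tech. The domain example.org, the staff directory and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.org"                    # assumption: your organization's domain
STAFF = {"jane doe": "jane.doe@example.org"}  # constructed directory: display name -> address

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header, org_domain=ORG_DOMAIN, staff=STAFF):
    """Item 2: flag near-miss domains and names that do not match the address."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    # Differs from the real domain by one or two characters, e.g. "l" typed as "1".
    if domain != org_domain and edit_distance(domain, org_domain) <= 2:
        findings.append("lookalike-domain")
    # Display name is a known colleague, but the address is not theirs.
    real = staff.get(name.strip().lower())
    if real and real != addr:
        findings.append("display-name-mismatch")
    return findings

def link_mismatch(visible_text, href):
    """Item 4: the link text shows one host, the href points to another."""
    text = visible_text.strip()
    try:
        shown = urlparse(text if "://" in text else "//" + text).hostname
        target = urlparse(href).hostname
    except ValueError:
        return False
    return bool(shown and target and "." in shown and " " not in shown and shown != target)

if __name__ == "__main__":
    # Constructed sample headers, not taken from real mail.
    for header in ("Jane Doe <jane.doe@example.org>",
                   "Jane Doe <jane.doe@examp1e.org>",
                   "Jane Doe <jd83921@mailbox.example>"):
        print(header, "->", check_sender(header) or "no findings")
    print(link_mismatch("www.example.org/docs", "https://www.examp1e.org/docs"))
```

A message sent from a colleague’s compromised account returns no findings from `check_sender`, which is the case item 5 describes, so an empty result means nothing was found, not that the message is safe.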

An ounce of prevention 

As an organization, there are several ways to defend against spear-phishing. We recommend these techniques on a regular basis to protect our legal services clients.

  1. Enable Multi-Factor Authentication (MFA). This requires users to provide two or more forms of identification (such as a one-time code in a text message) before being granted access.
  2. Ensure that staff are appropriately trained to spot suspicious activity. Have them attend security awareness training on an annual basis.
  3. Enable advanced email spam filtering to decrease the number of phishing emails that users receive. They can’t click on it if they don’t receive it.
  4. Install advanced antivirus software on all devices to improve detection, prevention and removal of malicious software.

Conclusion 

The cyber security landscape is continuously evolving. The bad guys are constantly refining their methods, and we are all forced to adapt as spear-phishing emails increase in volume and become harder to distinguish from legitimate emails. It is critical to implement the right security tools and techniques that fit a non-profit’s budget while providing the required level of security that supports anytime, anywhere legal service delivery. The communities we support depend on it.

If you suspect that you are the target of a spear-phishing attack, reach out to our knowledgeable team at inquiries@just-tech.com for assistance.