The Delaware Association for Nonprofit Advancement (DANA) has reported a new email scam targeting nonprofit organizations. The email subject reads: “RE: Action Required: Completed: *Foundation(R)#” and the body of the email includes what appears to be a Dropbox link. The organization reports that several nonprofits, including DANA, have received the email, and that it should not be opened.
The report does not say what the email does if the link is followed. SSD's security team suspects that the "Dropbox" link leads either to a fake sign-in page that harvests the victim's email credentials or to a download that installs credential-stealing malware; both outcomes fit what has been observed, since several nonprofits have reported fraudulent emails being sent from their own accounts to all of their contacts.
Compromised email accounts are a serious issue. Hackers commandeer email addresses to send scam messages that appear to be legitimate. For example, an employee in accounting might receive an email that appears to be from the CEO requesting a wire transfer of funds because of some vague “emergency” or impending deadline. Because the email appears legitimate, and most people want to comply with direct instructions from the boss, these scams are very effective. We discussed the issue in a previous post.
Wire transfer scams affect nonprofits as well. The scenario is changed only slightly: accounting receives an email seemingly from the organization’s director requesting that funds be transferred to an overseas bank to fund an operation related to the nonprofit’s mission.
At a more mundane level, compromised email accounts also keep the spam and phishing problem going. Mail providers have become effective at blocklisting the servers spammers use and filtering bulk spam. Mail sent from a compromised legitimate account, however, comes from the real mail server, so it passes the sender-authentication checks (SPF, DKIM, DMARC) and reputation filters that would stop a spammer's own server, and it arrives from an address the recipient already trusts. That makes it much harder to block.
This new alert serves as a reminder that IT security is everyone’s responsibility. Every end-user should take the following steps to help prevent a security breach:
- Exercise a healthy dose of suspicion. Read emails carefully, and remember that the text of a link is not its destination: hover over a link (or long-press it on a phone) to see where it really goes. A link that says "Dropbox" can point anywhere, and a lookalike address such as one that merely contains the word "dropbox" is not the real service. If you are not certain of the source, don't click the link or open the attachment.
- Follow up using another means of communication. Call the sender to confirm that the email is legitimate, particularly if it involves a financial transaction, and use a phone number you already have on file rather than one printed in the email itself.
- Use strong passwords. Length matters more than anything else: treat eight characters as the bare minimum, prefer longer, and consider a passphrase of several unrelated words, which is both stronger and easier to remember than a short mix of upper- and lower-case characters, numerals and symbols.
- Use a different password for every account. Cybercriminals take credentials stolen in major data breaches and try them against other services ("credential stuffing"). If your work email password is the same as your Gmail password, one breach hands the attacker both accounts. A password manager makes unique passwords practical.
- If you have any reason to believe your email account has been compromised, immediately change your password and report the issue to your IT department. Your account may have been compromised if your contacts report strange messages coming from you. Ask IT to sign out all active sessions and to check the mailbox for forwarding rules the attacker may have added, since those let the attacker keep reading your mail after the password changes. If your mail service offers multi-factor authentication, turn it on so that a stolen password alone is not enough.
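The first step above, checking where a link really goes rather than what it says, is something a mail gateway or a help-desk script can do automatically. The following is an added example written for this post; it is not code from DANA's alert or from SSD's tooling. It parses an HTML email body, pulls out every link, and flags links whose real target is not the trusted file-sharing domain, or whose visible text names one host while the link points at another. The trusted-host set and the sample email body are assumptions constructed for the example, not the real scam message.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts from which this organisation actually expects file-sharing links.
# Assumption made for this example; adjust to the services you really use.
TRUSTED_HOSTS = {"dropbox.com"}

# Visible link text that itself looks like a URL or bare hostname,
# e.g. "www.dropbox.com/s/abc" or "https://www.dropbox.com/...".
URL_LIKE_TEXT = re.compile(r"^(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/\S*)?$")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(host, trusted=TRUSTED_HOSTS):
    """True only for a trusted domain itself or a real subdomain of it.
    Lookalikes such as 'dropbox.com.evil.example' or 'dr0pbox.com' fail."""
    host = (host or "").lower().rstrip(".")
    return any(host == t or host.endswith("." + t) for t in trusted)


def check_link(href, text):
    """Return the reasons a link looks suspicious; an empty list means none found."""
    reasons = []
    parsed = urlparse(href.strip())
    host = parsed.hostname or ""  # handles 'https://dropbox.com@evil.example/' correctly
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {parsed.scheme!r}")
    if not host_is_trusted(host):
        reasons.append(f"target host {host!r} is not a trusted file-sharing host")
    # If the visible text itself looks like a URL, it must point where it says.
    if URL_LIKE_TEXT.match(text):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown.lower() != host:
            reasons.append(f"text shows {shown!r} but the link goes to {host!r}")
    return reasons


def find_suspicious_links(html):
    """Return [(href, text, reasons)] for every link in the body that fails a check."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        reasons = check_link(href, text)
        if reasons:
            flagged.append((href, text, reasons))
    return flagged


# Constructed sample body in the shape of the reported scam (not the real message).
SAMPLE_EMAIL = """
<p>RE: Action Required: Completed: *Foundation(R)#</p>
<p><a href="https://www.dropbox.com/s/real123/report.pdf">View the document</a></p>
<p><a href="https://login-check.example/dropbox">https://www.dropbox.com/s/abc123/form.pdf</a></p>
<p><a href="https://www.dropbox.com.secure-docs.example/">Completed: Foundation(R)#</a></p>
<p><a href="https://dropbox.com@evil.example/open">Open in Dropbox</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in find_suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS {href!r} (shown as {text!r}):")
        for reason in reasons:
            print("   -", reason)
```

Of the four links in the constructed sample, only the first is clean; the other three are flagged for a target host outside the trusted domain, for link text that names one host while the link goes to another, or for the "user@host" trick that puts the trusted name before an @ sign. The check is deliberately an allowlist, so a new lookalike domain fails by default instead of needing to be added to a blocklist.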
SSD is here to help boost your organization’s cyber defenses. If you are concerned about this latest scam targeting nonprofits, the growing ransomware threat, or any other security issue, give us a call to schedule a confidential consultation.