November 19, 2017
    What?! Membership lists now a target of phishing scams

    Is your association prepared?


    Are phishing scams getting more sophisticated? That can certainly be an argument, but more so, scammers are just finding new things to phish for, and unsuspecting associations can find they’re falling for the same ruse.

    Now, instead of money, these online confidence tricksters are going after associations’ membership lists. Hilltop Consultants, an IT management provider, identified the ruse last year when some of its association clients were contacted by these flimflammers.

    It works like this: The perpetrators spoof the association CEO’s email by creating an email address that looks very similar to your association’s email, but off by a letter or two, knowing that a person would not readily catch that. An email is then sent from the bogus account to a staff member, requesting the membership list (usually it’s money or personal information, though) be sent to a third party. That the request is for a membership list and not money might slip by an unsuspecting staffer.

    “Already [the perpetrators] have proven they have the ability to spoof the CEO of a trade association. That combined with access to the membership list, they could really exponentially increase fraud,” Hilltop president Jim Turner said (above). 

    How does an association protect itself from a phishing scam, especially one that involves its membership list? There are controls that an association can install, such as blocking key words. Also Hilltop uses security software from other companies in addition to its own system to control emails that are sent and received through mail servers. 

    But “it’s my experience that a technical solution isn’t going to protect you 100 percent,” Turner said. In addition, he strongly advises to “educate everybody who has access to your AMS, who can get to information you would not want to share with anybody else.

    “With wire transfers, there is a smaller number of people to educate on that. Now [the scammers] are not just asking for money, the information you have is as good as money.”

    Some of the measures Turner suggests are “very old school.” First, when an email comes in, especially from the CEO, requesting a money or information transfer, read the entire email carefully, including the email in the “From” field. Then call the supposed email sender or ask face-to-face - do not e-respond - regarding the authenticity of the email.

    At the ASAE 2016 Finance, HR and Business Operations Conference, a session on bank fraud by Tom Clolkosz of Access National Bank, and Sarah McConnell, CPA, of Johnson Lambert, also covered the best way to avoid getting swindled out of sharing personal information. McConnell described an exercise in which her IT director sent out a phishing email to the staff to see who would easily give up personal information, such as passwords. Of the 160 staff, 40 responded to the phishing email within six seconds of opening it. On a subsequent phishing email test, those who were repeat offenders were registered for a training course in sharing information. Also, KnowBe4, a company started by the original hacker Kevin Mitnick, provides email awareness training.

    Association TRENDS