A guide to the most common types of phishing and how to avoid them

What is phishing and why should you care?

Phishing is a form of cyberattack that involves sending fraudulent emails or other messages that appear to come from legitimate sources, such as banks, charities, or government agencies. The goal of phishing is to trick the recipients into clicking on malicious links, opening infected attachments, or providing sensitive information, such as passwords, credit card numbers, or personal details. Phishing can cause serious damage to your non-profit organization, such as financial losses, data breaches, reputation damage, or legal liabilities.

What are the types of phishing attacks?

There are many types of phishing attacks, but some of the most common ones that target smaller non-profits are:

• Spear phishing: This is a targeted attack that focuses on a specific individual or group within your organization, such as a board member, a donor, or a staff member. The attacker researches the victim and crafts a personalized email that mimics their usual communication style, tone, and content. The email may contain a fake invoice, a donation request, a security alert, or a business proposal, and ask the victim to click on a link, open an attachment, or reply with confidential information.
• Whaling: This is a form of spear phishing that targets high-level executives or leaders of your organization, such as the CEO, the CFO, or the president. The attacker pretends to be a trusted authority figure, such as a lawyer, a partner, or a regulator, and tries to persuade the victim to authorize a large transaction, a wire transfer, or a sensitive document. The email may look very professional and use official logos, signatures, or seals.
• Vishing: This is a form of phishing that uses voice calls instead of emails. The attacker calls the victim and claims to be a representative of a legitimate organization, such as a bank, a charity, or a government agency. The caller may use a spoofed phone number or a voice changer to sound more convincing. The caller may ask the victim to verify their identity, confirm their account details, or make a donation.
• Pharming: This is a form of phishing that involves redirecting the victim to a fake website that looks identical to a legitimate one. The attacker may use a technique called DNS poisoning, which alters the domain name system (DNS) records of a website, or a technique called typosquatting, which registers a domain name that is similar to a legitimate one, but with a slight spelling error. The fake website may ask the victim to log in, update their information, or make a payment.

How to prevent and respond to phishing attacks?

Phishing attacks can be hard to detect and avoid, but there are some best practices that you can follow to protect your non-profit organization, such as:

• Educate your staff, volunteers, board members, and donors about the signs and risks of phishing. Provide regular training, awareness campaigns, and updates on the latest phishing trends and tactics.
• Use strong and unique passwords for your online accounts and change them frequently. Use a password manager or a two-factor authentication (2FA) system to enhance your security.
• Install and update antivirus software, firewalls, and spam filters on your devices and networks. Scan your emails and attachments for viruses and malware before opening them.
• Verify the sender’s identity and the message’s authenticity before responding to any email or call that asks for personal or financial information. Check the email address, the phone number, the domain name, the spelling, the grammar, and the tone of the message. Look for any discrepancies, inconsistencies, or red flags.
• Do not click on any links or open any attachments that you are not expecting or that look suspicious. Hover your mouse over the link to see the actual URL or use a link scanner tool to check its safety. If you are not sure, contact the sender directly using a different channel, such as a phone call or a text message.
• Report any phishing attempts to your IT department, your management, and the relevant authorities, such as the Federal Trade Commission (FTC) or the Anti-Phishing Working Group (APWG). Forward the phishing email or the phone number to the appropriate organization or website.

Conclusion

Phishing is a serious threat to your non-profit organization and can cause significant harm to your mission, your reputation, and your resources. By being aware of the types of phishing attacks, the signs of phishing, and the ways to prevent and respond to phishing, you can protect your organization and your stakeholders from falling victim to these cybercriminals.