Australians have been losing $40 million monthly through social engineering scams. The Not-For-Profit (NFP) sector is not spared. While the Australian Charities and Not-for-profits Commission (ACNC) has warned of scams impersonating charities, the Australian Signals Directorate (ASD) confirmed NFPs are “prime targets for cybercriminals.”
Understanding and mitigating threats such as social engineering attacks is crucial for protecting your organisation’s mission and reputation.
What is Social Engineering?
Social engineering is any tactic that manipulates people into divulging confidential information or performing actions that compromise security. Common social engineering methods include:
- Phishing: Fake emails or messages that appear to come from reputable sources, prompting recipients to click on malicious links or provide sensitive information.
- Spear Phishing: Targeted phishing aimed at specific individuals or organisations, often using personal information to appear more convincing.
- Pretexting: Creating a fabricated scenario to obtain information from a target, often by impersonating someone trustworthy.
- Baiting: Offering something enticing to lure victims into a trap, such as a free download that would actually install malware.
Many of these are done via email, SMS, social media, and messaging apps. A few involve in-person activities, such as tailgating, or gaining unauthorised physical access by following someone with legitimate access.
How Social Engineering Affects Nonprofits
Social engineering attacks can have very serious impacts on an organisation, including:
- Disruption of Operations: Interruptions to NFP operations and services
- Financial Loss: Direct theft of funds or costs associated with remediation
- Reputation Damage: Loss of trust from donors, partners, and the public
- Legal and Regulatory Issues: Potential fines and legal action due to data breaches
The mental health of employees can also be affected by social engineering incidents. They can cause psychological distress to victims, including guilt, anxiety, fear, loss of trust, and a sense of helplessness. In turn, workplace productivity can decrease.
Additionally, understanding how to protect personal and sensitive information is key to maintaining trust and credibility with your stakeholders. For more insights on this, refer to our article.
Real-Life Cyber Incidents and Social Engineering Attacks on NFPs
The Cancer Council Australia was one of the nonprofits affected by the data breach at fundraising services provider Pareto Phone. It exposed names, dates of birth, addresses, email addresses, and phone numbers of donors and stakeholders. In a separate incident, Cancer Council Tasmania advised donors and prospects about hoax emails and website scams asking for donations.
The Australian Cyber Security Centre (ACSC) has also cited social engineering cases involving nonprofits. One involved a charity supporting families in need. Cybercriminals gained access to a staff email account that did not use multi-factor authentication. They sent a fake invoice to the finance department and tricked them into sending over $30,000.
In another case, a corporate donor was defrauded via email spoofing. The attackers impersonated a Nonprofit supporting healthcare professionals, using a spoofed email domain ending in “.org” instead of “.org.au”. The corporate donor was convinced to redirect $20,000 to a fraudulent account.
Top Strategies for Preventing Social Engineering
To protect your NFP, consider implementing the following strategies:
1. Employee Education and Awareness
Ongoing training is essential to help employees recognise and respond to social engineering threats. Training should cover:
- Recognising phishing emails
- Creating and maintaining strong passwords
- Understanding the importance of verifying requests for sensitive information
Also, provide employees with ongoing support, regular updates, and other resources to help them stay informed and vigilant.
2. Security Policies and Procedures
Draft clear guidelines that set out each staff member's role in maintaining security and what to do when threats arise. Key policies should include:
- Procedures for verifying the identity of individuals requesting sensitive information
- Guidelines for handling suspicious emails and messages
To remain effective, you must regularly review and update these policies.
3. Technical Controls
Implementing measures such as the following can significantly reduce the risk of social engineering attacks:
- Email Filtering and Spam Protection: Blocks malicious emails before they reach employees
- Multi-Factor Authentication (MFA): Adds an extra layer of security by requiring multiple forms of verification
- Intrusion Detection Systems (IDS): Monitors network traffic for suspicious activity
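The corporate-donor case above turned on a sender domain ending in “.org” instead of “.org.au”, and the email-filtering control listed here is where such lookalikes can be caught before a payment is redirected. The following is an added example, not code from the article or from ADITS, of a small sender check that a finance team's mail filter or ticketing rule could run over the From: header: it compares the sender's registrable domain against an allowlist of known partner domains and flags three kinds of impersonation (same name with a different suffix, a one-character typosquat of the name, and a display name that claims a partner while the address is elsewhere). The allowlist entries and sample headers are constructed for the example; the public-suffix handling is simplified to a few Australian suffixes and a real deployment would use the Public Suffix List.

```python
from email.utils import parseaddr

# Constructed allowlist of domains belonging to partners this organisation
# actually pays or takes payment instructions from (hypothetical values, not
# taken from the article). In practice this comes from vendor records.
TRUSTED_DOMAINS = {"helpingfamilies.org.au", "healthcharity.org.au"}

# Simplified public-suffix handling: a few multi-label suffixes used in
# Australia; anything else is treated as a single-label TLD. A production
# filter should consult the Public Suffix List instead of this tuple.
MULTI_LABEL_SUFFIXES = ("org.au", "com.au", "net.au", "edu.au", "gov.au", "asn.au", "id.au")


def registrable_parts(domain):
    """Split a domain into (registrable label, public suffix).

    'mail.helpingfamilies.org.au' -> ('helpingfamilies', 'org.au')
    'helpingfamilies.org'         -> ('helpingfamilies', 'org')
    """
    domain = domain.lower().strip().rstrip(".")
    for suffix in MULTI_LABEL_SUFFIXES:
        if domain.endswith("." + suffix):
            stem = domain[: -(len(suffix) + 1)]
            return stem.split(".")[-1], suffix
    labels = domain.split(".")
    if len(labels) < 2:
        return domain, ""
    return labels[-2], labels[-1]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value, trusted=TRUSTED_DOMAINS):
    """Classify a From: header as 'trusted', 'lookalike', 'unknown' or 'invalid'.

    Returns (verdict, reason). A 'lookalike' resembles a trusted partner
    without being one; payment or data requests from it should be held and
    verified through a channel already on file, never via the email itself.
    """
    display_name, addr = parseaddr(header_value)
    if "@" not in addr:
        return "invalid", "no parseable address"
    domain = addr.rsplit("@", 1)[1].lower()
    label, suffix = registrable_parts(domain)
    name_norm = "".join(ch for ch in display_name.lower() if ch.isalnum())
    parts = {t: registrable_parts(t) for t in trusted}

    # Exact match on the registrable domain (subdomains included) wins first,
    # so a genuine partner is never misflagged because of another entry.
    for t, (t_label, t_suffix) in parts.items():
        if (label, suffix) == (t_label, t_suffix):
            return "trusted", f"registrable domain matches {t}"

    for t, (t_label, t_suffix) in parts.items():
        # Same organisation name, different suffix: the .org vs .org.au case.
        if label == t_label:
            return "lookalike", f"'{label}.{suffix}' mimics {t} with suffix '{suffix}'"
        # One-character typosquat of a reasonably long organisation name.
        if len(t_label) >= 6 and edit_distance(label, t_label) == 1:
            return "lookalike", f"'{label}' is one edit away from '{t_label}'"
        # Display name claims to be the partner while the address is elsewhere.
        if t_label in name_norm:
            return "lookalike", f"display name '{display_name}' claims {t_label} but address is at {domain}"
    return "unknown", f"{domain} is not a trusted partner domain"


if __name__ == "__main__":
    # Constructed sample From: headers, not real messages.
    for header in (
        "accounts@helpingfamilies.org.au",
        "accounts@helpingfamilies.org",
        "ceo@helpingfamilles.org.au",
        "Helping Families <ceo@gmail.com>",
        "someone@example.com",
    ):
        verdict, reason = classify_sender(header)
        print(f"{verdict:9} {header!r}: {reason}")
```

The check is deliberately conservative about what it calls “trusted”: only the registrable domain on the allowlist (or a subdomain of it) qualifies, and everything else is either flagged as resembling a partner or left as unknown, so the rule complements rather than replaces the verification procedure in the policies section.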
4. Incident Response Planning
Having a plan in place for responding to social engineering attacks is crucial. This plan should include:
- Steps for containing and mitigating the attack
- Designating a response team for handling security incidents
- Procedures for notifying affected parties
- Regular testing and updating of the plan to ensure its effectiveness
- Post-incident activities to identify weaknesses and improve future responses
5. Regular Security Audits
Conduct regular audits to identify vulnerabilities and ensure compliance with security policies. Regularly review internal processes and systems for potential security gaps. You may also engage third-party experts to do comprehensive security assessments.
6. Secure Communication Channels
Ensure that sensitive information is communicated only through secure channels, such as encrypted emails and secure messaging apps.
7. Third-Party Security
Ensure that your stakeholders also adhere to strong security practices. Perform partner assessments regularly to evaluate their security practices. Include security requirements in contracts with third parties.
All these strategies can help you build a strong defence against social engineering attacks.
Protect Your Nonprofit Today
With the right strategies, you can protect your organisation against social engineering threats and therefore safeguard your mission. To help NFPs across Queensland, ADITS has designed a unique approach called CyberShield combining managed IT and essential cyber security services and IT governance. Find out how we can help you today.