Congratulations—you have just been named the recipient of some much-needed and well-deserved funding!
The bad news? Well, now you need to be on high alert for cyber scams. That press release listing you as a recipient of a major award may have put a bullseye on your back. Your name and the award have probably landed you on the radar of some hackers.
But before your eyes glaze over and you think this is just another overblown warning: this has already happened to other organizations like yours. Some of them were wiped out within weeks of receiving huge grants that were about to transform their world. In 2016 after raising millions of dollars for the Standing Rock Sioux Native American tribe protests, a quarter million dollars was inadvertently wired by the political non-profit Our Revolution to scammers who posed as trusted business vendors. In 2017, Save the Children was phished into sending $997,400 to a scammer. The most recent victims are keeping the incidents confidential, as you can imagine.
Even if you haven’t (yet) received that kind of windfall, it’s important to know these various types of scams continue to make their way through the nonprofit world as well as the for-profit.
There’s good news though: there are three steps you can take to protect yourself, and they don’t require you to find extra money to hire an IT consultant.
Not a Masters in Fine Arts, but the other MFA: Multi-Factor Authentication. This is the security measure used by financial and other websites to send you a code on your cell phone before you can log in. Does this kind of security seem like a pain? Maybe, and sometimes it actually is, but think of the pain of having your accounts wiped out or getting locked out of your essential business operations. Also, where possible or when given a choice, go with the Google Authenticator or similar app-based authentication codes as opposed to text or email message-based codes.
Don’t stop protecting your own accounts though. Ask your partners, vendors, advisors, and even donors to do the same as soon as possible. It’s an interconnected world, and the account that you are linked to for an automatic payment could be the one that leaves an open door for hackers. Any communications system such as email, Slack, or chat could be a risk, in addition to your financial and accounting systems, and your banks.
Contact Info and Security Word
Collect contact info for the authorized contacts of your vendors, your advisors, and your partners, ideally during a call or video meeting—not in an email. Get a cell phone, work phone, WhatsApp, or Signal contact info—and don't allow it to be changed without verbal confirmation. Especially for donors and significant financial partners, create a code word you share and agree to include in any information update requests.
There’s a reason that websites ask you for those annoying and obscure details like the name of your 7th-grade science teacher (no offense, Mrs. Martinez). Hackers can find a lot of personal information online (um, yes Facebook, thanks for telling the whole world the name of your cat), so look for something that would never be online and that you don’t plan on announcing online, ever.
Even with social media accounts that are set to “private,” most people are overconfident in the privacy that exists online. Move around in the digital world as if you have no privacy at all (because in many cases you don’t) and treat your personal information accordingly.
Outbound Calls Only
Here is a really big tip: don’t change anything or say yes to anything on an inbound call or through text. Don’t give any information in response to an email query (phishing scams are a lot more sophisticated these days than the old “wire me some money” spam). Confirm all wire/ACH transactions via an outbound phone call to one of those pre-collected contact numbers above. Do not accept an inbound call for verification, and never click on links sent via text even if they look legitimate. If your bank ever does need to verify any account activity, that message will be waiting for you when you log into your account, or when you call their customer service line.
In short, just make it a habit to never click any links or give any personal information from an inbound call, email, or even a mailed letter (scammers are going old-school these days).
All this work may seem like a lot to deal with, but it’s nothing compared to dealing with what security professionals call the “attack pattern.”
a. Your organization receives funding
b. Your organization is infiltrated
c. Your organization is scammed through payment fraud
You know how much work went into getting those funds in the first place, so consider the advice of security folks. They have a saying: there are two kinds of people. People who have secure processes in place, and people who are going to wish they did.