With more organizations working remotely these days, the risk of cybercrime has skyrocketed. Proactive associations can take three simple steps to reduce the chances of being taken advantage of by financial scammers and cybercriminals.
When the pandemic first struck, associations had to react quickly. Large, in-person events were canceled, membership dropped due to global economic forces, and many transitioned staff to remote work. These massive shifts in the landscape required groups to remake themselves almost overnight. In hindsight, it’s easy to see how all this necessary, urgent change opened the door for financial scammers and cybercriminals to find new opportunities to profit in the association space.
Now that most association employees aren’t in the same building anymore, many of the common-sense protections from financial theft and fraud aren’t as effective or practical. If an accounting team member gets an email wire transfer request from the association president, verifying the request is no longer as simple as walking down the hall and asking. Now, an email reply is the path of least resistance, which can play right into the hands of a fraudster.
Similarly, with no office phones, staff are sometimes reluctant to call a colleague’s personal cell phone to ask a question. Instead, Outlook messaging is favored by many organizations. As more of our communication becomes electronic, an observant cybercriminal has more opportunities to access sensitive data. They can insert themselves in financial transactions to steal money or impersonate your organization to steal from your members, which can irrevocably damage your reputation.
Despite this dangerous environment, there are effective, no-cost protections associations can implement to avoid financial scams and other cybercrimes. Here are three of the most impactful:
Formalize Your Financial Approval and Validation Processes
Most associations have a process for approving a financial transaction, with named individuals granted approval authority and multiple approvers needed for transactions over a certain dollar amount. Putting these processes in writing, communicating them to all staff, and reinforcing them will help make them stick in employees’ minds. Another best practice is using your existing accounting or bill-paying software to enforce the approval process (e.g., an approver has to log in and click an “I approve” button within the application before payment is released). That way an approval can never be granted by a forwarded email alone: an attacker would also need the approver’s own login, which makes hijacking your accounting process considerably harder.
Association employees also must follow the approval process and validate the identity of the person issuing the approval. For example, if a small association allows its president to solo-authorize transactions up to $30,000, an email from the president shouldn’t be all that’s required. Emails can be faked through spoofing and phishing, or sent from the president’s genuine mailbox after a business email compromise (BEC), in which case the message is indistinguishable from a real one. The recipient should verify the request over a channel that exists entirely outside the email system: a phone call or a text message to a cell phone number already on file, never a number supplied in the email itself. Remember: Microsoft Teams is part of Microsoft 365 and is not technically separate from Microsoft 365 email. An attacker who controls the president’s Microsoft 365 account can answer a Teams message just as convincingly as an email, so Teams does not count as an out-of-band channel.
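As an added illustration (not code from the original article), the Python check below flags the common technical tells of a forged executive email and, just as importantly, shows that a genuine BEC sent from the president’s real mailbox shows none of them. The association domain, the executive’s name and address, and all four messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed association details (hypothetical values for this example only).
TRUSTED_DOMAINS = {"example-assoc.org"}
EXECUTIVES = {"pat lee": "president@example-assoc.org"}  # display name -> real address
PRESSURE_WORDS = ("urgent", "immediately", "today", "confidential", "discreet", "favor")

# Constructed sample messages (not captured from any real mailbox).
SPOOFED = """\
From: Pat Lee <president@example-assoc.org>
Reply-To: pat.lee.president@gmail.com
Subject: Urgent wire transfer - need this done today
Authentication-Results: mx.example-assoc.org; dmarc=fail header.from=example-assoc.org

Please wire $28,500 to the vendor below and keep this confidential.
"""
LOOKALIKE = """\
From: Pat Lee <president@examp1e-assoc.org>
Subject: Urgent wire transfer - need this done today
Authentication-Results: mx.example-assoc.org; dmarc=pass header.from=examp1e-assoc.org

Please wire $28,500 to the vendor below and keep this confidential.
"""
BEC = """\
From: Pat Lee <president@example-assoc.org>
Subject: Urgent wire transfer - need this done today
Authentication-Results: mx.example-assoc.org; dmarc=pass header.from=example-assoc.org

Please wire $28,500 to the vendor below and keep this confidential.
"""
LEGIT = """\
From: Pat Lee <president@example-assoc.org>
Subject: Q3 board packet
Authentication-Results: mx.example-assoc.org; dmarc=pass header.from=example-assoc.org

Attached are the slides for next week. No action needed.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw: str) -> list[str]:
    """Return the impersonation indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    addr, from_domain = addr.lower(), domain_of(addr)

    # 1. A known executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr != expected:
        findings.append(f"display name '{name}' used with {addr}, expected {expected}")

    # 2. Sender domain close to, but not equal to, a trusted domain.
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if levenshtein(from_domain, trusted) <= 2:
                findings.append(f"lookalike domain {from_domain} (resembles {trusted})")

    # 3. Reply-To steering replies to a different domain than the From address.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append(f"Reply-To {reply.lower()} does not match From domain {from_domain}")

    # 4. The receiving server recorded a DMARC failure for the From domain.
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        findings.append("DMARC failed: From address is not authenticated")

    # 5. Social-engineering pressure cues (urgency, secrecy) in subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in PRESSURE_WORDS if w in text]
    if len(hits) >= 2:
        findings.append("pressure cues: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, sample in ("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("bec", BEC), ("legit", LEGIT):
        print(label, assess(sample) or "no indicators")
```

The spoofed and lookalike messages each trip three indicators, but the BEC message, sent from the real president@example-assoc.org with DMARC passing, trips only the wording check, which a careful fraudster can avoid. That is why the header checks are a useful early warning and not a substitute for a phone call to a number already on file.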
Implement Multi-Factor Authentication Wherever Possible
As more accounting and bill-paying applications become reachable directly from the internet (instead of only from the association’s network or a virtual private network), it becomes easier for cybercriminals to gain unauthorized access. Credential harvesting through phishing emails, replaying username/password pairs leaked in prior breaches, or simply brute-force guessing passwords can allow a bad guy to log in to a user’s account in Microsoft 365, Bill.com, and other externally accessible services. From there the attacker can perform BECs, manipulate invoices, damage your reputation with your members and donors, or access bank credentials to steal money from your association.
When appropriately implemented, multi-factor authentication is an incredibly effective (and usually no-cost, since it is a built-in option in Microsoft 365 and most cloud accounting services) technique to stop these sorts of threats in their tracks. The attack goes from “guessing a password” to “guessing a password while also controlling the victim’s phone or authenticator,” which shuts down password guessing and reuse of leaked credentials outright. It is not absolute: an attacker who phishes a one-time code in real time, or who floods a user with push prompts until one is approved, can still get in, so prefer an authenticator app or hardware key over text-message codes and tell staff to deny any prompt they did not initiate. Even so, most opportunistic attackers who hit MFA give up on that account and move on to easier targets.
Foster a Culture of Security Over Immediacy
We all know the stereotype: the demanding C-suite personality who wants things done their way, immediately, and with no questions asked. Those individuals are often revered for getting things done, but they also instill a culture of bypassing the processes and other safeguards that keep associations safe from cybercrime. Suppose a leader sends email requests to initiate wire transfers and expects them done immediately, without the proper approval or validation steps. That plays right into the hands of fraudsters.
Scammers often impersonate C-level executives, using social engineering techniques like instilling a sense of urgency, asking for favors, requesting discretion, or being overly demanding to squash any challenges to their requests. If your association has a culture where this is normalized, then scammers will likely succeed. However, by promoting a culture that honors validation processes, scammers’ requests won’t hold up to scrutiny, and you’ll avoid becoming another victim.