Do any of you have a really great online resource you use to teach your nonprofit employees and volunteers, or to teach seniors or teens, how to avoid phishing? Or a presentation you've used that you would be willing to share?
-=-=-=-=-=-
Jayne Cravens
Author, The LAST Virtual Volunteering Guidebook
Do you go over that web site information with the seniors, or teens, one-on-one? Or in a class? Or just say, "Hey look at this link."? And how do you measure success and know it's making a difference?
Phishing is a specific category of threat. But because it uses delivery methods similar to conventional malware, I make it part of a more comprehensive presentation on security and Best Practices.
I use that website (and others) as a resource for myself. As with any training, I adjust the content to match the needs of the group or individuals. For example, volunteers don’t have to worry about phony banking sites if they have no access to the organization’s bank accounts and the organization has blocked access to banking sites from their computers. But the accounting staff will receive a much different presentation placing great emphasis on on-line banking. If the audience is seniors, teens or whatever, I adjust accordingly.
Since the training can be summed up in the sentence “Don’t fall for anything suspicious”, and the perpetrators of phishing scams are very adept at making their attacks appear trustworthy, effectiveness isn’t as easily tested or measured as it is with training that involves specific knowledge or procedures. In addition, about 5% to 20% of the individuals will violate the recommendations within 24 hours, for an assortment of reasons. (As a consulting network administrator, I see the firewall and security logs that back up that statement.) For that reason, a comprehensive security program will also include a perimeter firewall and enterprise-grade Internet security software that can block most of the malicious websites and e-mails associated with phishing.
But even with limited effectiveness, the training has value:
- Included in a comprehensive, general security program, training and other steps to protect against phishing will add little additional cost.
- The more receptive members of the audience will be better prepared to escape overwhelming financial loss.
- The organization will now have a permanent record of having provided the training. So if a user ignores recommendations, falls for a scam and loses his life savings, he is less likely to succeed at suing the organization for facilitating the loss.
"For example, volunteers don’t have to worry about phony banking sites if they have no access to the organization’s bank accounts and the organization has blocked access to banking sites from their computers."
But many nonprofits want to help their clients and volunteers to better understand the Internet and avoid phishing and other scams, scams that might not put the nonprofit at risk but very much put their clients at risk.
So, still looking for great resources, those that talk to people who aren't tech savvy and need more than "Don't fall for anything suspicious." If your nonprofit works with seniors or teens in particular, and has done these trainings, would love to see your favorite resources or even the presentation you use.
“But many nonprofits want to help their clients and volunteers to better understand the Internet…”
Exactly! Even among organizations of similar size and purpose, the policies and practices set by management can vary over a wide range. So no one approach or speech is going to work.
That’s why I can’t simply read a script. I use on-line references such as the one I listed earlier to create an outline and then I adjust the content on-the-fly to match the needs of the organization and audience, whatever they might be. I also check a few security websites each morning in order to have information on the latest threats and vulnerabilities. And I have to keep it within budget.
But then, I’m an IT professional and I’m expected to meet those standards. If all the organization wants is to provide ad-hoc exposure to a subject for purposes of general education rather than guaranteed protection of organizational assets, then one can be a lot more casual about the content. Searching a few websites and YouTube videos will probably provide enough material. But it’s still a good idea to check on the latest threats before giving the presentation. If someone in the audience asks questions, you want to be prepared. :)
I wish I had a quick fix for you but I have to operate in the real world. Organizations want to protect their volunteers et al, but training budgets are limited. And some of the members of the audience can’t understand or won’t follow the advice. And many non-profits have a high turnover of personnel. Can they afford to pay someone to repeat the presentation over and over, constantly making changes to match new threats? They do what they think is best. I work with what I’m given.
While on vacation this past week I was checking my email every evening. I received an email from my credit card company and this was no surprise because when my spending pattern changes, they let me know they noticed it.
I clicked on the link to confirm that the purchase was made by me and received a warning message.
Yes, the email that arrived with perfect timing had fooled me, an "Internet Consultant", who would have told you prior to this that no phisher was going to catch me...!!
The point of this embarrassing story is that organizations should have a "NO UNVERIFIED CLICKING" policy for any link received in an email. That means they must look at and be sure they understand what it is they are clicking on. If there is any doubt, they need to get help with the verification.
Users (including me) need a strict policy or a near-death experience before they can be expected to be ever vigilant.
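As an added illustration of the "look at and be sure they understand what they are clicking on" step in the policy above (this is example code, not anything posted by the people in this thread): a small Python script that lists every link in an HTML e-mail and flags the ones a reader should verify before clicking. The e-mail body and the expected sender domain example-bank.com are constructed for the example; the checks are the ones a help desk would walk a user through by hand: does the link go to a host under the expected domain, is the real host hidden behind user-info or a bare IP address, and does the visible text show a different address than the link actually opens.

```python
"""Review every link in an e-mail body before anyone clicks it.

Added example for the 'no unverified clicking' policy; not code from the
original thread.  Assumes the e-mail body is HTML and that the expected
sender domain (here the constructed 'example-bank.com') is known.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase hostname of a URL, or '' if it has none (mailto:, javascript:, ...)."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def same_site(host, expected):
    """True when host is the expected domain or a subdomain of it."""
    return host == expected or host.endswith("." + expected)


def review_links(html_body, expected_domain):
    """Return (href, reason) for each link that must be verified before clicking."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = host_of(href)
        if not host:
            findings.append((href, "no hostname in link"))
            continue
        # 'https://example-bank.com@evil.example/' shows the bank but goes elsewhere.
        if "@" in urlparse(href).netloc:
            findings.append((href, "user-info before host hides real destination"))
            continue
        try:
            ipaddress.ip_address(host)
            findings.append((href, "link goes to a bare IP address"))
            continue
        except ValueError:
            pass
        # Visible text that looks like a URL must point where the link really goes.
        shown = host_of(text) if "://" in text else ""
        if shown and shown != host:
            findings.append((href, "visible text shows %s but link goes to %s" % (shown, host)))
            continue
        if not same_site(host, expected_domain):
            findings.append((href, "host %s is not under %s" % (host, expected_domain)))
    return findings


# Constructed sample resembling the 'confirm your purchase' message described above.
SAMPLE_EMAIL = """
<p>We noticed unusual spending. Please
<a href="https://example-bank.com.verify-login.example/confirm">confirm this purchase</a>
or view your statement at
<a href="http://198.51.100.7/statement">https://example-bank.com/statement</a>.
Questions? Visit <a href="https://www.example-bank.com/help">our help center</a>.</p>
"""

if __name__ == "__main__":
    for href, reason in review_links(SAMPLE_EMAIL, "example-bank.com"):
        print("VERIFY:", href, "->", reason)
```

The first sample link passes a quick glance (it begins with the bank's name) but its real host is under verify-login.example; the second hides a bare IP address behind text that reads like the bank's address; only the help-center link is left unflagged.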
Yeah, I've had a few close calls too. The "bad guys" on the large phishing operations are well funded and very professional. Gone are the days of broken English and similar easy giveaways.
I received an e-mail supposedly from Smith-Barney a few months ago. It had the right fonts, the right logo and perfect English asking me for account information. Fortunately I don't have an account with S-B so I was able to spot the scam :)
Compounding the problem is the constant probing of users for unnecessary personal information. They have become far too willing to give phone numbers and other information to places like Facebook and Yahoo because they are told it will improve their security and privacy. Right. Sure.
So far, my security software seems to be catching the user slip-ups when it comes to phishing.
What the security software does NOT seem to detect are products that, once planted on a computer, provide remote access for the bad guys via remote control or VPN. The attacks are completely invisible to the users. Since these are relatively legitimate products, the anti-malware utilities largely ignore them. I spotted one VPN attack entirely by accident. I was troubleshooting an unrelated problem and happened to notice that a SonicWall VPN .DLL was loaded and running in the background. (Suspicious, since the organization had no firewall.) Based on the installation date, it seems that the bad guys had been able to read every document on that computer (and shared network folders) for several months.
The best defense I've found is to make sure that users log in without administrator credentials so that the products can't be installed.
And if you find yourself looking for free remote control utilities, be very careful. Watch out for products with man-in-the-middle designs, allowing access to several computers and made in Russia.
You bring up a good point. If something has been installed on your computer and is then involved in "unwanted activity", it would be nice to have a program that could detect that and alert you. Do you know of anything like that?
I am thinking about software that could stay memory resident or just be run from time to time as the user prefers. It would keep a list of applications that it has seen and that the user has reviewed and marked as "ok". But it could also bring up a report as needed to review the activity of all applications so anything that is doing more than was expected could be noted. And of course, the systems with which it was communicating (domain or IP address) could be seen.
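As an added sketch of the reviewing program described in the post above, and of how the invisible remote-access tool in the earlier post might have surfaced sooner (example code, not anything the thread's participants wrote or used): a Python script that keeps a baseline of programs the user has reviewed and marked "ok", together with the destinations seen when they were approved, and on each run reports two things: programs not in the baseline at all, and known programs talking to a destination they had not used before. The snapshot of running programs and their connections is constructed here; on a real machine it would be collected from the operating system (for instance psutil's net_connections() joined to each process's exe()), which is outside this stand-alone example.

```python
"""Baseline-and-diff review of which programs are talking to the network.

Added example for the 'list of applications the user has reviewed and marked ok'
idea; not code from the thread.  The snapshot format is constructed; a real
collector would fill it from the OS.
"""
import json

# Constructed snapshot: one row per (program, remote endpoint) a scan observed.
SNAPSHOT = [
    {"pid": 1204, "exe": r"C:\Program Files\Mozilla Firefox\firefox.exe", "remote": "203.0.113.10:443"},
    {"pid": 1204, "exe": r"C:\Program Files\Mozilla Firefox\firefox.exe", "remote": "203.0.113.44:443"},
    {"pid": 2280, "exe": r"C:\Windows\System32\svchost.exe", "remote": "203.0.113.5:443"},
    {"pid": 3321, "exe": r"C:\Users\Public\updater\rmtsvc.exe", "remote": "198.51.100.23:443"},
    {"pid": 2280, "exe": r"C:\Windows\System32\svchost.exe", "remote": "192.0.2.99:4444"},
]

# Constructed baseline: programs the user reviewed and the destinations approved
# for them.  The sentinel "any" means the user accepted all destinations (a browser).
BASELINE = {
    r"C:\Program Files\Mozilla Firefox\firefox.exe": {"any"},
    r"C:\Windows\System32\svchost.exe": {"203.0.113.5"},
}


def review_activity(snapshot, baseline):
    """Return (new_programs, new_destinations), each mapping exe -> set of hosts."""
    new_programs = {}
    new_destinations = {}
    for conn in snapshot:
        exe = conn["exe"]
        host = conn["remote"].rsplit(":", 1)[0]
        allowed = baseline.get(exe)
        if allowed is None:
            # Never reviewed: the case of a quietly installed remote-access tool.
            new_programs.setdefault(exe, set()).add(host)
        elif "any" not in allowed and host not in allowed:
            # Known program, but a destination it was not approved for.
            new_destinations.setdefault(exe, set()).add(host)
    return new_programs, new_destinations


def approve(baseline, exe, hosts=("any",)):
    """Return a copy of the baseline with the user's 'ok' recorded for exe."""
    updated = {k: set(v) for k, v in baseline.items()}
    updated.setdefault(exe, set()).update(hosts)
    return updated


def baseline_to_json(baseline):
    """Serialise for storage between runs (sets become sorted lists)."""
    return json.dumps({k: sorted(v) for k, v in baseline.items()}, indent=2)


def baseline_from_json(text):
    return {k: set(v) for k, v in json.loads(text).items()}


def format_report(new_programs, new_destinations):
    """Human-readable lines for the user to review."""
    lines = []
    for exe, hosts in sorted(new_programs.items()):
        lines.append("NEW PROGRAM  %s -> %s" % (exe, ", ".join(sorted(hosts))))
    for exe, hosts in sorted(new_destinations.items()):
        lines.append("NEW DESTINATION  %s -> %s" % (exe, ", ".join(sorted(hosts))))
    return lines or ["nothing new since last review"]


if __name__ == "__main__":
    print("\n".join(format_report(*review_activity(SNAPSHOT, BASELINE))))
```

Run against the constructed data, the report lists rmtsvc.exe as a never-reviewed program and svchost.exe reaching 192.0.2.99 on an unusual port; the user then either investigates or records an "ok" with approve(), and the stored JSON baseline is what the next run diffs against.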