Spoofing and Scamming: Are Your Members Next?
As cyber threats become more varied and sophisticated, attackers may try to scam your members, and they may pose as you to do it. Here are some precautionary steps to take.
About a month ago, something funny started happening with my cellphone. Random people started calling me and asking why I was flooding their phone with robocalls.
Turns out, I had become a pawn in a “neighborhood spoofing” scam, whereby robocallers use local phone numbers to conceal their identity in the hopes of duping unsuspecting victims. This style of spoofing, according to The New York Times, is on the rise largely because phone companies can’t stop it, at least for now. New FCC rules due out in November will give them the power to proactively block robocallers.
Then, two weeks ago, I came close to falling victim to another cyber scam—this one a sophisticated spear-phishing attack. An email from an association executive whom I had previously interviewed contained a legitimate-looking link to a Google document. Luckily, I didn’t click, and I was later notified by the sender that the link was malware.
And last week, many Airbnb users fell victim to a fake GDPR-themed scam asking them for password and credit card information.
If these stories sound familiar to you, it’s because cyber criminals are getting savvier about how they construct spoofing and scamming attacks. They’re using social-engineered data—information collected from your digital footprint and networks—to trick people into clicking, downloading, or directly handing over personally identifiable information.
These new tactics should concern you not just as a potential scam victim, but also because your members could be taken in by con artists posing as you. The last thing you want is for your members to become victims of a cyber attack because they clicked on an email they thought came from your association.
Just ask the Association of Certified Fraud Examiners about that. ACFE has 85,000 members worldwide, and they can usually see fraud coming. But that doesn’t mean the association or its members are immune to cyber attacks, and just recently, scammers struck.
Members received an email, apparently from ACFE, asking them to join a team that would help the government to detect fraud—which was, in fact, a fraud. The email had many of the telltale signs of a phishing attack, including misspellings and grammar errors. Some attacks include fake email addresses or URL links (always hover over and spot-check a link before clicking).
“Recent attacks have talked about our industry or ripped off some of the language from our mission,” says Ross Pry, director of membership for ACFE. “These attacks are getting more sophisticated, and the emails are getting more believable, which just makes safeguarding your members even tougher.”
ACFE quickly posted the fake message to its website and alerted members to the incident. “It’s helpful for members to see the language that’s used. There were misspellings and grammar issues, like missing periods. It helps them to understand the style and variety of attacks.”
The attack may have been facilitated by ACFE’s online directory of certified fraud examiners. It can help people find and contact an examiner, but it’s also a popular way for scammers to target ACFE members.
“It’s a tough situation, and one we’ve been discussing, because we want to promote our members to the general public,” Pry says. “But the downside is that individuals can harvest this information for scams. Right now, it’s a delicate balance between how much information we can and should provide” publicly.
To spot a scam early, Pry says ACFE listens to members, who are encouraged to report incidents by phone, email, or online chat. “Thankfully, because of the nature of our association and membership, most of our members have been forthright in figuring out that these things are scams,” he says.
Have you trained your members to spot and report cyber attacks? What are some ways you’re helping to safeguard members? Leave your comments in the thread below.