More and more nonprofits are reporting security breaches in their digital marketing programs. This article, from Wired Magazine, chronicles a common plague that we’ve seen multiple nonprofits find themselves battling: fraud attacks.
Fraud attacks can happen on many fronts.
Facebook pages, as noted in the piece from Wired, can be targets for fraudsters to take over your organic social program, posting as your organization. Fraudulent posts can range from the offensive to the scammy.
Donation pages can be targets for fraudsters to test stolen credit cards. Earlier this week we heard from a tech lead at a nonprofit who had discovered thousands of fraud attempts running through their donation platform (they use an extremely popular nonprofit digital marketing suite and have high standards for their AVS settings).
Nonprofits are an easy target for cyberattacks. If you’re a nonprofit marketer, how do you prevent fraud (or, at least, prepare for it if it happens)?
Information security education
If you’re reading this and you’re a marketer, do not roll your eyes. You need a baseline understanding of security practices. Our friends at Tech Impact have oodles of resources to get you up to speed. Pro tip: We recommend committing to a security training schedule and regimen, so that your team can stay on top of what’s happening. The Wired article illustrates how a nonprofit can fall victim to social engineering and phishing scams. You must train your staff on the ins and outs of these cyber attacks (saying this is earning me major cred with our IT staff, btw).
Perform a security audit
Nonprofits need to prioritize security for online marketing, including documentation of your security processes and workflows, standardized password management protocols (for the love, no more shared user accounts), and implementation of SSL on your website. That’s scratching the top layer. We’re betting an espresso and a conversation with your tech team will help. If you need additional help, check out the NTEN Community Forum.
Better user management
Attacks are compounded when nonprofits leave old employees, contractors, and partners as admins of their accounts. An old employee or contractor doesn't have to be disgruntled. If their accounts are compromised, any page or account linked to the compromised account is in trouble. Establishing user management practices can enhance your control, and therefore make your program more secure.
Enable, where possible, Multifactor Authentication (MFA)
Also referred to as Two Factor Authentication (2FA), this practice is now a commonplace recommendation in many tech applications. You may have seen MFA options suggested in your own use of Facebook, Gmail and other common apps. Google offers some pretty sweet 2FA tools and options. And Facebook improved their MFA in 2018. Read more here and here.
Educate yourself on your donation page security
14.2 million credit cards were exposed in 2017. Nonprofit donation pages are easy targets, optimized to the fewest decisions possible, which might mean loose security standards. As marketers, you should be aware of the security settings and protocols you’ve enabled on your eCRM, including AVS (Address Verification System) and CVV (Card Verification Value) settings, velocity control, and testing the use of CAPTCHA or reCAPTCHA.
Ask your eCRM for protocols on fraud escalation
When and if you’re attacked, the last thing you want is to submit a ticket and wait to be contacted. If nothing else, there’s peace of mind in knowing how your eCRM handles the urgency of fraud attacks. These are baby steps. But they do work.
And they are important, so that you are aware of how to handle similar situations.
Want to go deeper?