Tim Ebner is former senior editor of Associations Now in Washington, DC.
Email and telephone “spoofing” scams, which mimic a legitimate person or business, are on the rise. Often these attacks target online member directories where members’ contact information can be used to deceive.
Member directories are common on association websites, whether they’re members-only directories for the association community or public ones that help professionals or businesses make connections with potential customers.
Packed as they are with member information, online directories can quickly become prime targets for cyber criminals, especially if they lack proper safeguards.
Recently, the Association of Certified Fraud Examiners fell victim to a so-called spear-phishing attack. A group of cybercriminals sent members a letter containing a phony but legitimate-looking request for bids that appeared to come directly from ACFE.
“These cyber criminals were doing a broad search of our directory and getting the information they needed to conduct an attack,” says Director of Membership Ross Pry.
Email and telephone “spoofing” scams, which mimic a legitimate person or business, are on the rise, but Pry says that doesn’t mean associations must fall victim. Preventing an attack “takes a coordinated effort between the association and [its] members,” he says. “And when an attack does happen, don’t be afraid to have a conversation with members.”
A few preventative measures can help safeguard members’ personal information online. Pry suggests a two-tier approach: a public database with limited member information, plus a members-only directory where more data is stored behind a password and protected by two-factor authentication.
At ACFE, members must opt in to be included in a public directory where consumers can go to find an anti-fraud professional. This resource provides phone numbers and email addresses only. More detailed information is listed in the member directory, which requires a username and password to access. Members may opt out, and those who are listed may customize the information that appears there.
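The two-tier directory model described above, written out as an added example of a deny-by-default access policy (this is illustrative code, not ACFE's system): the public tier shows a member only after explicit opt-in and never exposes more than a name, phone and email (the name field is assumed as the lookup key); the member tier requires a second factor, honours opt-out, and lets each member hide individual fields.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Tier(Enum):
    PUBLIC = "public"   # unauthenticated consumer lookup
    MEMBER = "member"   # logged in with password plus second factor

# Allow-lists per tier. The public tier is limited to contact details only;
# the member tier adds the more detailed profile fields (field names are assumed).
PUBLIC_FIELDS = {"name", "phone", "email"}
MEMBER_FIELDS = PUBLIC_FIELDS | {"employer", "city", "specialties"}

@dataclass
class Member:
    record: dict
    public_opt_in: bool = False              # public listing is opt-in (default: not listed)
    member_dir_opt_out: bool = False         # members-only listing is opt-out (default: listed)
    hidden_fields: set = field(default_factory=set)  # member's own per-field customization

def directory_view(m: Member, tier: Tier, second_factor_ok: bool = False) -> Optional[dict]:
    """Return the fields a requester may see, or None if the member is not listed."""
    if tier is Tier.PUBLIC:
        if not m.public_opt_in:
            return None
        allowed = PUBLIC_FIELDS
    elif tier is Tier.MEMBER:
        if not second_factor_ok:
            # Password alone is not enough for the members-only directory.
            raise PermissionError("members-only directory requires a second factor")
        if m.member_dir_opt_out:
            return None
        allowed = MEMBER_FIELDS
    else:
        raise ValueError(f"unknown tier: {tier}")
    # Deny by default: a field appears only if the tier allows it AND the member has not hidden it.
    return {k: v for k, v in m.record.items() if k in allowed and k not in m.hidden_fields}

# Constructed sample record (not real data) for a stand-alone run.
SAMPLE = Member(
    record={"name": "A. Examiner", "phone": "555-0100", "email": "a.examiner@example.org",
            "employer": "Example Corp", "city": "Austin"},
    public_opt_in=True,
    hidden_fields={"phone"},   # this member chose not to show a phone number anywhere
)

if __name__ == "__main__":
    print("public view :", directory_view(SAMPLE, Tier.PUBLIC))
    print("member view :", directory_view(SAMPLE, Tier.MEMBER, second_factor_ok=True))
```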
“We’ve found directories have to be a balance of control,” Pry says. “First and foremost, we want to protect our members’ information online, but we also want to make it as easy as possible for them to connect.”
Even with protections built in, breaches or phishing attacks can occur. “Keep an open line out there, so members can report something,” Pry says. “In some cases, incidents were discovered because a member alerted us.”
When an attack does happen, he says, raise a warning flag to members. A proactive communications strategy will help mitigate the damage.
“We just had someone post a warning that chapters were being targeted for an email spear-phishing scam,” Pry says. “Fortunately, our membership base is pretty savvy with this sort of thing—they are a naturally suspicious group—and that’s a good thing because you want them to alert you to certain types of activities.”