Regarding Escalating Security Incidents
Urgent: Escalating Phishing Attacks Targeting Chapter Members
We are dealing with ongoing security incidents affecting our state chapters, which are resulting in serious financial consequences for our members. Your advice is needed.
The Issue: Our chapter members are being phished with fake emails and text messages. These malicious communications are targeting our members, impersonating chapter leaders by using their specific names and incorporating our organization's details in the subject lines.
Most Recent Example: An incident just happened with a chapter member who sent $500.00 in gift cards to an individual she believed was her chapter president. This type of phishing scam has been previously reported.
Current Strategy: Leaders are continually advised to reinforce the following message with all members:
- Chapter leaders will never solicit gift cards or money via phone or computer.
- Members must call the leader directly to verify the authenticity of any suspicious email or text message request.
If any personal contact information is publicly visible on your websites, it can be collected by external parties. Attackers typically gather details by scraping leadership directories, event announcements, newsletters, PDFs, and social media. Even without direct access, they can guess email formats and use publicly available names and titles to craft convincing impersonation messages.
Here are my recommendations for immediate prevention. Please let me know if you have any questions about implementing these measures.
Kind regards,
Dawn Flanders, Ed.S, Mu Chapter
1. Reduce Publicly Exposed Information
- Remove personal email addresses and phone numbers from public-facing pages whenever possible.
- Use secure contact forms instead of listing direct email addresses.
- Limit leadership directories to names and titles only.
- Review downloadable PDFs or documents and remove personal contact details before posting.
2. Strengthen Member Awareness
- Continue emphasizing that leaders will never request money or gift cards through email or text.
- Include this reminder regularly in all chapter communications.
- Add a clear warning banner on member-only sites or portals.
- Share examples of recent phishing messages so members know what to look out for.
3. Improve Authentication Signals
- Ensure all official chapter communications come from a consistent, trusted email domain.
- Encourage members to save official leader phone numbers so unfamiliar numbers stand out.
- Use a standardized email signature for all leaders to help members recognize legitimate messages.
4. Implement Technical Protections
- Confirm that DMARC, DKIM, and SPF protections are properly set up for all official email domains.
- Require two-step verification on any shared chapter email accounts.
- Add CAPTCHAs to website forms to help limit automated scraping of information.
5. Establish a Rapid Reporting Loop
- Create a dedicated email address for members to report suspicious messages.
- Ask chapters to forward phishing attempts so you can track trends and identify new tactics.
- Send out alerts to all chapters when new impersonation patterns or scams are spotted.
Long-Term Recommendations
- Offer brief, annual cybersecurity training for chapter leaders to help them stay ahead of emerging threats.
- Develop a standardized communication policy for handling financial or urgent requests.
- Move toward a secure, login-protected member directory rather than publicly listing contact information.
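The "Confirm that DMARC, DKIM, and SPF protections are properly set up" item above is the one recommendation that can be checked mechanically. The script below is an added example, not part of the email thread and not something the chapter or its mail provider supplies: it parses SPF and DMARC TXT records and flags the settings that let an impersonator's mail through (a permissive or missing "all" in SPF, a missing DMARC record, p=none, pct below 100, a weaker sp= for subdomains, no rua= reporting address). The domain names and records in SAMPLE_RECORDS are constructed for illustration. With a real resolver you would feed it the TXT record of the domain and of _dmarc.<domain>; DKIM is not checked here because it needs the selector and the signed message.

```python
import re

# Constructed sample records for illustration; these are not real DNS data.
SAMPLE_RECORDS = {
    "chapter.example": {
        "spf": "v=spf1 include:_spf.mailprovider.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@chapter.example",
    },
    "unprotected.example": {
        "spf": "v=spf1 +all",
        "dmarc": None,
    },
    "hardened.example": {
        "spf": "v=spf1 include:_spf.mailprovider.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; adkim=s; aspf=s",
    },
}


def parse_spf(record):
    """Parse an SPF TXT record into its terms, the qualifier on 'all', and the
    number of DNS-lookup terms (RFC 7208 allows at most 10 before permerror).

    Returns None when the string is not an SPF record.  A missing 'all' term
    is reported as qualifier None, which receivers treat as neutral.
    """
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    terms = record.split()[1:]
    all_qualifier = None
    lookups = 0
    for term in terms:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"  # bare 'all' means '+all'
            continue
        body = term.lstrip("+-~?").lower()
        # a, mx and ptr (with or without a domain or CIDR suffix), include,
        # exists and the redirect modifier each cost a DNS lookup.
        if body.split("/")[0] in ("a", "mx", "ptr") or body.startswith(
            ("a:", "mx:", "ptr:", "include:", "exists:", "redirect=")
        ):
            lookups += 1
    return {"terms": terms, "all": all_qualifier, "lookups": lookups}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of lower-cased tags; None if not DMARC."""
    if record is None or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(spf_record, dmarc_record):
    """Return a list of weaknesses in the SPF/DMARC posture; empty means OK."""
    findings = []
    spf = parse_spf(spf_record)
    if spf is None:
        findings.append("SPF missing: any host can claim to send for this domain")
    else:
        if spf["all"] in (None, "+", "?"):
            findings.append(
                "SPF 'all' qualifier is %r: unauthorised senders pass or are neutral; "
                "use -all or ~all" % spf["all"]
            )
        if spf["lookups"] > 10:
            findings.append("SPF exceeds 10 DNS lookups: evaluation returns permerror")

    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append("DMARC missing: receivers apply no policy to spoofed mail")
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC p=none: monitoring only; spoofed mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC p= tag missing or invalid")
        if dmarc.get("pct", "100") != "100":
            findings.append("DMARC pct=%s: policy applied to only part of the mail" % dmarc["pct"])
        if policy != "none" and dmarc.get("sp", policy).lower() == "none":
            findings.append("DMARC sp=none: subdomains of this domain can still be spoofed")
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address: no aggregate reports to spot spoofing")
    return findings


def assess_all(records):
    """Assess every domain in a {domain: {'spf': ..., 'dmarc': ...}} mapping."""
    return {d: assess_domain(r.get("spf"), r.get("dmarc")) for d, r in records.items()}


if __name__ == "__main__":
    for domain, findings in assess_all(SAMPLE_RECORDS).items():
        print(domain, "->", "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Of the three constructed domains, only hardened.example comes back clean; chapter.example is flagged for p=none, which is the common state of a domain that "has DMARC" but still lets impersonation through, and unprotected.example is flagged for both +all and the missing DMARC record.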
