Online Security for PTAs

By Mireira Moran, California State PTA Communications Commissioner

If you receive an email, text, or social media message that seems a bit strange, you might be the target of a scam. You may have received an email that seems like it’s from someone on your board, maybe from their actual email address (or something close). If the message asks you to pick up gift cards or make some other financial transaction, be on high alert.

As a non-profit association, PTA can be vulnerable to these types of cybercrimes at all levels. As a PTA leader, you are among the people most likely to receive these types of emails, especially if you are the president or treasurer.

Here are some commonly asked questions to help you better understand and deal with the situation.

Why are they sending these emails?

The goal of these emails is to gain access to your information, often for financial gain. But it may not be obvious at first.

What should I be watching out for?

  1. Email phishing – fraudulent or spoofed email messages that appear to come from legitimate sources. The message will usually direct you to a spoofed website or otherwise get you to divulge private information (such as bank account information or account passwords), or even ask you to purchase gift cards. The perpetrators then use this private information to commit identity theft or trick you into sending money in some form.
  2. Ransomware/malware – a virus that installs covertly on the victim’s computer system, encrypts the victim’s files to make them inaccessible, and demands a ransom payment to decrypt them. Malware is often triggered by downloading files or clicking links from untrustworthy sources that appear to be legitimate.

How do the scammers have access to real email addresses?

  1. Spoofing – This usually occurs when spammers gain access to another user’s data and clone their contact list. From there they can replicate any of the contacts’ email addresses. These email addresses will appear to be legitimate. This does not necessarily mean that their email has been “hacked”; the email address may have been forged.
  2. Fraudulent emails – This is when spammers have access to names but are not able to access accounts. Often you will see the person’s name, but when you look at their email address it will be different (example: John Smith <1615168@nonsenseemail.baloney>).
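
The two cases above can be checked mechanically against a list of your board's real addresses. The sketch below is an added example, not part of the original article: the roster, the `pta.example` addresses, the function name and the warning labels are all constructed for illustration. It goes slightly beyond the text by also flagging near-miss domains and a Reply-To that differs from the sender.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed roster: display name -> the address that person really uses.
KNOWN_CONTACTS = {
    "john smith": "john.smith@pta.example",
    "maria lopez": "treasurer@pta.example",
}


def _domain(addr):
    """Return the lower-cased part after the last '@'."""
    return addr.rsplit("@", 1)[-1].lower()


def classify_sender(from_header, reply_to=None):
    """Return warning labels for one message's From and Reply-To headers."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.strip().lower()
    warnings = []

    expected = KNOWN_CONTACTS.get(name)
    if expected and addr != expected:
        # "Fraudulent email" case: a familiar name on an unfamiliar address.
        warnings.append("name-address-mismatch")
        similarity = SequenceMatcher(None, _domain(addr), _domain(expected)).ratio()
        if _domain(addr) != _domain(expected) and similarity >= 0.8:
            # "Something close": a domain one or two characters off the real one.
            warnings.append("lookalike-domain")

    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr and reply_addr.lower() != addr:
            # Forged sender address, with answers diverted to another mailbox.
            warnings.append("reply-to-differs")

    return warnings


if __name__ == "__main__":
    # The article's own example of a fraudulent address.
    print(classify_sender("John Smith <1615168@nonsenseemail.baloney>"))
```

An empty result does not prove a message is genuine: a forged sender address with no Reply-To looks identical to the real one in these headers, which is why contacting the person another way remains the reliable check.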

So how should you handle this sort of situation?

  1. If you receive an email from a fraudulent email address, please report it to your email provider immediately and delete the email. This process differs depending on your email provider. Don’t click on links from people you don’t know.
  2. If you receive an email from an email address you recognize but you suspect it is not the actual person: do not click on any of the links, do not forward it to anyone, and do not reply to the email. Contact the person another way – call them, text them, email them – and alert them to the situation. Delete the email immediately. This is likely email spoofing. If this happens on your PTA email account, send a message to:

How can I prevent this from happening?

Though it is not possible to entirely prevent these things from happening, there are a few things you can do to protect yourself, your accounts, and your contacts.

  2. Always double-check where the email is actually coming from. 
  3. Do not click any links or download any attachments in the suspicious email
  4. If you are in doubt as to the validity of an email, contact the person directly (call/text)
  5. Use anti-virus software on all your devices
  6. Run regular updates on your devices
  7. Establish 2-factor authentication whenever possible
  8. Do not connect to unfamiliar or unsecured Wi-Fi
  9. Do not use the same password for multiple accounts