Online Security for PTAs: What You Need to Know

You may have received an email appearing to be from someone on your board — or that even has their actual email address — asking for some sort of financial transaction, but it wasn’t actually from them.

As a non-profit association, PTA can be vulnerable to these types of cyber crimes at all levels. PTA leaders are most likely to receive these types of email, especially if you are the president or treasurer.

Here are a commonly asked questions to better help understand and deal with the situation.

Why are they sending these emails?

The goals of these emails are to gain access to your information, often for financial gain.

There are two main ways they can do this:

  1. Email Phishing – typically from fraudulent or spoofed email messages appearing to come from legitimate sources, usually direct you to a spoofed website or otherwise get you to divulge private information such as bank account information or account passwords or even ask you to purchase gift cards. The perpetrators then use this private information to commit identity theft or trick you into sending money in some form.
  2. Ransomware/malware – a virus that installs covertly on the victim’s computer system and encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. Often malware is triggered by downloading files or clicking links from untrustworthy sources which appear to be legitimate.

How do they have access to these email addresses?

  1. Spoofing – This usually occurs when spammers gain access to another user’s data and clone their contact list. From there they can replicate any of the contacts’ email addresses. These email address will appear to be legitimate. This does not necessarily mean that their email has not been “hacked.”
  2. Fraudulent emails – This is when spammers have access to names but are not able to access actual email accounts. Often you will see the person’s name in the “from” line, but when you look at their email address it will be different (example: John Smith <1615168@nonsenseemail .bs>).

So how should you handle this sort of situation?

  1. If you receive an email from a fraudulent email address, please report it to your email provider immediately and delete the email. This process differs depending on your email provider.
  2. If you receive an email from the address of someone you know but you suspect it is not from that actual person, do not click on any of the links, do not forward to anyone, do not reply to the email. Doing so just increases the likelihood that someone will click on the link or divulge financial information. Please delete immediately. This is likely email spoofing.

How can I prevent this from happening?

Though it is not possible to entirely prevent these things from happening, there are a few things you can do to protect yourself, your accounts, and your contacts:

  1. Use anti-virus software on all your devices
  2. Run regular updates on your devices
  3. Establish two-factor authentication whenever possible
  4. Do not connect to unfamiliar or unsecure Wi-Fi
  5. Do not use the same password for multiple accounts
  6. Do not click any links or download any attachments in the suspicious email
  7. NEVER SHARE FINANCIAL INFORMATION IN AN EMAIL

Click here to return to the blog homepage.

Best Practices for Handling Phishing and Ransomware

Both email-phishing scams and crypto ransomware/malware are increasingly common and can have devastating impacts on businesses and non-profit associations of all sizes. As a non-profit association, PTA can be vulnerable to these types of cyber crimes at all levels and, in fact, we have heard reports of email-phishing scams happening to local leaders.

Email-phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises (e.g., your PTA treasurer or president, your Internet service provider, your bank). These messages usually direct you to a spoofed website or otherwise get you to divulge private information such as bank account information or account passwords. The perpetrators then use this private information to commit identity theft or trick you to wire money.

Ransomware/malware is a virus that installs covertly on the victim’s computer system and encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. Often malware is triggered by downloading files or clicking links from untrustworthy sources which appear to be legitimate.

If you get an email from a fellow PTA officer asking to wire funds, do not send money.

Establish communication “backchannels” such as text message or phone calls to verify the authenticity of the request. Additionally, remember to keep your personal and PTA computer systems and firewalls up-to-date to minimize the potential for viruses to inflect your system with malware.

Additional Resources: