Online Security for PTAs

By Mireira Moran, California State PTA Communications Commissioner

If you receive an email, text, or social media message that seems a bit strange, you might be the target of a scam. You may have received an email that seems like it’s from someone on your board, maybe from their actual email address (or something close). If the message asks you to pick up gift cards or make some other financial transaction, be on high alert.

As a non-profit association, PTA can be vulnerable to these types of cybercrimes at all levels. As a PTA leader, you are among the people most likely to receive these types of emails, especially if you are the president or treasurer.

Here are commonly asked questions to help you better understand and deal with the situation. 

Why are they sending these emails?

The goal of these emails is to gain access to your information, often for financial gain. But it may not be obvious at first.

What should I be watching out for?

  1. Email phishing – fraudulent or spoofed email messages that appear to come from legitimate sources. The message will usually direct you to a spoofed website or otherwise get you to divulge private information (such as bank account information or account passwords), or even ask you to purchase gift cards. The perpetrators then use this private information to commit identity theft or trick you into sending money in some form.
  2. Ransomware/malware – a virus that installs covertly on the victim’s computer system, encrypts the victim’s files to make them inaccessible, and demands a ransom payment to decrypt them. Malware is often triggered by downloading files or clicking links from untrustworthy sources that appear to be legitimate.

How do the scammers have access to real email addresses?

  1. Spoofing – This usually occurs when spammers gain access to another user’s data and clone their contact list. From there they can replicate any of the contacts’ email addresses. These email addresses will appear to be legitimate. This does not necessarily mean that their email has been “hacked”; the email address may have been forged.
  2. Fraudulent emails – This is when spammers have access to names but are not able to access accounts. Often you will see the person’s name but when you look at their email address it will be different (example: John Smith <1615168@nonsenseemail.baloney>).
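
The two cases above can be checked against a list of known contacts. The following is an added example, not part of the original article: the roster, the `lincoln-pta.example` addresses, the 0.85 similarity threshold and the function names are all assumptions made for illustration.

```python
import email
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed roster of board contacts: display name -> real address.
ROSTER = {
    "john smith": "john.smith@lincoln-pta.example",
    "ana reyes": "treasurer@lincoln-pta.example",
}
# Requests the article says to treat as high alert.
MONEY_TERMS = ("gift card", "bank account", "password")

def classify_sender(from_header, roster=ROSTER, threshold=0.85):
    """Compare a From: header with the roster of known contacts."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.strip().lower()
    known = set(roster.values())
    if addr in known:
        # An exact match can still be forged, so it is never proof of identity.
        return "known-address"
    if name in roster:
        # Familiar name on an unfamiliar address: the "fraudulent email" case.
        return "name-mismatch"
    if any(SequenceMatcher(None, addr, k).ratio() >= threshold for k in known):
        # "Something close" to a real address.
        return "lookalike-address"
    return "unknown-sender"

def triage(raw_message):
    """Return (sender_class, asks_for_money, advice) for one raw message."""
    msg = email.message_from_string(raw_message)
    sender = classify_sender(msg.get("From", ""))
    body = msg.get_payload()  # assumes a plain-text, single-part message
    asks = any(term in body.lower() for term in MONEY_TERMS)
    if sender in ("name-mismatch", "lookalike-address"):
        advice = "report to email provider and delete"
    elif asks:
        advice = "contact the person another way before acting"
    else:
        advice = "no flag raised"
    return sender, asks, advice

# Constructed sample message using the article's example sender.
SAMPLE = (
    "From: John Smith <1615168@nonsenseemail.baloney>\n"
    "Subject: Quick favor\n\n"
    "Are you free? I need you to pick up gift cards for the teachers today.\n"
)
```

A `known-address` result only means the address matches the roster; because a forged address looks identical, any request for money from a known address still needs confirmation by phone or text.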

So how should you handle this sort of situation?

  1. If you receive an email from a fraudulent email address, please report it to your email provider immediately and delete the email. This process differs depending on your email provider. Don’t click on links from people you don’t know.
  2. If you receive an email from an email address you recognize but you suspect it is not the actual person: do not click on any of the links, do not forward it to anyone, and do not reply to the email. Contact the person another way (call them, text them, email them) and alert them to the situation. Delete the email immediately. This is likely email spoofing. If this happens on your PTA email account, send a message to: ITAlert@capta.org

How can I prevent this from happening?

Though it is not possible to entirely prevent these things from happening, there are a few things you can do to protect yourself, your accounts, and your contacts.

  1. NEVER SHARE FINANCIAL INFORMATION IN AN EMAIL (including gift cards)
  2. Always double-check where the email is actually coming from. 
  3. Do not click any links or download any attachments in the suspicious email
  4. If you are in doubt as to the validity of an email, contact the person directly (call/text)
  5. Use anti-virus software on all your devices
  6. Run regular updates on your devices
  7. Establish 2-factor authentication whenever possible
  8. Do not connect to unfamiliar or unsecured Wi-Fi
  9. Do not use the same password for multiple accounts

Beware of Tricky Texts

By California State PTA Treasurer and state office IT Staff

We are no strangers to various scams across the internet, whether it’s through phone calls regarding our car’s extended warranty or emails from princes in faraway countries. Now a new type of scam is becoming commonplace: text messages.

When we log into our bank, we are often given codes to enter or links to ‘tap on’ that are sent via text as part of a 2-factor authentication method. These are one-time use links that validate our identity to help prevent scammers. Beware: more and more scammers are attempting to exploit people by spoofing these validation texts. Read on to learn what you can watch for.

With this kind of scam, you will receive a text message with a link to click on to verify your identity, typically with an accompanying message indicating that some type of action is needed in your account. Often it will be from a bank you don’t use and they are hoping to have guessed your bank correctly. Occasionally that shot in the dark works and it may appear to be from a bank you have an account with. When this happens you could get a call from the scammers themselves, asking for more information to validate your identity (i.e. your login information, or passcodes that have been sent to you).

As with all SPAM and SCAM messages, unless you are expecting this information from your bank, never click on any links or attachments in the messages. While you can always ignore these and delete them, if you are concerned that your account has been compromised, you should immediately reset your account password by logging in through a computer/tablet, not on your cellular device. Never do this through a reset link that you did not request. Lastly, never share a passcode that you are sent via text message from your financial institution. These passcodes are intended to be entered only by you, into the webpage from which you initiated the request.

The best rule of thumb when dealing with possible scams like this is to hang up, look up, and call back. Hang up the phone if you receive a call, look up the institution and their correct customer service phone number, and then call the institution that you hold an account with. They will verify if the request for information is valid or if someone is trying to scam you out of your money or gain access to your personal information.