What scams are circulating and how can you protect yourself and your organization?
Nonprofit Cybersecurity expert and Community IT CTO Matt Eshleman runs through common scams and new tactics that we are seeing at nonprofits and simple steps you and your staff can take at this time of year to be better protected.
Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
Takeaways on Nonprofit Cybersecurity for the Holidays
Common scams
- “Your package couldn’t be delivered” … this email or text tries to get you to click on a link or respond in some way, using social engineering (helpfulness, urgency) to trick you into helping a colleague or sorting out a problem with a package. The goal is to get you to click the link, give up your login, or otherwise interact with the fake package-delivery scammer.
- “The Executive Director needs to purchase holiday gift cards for staff” … a variation on the “gift card” scam oriented towards the end of the year: holiday parties, gifts for donors or volunteers. These emails or texts try to get you to click on a link, give your login, or actually purchase the cards. Gift cards are attractive to scammers because once they have the code, the victim’s money is gone; it is a quick and immediate scam.
- Pop-up “your computer has been compromised, call this number” scam … often the pop-up can’t be closed (shut down, log back in, and alert someone on your actual IT help desk team). This scam tries to get you to interact with a fake help desk and hand over login credentials, allowing the “help desk” to install monitoring on the system, or to hand over payment information. Often the fake help desk will retarget the victim regularly to continue to “help.” This scam can be initiated by clicking on a link in a phishing email, opening a document with a fake link, or scanning a fake QR code.
New Scams
- Spam bombs … followed by a helpful call from “the IT help desk.” This scam inundates your inbox with hundreds to thousands of spam emails an hour. Even if you have good inbox protections, they can be overwhelmed by the volume. The scam relies on the victim being anxious about the spam attack and relieved when “the help desk” notices the increase in spam and reaches out to help. It tricks the victim into interacting with a fake help desk and handing over login credentials, allowing the “help desk” to install monitoring on the system, or handing over payment information.
- AI deepfake voice and video scams … growing in presence as the tools to create deepfakes become more available and affordable. In addition to giving a fake contact number for the “help desk,” the scammers may provide AI-generated audio or video that matches what the victim expects their regular contact to sound and look like.
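Because the spam bomb itself is the signal that precedes the fake “help desk” call, a sudden per-mailbox spike in inbound volume is worth alerting on through your own documented process. The detector below is an added example, not Community IT’s tooling; the log format, mailbox names and the 200-messages-per-hour threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Assumed log format (constructed): '<ISO timestamp> <recipient> <sender>'."""
    ts, rcpt, sender = line.split()
    return datetime.fromisoformat(ts), rcpt, sender


def detect_mail_floods(lines, threshold=200, window_minutes=60):
    """Return {recipient: (peak_messages_in_window, distinct_sender_domains)}
    for every mailbox whose inbound count exceeds `threshold` within any
    sliding window of `window_minutes`. Threshold is an assumption; tune it
    to your organisation's normal volume."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # recipient -> timestamps inside the window
    domains = defaultdict(set)    # recipient -> sender domains seen so far
    alerts = {}
    for ts, rcpt, sender in sorted(parse_line(l) for l in lines if l.strip()):
        q = recent[rcpt]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that aged out
            q.popleft()
        domains[rcpt].add(sender.split("@")[-1])
        if len(q) > threshold:
            peak = max(alerts.get(rcpt, (0, 0))[0], len(q))
            alerts[rcpt] = (peak, len(domains[rcpt]))
    return alerts


def build_sample_log():
    """Constructed sample data (not real mail logs): one mailbox with normal
    traffic and one receiving 600 messages in about 40 minutes."""
    base = datetime(2024, 12, 20, 16, 0)
    lines = []
    for i in range(30):    # normal: 30 messages spread over six hours
        lines.append(f"{(base + timedelta(minutes=12 * i)).isoformat()} "
                     f"ed@example.org partner{i}@example.net")
    for i in range(600):   # flood: one message every four seconds
        lines.append(f"{(base + timedelta(seconds=4 * i)).isoformat()} "
                     f"cfo@example.org promo{i}@bulk{i % 50}.example")
    return lines


if __name__ == "__main__":
    for mailbox, (peak, n_domains) in detect_mail_floods(build_sample_log()).items():
        print(f"ALERT {mailbox}: {peak} msgs in window from {n_domains} domains")
```

An alert from this check should go to the on-call contact in your incident response plan, not to whoever happens to phone the flooded user.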
Protections Against Holiday Scams
- Stay suspicious, particularly at the end of the day before a holiday break and the week before that break. Take9 has some good training and advice on taking a pause before you respond or click. Scammers use urgency to try to get you to use work-arounds, particularly when you are trying to close your laptop for the day and go do holiday activities!
- Be particularly suspicious of inbound calls and new contact information at any time of year, but especially around the holidays. Do not give your login credentials or other information to someone who called or texted you claiming to be from IT or your bank. Always check through your previously documented processes, or end the interaction and initiate a new conversation your regular way, using a number on file or going to an official website you have used before.
- Review your incident response plan, particularly your phone tree, before the holidays. Make sure you know who to call to report a suspicion or problem, and make sure that your point of contact has a substitute for when they are out of the office for the holidays. Who is “on call”? Check that you have no single points of failure in your response plan. Now is probably not the time to re-write your response plan, just to review it and remind staff of the process.
- Have strong cybersecurity already in place. Strong passwords, MFA requirements, physical MFA keys for staff who are particularly targeted like your Executive Director and CFO, staff training on the importance of cybersecurity to protect your organization – maybe even a quick training on holiday scams to watch out for … taking proactive steps will give you peace of mind during your holidays.
- Do not be tricked into using a work-around. Someone you usually interact with will understand your process and will not pressure you into just doing a different thing at 5pm on a Friday “because the regular person has gone home.” Always use your established procedures. The regular people you work with can wait until the next business day, even/especially if that is after the holidays.
- Do report something, using your incident response plan. If you did click on something suspicious at 5pm on a Friday, you don’t want to leave it to the hackers for the entire long weekend or holiday break to be in your system. Use your response plan to report it immediately to the person on call for your cybersecurity.
Community IT seeks to provide trusted advice and guidelines for nonprofit cybersecurity safety around the holidays. If you have questions on cybersecurity assessments, staff training, incident response plans, or other cybersecurity topics, reach out and schedule a conversation or assessment with Matt.
Presenters

As the Chief Technology Officer at Community IT, Matthew Eshleman leads the team responsible for strategic planning, research, and implementation of the technology platforms used by nonprofit organization clients to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how nonprofit tech works and interoperates both in the office and in the cloud. With extensive experience serving nonprofits, Matt also understands nonprofit culture and constraints, and has a history of implementing cost-effective and secure solutions at the enterprise level.
Matt has over 23 years of expertise in cybersecurity, IT support, team leadership, software selection and research, and client support. Matt is a frequent speaker on cybersecurity topics for nonprofits and has presented at NTEN events, the Inside NGO conference, Nonprofit Risk Management Summit and Credit Builders Alliance Symposium, LGBT MAP Finance Conference, and Tech Forward Conference. He is also the session designer and trainer for TechSoup’s Digital Security course, and our resident cybersecurity expert.
Matt holds dual degrees in Computer Science and Computer Information Systems from Eastern Mennonite University, and an MBA from the Carey School of Business at Johns Hopkins University.
He is available as a speaker on cybersecurity topics affecting nonprofits in addition to nonprofit cybersecurity for the holidays, including cyber insurance compliance, staff training, and incident response. You can view Matt’s free cybersecurity videos from past webinars here.

Carolyn Woodard is currently head of Marketing and Outreach at Community IT Innovators. She has served many roles at Community IT, from client to project manager to marketing. With over twenty years of experience in the nonprofit world, including as a nonprofit technology project manager and Director of IT at both large and small organizations, Carolyn knows the frustrations and delights of working with technology professionals, accidental techies, executives, and staff to deliver your organization’s mission and keep your IT infrastructure operating. She has a master’s degree in Nonprofit Management from Johns Hopkins University and received her undergraduate degree in English Literature from Williams College.
She was happy to have this podcast conversation with Matt Eshleman about nonprofit cybersecurity for the holidays.
Ready to get strategic about your IT?
Community IT has been serving nonprofits exclusively for twenty years. We offer Managed IT support services for nonprofits that want to outsource all or part of their IT support and hosted services. For a fixed monthly fee, we provide unlimited remote and on-site help desk support, proactive network management, and ongoing IT planning from a dedicated team of experts in nonprofit-focused IT. And our clients benefit from our IT Business Managers team who will work with you to plan your IT investments and technology roadmap if you don’t have an in-house IT Director.
We constantly research and evaluate new technology to ensure that you get cutting-edge solutions that are tailored to your organization, using standard industry tech tools that don’t lock you into a single vendor or consultant. We don’t treat any aspect of nonprofit IT as if it is too complicated for you to understand. When you are worried about recovering from a cybersecurity incident, you shouldn’t have to worry about understanding your provider.
If you have questions about nonprofit cybersecurity for the holidays, incident response planning, or business continuity, you can learn more about our approach and client services and contact us here.
We think your IT vendor should be able to explain everything without jargon or lingo. If you can’t understand your IT management strategy to your own satisfaction, keep asking your questions until you find an outsourced IT provider who will partner with you for well-managed IT.
If you’re ready to gain peace of mind about your IT support, let’s talk.
Photo by Wicked Monday on Unsplash