

How to Protect Your Organization from Phishing Email

Email is one of the most common and easiest avenues for intrusion and fraud, and the risk of employees falling victim to phishing email continues to rise.

How many of the following scenarios have you encountered or read about in the news?

  • Accounts payable is sent an email requesting a transfer of funds to an illegitimate account.
  • The Human Resources department receives an email that seems to be from an employee requesting a change in his direct deposit information.
  • Staff members receive an email requesting W-2s for several employees.
  • The CFO emails a lower-level staff member stating he needs a wire transfer processed immediately but that he is in a meeting and unavailable to discuss it.
  • An employee receives an email with a malicious link that infects his computer with malware.
  • An employee receives an email saying her account has been compromised and she should click the embedded link to reset her password.

Situations like these are rampant today. Email is a necessity, and its convenience means the risks of using it do not outweigh the benefits. So what steps should you take to mitigate your organization's risk of a breach or cyberattack that begins with a phishing email?

Understand the Risk

Knowing how a phishing email works will help you and your employees be on the alert. This post explains phishing attacks and provides a few key takeaways.

Tighten Up Your Email Security

Sensitive, confidential, and proprietary information should never be sent through email. Setting and communicating this rule also makes fraudulent requests easier to spot: if your leadership team has made clear to staff that they will never, under any circumstances, email a request for a wire transfer, then a staff member who receives such an email knows immediately that it should raise red flags. The same logic applies to emailed requests to change direct deposit or vendor payment details. Require that such requests be confirmed out of band, for example by calling the requester at a phone number already on file rather than one supplied in the email.

Be sure to read this post to learn how to make email more secure within your organization.

Train Your Employees

Provide formal, ongoing employee cybersecurity training that includes:

  • How to identify and report suspicious or fraudulent emails and other suspect requests
  • The type of information your organization does and does not allow to be sent by email
  • Descriptions of current cybersecurity threats

Consider Testing

A phishing test helps determine your employees’ ability to identify fraudulent email. You can then use the results to make your employee training more effective and identify users who may need additional education. CapinTech offers a phishing test as part of the Cyber Checkup service.

Plan for Failure

Email has become essential to daily operations and activities. Because of this, it is specifically targeted by fraudsters to gain information or access to assets. And unfortunately, it’s not a matter of if, but when, a user will send sensitive information or click on a bad link. We are only human, and humans make mistakes.

It’s also important to remember that even the best email and spam filtering solutions won’t stop every phishing email from reaching an end user, and even the most alert employees can still fall victim.

That means planning for the worst is imperative in today’s environment. In many breaches, the fallout is not from the breach itself, but from a weak response — or no response at all.

Develop an incident response plan in conjunction with disaster recovery processes. If there is a ransomware incident as a result of a bad link in an email, can you restore from backups? What happens if a user sends out sensitive information via unsecured email? What if an employee sends funds in response to a fraudulent wire transfer request? How would you respond? Do you need to notify any parties, such as insurance companies, media, forensics companies, customers, or regulatory bodies? Do you have template language for these notifications?

These types of discussions should be held before an incident occurs. Time is of the essence, and you do not want to be in the position of figuring out your plan during the incident.

Stay Vigilant

Addressing phishing is a vital part of cybersecurity at organizations of all sizes, and it needs to be an ongoing process. Understanding the risks, following the steps above, and periodically reviewing your processes and controls will go a long way in helping you reduce your risk from phishing email and respond quickly if a breach should occur.

Authors: Allison Davis Ward, Partner and Kamilla Ben, Manager, CapinTech


Additional Resource:

How Weak IT Controls Can Affect Your Financial Statement Audit E-book
