FIDI NEWS, FF307 September-November 22, pp16-17 (www.fidi.org)

sent to FIDI's Finance Manager asking for an urgent money transfer to a conference supplier. FIDI's Secretary General, Jesse van Sas, says: 'Our finance department received these emails, which appeared to have been sent by me and looked very legit. Luckily, we have strict payment processes, and payments are only made against approved invoices, and must be verified and co-signed, to avoid such issues.'

Van Sas adds that it's vital for Affiliates to protect themselves, by having clear processes in place, a healthy suspicion of all emails asking for money, and by verifying who the true sender is. 'Never assume things; always verify, even when emails seem to come from the top,' he says.

Bell adds: 'It is difficult to understand that there are people out there who want to cheat you when any opportunity arises. In my case, they targeted a new member of a board, slightly excited at doing something to prove his/her worth. However, if something looks suspicious, especially when it has to do with money, go to the source, double check, and call if necessary. Don't be shy to ask; even if it turns out to be an authentic request, you will have done your due diligence.'

DEALING WITH PHISHING

Microsoft gives some clear steps for identifying and preventing phishing attacks and for what to do if an attack on you is successful.

HOW DO I KNOW IF IT'S A PHISHING MESSAGE?

Criminals can use emails, or messages on text, social media or even video games, to get people to reveal their personal information. The best defence, says the organisation, is knowing what to look for, which includes:

1. Urgent calls to action or threatening messages
Always be suspicious of messages that tell you to click on a link or open an attachment right away. Sometimes, they will tell you to act immediately to claim a prize or avoid a penalty. A false sense of urgency is a common trick of phishing attacks and scams, says Microsoft.
They do that so you won't think about it too much or consult with a trusted adviser who may warn you. If a message asks for immediate action, it's important to slow down and be safe.

2. First-time senders
Getting an email from someone for the first time, particularly someone from outside your company, can be a useful red flag for a phishing scam. Examine new or infrequent emails carefully to make sure they are from who they claim to be from.

3. Spelling and bad grammar
Professional businesses usually have good-quality, well-written content, so the opposite can be a clear sign of a scam. But be careful: criminals are getting better and more professional themselves.

4. Generic greetings
An organisation that knows and works with you is less likely to begin an email with something like 'Dear sir/madam'.

5. Mismatched domains
Watch out for the domain name of your emails. Large businesses usually have their own registered domain name, so make sure the email is from that and not a misspelt or completely different one.

6. Suspicious links and unexpected attachments
Hover your mouse over, but don't click, a suspicious link to check it matches the link in the message. Never open suspicious attachments or visit a website that you're unsure about.

WHAT SHOULD I DO IF I GET A PHISHING EMAIL?

1. Never click a link or attachment in a suspicious email.
2. If you are worried that a suspicious email could, in fact, be legitimate, visit the organisation's website from your own search, not the email, or call them from a number on a membership card, or printed on a bill or statement, and ask them to verify it for you.
3. If the suspicious message appears to come from a person you know, contact that person via some other means, such as text message or phone call, to confirm it.
4. Report all suspicious messages (see below) and delete them, too.

HOW TO REPORT A PHISHING SCAM

Many email programs, such as Microsoft Office Outlook, have a 'report message' function.
This is the fastest way to report and remove suspicious messages. You can report the phishing directly to organisations such as Microsoft, which has a dedicated email, phish@office365.microsoft.com. Include the suspicious email as an attachment (don't forward it on). Many governments also have dedicated organisations to which you can report phishing, such as the National Cyber Security Centre in the UK (report@phishing.gov.uk).

WHAT SHOULD I DO IF I HAVE BEEN PHISHED?

If you think you have fallen for a phishing attack, you should do the following:

1. Record it
While it is fresh in your mind, write down as many details as you can. Make a note of any personal details, such as passwords or account numbers, that you have shared.

2. Change your passwords
Do this immediately on the accounts affected, but also anywhere else you may have used the same password. You should create new and unique passwords for each account.

3. Use multifactor authentication
This typically uses text confirmation or additional information, as well as your password. Use it for every account where you have this option.

4. Communicate
If the attack has affected your accounts at work, school or in other organisations with which you are involved, make sure you tell their IT support department. Alert your bank if you have shared any account or credit card information.

5. Report it
If you've lost money or suffered identity theft, report it to local police.

'If something looks suspicious, especially when it has to do with money, go to the source, double check and call if necessary'
GORDON BELL, FIDI BOARD MEMBER