Nonprofit Phishing Scams: How to fight back
By Rick Christ
May 9, 2005
Authorities are investigating an alleged phishing scam targeting the United Way. The web domain 'uniteways.org', registered to a French company, had a site operating for at least a week that was soliciting donations. Uniteways.org has no affiliation with the United Way, and no apparent nonprofit status or legitimate reason for soliciting funds in the U.S.
The site is no longer operating. Yet another deceptively close domain, unitedways.org, hosts a generic search screen. According to a Whois lookup, the public record of domain registrations, unitedways.org is registered to NameRealtors.com of Miami Beach.
Phishing is a scam that attempts to trick online users into giving up personal financial information at phony sites that look like the legitimate ones. Popular phishing schemes purport to be PayPal or traditional banks. Phishers send out emails purporting to be from the financial institution, stating that the user's account has been put on hold pending the "confirmation" of certain financial data. While identity fraud is still a bigger problem offline than online, phishing is a major source of online fraud.
Prompt action by the United Way, including discovery, reporting to authorities, and an announcement on their web site, helped minimize the damage. We became aware of the problem by reading an article in our local paper which quoted our local United Way office.
Many nonprofits would be tempted to hide such news, either out of shame or the misplaced fear that frightened donors would stop giving online to the real nonprofit as well. But denial of a crime helps only the criminals. Donors need confidence in the online financial system, and prompt prosecution of scam artists builds confidence.
What else can nonprofits do? Here's a short list:
- Register the domains that might easily be confused with yours. Had the United Way registered "uniteways.org" this scam wouldn't have worked. Register the .com and possibly the .net derivatives of your .org name as well. Buy the ones that are so close to yours a typical donor might be confused.
- Those that won't sell to you need to be monitored carefully. While there are legitimate organizations that may have the same initials as yours, you should check with the owners of closely named sites and make sure they are legitimate. It might be wise to offer reciprocal links to each other's sites. "Are you looking for the ABC Society? Click Here" could be placed on both sites and redirect confused web surfers.
- To check who owns a domain name, go to www.netsol.com and click on the "whois" link at the top. Enter the domain name in question and the system will display the current administrative and technical contacts for that domain.
- Open a channel of communication with whoever gets email and phone calls from your donors. If they report concerns, act on them immediately.
- Report suspected phishing scams or other possible fraudulent behaviour to local law enforcement and to the Federal Trade Commission (in Canada, contact the CRTC). This type of theft is a violation of state law, just like passing bad checks, and of federal law, since it involves parties likely to be across state lines from each other.
- If you ever use links in an email or elsewhere that don't point to your main site name, reassure donors with at least one link to a page on donor security at your main site.
- Using Google's advanced search features, you can search on your full name in quotes, as well as your URL, to see those sites that mention you or link to you. Unfortunately, linking to your site requires no permission and cannot be stopped. However, if your organization's name is trademarked and the offending site is using your name, you can send a cease and desist letter to the owner of the site.
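The monitoring advice above (watch closely named domains and check their owners via whois) can be partly automated. The script below is an added example, not code from the original article or from the United Way: it flags observed domains that are a few edits away from an organization's own name, share its name under another TLD, or embed its name, so they can be queued for a whois check. It assumes 'unitedway.org' is the real domain; the observed list is constructed.

```python
"""Flag observed domains that are deceptively close to a nonprofit's own.
Added example, not code from the original article. Assumes 'unitedway.org'
is the real name; the observed domain list is constructed.
"""
from typing import List, Optional, Tuple

def edit_distance(a: str, b: str) -> int:
    """Edits (insert, delete, substitute, swap adjacent) needed to turn a into b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]

def split_domain(domain: str) -> Tuple[str, str]:
    """Return (second-level label, TLD), ignoring any host prefix like 'www'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2], parts[-1]

def classify(own: str, observed: str, max_edits: int = 2) -> Optional[str]:
    """Reason the observed domain is a look-alike of ours, or None if it is not."""
    own_label, own_tld = split_domain(own)
    obs_label, obs_tld = split_domain(observed)
    if obs_label == own_label:  # same name under .com, .net, etc.
        return None if obs_tld == own_tld else f"same name, different TLD (.{obs_tld})"
    dist = edit_distance(own_label, obs_label)
    if dist <= max_edits:  # 'uniteways' is 2 edits away, 'unitedways' is 1
        return f"{dist} edit(s) from {own_label}"
    if own_label in obs_label:  # our name with extra words bolted on
        return "contains our name"
    return None

def find_lookalikes(own: str, observed: List[str]) -> List[Tuple[str, str]]:
    """Every observed domain that deserves a whois check, with the reason."""
    scored = [(dom, classify(own, dom)) for dom in observed]
    return [(dom, why) for dom, why in scored if why]

# Constructed sample: the two domains the article names plus filler.
OBSERVED = ["uniteways.org", "unitedways.org", "unitedway.com",
            "www.unitedway.org", "example.org", "unitedway-donations.net"]

if __name__ == "__main__":
    for dom, reason in find_lookalikes("unitedway.org", OBSERVED):
        print(f"{dom}: {reason}")
```

Feed the flagged names to a whois lookup by hand; the edit threshold of 2 is a judgement call, and raising it quickly produces false positives for short names.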
This article was first published by NP Advisors.com and is reprinted with permission.