It's Surprising To See The Thieves Go To That Much Trouble

The 8/25/2011 FTM Arts Law blog post (HT Musical America) reports on a recent notice from the Internal Revenue Service (IRS) alerting the public to a recent identity theft scam directed at performing arts groups, in which the crooks attempted to gather information through bogus forms. All of the advice in the blog post is spot on, so take it to heart, but what I’m curious about is why the crooks went to that much trouble to begin with.

Website security should be no joke for nonprofit performing arts groups, but in actuality most sites are woefully unprepared to detect a cybercrook who intends to use their online presence for nefarious purposes. I’m not here to give any would-be crooks a leg up, but here’s one way bad guys can catch nonprofit performing arts groups with their pants down, based on a classic phishing scam.

  1. The crooks insert a page within your current site designed to look and function like a donation form.
  2. They send out an email message based on your organization’s current email blast template with an emergency message that without immediate donations, the group will have to cancel an upcoming concert/miss payroll/etc. A call to action button directs the user to the phony donation page at your real site.
  3. The phony donation page harvests as much personal info as possible until the arts org realizes the vulnerability and removes the page.

Problems like this scenario are compounded by the fact that a number of arts groups are fortunate enough to receive free web hosting, support, and related design assistance as an in-kind gift. Those groups might learn the hard way that free may ultimately end up costing a lot more than a provider who will supply the same amount of attention, time, and diligence as they do toward all of their clients.

Hopefully, you noticed the use of the word “detect” as opposed to “prevent” in the second paragraph. It’s important to note that it’s nearly impossible to prevent a determined crook from abusing your site. The second, and equally important, line of defense is detection, so that in the event that your site is compromised, you’ll know about it ASAP and have an opportunity to begin purging any trace of the intrusion from your directories.

About Drew McManus

"I hear that every time you show up to work with an orchestra, people get fired." Those were the first words out of an executive's mouth after her board chair introduced us. That executive is now a dear colleague and friend but the day that consulting contract began with her orchestra, she was convinced I was a hatchet-man brought in by the board to clean house.

I understand where the trepidation comes from as a great deal of my consulting and technology provider work for arts organizations involves due diligence, separating fact from fiction, interpreting spin, as well as performance review and oversight. So yes, sometimes that work results in one or two individuals "aggressively embracing career change" but far more often than not, it reinforces and clarifies exactly what works and why.

In short, it doesn't matter if you know where all the bodies are buried if you can't keep your own clients out of the ground, and I'm fortunate enough to say that for more than 15 years, I've done exactly that for groups of all budget size from Qatar to Kathmandu.

For fun, I write a daily blog about the orchestra business, provide a platform for arts insiders to speak their mind, keep track of what people in this business get paid, help write a satirical cartoon about orchestra life, hack the arts, and love a good coffee drink.
