The 8/25/2011 FTM Arts Law blog post (HT Musical America) reports on a recent notice from the Internal Revenue Service (IRS) alerting the public about a recent identity theft scam directed toward performing arts groups where the crooks attempted to gather information through bogus forms. All of the advice in the blog post is spot on so take it to heart but what I’m curious about is why the crooks went to that much trouble to begin with.
Website security should be no joke for nonprofit performing arts groups but in actuality, most sites are woefully unprepared to detect a cybercrook who intends to use your online presence for nefarious purposes. I’m not here to give any would-be crooks a leg up but here’s one way bad guys can catch nonprofit performing arts groups with their pants down based on a classic phishing scam.
- The crooks insert a page within your current site designed to look and function like a donation form.
- They send out an email message based on your organization’s current email blast template with an emergency message that without immediate donations, the group will have to cancel an upcoming concert/miss payroll/etc. A call to action button directs the user to the phony donation page at your real site.
- The phony donation page harvests as much personal info as possible until the arts org realizes the vulnerability and removes the page.
Potential problems such as this scenario are compounded by the fact that a number of arts groups who are fortunate enough to receive free web hosting, support and related design assistance as an in-kind gift might learn the hard way that free may ultimately end up costing you a lot more than a provider who will supply the same amount of attention, time, and diligence as they do toward all of their clients.
Hopefully, you noticed the use of the word “detect” as opposed to “prevent” in the second paragraph. It’s important to note that it’s nearly impossible to prevent a determined crook from abusing your site but the second, and equally important, line of defense is detection so that in the event that your site is compromised, you’ll know about it ASAP and have an opportunity to begin purging any trace of the intrusion from your directories.