"Phishing" is a term used generally to describe various electronic attempts by a fraudulent actor to masquerade as a legitimate entity in order to acquire sensitive information from an individual, such as a user name, password, credit card number, or Social Security number. While phishing scams often target individuals, nonprofits can likewise suffer. During the first half of 2014, there were 6,271 phishing attacks that targeted the "dot-org" Internet domain name often used by nonprofits, according to a study by the Anti-Phishing Working Group, a consortium of industry groups and international organizations. Scammers often borrow the popular trademarks or trade names of nonprofits to build a false online identity that draws individuals into donating money or providing personal information. This misuse of a trademark or trade name can damage, among other things, a nonprofit's valuable reputation and goodwill. Phishing scams also can harm donor, member, supporter, sponsor, grantor, employee, and other relationships and can cause significant economic harm to a nonprofit.
The typical nonprofit phishing scam involves the following: An individual receives an e-mail that appears to originate from a well-known nonprofit. The message describes an urgent reason the individual should donate money or provide information to the nonprofit for charitable purposes, either by clicking on a link embedded in the message or by replying to the message with the requested information. The provided link and/or reply address appears to be legitimately associated with the well-known nonprofit, but in a "phishing" scam, the link or address is actually controlled by the fraudulent actor/scammer. The individual, believing the message is genuine, makes a donation or surrenders his or her own data by providing the requested information to the fraudulent actor/scammer.
To minimize the damage, there are several steps that a nonprofit should consider taking immediately after discovering that it has become involved in a phishing scam, both to protect the nonprofit's brand and to protect individuals, who can be a nonprofit's donors, members, supporters, partners, or even employees, from further damage:
- Identify the Scam: Phishing scams can initially be hard to identify. The act of forgery can be very convincing and sophisticated. However, recognizing a phishing attempt can allow a nonprofit to respond more quickly and prevent further damage. Hallmarks of common phishing scams include unauthorized use of a nonprofit's name, trademark, or content (or confusingly similar versions thereof); use of an unofficial, unaffiliated, or unauthorized sender ("From") address that closely resembles a well-known nonprofit's legitimate address; an email or other communication indicating that urgent action or an urgent response is required; a generic greeting introducing the request for a response; and other unfamiliar details in a communication that prompt an individual to respond to the request.
- Gather Information: If a nonprofit discovers a phishing scam that makes unauthorized use of its name, trademarks, or web content, the nonprofit should first try to determine the scope of the phishing attempt and the type of information sought by the fraudulent actor/scammer. Determining the nature of the information sought will help later with responsive communications to thwart the phishing attempt and warn individuals against the submission of donations or information. In addition, the nonprofit should try to learn the extent to which a phishing scam uses its name, trademark, or content.
- Form a Response Team: Designate a team and/or point person with primary responsibility for dealing with the phishing scam and for collecting necessary information. When possible, collect and maintain records or correspondence related to the fraudulent activity. Such records or correspondence not only can assist with a possible legal response; they also can aid notification and reporting efforts regarding the incident.
- Consider Providing an Email Address for Follow-up: If necessary, consider designating an email address or other contact information that affected individuals can use to contact the affected nonprofit regarding a phishing scam involving its name, trademark, or content.
- Provide Notice: Post a conspicuous notice on the nonprofit's website (or send a communication providing the notification or a link to the notification). The notification should be specific enough to alert potential victims of the fraudulent activity and include steps to help the affected individuals avoid falling victim to the scam. Depending on the type and severity of the scam, consider sending an email to alert affected individuals (if known) of the fraudulent activity. Such a communication also could remind individuals to take proactive measures to protect their identity and information, such as alerting credit bureaus and/or seeking identity protection services, especially if information was inadvertently provided to the fraudulent actor/scammer.
- Report the Scam to Law Enforcement: Phishing not only can constitute a violation of proprietary rights; it also can be a crime. Report the fraudulent activity to applicable law enforcement authorities and/or to one or more state attorney general offices. Reporting procedures vary based on location and jurisdiction. Confirm instructions for reporting by reviewing the applicable state attorney(s) general website(s). The U.S. Federal Trade Commission also offers a complaint notification process through its website. With such reporting, it is important to provide as much detail as possible. It therefore may be necessary to provide copies of relevant communications and other documentation regarding the phishing scam when possible.
- Notify Nonprofit Employees: When employees are affected or involved, or when employees can assist with alerting affected third parties, consider providing notice to relevant personnel of the fraudulent activity and how to avoid it. Such a communication may include steps to alert other external individuals of the phishing event or provide contact information and other relevant information if a nonprofit's own employees, donors, members, supporters, or others have fallen victim to the phishing scam.
- Notify the Applicable Domain Name Registrar: Many phishing scams operate by creating a domain name that makes confusingly similar use of a well-known trade name or trademark, either to serve as a response address or to operate a fraudulent website. Reputable domain name registrars offer takedown processes to assist with shutting down a fraudulent domain. Look up the fraudulent domain name in a WHOIS database (for example, through whois.com) to identify the registrar of the domain as well as the name of the person or corporation that has registered the domain. Use this information to contact the registrar and report the fraudulent activity.
- Revisit the Nonprofit's Trademark Portfolio: Many phishing scams can be prevented by maintaining a robust trademark, domain name, or account registration or prosecution practice. Consider registering important trademarks, domain names, and account identifiers that third parties might naturally associate with the nonprofit. Additionally, ensure that the nonprofit's trademarks are registered in important geographic areas, such as the United States, European Union, and other key countries where the nonprofit is or plans to be located, operate, or provide services. Moreover, maintain a robust brand protection and maintenance program in order to better protect and authenticate the nonprofit's online identity.
- Involve Attorneys Early: Addressing a phishing scam requires prompt attention. It is helpful to involve attorneys early in the process to assist with protection, notification, and other remedial or enforcement efforts. Attorneys can provide guidance on the steps listed above and help a nonprofit assess whether further legal action against the fraudulent actor is advisable. Attorneys also can assist with takedown requests and administrative actions, such as actions available under the Uniform Domain-Name Dispute-Resolution Policy (UDRP) or the Anti-cybersquatting Consumer Protection Act (ACPA).
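The hallmarks listed under "Identify the Scam" and the confusingly similar domains described under "Notify the Applicable Domain Name Registrar" can be checked mechanically against incoming mail. The script below is an added example, not part of the original article; it assumes a hypothetical nonprofit domain `example-charity.org` and two constructed sample messages, and it flags lookalike sender and link domains, urgency language, generic greetings, and requests for sensitive data.

```python
import re
from difflib import SequenceMatcher

LEGIT_DOMAIN = "example-charity.org"  # hypothetical nonprofit domain (constructed)
# Visually confusable substitutions commonly seen in lookalike domain names.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|act now|within 24 hours|suspend)", re.I)
GREETING = re.compile(r"^\s*(dear (donor|supporter|member|friend|customer)|hello)\b", re.I)
SENSITIVE = re.compile(r"\b(password|social security|credit card|ssn)\b", re.I)

def normalize(domain: str) -> str:
    """Drop the TLD, hyphens and dots, then fold confusable characters."""
    name = "".join(domain.lower().split(".")[:-1]).replace("-", "")
    for bad, good in CONFUSABLES:
        name = name.replace(bad, good)
    return name

def is_lookalike(domain: str, legit: str = LEGIT_DOMAIN) -> bool:
    """True when `domain` is not the real domain (or a subdomain) but imitates it."""
    domain = domain.lower()
    if domain == legit or domain.endswith("." + legit):
        return False
    cand, ref = normalize(domain), normalize(legit)
    if ref in cand:  # e.g. example-charity-donate.com, examp1e-charity.org
        return True
    return SequenceMatcher(None, cand, ref).ratio() >= 0.85  # near-miss spellings

def triage(msg: dict) -> list:
    """Return the phishing hallmarks found in a message given as a dict."""
    flags = []
    sender = msg["from"].rsplit("@", 1)[-1].strip("> ")
    if is_lookalike(sender):
        flags.append("lookalike sender domain: " + sender)
    for host in re.findall(r"https?://([^/\s>\"']+)", msg["body"]):
        if is_lookalike(host):
            flags.append("lookalike link host: " + host)
    text = msg["subject"] + "\n" + msg["body"]
    if URGENCY.search(text):
        flags.append("urgency language")
    if GREETING.search(msg["body"]):
        flags.append("generic greeting")
    if SENSITIVE.search(text):
        flags.append("requests sensitive information")
    return flags

# Constructed sample messages for demonstration; not real mail.
PHISH = {"from": "Example Charity <donations@examp1e-charity-support.net>",
         "subject": "URGENT: confirm your donation",
         "body": "Dear Supporter,\nPlease confirm your credit card at "
                 "http://examp1e-charity.org/verify within 24 hours."}
LEGIT = {"from": "news@example-charity.org", "subject": "Annual report now online",
         "body": "Hi Maria,\nOur annual report is at https://www.example-charity.org/report."}
```

Messages with two or more flags are worth routing to the response team described above; the sender and link hosts that trip `is_lookalike` are the domains to take to the registrar.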