If your community is not running its website over HTTPS instead of HTTP, you should consider the upgrade, especially if you are hosting your site through STC. The STC web host offers free HTTPS through a free SSL certificate system.
STC has a number of RSS feeds for its publications. With the revamp of the STC website, the RSS feed addresses have been updated. If your community website has links to these feeds, you’ll need to update them.
The STC Rochester Treasurer received a request that appeared to come from the STC Rochester President to transfer funds to a beneficiary. The email was fraudulent and only appeared to come from the STC Rochester President's email address. However, the attacker had the names of the president and treasurer correct.
Here’s the message text:
From: NAME <firstname.lastname@example.org>
Date: Mon, 11 Jul 2016 08:51:58 -0600
Subject: TRANSFER REQUEST
TREASURER NAME, I'll need you to process a transfer of 1,900USD to a vendor. Let me know if you are available so i can send you the beneficiary details immediately.
Sent from my iPhone
As a security professional, I’ve seen this type of attack across many industries, but attackers are now targeting small businesses and non-profit organizations.
What Should I Do to Keep Safe?
The best defense against this type of attack is having sufficient financial controls/processes in place so that someone cannot inadvertently respond and send any funds. (Note that the funds will not be recoverable.) If you don’t have processes in place to ensure that requests for funds are reviewed before being released, you need to put those processes in place now.
If you do fall victim to an attack, you should notify your local law enforcement and your financial institution. Change your email and banking passwords immediately.
If you receive an unexpected email with an attachment, verify with the sender before opening the attachment. Your antivirus program (and you need one, even if you’re using a Mac) may not detect the attachment as malicious, so you’ll need to scan your computer.
Everyone wants to have a custom email address that fits their personality. That’s fine until your new chapter leader’s email is FuzzyBunnySnuggler25@email.biz, and it doesn’t look entirely professional on your chapter mailings. There are a few options out there to make your community email addresses look professional, and branded to suit your community. The first is using Gmail, and the second is using Email Forwarders in your website’s cPanel.
The first option is to create email accounts dedicated to the job roles of your chapter: president, VP, treasurer, secretary, programs, webmaster, etc. These emails would not be tied to a user, but to the job role. So when one volunteer steps down and the new volunteer fills their place, they have the history of past communications stored in the account. Contacts will be there, as will prior community planning conversations.
Create an Admin Gmail Account
In order to do this, first set up an Admin Gmail account. I recommend using your community email@example.com, for example firstname.lastname@example.org for STC-MadeUpCommunity. All of the subsequent accounts you are going to create will use this account as the rescue account, if the password is lost. The recovery email account for the Admin account should be your soon-to-be-created President or Webmaster account.
This Admin account is key. Use it to create a Google Drive and share it with all the leadership role email accounts you are about to create. Then you can store all your community documents on the Admin’s Google Drive, and your documents won’t get lost between changes in command.
Create Role Gmail Accounts
After you create your Admin account, create role accounts for each of your chapter roles. I recommend using a consistent format that brands all of the email addresses together. Create an email naming pattern, such as email@example.com. For example, muc.president@gmail, or muc.treasurer@gmail. When you create the accounts, make the fallback email the Admin account for all of these. Also, I recommend leaving off the cell phone validation, since next year the person with the cell phone may not be the person assigned to that role.
Email Forwarders in cPanel
So now you have all these Gmail accounts. The name on the account is branded to match your community nickname, so there is continuity between accounts. What if you want to personalize the email addresses even more by changing the email domain? That can be easily done using the email forwarders built into cPanel.
cPanel is the website toolbox associated with your chapter’s domain. You can manage your website FTP settings, view the file structure of your website, back up your site, and view error logs, among other tasks, in your cPanel. If your chapter is hosted by STC’s hosting solution, you’ll be given cPanel credentials when STC begins hosting. If you’ve lost these credentials, contact firstname.lastname@example.org to retrieve them, along with the website for the STC cPanel host.
Note: SIGs are hosted differently by STC and do not have access to cPanel. However, you can contact email@example.com to create email forwarders for your SIG.
One of the easiest-to-use tools in cPanel is the email forwarder. When you create an email forwarder, it creates what looks like an email address branded with your domain. That forwarder is not an actual account; no email will be stored within it. Instead, when email is sent to that address, it will be seamlessly forwarded on to any other addresses you specify.
Once you open the Forwarders app, you’ll see a list of existing forwarders. If there are none, click Add Forwarder. In the new screen, enter the address to forward. Specify how you want the forwarder to appear, and what real account to forward to, such as the Gmail accounts I described earlier. In my example, I’m using the CAC website, so the domain is cac-stc.org. On your site, it will be whatever your domain is.
Each forwarder can be tied to one email address when you create the forwarder. However, you can add the same forwarder multiple times, and each time specify a different email address. This is handy when multiple people are sharing a job role, such as competition managers or if the president wants to be copied on all event registration emails. Just repeat the process above, entering the same Address to Forward. Then put a different Forward to Email Address value in each time.
Brand your chapter by completing the following tasks, as described above.
Create similarly-branded role accounts in a free email service like Gmail.
Create an Admin account first. Link all further accounts to that Admin account.
Store all the passwords for all the accounts in an encrypted password tool, like LastPass or KeePass.
If you used Gmail, take advantage of their cloud storage, and move your community’s files to the Google Drive owned by your Admin account.
By using role accounts, records of prior communications and contacts are maintained year to year, regardless of the person using the account.
If you want further email customization, sign into cPanel and create custom email forwarders that point to either your new Gmail accounts, or to the email addresses your leaders prefer to use. You do not need to use Gmail accounts for this feature to work.
If your chapter or SIG has found other solutions similar to the ones presented above, please respond in the comments and open a dialogue. These are best practices based on my experiences, but that doesn’t mean they are best practices for everyone.