In recent weeks, we've seen an increase in the number of Pitchero customers reporting phishing attacks at their club.
Pitchero is introducing extra functionality to help keep you and your members safe online. Here's an overview of what we are doing, as well as the precautions you and your members should take online.
What is Phishing?
‘Phishing’ is the term used to describe attempts to trick someone into revealing information like personal details, passwords, or bank details that will be used against them.
According to web hosting company 123 Reg, malicious phishing attacks worldwide rose 47% in the first quarter of 2021, compared to last year.
These growing concerns serve as a reminder for us all to be vigilant and take the necessary precautions.
Examples of Phishing attempts
Here are two examples of phishing attacks reported to us at Pitchero - and how to protect against them.
1. Emails from Pitchero
A common phishing tactic is to email you, pretending to be a company - in this case, Pitchero.
Their goal is to get your personal information by encouraging you to reply with it, or to click a link that leads to a fake page or installs malicious software on your computer.
So, how do you know it's us?
General emails from Pitchero will always be sent from the email.pitchero.com domain, e.g. firstname.lastname@example.org.
If you’re in touch with a member of staff from Pitchero directly, the sender address will be @pitchero.com.
We will never ask for personal information or login credentials for your Pitchero user account. If an email asks for them, don't reply, don't supply them and don't click any links!
Customers should not share a Pitchero user account with another member/club official. Every member can have their own account with their own email address.
If you are unsure if the email you received is from a genuine member of the Pitchero team, please email email@example.com with more info and our Support Team can help.
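The sender-address rule above is easy to get wrong by eye, because a scam email can put a convincing address in the display name or use a look-alike domain. As an added illustration (this is not Pitchero's own code), the check below parses the real address out of a From: header and compares its domain exactly against the two domains named above. The sample headers, including the noreply@ address, are constructed for the example.

```python
from email.utils import parseaddr

# The two sending domains stated in the post above.
TRUSTED_DOMAINS = {"email.pitchero.com", "pitchero.com"}


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the actual address in a From: header.

    parseaddr splits the display name from the angle-bracket address, so a
    header like '"support@pitchero.com" <x@evil.example>' yields the real
    domain, evil.example, not the one shown in quotes.
    """
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def is_from_pitchero(from_header: str) -> bool:
    """True only when the domain is exactly one of the trusted domains.

    Exact matching (not 'ends with' or 'contains') rejects look-alikes such
    as pitchero.com.evil.example or pitchero-support.com.
    """
    return sender_domain(from_header) in TRUSTED_DOMAINS


# Constructed sample headers: one genuine shape and three scam shapes.
SAMPLE_HEADERS = {
    "genuine":        "Pitchero <noreply@email.pitchero.com>",
    "spoofed_name":   '"noreply@email.pitchero.com" <alerts@evil.example>',
    "lookalike":      "Pitchero Support <noreply@pitchero.com.evil.example>",
    "hyphen_domain":  "Pitchero <support@pitchero-support.com>",
}


def classify_samples() -> dict:
    """Run the check over the constructed headers; returns name -> verdict."""
    return {name: is_from_pitchero(hdr) for name, hdr in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:14} trusted={verdict}")
```

This only inspects what the header claims; a forged From: header on a message your mail provider has not authenticated (via SPF, DKIM and DMARC) would still pass it. Treat the check as a quick filter, and follow the advice above to contact Support if anything looks unusual.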
2. Scam emails via your club's Contact page
Phishing via a club website's contact form is something we've seen more of in the last few weeks.
This is how it goes…
1. A scammer takes the name of a key contact (such as the Chair or President) listed on a club's website
2. Using the contact form on the same page, they message the other officials listed there, pretending to be that senior club official, asking questions or including links
3. The goal is to get you to reply and open a conversation, which usually leads to a request to send money or personal information
How can we stop this from happening?
The only way to stop this completely is to remove the email addresses from the profiles of your club officials in the Staff & Officials section of your control panel. But this means you will be unable to receive enquiries from genuine people, such as new members or potential sponsors.
If you allow emails to be sent to officials via the contact form, it's vital that everyone is on the look-out for potential scammers.
If in doubt, either ignore the message or verify it with the person through another trusted channel, such as a phone call or text to a number you already have (never use contact details supplied in the suspected phishing email).
How is Pitchero combating phishing?
We use the reCAPTCHA service on the contact page of all club websites behind the scenes to protect sites from spam and abuse. It aims to tell human website visitors and bots apart.
We have also changed the design of the contact form message that club officials receive, so when an official gets a notification (screenshot below) it is clearer in both the subject line and the content that it came through the website's contact form.
The red box is a visual reminder that your email address has not yet been shared with the sender.
We've recently added a rate limit to the contact page of two messages per 5 minutes, which is quite an aggressive stance against bot activity.
In plain terms, rate limiting is a cap on how often someone can repeat an action within a given time period. It stops, for instance, a malicious bot contacting lots of club officials through the same contact form in one burst.
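To show what a "two messages per 5 minutes" limit looks like in practice, here is an added example of a sliding-window rate limiter (illustrative code, not Pitchero's own implementation). It assumes the limit is applied per submitter, keyed here by a constructed IP address; the clock is injectable so the scenario can be replayed deterministically.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List


class ContactFormRateLimiter:
    """Allow at most `limit` submissions per `window` seconds for each key.

    A sliding window keeps the timestamps of recent accepted submissions per
    key, so a burst of submissions is capped and capacity frees up gradually
    as old timestamps age out of the window.
    """

    def __init__(self, limit: int = 2, window: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        """Record an attempt for `key` and return True if it is within the limit."""
        now = self.clock()
        hits = self._hits[key]
        # Forget accepted submissions that have fallen out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # over the limit: reject, and do not record the attempt
        hits.append(now)
        return True

    def retry_after(self, key: str) -> float:
        """Seconds until the next submission for `key` would be accepted."""
        hits = self._hits.get(key)
        if not hits or len(hits) < self.limit:
            return 0.0
        return max(0.0, self.window - (self.clock() - hits[0]))


def simulate_bot_burst() -> List[bool]:
    """Constructed scenario: one client (assumed IP 203.0.113.7) submits four
    messages one second apart, then one more after the 5-minute window has
    passed. Returns the accept/reject verdict for each attempt."""
    now = [0.0]
    limiter = ContactFormRateLimiter(limit=2, window=300.0, clock=lambda: now[0])
    verdicts = []
    for offset in (0.0, 1.0, 2.0, 3.0):
        now[0] = offset
        verdicts.append(limiter.allow("203.0.113.7"))
    now[0] = 301.0  # both earlier accepted submissions have now aged out
    verdicts.append(limiter.allow("203.0.113.7"))
    return verdicts


if __name__ == "__main__":
    print(simulate_bot_burst())  # [True, True, False, False, True]
```

Rejected attempts are deliberately not recorded, so a bot that keeps hammering the form is held to the same two-per-window budget rather than locking itself out forever; recording them instead would extend the lockout while the burst continues, which is also a defensible choice. What the limit actually catches depends on the key: per-IP limiting stops one source flooding the form, while a limit per recipient official would cap how many messages any one person can receive regardless of source.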
While everyone, including clubs, is open to phishing and other cybercrime, there are ways of reducing its impact.
One other way that we are keeping you and your members safe online is through the use of SSL certificates...
An SSL (now TLS) certificate is added to a domain so that a visitor's browser can verify it is talking to the genuine site and encrypt everything sent to it, which keeps information entered on the website private in transit. If the website has a valid certificate, the visitor should see a padlock next to the web address bar and the address should begin with 'https://'. Note that the padlock only confirms the connection is encrypted and the certificate matches the address shown; scammers can obtain certificates for their own look-alike domains too, so always check that the address itself is the one you expect.
We continue to take our security measures very seriously. If you or your members have any concerns, please do get in touch.
In the meantime, please continue to take care online and ensure that your members are wary of communication they receive that is out of the ordinary.
Image credit: Ninja / fishing rod by Tumisu on Pixabay.