We are in a day and age where cyber crime is around every corner. Every other day I seem to be notified that a company I’m connected with has had a security breach. Did you know that one of the most common ways scammers get our information is through phishing? What is phishing? It is when someone sends you an e-mail that pretends to come from a person or organization you trust, to get you to click a link, open an attachment, or hand over passwords or other valuable information about yourself. They get very tricky. Show of hands if you’ve fallen for a phishing e-mail? (Just kidding, I wouldn’t make you raise your hand; we’ve all done it. Hopefully only once.)
As I work hard to raise my young children in a technology-driven world, I am establishing technology boundaries and good technology habits and talking to them about how they can keep themselves safe. It is hard to do this when schools run fundraisers that teach our children that it is okay to send spam, okay to click spam, and okay to teach other people that it is okay to click spam. As parents, we must voice our concerns when we encounter such fundraisers and encourage schools to take cyber safety and security seriously. Raising money through fundraising is essential for schools, but we must partner with them to create better and safer alternatives.
I chatted with Scott Carlson, a cyber security expert with Kudelski Security, who recently encountered this at the school his children attend. Here are five bad practices we need to discourage in our schools when it comes to fundraising.
Bad Practice #1 – Rewards for Behavior
First, let’s promise a child a reward to go online (Make Money FAST, Here’s how!).
Now, in this particular notification from the teacher to EVERY PARENT, there was urgency: “Time Sensitive Information”.
Then, in the photo of the paper attached (and also sent home) was this amazing sentence:
Bad Practice #2 – Directly asking people to “reply-All”
Asking a child to send spam... “to anyone awesome” is just reply-all or personal spam.
We teach our children, parents, and grandparents not to click on links they don’t recognize and to ignore schemes and spam. We fail over and over at phishing drills at major enterprises. Maybe this really isn’t spam, so I wonder what the email will look like that my child’s awesome family will get now that we have the hook.
Bad Practice #3 – Emotion in the subject line
A subject line built on emotion, urging you to click, is the first-level fail scenario of any phishing test, and we have all seen many phishing emails over the years asking us to “Please help”, followed by some money laundering, sales opportunity, or poor children scenario.
If grandma made it this far, OF COURSE she wants to help you be part of something awesome. There are kids involved here, there’s a personal email directly to grandma involved here, and there’s now emotion involved here. People LOVE being awesome, and they have FOMO too. The perfect combination.
The only thing is, you might not have seen the page to click on, and grandma probably didn’t see this either, because Gmail auto-sorted it into SPAM, which I appreciate Google for doing (Thanks Google!) because it turns out that the company actually sends these emails AS SPAM.
Bad Practice #4 – Spoofing the School Name from a generic mailbox.
It appears that any school that sends out this particular fundraiser comes from info@site.com with only the sender’s display name changed. This is bad email practice 101. They could have at least auto-generated a subdomain. Most major internet providers now filter senders and domains and do not allow you to randomize the sender name against the sender domain.
The email above is actually the one that my child got after registering, but the email that went to grandma, sent under my kid’s name, was also from the info@site.com mailbox.
Bad Practice #5 – Redirected clickable nonsense links
Including links in the email that have no actual connection with the organization you are raising money for, except for the “school code” in the URL. We can’t think anything other than “this is spam” if we take even a second to look at the URL. The registration URL seems to go to an authentication page carrying the school URL.
The link that goes to Grandma contains a redirect:
Most of us know that these are all links unique to the recipient, which allow the sender to see click-through statistics and to track whether grandma clicked the link. It’s still a random link with gibberish in it that bears no resemblance to the school’s URL.
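The three indicators Scott describes (an emotional or urgent subject line, a display name that claims to be the school while the address is a generic mailbox on an unrelated domain, and tracking links that carry a redirect target and point nowhere near the school) are exactly what a mail filter looks for. As an added example, not code from the original post or from the fundraising company, here is a small Python checker that scores a raw message on those indicators. The sample message and the domains school.example and fundraiser.example are constructed placeholders.

```python
"""Flag the phishing-style indicators described above in a raw e-mail.

Added example, not from the original post or the fundraising company.
The message below is constructed; school.example and fundraiser.example
are placeholder domains.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Constructed sample: the display name claims to be the school, the address
# is a generic mailbox on an unrelated domain, the subject is urgent and
# emotional, and the tracking link carries a redirect target in its query.
SAMPLE_EMAIL = """\
From: "Lincoln Elementary School" <info@fundraiser.example>
To: grandma@mail.example
Subject: Please help! Time Sensitive - be part of something awesome
Content-Type: text/plain; charset=utf-8

Hi Grandma, click here to support me:
https://track.fundraiser.example/c/a8f3k2?r=http%3A%2F%2Fgo.fundraiser.example%2Fs%2FSCH1234
"""

URGENCY_WORDS = ("please help", "time sensitive", "urgent", "act now", "awesome")
GENERIC_MAILBOXES = ("info", "noreply", "no-reply", "mail")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for the placeholder domains here;
    a real deployment would consult the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def analyze(raw_message, org_domain):
    """Return (indicator, detail) tuples for a raw RFC 5322 message.

    org_domain is the domain of the organization the sender claims to
    represent, i.e. the school's own domain.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Bad Practice #4: display name says "school", address says otherwise.
    display_name, addr = parseaddr(str(msg.get("From", "")))
    local_part, _, sender_domain = addr.partition("@")
    if sender_domain and registrable_domain(sender_domain) != registrable_domain(org_domain):
        findings.append(("display_name_domain_mismatch",
                         f"'{display_name}' sent from {addr}"))
    if local_part.lower() in GENERIC_MAILBOXES:
        findings.append(("generic_mailbox", addr))

    # Bad Practice #3: emotion and urgency in the subject line.
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        findings.append(("urgent_or_emotional_subject", ", ".join(hits)))

    # Bad Practice #5: links off the organization's domain, with redirects.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        if registrable_domain(parsed.hostname or "") != registrable_domain(org_domain):
            findings.append(("link_off_domain", url))
        # parse_qs percent-decodes values, so an embedded URL becomes visible.
        for values in parse_qs(parsed.query).values():
            for value in values:
                if value.lower().startswith(("http://", "https://")):
                    findings.append(("link_contains_redirect", value))
    return findings


if __name__ == "__main__":
    for indicator, detail in analyze(SAMPLE_EMAIL, "school.example"):
        print(f"{indicator}: {detail}")
```

Run against the constructed message with the school's domain, it reports all five problems; a message from an address on the school's own domain, with a plain subject and links under the school's hostname, reports none. The domain comparison is deliberately simple; pair it with SPF/DKIM results in anything beyond a demonstration.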
So if we look at the above, I have to admit that this company has combined excitement and FOMO (Fear of Missing Out) with a captive family audience. It is the perfect combination for raising money. Unfortunately it also teaches our kids bad cyber hygiene, and it teaches our families that it is still okay to click on links as long as they come from someone they know. This is phishing and spam 101, and I’d like it to stop.
So, what do we do? If you receive flyers like this, please take a moment to talk to your principal or parent-teacher organization and find other ways to raise money. Maybe even go back to the traditional bake sale. There are likely organizations out there that offer branded portals for your school that actually use good security: a hostname that carries the school’s name, a valid TLS certificate whose alternative names cover that hostname, and sender addresses and links that are recognizable as the school’s. Let’s reward the programs that promote good cyber hygiene while raising money, rather than the ones that keep teaching us the wrong things about the internet.
We live in a world where cyber security is an absolute must. Let’s partner together with our schools to make sure good habits are being taught in our homes and in our schools. Have you encountered this type of fundraising? Have you talked to your school about its dangers?