Like all organisations, the MS Society regularly receives hacking attempts. At the end of last year, we told you about some simple steps we’ll be taking to reduce the risk of criminals accessing the personal data we hold on people's behalf. By the end of February, we’ll be introducing an extra layer of security to all MS Society email accounts, called Multi-Factor Authentication (MFA).
Cyber-criminals and account details
Cyber-criminals are becoming more sophisticated, so it’s now harder to spot a ‘phishing’ email from a fraudster by its poor spelling and grammar. If you fall for a phishing email and accidentally divulge your account log-in details (by replying with this information, or following a link to a bogus website and inputting it there), the criminal can get into your account. They can then access all the restricted personal information you hold there, and impersonate you to target all of your contacts with more phishing emails.
Any serious data breach must be reported to the Information Commissioner’s Office (ICO), and can result in reputational damage and a fine. It also diverts considerable MS Society staff effort to manage these situations. Most importantly, finding out that their data has been accessed by criminals can be worrying for individuals and cause them to lose trust in the organisation.
What is Multi-Factor Authentication (MFA)?
MFA is the most important defence we currently have available against unauthorised account access by fraudsters. You may already use it to log into your bank account online. It verifies that the person accessing the account really is you, more reliably than a password alone can.
MFA is effective against unauthorised access to your account because it doesn’t just require something you know (your username and password). It also requires something you have (your mobile phone) to allow you to log in. A short numerical code is sent to your mobile phone. You then enter this code on the device you use to access your MS Society email as an additional part of the log-in process.
MFA therefore makes it considerably harder for fraudsters to access your account – even if they have stolen your username and password via a phishing attack.
Cyber-criminals will usually target the low-hanging fruit. By introducing MFA to all of our user accounts, we make it much less likely that we will be targeted by criminals – the extra work means it’s just not worth the effort.
What do I need to do?
We want all our volunteers with MS Society email addresses to start using MFA as soon as possible. In our next email we’ll give you simple instructions on how to switch it on for your MS Society email account, and where to access help if you need it.
In preparation for switching on MFA, you just need to have your mobile phone number to hand, and the device you use to access MS Society email. It’s a straightforward process, and only takes a few minutes. Once MFA has been activated, your mobile phone number will only be used to send you your unique code when you log in and for no other purpose.
Thanks in advance for your support and co-operation in protecting MS Society data. Look out for more information in our next email.