A Note about Kiva and Phishing for National Cyber Security Awareness Month

October is National Cyber Security Awareness Month, so we thought this would be a good time to talk about staying secure online. While the Internet makes Kiva’s work possible by connecting borrowers and lenders around the world, unfortunately it is also a popular tool for scammers to reach a broad audience.

One type of online scam, called phishing, is an attempt to collect personal or financial information. Phishing attacks come from scammers disguised as legitimate businesses or organizations, asking recipients to send an email response containing their personal or financial information.

From time to time, we unfortunately hear about phishing emails from scammers offering loans from companies impersonating Kiva or Kiva Zip. Phishing attacks might also target Kiva lenders, asking for confirmation of account information and other personal info. Whenever we become aware of a phishing attack using Kiva’s name, we report it to the U.S. government’s database of phishing emails so that they can investigate, and ideally shut the operation down.

That said, because Kiva is a well-known brand name for microfinance loans, and because people behind these scams change email addresses often, we aren’t able to prevent them from sending out more false emails.

While we can’t stop scammers from sending fake emails using Kiva’s name, we can try to raise awareness about phishing and how commonly it occurs. Here are some steps you can take to avoid being a victim of a phishing attack:

  • Do not send personal or financial information in an email, and do not enter it on a web page you arrived at by following a link received in an email. Be aware that Kiva will never ask for your account passwords.
  • If you receive an email claiming to be from Kiva, check the sender’s email address to make sure it comes from a kiva.org email address. Occasionally scammers are able to send spam appearing to be from an official domain, but any email that asks you to respond to an email address that does not end with @kiva.org, @volunteers.kiva.org, or @fellows.kiva.org is false. Check the details and spelling too – for instance, make sure that email addresses or URLs contained in an email end with “.org” instead of “.com” or “.net.”
  • If you are unsure whether an email request is legitimate, do not respond to the contact info provided in the email you received. Instead, forward the email to contactus@kiva.org and our Community Support team can verify whether it is legitimate.
  • If you think you may have fallen victim to a phishing scam, change the passwords associated with your Kiva account and all other online accounts (email, banking, PayPal, etc.) as soon as possible, and watch for unauthorized changes to your accounts.
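
The address check from the list above, as an added example that is not Kiva's own code: it flags any From, Reply-To or in-body address whose domain is not exactly one of the three domains the post lists. The sample message, its `.example` addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Domains the post lists as legitimate for Kiva addresses.
KIVA_DOMAINS = {"kiva.org", "volunteers.kiva.org", "fellows.kiva.org"}
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+")

# Constructed sample: the From header looks official, but the reply
# address and one address in the body are lookalikes.
SAMPLE = """\
From: Kiva Support <support@kiva.org>
Reply-To: team@kiva.org.example
Subject: Confirm your account

Write to accounts@kiva-org.example with your password, or ask contactus@kiva.org.
"""

def domain_of(address):
    """Return the lowercased domain of an address, or '' if it has none."""
    if "@" not in address:
        return ""
    # Strip a trailing dot picked up from sentence punctuation.
    return address.rsplit("@", 1)[1].strip().rstrip(".").lower()

def suspicious_addresses(raw_message):
    """Return (location, address) pairs whose domain is not a listed Kiva domain."""
    msg = message_from_string(raw_message)
    found = []
    for header in ("From", "Reply-To"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            found.append((header, addr))
    # Only plain single-part bodies are scanned in this example.
    body = "" if msg.is_multipart() else msg.get_payload()
    found += [("body", addr) for addr in ADDR_RE.findall(body)]
    # Exact match on the whole domain: "kiva.org.example" merely starts
    # with a real domain, so it must not pass.
    return [(where, addr) for where, addr in found
            if domain_of(addr) not in KIVA_DOMAINS]

if __name__ == "__main__":
    for where, addr in suspicious_addresses(SAMPLE):
        print(f"{where}: {addr}")
```

An empty result does not prove a message is genuine, since a From address can appear to come from an official domain; when unsure, forward the email to contactus@kiva.org as described above.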

For more information on phishing and other online security issues, visit the National Cyber Security Alliance's website.

Have questions for Kiva? Send them our way at blog@kiva.org.

About the author

Carolyn Bills

Carolyn Bills joined the Kiva legal team in June 2013. She previously worked as a transactional attorney at the law firm of Nixon Peabody LLP. Originally from Cincinnati, Ohio, she moved to the San Francisco Bay Area to attend Stanford Law School after completing her undergraduate studies at the Ohio State University. Carolyn’s interest in international outreach began to develop during a semester of studying and volunteering in Toledo, Spain. After law school, she also spent some time as an organic farmer at a nonprofit organization in Corfu, Greece. She is looking forward to seeing more of the world in the course of her work with Kiva.