
Business Cybersecurity Tips

Business Technology Topic of the Month

10 TIPS TO PREVENT BUSINESS IDENTITY THEFT IN YOUR ORGANIZATION

Business identity theft is the act of impersonating an organization for fraudulent activities. 

How do they do it? Organizations are full of useful, sensitive information such as:
  • Tax numbers,
  • Bank account numbers and details,
  • Employment identification numbers,
  • Employees' or CEOs' names
Even a single piece of this information can be used for fraudulent activities like the ones listed below, and with more of it the attacker's job becomes even easier.
  • Website defacement or hijacking. The attacker completely alters the appearance of a website or modifies information such as contact details or payment-related URLs, to name just two. Even worse, the attacker creates a phony website that looks like yours to attract victims via typosquatting (i.e., using a mistyped version of your name or URL) or hijacking attacks.
  • Trademark ransom. When your brand or logo is stolen and registered as an official trademark. The cyber criminal will ask you for a ransom for releasing it.
  • Financial and tax fraud. When hackers request and obtain a loan or a credit card using your organization's name (financial fraud) or submit fraudulent tax returns using your organization's name to get government refunds (tax fraud).
HOW DOES BUSINESS IDENTITY THEFT HAPPEN?

Cyber criminals can be very creative in finding ways to get hold of an organization's information. They don't even need to make a lot of effort. Often the information they're after is already available in a mailbox or online. Among the most used tactics, we find:
  • Spyware and malware. Hackers infect an organization's device(s) with malware to get hold of information, such as a finance department employee's account credentials. The attackers use the credentials to initiate wire transfers to their foreign bank accounts. Fraudulent wire transfers have been plaguing many U.S. businesses.
  • Man-in-the-middle attack. The attackers intercept a conversation or data transfer (e.g., credentials, bank account numbers, IRS numbers) between two parties while it is in transit, which lets them observe and steal information from both parties without their knowledge. The attacker can also manipulate the sending party's data before it moves on to the receiving party. This method was used by a cyber criminal group that managed to steal millions from medium and large European companies just by monitoring payment requests.
  • Social engineering. In other words, manipulating an individual into revealing specific confidential information that the cyber criminal can then use for fraudulent activities. The attacker could use an email or a phone call to pose as a government agency or the CEO, then push the victim to share the sensitive information they're after.
10 TIPS TO PROTECT YOUR BUSINESS FROM CORPORATE IDENTITY THEFT

1. PROTECT YOUR IT SYSTEMS. Set up a firewall. Restrict access to your network, systems and other IT resources. Use a virtual private network (VPN). Monitor and report suspicious activities. Install updates.
2. IMPLEMENT SOPHISTICATED MULTI-FACTOR AUTHENTICATION (MFA). For example, location-based MFA.
3. SHIELD YOUR PASSWORDS. Use strong passwords. Store password hashes only. Use a password manager.
4. FACILITATE YOUR IDENTITY'S VERIFICATION AND CONFIRMATION. Sign your emails. Sign your files and code. Prove to your users that your website is legitimate, and encrypt your data transfers.
5. SECURE YOUR WEBSITE AND DATA. Back up your website and data regularly. Scan your website for malware. Keep your software and devices up to date.
6. KEEP CLOSE TABS ON WHO USES YOUR ACCOUNTS (AND THEIR ACTIVITIES). Regularly review your bank and credit card statements for fraudulent activity. Implement a strong access control system.
7. REGISTER YOUR TRADEMARK. Trademark your name and logo in all states and/or countries where you operate.
8. DISPLAY YOUR TRADEMARKED LOGO IN YOUR CUSTOMERS' INBOXES. Adopt Brand Indicators for Message Identification (BIMI). Add a verified mark certificate.
9. ENSURE COMPLIANCE WITH PRIVACY AND SECURITY REGULATIONS. 
10. EDUCATE YOUR EMPLOYEES. Show them free videos. Get your employees certified. Use free and paid online courses and resources available on the internet.

Fake checks drive many types of scams, like those involving phony prize wins, fake jobs, mystery shoppers, online classified ad sales, and others. In a fake check scam, a person you don't know asks you to deposit a check (sometimes for several thousand dollars, and usually for more than what you are owed) and wire some of the money back to that person. The scammers always have a good story to explain the overpayment: they're stuck out of the country, they need you to cover taxes or fees, you need to buy supplies, or something else. But by the time your bank discovers you've deposited a bad check, the scammer already has the money you sent, and you're stuck paying the rest of the check back to the bank.

The Federal Trade Commission receives tens of thousands of reports each year about fake checks. Over the last three years, the number of complaints has steadily increased, and so have the dollars lost.

The FTC's new infographic, developed with the American Bankers Association Foundation, offers some tip-offs to rip-offs and what to do if you get a check from someone you don't know.

Please share this information with others. Victims may be embarrassed to talk about their experiences, but you can help. A simple phone call, email or text, saying "Look what I just found" and sharing this information may make a difference in someone else's life.
Ransomware

Someone in your company gets an email.

It looks legitimate, but with one click on a link, or one download of an attachment, everyone is locked out of your network. That link downloaded software that holds your data hostage. That's a ransomware attack.

The attackers ask for money or cryptocurrency, but even if you pay, you don't know if the cyber criminals will keep your data or destroy your files. Meanwhile, the information you need to run your business and sensitive details about your customers, employees, and company are now in criminal hands. Ransomware can take a serious toll on your business.

How it Happens

Criminals can start a ransomware attack in a variety of ways:

  • Scam emails with links and attachments that put your data and network at risk. Phishing emails like these are a common starting point for ransomware attacks.
  • Server vulnerabilities which can be exploited by hackers.
  • Infected websites that automatically download malicious software onto your computer.
  • Online ads that contain malicious code, even on websites you know and trust.
How To Protect Your Business

  • Have a plan: How would your business stay up and running after a ransomware attack? Put this plan in writing and share it with everyone who needs to know.
  • Back up your data: Regularly save important files to a drive or server that's not connected to your network. Make data backup part of your routine business operations.
  • Keep your security up to date: Always install the latest patches and updates. Look for additional means of protection, like email authentication and intrusion prevention software, and set them to update automatically on your computer. On mobile devices, you may have to do it manually.
  • Alert your staff: Teach them how to avoid phishing scams and show them some of the common ways computers and devices become infected. Include tips for spotting and protecting against ransomware in your regular orientation and training.
What To Do If You're Attacked

  • Limit the damage: Immediately disconnect the infected computers or devices from your network. If your data has been stolen, take steps to protect your company and notify those who might be affected.
  • Contact the authorities: Report the attack right away to your local FBI office.
  • Keep your business running: Now's the time to implement the plan. Having data backed up will help.
  • Should I pay the ransom? Law enforcement doesn't recommend that, but it's up to you to determine whether the risks and costs of paying are worth the possibility of getting your files back. However, paying the ransom does not guarantee you get your data back.
  • Notify customers: If your data or personal information was compromised, make sure you notify the affected parties; they could be at risk of identity theft.

How to Avoid Cryptocurrency Scams!
 
Scammers are always finding new ways to steal your money using cryptocurrency. To steer clear of a crypto con, here are some things to know.

  • ONLY SCAMMERS DEMAND PAYMENT IN CRYPTOCURRENCY. No legitimate business is going to demand you send cryptocurrency in advance, not to buy something, and not to protect your money. That's always a scam.
  • ONLY SCAMMERS WILL GUARANTEE PROFITS OR BIG RETURNS. Don't trust people who promise you can quickly and easily make money in the crypto markets.
  • NEVER MIX ONLINE DATING AND INVESTMENT ADVICE. If you meet someone on a dating site or app, and they want to show you how to invest in crypto, or ask you to send them crypto, that's a scam.
Spot Crypto-Related Scams
 
Here are some common investment scams, and how to spot them.

  • A so-called "investment manager" contacts you out of the blue. They promise to grow your money, but only if you buy cryptocurrency and transfer it into their online account. The investment website they steer you to looks real, but it's a fake, and so are their promises. If you log in to your "investment account", you won't be able to withdraw your money at all, or only if you pay high fees.
  • An online "love interest" wants you to send money or cryptocurrency to help you invest. That's a scam. As soon as someone you meet on a dating app asks you for money, or offers you investment advice, know this: that's a scammer. The advice and offers to help you invest in cryptocurrency are nothing but scams. If you send them crypto, or money of any kind, it'll be gone, and you typically won't get it back.
  • Scammers guarantee that you'll make money or promise big payouts with guaranteed returns. Nobody can make those guarantees. Much less in a short time. And there's nothing "low risk" about cryptocurrency investments. So: if a company or person promises you'll make a profit, that's a scam. Even if there's a celebrity endorsement or testimonials from happy investors. Those are easily faked.
  • Scammers promise free money. They'll promise free cash or cryptocurrency, but free money promises are always fake.
  • Scammers make big claims without details or explanations. No matter what the investment, find out how it works and ask questions about where your money is going. Honest investment managers or advisors want to share that information and will back it up with details. 
  • IF YOU SEE A TWEET (OR A TEXT, OR OTHER MESSAGE ON SOCIAL MEDIA) THAT TELLS YOU TO PAY WITH CRYPTOCURRENCY, THAT'S A SCAM!

Technology Topic of the Month

Account Takeover


What is Account Takeover

Account Takeover (ATO) fraud involves a criminal gaining unauthorized access to a user's account and using it for some type of personal gain.


What is Account Takeover Fraud?

Account takeover fraud can involve any type of online account, social media, and online banking accounts. Commonly targeted accounts are those from which a criminal can steal money. For example, a hacker might gain access to an online banking account and send funds to their own account. A fraudster could take over a social media account and invent a reason to request money from family and friends of the victim.


Difference Between Account Takeover and Identity Theft

With account takeover, the fraudster is using an existing account, whereas in identity theft, they would open up a new account while posing as the victim.


How Do Criminals Get Credentials In the First Place?


Data Breaches

A data breach is when a list of usernames (and potentially accompanying passwords) is leaked. These lists go on sale on the black market, meaning any number of criminals could be using them at the same time.


If a username and password for one account is known, hackers can use automated systems to try the same combination on a list of popular online platforms. This is referred to as credential stuffing, and is the reason it's so important to use a different password for every account.
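Credential stuffing leaves a recognisable trace in a login log: one source address trying many different account names in a short window, with an occasional success where a reused password happened to match. The script below is an added example (not part of the newsletter) that flags that pattern; the log format and the log lines themselves are constructed for illustration, and the thresholds are assumptions to tune for your own traffic.

```python
"""Flag credential-stuffing sources in a web login log.

Added illustration, not the newsletter's own code. The log format is
constructed: "<ISO timestamp> <source ip> <username> <LOGIN_OK|LOGIN_FAIL>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 10.0.0.7 walks through seven different accounts in
# six seconds (stuffing a leaked list); 192.168.1.20 is one user who mistypes
# their own password twice and then gets in.
SAMPLE_LOG = """\
2024-03-01T09:00:01 10.0.0.7 alice LOGIN_FAIL
2024-03-01T09:00:02 10.0.0.7 bob LOGIN_FAIL
2024-03-01T09:00:02 10.0.0.7 carol LOGIN_FAIL
2024-03-01T09:00:03 10.0.0.7 dave LOGIN_OK
2024-03-01T09:00:04 10.0.0.7 erin LOGIN_FAIL
2024-03-01T09:00:05 10.0.0.7 frank LOGIN_FAIL
2024-03-01T09:00:06 10.0.0.7 grace LOGIN_FAIL
2024-03-01T09:05:00 192.168.1.20 heidi LOGIN_FAIL
2024-03-01T09:05:10 192.168.1.20 heidi LOGIN_FAIL
2024-03-01T09:05:20 192.168.1.20 heidi LOGIN_OK
"""


def parse_log(text):
    """Turn the text log into (timestamp, ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {ip: set of usernames tried} for every source address that
    attempted logins for at least `min_distinct_users` different accounts
    within any `window`-long period. A real user fails on one account; a
    stuffing tool fails on many."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in events:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users_in_window = {u for _, u in attempts[start:end + 1]}
            if len(users_in_window) >= min_distinct_users:
                flagged[ip] = {u for _, u in attempts}
                break
    return flagged


def compromised_accounts(events, flagged):
    """Accounts where a flagged source logged in successfully: the attacker
    now holds a working password for these, so reset them first."""
    return sorted({user for _, ip, user, result in events
                   if ip in flagged and result == "LOGIN_OK"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    for ip, users in hits.items():
        print(f"{ip}: tried {len(users)} distinct accounts")
    print("reset first:", compromised_accounts(evs, hits))
```

The distinct-user count, not the failure count, is what separates stuffing from a forgotten password, which is why the second source address is never flagged even though it fails twice.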


Phishing Scams

These attacks may occur via email, over the phone, or via text message. The fraudster is trying to get you to hand over your login information. A phishing email might pose as a customer support message that persuades you to click a link to a phishing site (a fake website designed to phish for information). Here, you are prompted to enter your login information, which is then stolen by criminals.


Phone Scams

An example of an account takeover scam initiated over the phone is an iteration of the tech support scheme.


For example, the criminal poses as a Microsoft representative and persuades you that your computer has a virus and needs to be fixed. You hand over remote access to your device, and the criminal can access any accounts you have credentials stored for. They may purport to be "testing" accounts and access them in plain sight, or they could use the remote access to install spyware.


Spyware

Specific types of malware downloaded onto your device from malicious email links or attachments could expose your credentials. Some spyware takes regular images of your computer sessions, while key loggers record every keystroke, exposing your usernames and passwords.


Hacking Over Unsecured Wi-Fi

Many people think nothing of logging in to free Wi-Fi while at a cafe', mall, hotel, or airport. But these networks are often unsecured and represent a great opportunity for hackers to steal your information. A common attack over these networks is a man in the middle attack in which the hacker intercepts the contents of your internet traffic.


What are Attackers Trying To Do?

Here are some of the different things that criminals can get up to once they have access:

  • Credit card fraud: Stored credit card details can be used for credit card fraud.
  • Merchant account fraud: With access to a bank account, an attacker can transfer funds to another account, among other things.
  • Re-sell credentials: Username and password combinations may be posted for sale on the black market.
  • Take out loans: Access to financial accounts can be used to take out loans and even mortgages in the victim's name.
  • Monetary requests: By taking over a victim's social media account, the attacker can pose as the victim and make requests to family and friends for money.

* Once a criminal has access to an account, they usually very quickly try to lock the real user out by changing the password, recovery email, two-factor authentication settings, and security questions and logging out of other devices.


Business Email Imposters

A scammer sets up an email address that looks like it's from your company, then sends out messages using that email address. This practice is called spoofing, and the scammer is what we call a business email imposter.

How to Protect Your Business

Use email authentication: When you set up your business email, make sure the email provider offers email authentication technology. That way, when you send an email from your company's server, the receiving servers can confirm that the email is really from you. If it's not, the receiving servers may block the email and foil a business email imposter.
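The "email authentication technology" in that paragraph is, concretely, the SPF and DMARC records your domain publishes in DNS (DKIM signing is the third piece). Receivers can only reject a spoofed message if those records actually tell them to. The following is an added check, not the newsletter's own material: it reads the TXT records for a domain and lists the settings that would still let an imposter's mail through. The DNS answers are constructed strings embedded inline so it runs offline; a live version would look up the TXT records for the domain and for `_dmarc.` plus the domain, and "example.com" and the `_spf.example-mailer.test` include are placeholders.

```python
"""Assess a domain's SPF and DMARC records for spoofing exposure.

Added example, not code from the newsletter. DNS answers are constructed and
embedded below; a real check would query the TXT records for the domain and
for "_dmarc.<domain>".
"""

# Constructed "as published" records for a hypothetical domain: SPF ends in
# a softfail and DMARC only monitors, so spoofed mail is still delivered.
WEAK_TXT = {
    "example.com": ["v=spf1 include:_spf.example-mailer.test ~all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

# The corrected records: hard fail in SPF and a reject policy in DMARC.
HARDENED_TXT = {
    "example.com": ["v=spf1 include:_spf.example-mailer.test -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
}


def parse_spf(records):
    """Return the SPF mechanisms as a list, or None if no SPF record exists."""
    for record in records:
        if record.lower().startswith("v=spf1"):
            return record.split()
    return None


def parse_dmarc(records):
    """Return DMARC tags as a dict (e.g. {'v': 'DMARC1', 'p': 'none'}), or None."""
    for record in records:
        if record.upper().startswith("V=DMARC1"):
            tags = {}
            for part in record.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess(domain, txt):
    """List the reasons a receiving server could still accept mail that
    spoofs `domain`. An empty list means SPF and DMARC are both strict."""
    findings = []

    spf = parse_spf(txt.get(domain, []))
    if spf is None:
        findings.append("no SPF record: receivers cannot tell which servers may send for this domain")
    else:
        last = spf[-1]
        if last in ("+all", "all"):
            findings.append("SPF ends in +all: every server passes the check")
        elif last == "~all":
            findings.append("SPF ends in ~all (softfail): spoofed mail is marked, not rejected")

    dmarc = parse_dmarc(txt.get("_dmarc." + domain, []))
    if dmarc is None:
        findings.append("no DMARC record: receivers have no policy to apply when SPF/DKIM fail")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC p=none: failures are only reported, mail is still delivered")
        if "rua" not in dmarc:
            findings.append("no rua= address: you will never see the aggregate reports of spoofing attempts")

    return findings


if __name__ == "__main__":
    for label, txt in (("weak", WEAK_TXT), ("hardened", HARDENED_TXT)):
        print(label, assess("example.com", txt) or ["no findings"])
```

Moving from `p=none` to `p=reject` is normally done after a period of reading the `rua=` aggregate reports, so that legitimate senders (a mailing provider, a CRM) are added to the SPF include list before receivers start rejecting.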

Keep your security up to date: Always install the latest patches and updates. Set them to update automatically on your network. Look for additional means of protection, like intrusion prevention software, which checks your network for suspicious activity and sends you alerts if it finds any.

Train your staff: Teach them to avoid phishing scams and show them some of the common ways attackers can infect computers and devices with malware. Include tips for spotting and protecting against cyber threats in your regular employee training and communications.
BUSINESS EMAIL COMPROMISE

Business email compromise (BEC), also known as email account compromise (EAC), is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business, both personal and professional.

In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request, like in these examples:

  • A vendor your company regularly deals with sends an invoice with an updated mailing address.
  • A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so that she can email them out right away.
  • A home buyer receives a message from his title company with instructions on how to wire his down payment.
Versions of these scenarios happened to real victims. All the messages were fake. And in each case, thousands, or even hundreds of thousands, of dollars were sent to criminals instead.

HOW CRIMINALS CARRY OUT BEC SCAMS

A scammer might:
  • Spoof an email account or website. Slight variations on legitimate addresses fool victims into thinking fake accounts are authentic.
  • Send spear phishing emails. These messages look like they're from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes.
  • Use malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or send messages so accountants or financial officers don't question payment requests. Malware also lets criminals gain undetected access to a victim's data, including passwords and financial account information.
Step 1: Identifying a target
Organized crime groups target businesses in the U.S. and abroad by exploiting information available online to develop a profile on the company and its executives.

Step 2: Grooming
Spear phishing emails and/or phone calls target a victim company's officials (typically in the financial department).

Perpetrators use persuasion and pressure to manipulate and exploit employees' human nature.

Grooming may occur over a few days or weeks.

Step 3: Exchange of information
The victim is convinced they are conducting a legitimate business transaction. The unwitting victim is then provided wiring instructions.

Step 4: Wire transfer
Upon transfer, the funds are steered to a bank account controlled by the organized crime group.

HOW TO PROTECT YOURSELF

  • Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
  • Don't click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company's phone number on your own (don't use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
  • Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
  • Be careful what you download. Never open an attachment from someone you don't know, and be wary of email attachments forwarded to you.
  • Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
  • Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in account number or payment procedures with the person making the request.
  • Be especially wary if the requester is pressing you to act quickly.
SECURE REMOTE ACCESS

Employees and vendors may need to connect to your network remotely.

Put your network's security first. Make employees and vendors follow strong security standards before they connect to your network. Give them the tools to make security part of their work routine.

HOW TO PROTECT DEVICES

Whether employees or vendors use company-issued devices or their own when connecting remotely to your network, those devices should be secure. Follow these tips, and make sure your employees and vendors do as well:

Always change any preset router passwords and the default name of your router. And keep the router's software up-to-date; you may have to visit the router's website often to do so.

Consider enabling full-disk encryption for laptops and other mobile devices that connect remotely to your network. Check your operating system for this option, which will protect any data stored on the device if it's lost or stolen. This is especially important if the device stores any sensitive personal information.

Change smartphone settings to stop automatic connections to public Wi-Fi.

Keep up to date anti-virus software on devices that connect to your network, including mobile devices.

HOW TO CONNECT REMOTELY TO THE NETWORK

Require employees and vendors to use secure connections when connecting remotely to your network. They should:

Use a router with WPA2 or WPA3 encryption when connecting from their homes. Encryption protects information sent over a network so that outsiders can't read it. WPA2 and WPA3 are the only encryption standards that will protect information sent over a wireless network.

Only use public Wi-Fi when also using a virtual private network (VPN) to encrypt traffic between their computers and the internet. Public Wi-Fi does not provide a secure internet connection on its own. Your employees can get a personal VPN account from a VPN service provider, or you may want to hire a vendor to create an enterprise VPN for all employees to use.

WHAT TO DO TO MAINTAIN SECURITY

Train your staff:
  • Include information on secure remote access in regular training and new staff orientations.
  • Have policies covering basic cybersecurity, give copies to your employees, and explain the importance of following them.
  • Before letting any device, whether at an employee's home or on a vendor's network, connect to your network, make sure it meets your network's security requirements.
  • Tell your staff about the risks of public Wi-Fi.
GIVE YOUR STAFF TOOLS THAT WILL HELP MAINTAIN SECURITY:

  • Require employees to use unique, complex network passwords and avoid unattended, open workstations.
  • Consider creating a VPN for employees to use when connecting remotely to the business network.
  • Require multi-factor authentication to access areas of your network that have sensitive information. This requires additional steps beyond logging in with a password- like a temporary code on a smartphone or a key that's inserted into a computer.
  • If you offer Wi-Fi on your business premises for guests and customers, make sure it's separate from and not connected to your business network.
  • Include provisions for security in your vendor contracts, especially if the vendor will be connecting remotely to your network.
VENDOR SECURITY

Your Business Vendors May Have Access to Sensitive Information

Make sure those vendors are securing their own computers and networks. For example, what if your accountant, who has all your financial data, loses his laptop? Or a vendor whose network is connected to yours gets hacked? The result: your business data and your customers' personal information may end up in the wrong hands, putting your business and your customers at risk.

HOW TO MONITOR YOUR VENDORS

Put it in writing

Include provisions for security in your vendor contracts, like a plan to evaluate and update security controls, since threats change. Make the security provisions that are critical to your company non-negotiable.

Verify compliance

Establish processes so you can confirm that vendors follow your rules. Don't just take their word for it.

Make changes as needed

Cybersecurity threats change rapidly. Make sure your vendors keep their security up to date.

HOW TO PROTECT YOUR BUSINESS

Control access

Put controls on databases with sensitive information. Limit access to a need-to-know basis, and only for the amount of time a vendor needs to do a job.

Safeguard your data

Use properly configured, strong encryption. This protects sensitive information as it's transferred and stored.

Secure your network

Require strong passwords: at least 12 characters with a mix of numbers, symbols, and both capital and lowercase letters. Never reuse passwords, don't share them, and limit the number of unsuccessful log-in attempts to limit password-guessing attacks.
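Tip 3 in the identity-theft list above ("Store password hashes only") and this paragraph (minimum length, a cap on unsuccessful log-in attempts) describe the same login backend. The code below is an added example, not the newsletter's or any vendor's code, showing both rules in one place using only the Python standard library: each password is stored as a salted PBKDF2-HMAC-SHA256 hash, the comparison is constant-time, and the account locks after a fixed number of failures. The in-memory dictionary stands in for a real user database, and the iteration count and lockout threshold are assumptions to set for your own environment.

```python
"""Password storage and failed-login limiting for a vendor or staff portal.

Added example, not the newsletter's own code; standard library only. The
user table is an in-memory dict so the script runs stand-alone.
"""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 600_000   # assumed work factor; raise as hardware gets faster
SALT_BYTES = 16
MIN_LENGTH = 12           # matches the "at least 12 characters" rule above
MAX_FAILURES = 5          # lock the account after this many wrong passwords


class UserStore:
    """Keeps salt + hash per user; the password itself is never stored."""

    def __init__(self):
        self._users = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

    def register(self, username, password):
        if len(password) < MIN_LENGTH:
            raise ValueError(f"password must be at least {MIN_LENGTH} characters")
        salt = secrets.token_bytes(SALT_BYTES)          # unique per user
        self._users[username] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "failures": 0,
            "locked": False,
        }

    def login(self, username, password):
        """Return 'ok', 'invalid' or 'locked'. The same 'invalid' answer is
        given for an unknown user and a wrong password so the response does
        not reveal which usernames exist."""
        record = self._users.get(username)
        if record is None:
            # Do the expensive hash anyway so timing does not leak the answer.
            self._hash(password, b"\x00" * SALT_BYTES)
            return "invalid"
        if record["locked"]:
            return "locked"
        candidate = self._hash(password, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            record["failures"] = 0
            return "ok"
        record["failures"] += 1
        if record["failures"] >= MAX_FAILURES:
            record["locked"] = True          # an administrator reset clears this
            return "locked"
        return "invalid"

    def stored_record(self, username):
        """What would actually sit in the database: salt and hash as hex."""
        record = self._users[username]
        return {"salt": record["salt"].hex(), "hash": record["hash"].hex()}


if __name__ == "__main__":
    store = UserStore()
    store.register("vendor-payroll", "correct horse battery staple 42")
    print(store.login("vendor-payroll", "correct horse battery staple 42"))  # ok
    print(store.stored_record("vendor-payroll"))
```

Because the salt is random per user, two vendors choosing the same password produce different stored hashes, and a leaked table cannot be attacked with a single precomputed list. The lockout counter is reset only on a successful login, so a slow guessing campaign still trips it.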

Use multi-factor authentication

This makes vendors take additional steps beyond logging in with a password to access your network, like a temporary code on a smartphone or a key that's inserted into a computer.
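The "temporary code on a smartphone" mentioned here and in the remote-access section above is usually a time-based one-time password (TOTP, RFC 6238): the phone and the server share a secret at enrollment and each derives the same six-digit code from the current 30-second time step. The block below is an added example, not the newsletter's code, of the server side of that check; it uses the RFC's published test secret so its output can be compared with the RFC's vectors, and the one-step tolerance window and the replay tracking are design choices explained in the comments.

```python
"""Verify a TOTP second factor (RFC 6238, HMAC-SHA1, 6 digits).

Added example, not the newsletter's own code; standard library only. The
secret below is the RFC 6238 test secret, not a real enrollment value.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6
DRIFT_STEPS = 1   # accept the previous and next step to tolerate clock skew


def secret_from_base32(text):
    """Authenticator apps exchange the secret as base32; decode it to bytes."""
    return base64.b32decode(text.replace(" ", "").upper())


def hotp(secret, counter):
    """HMAC-based one-time password for a 64-bit counter (RFC 4226)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                  # dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def totp(secret, at_time):
    """The code a correctly synchronised phone shows at `at_time` (unix seconds)."""
    return hotp(secret, int(at_time) // STEP_SECONDS)


def verify(secret, code, at_time, last_accepted_counter):
    """Return the counter value the code matched, or None if it is rejected.

    `last_accepted_counter` is the counter of the most recent successful
    check for this user; refusing anything at or below it means a code
    captured by spyware or a phishing page cannot be replayed within its
    30-second validity window. The caller stores the returned counter."""
    now_counter = int(at_time) // STEP_SECONDS
    for counter in range(now_counter - DRIFT_STEPS, now_counter + DRIFT_STEPS + 1):
        if counter <= last_accepted_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 test secret, base32-encoded as a phone app would receive it.
    demo_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = time.time()
    code = totp(demo_secret, now)
    print("current code:", code, "->", verify(demo_secret, code, now, -1))
```

Because `verify` returns the counter it accepted, the server can persist it and reject a second submission of the same code; that single bookkeeping step is what stops a stolen code from being reused in the seconds before it expires.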
DO YOUR PART #BECYBERSMART

5 WAYS TO BE CYBER SECURE AT WORK

Businesses face significant financial loss when a cyber attack occurs. Cyber criminals often rely on human error, such as employees failing to install software patches or clicking on malicious links, to gain access to systems. From the top leadership to the newest employee, cyber security requires the vigilance of everyone to keep data, customers, and capital safe and secure.

SIMPLE TIPS

1. TREAT BUSINESS INFORMATION AS PERSONAL INFORMATION. Business information typically includes a mix of personal and proprietary data. While you may think of trade secrets and company credit accounts, it also includes employee personally identifiable information (PII) through tax forms and payroll accounts. Do not share PII with unknown parties or over unsecured networks.

2. DON'T MAKE PASSWORDS EASY TO GUESS. As "smart" or data-driven technology evolves, it is important to remember that security measures only work if used correctly by employees. Smart technology runs on data, meaning devices such as smartphones, laptop computers, wireless printers, and other devices are constantly exchanging data. Take proper security precautions and ensure correct configuration of wireless devices in order to prevent data breaches.

3. BE UP TO DATE. Keep your software updated to the latest version available. Maintain your security settings to keep your information safe by turning on automatic updates so you don't have to think about it and set your security software to run regular scans.

4. SOCIAL MEDIA IS PART OF THE FRAUD TOOL SET. By searching Google and scanning your organization's social media sites, cyber criminals can gather information about your partners and vendors, as well as human resources and financial departments. Employees should avoid oversharing on social media and should not conduct official business, exchange payment, or share PII on social media platforms. 

5. IT ONLY TAKES ONE TIME. Data breaches do not typically happen when a cyber criminal has hacked into an organization's infrastructure. Many data breaches can be traced back to a single vulnerability, phishing attempt, or instance of accidental exposure. Be wary of unusual sources, do not click on unknown links, and delete suspicious messages immediately.
BUSINESS EMAIL COMPROMISE

Business email compromise, also known as email account compromise, is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business, both personal and professional.

In a BEC scam, criminals send an email that appears to come from a known source making a legitimate request, like in these examples:
  • A vendor your company regularly deals with sends an invoice with an updated mailing address.
  • A company CEO asks her assistant to purchase dozens of gift cards to send out as an employee reward. She asks for the serial numbers so she can email them out right away.
  • A home buyer receives a message from his title company with the instructions on how to wire his down payment.
Versions of these scenarios happened to real victims. All the messages were fake. And in each case, thousands, or even hundreds of thousands, of dollars were sent to criminals instead.

HOW CRIMINALS CARRY OUT BEC SCAMS

A scammer might:
  • Spoof an email account or website. Slight variations on legitimate addresses (a single letter added to or changed in john.kelly@examplecompany.com, for instance) fool victims into thinking fake accounts are authentic.
  • Send spear phishing emails. These messages look like they're coming from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes.
  • Use malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or send messages so accountants or financial officers don't question payment requests. Malware also lets criminals gain undetected access to a victim's data, including passwords and financial account information.
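The spoofing bullet above is the one a mail gateway or finance workflow can check for mechanically: a sender domain that is one edit away from yours, swaps look-alike characters, or buries your name inside a longer domain. The following is an added example, not part of the FBI material, of such a check written from the defender's side. The trusted domain is `examplecompany.com` from the article's own example address; the homoglyph table, the edit-distance cutoff and the sample senders are constructed for illustration.

```python
"""Flag sender addresses whose domain is a near-miss of your own.

Added example, not from the newsletter. The trusted domain reuses the
article's example; everything else here is constructed for illustration.
"""

TRUSTED_DOMAINS = {"examplecompany.com"}

# Character sequences that look alike in many fonts; each maps the impostor
# form to the genuine form so both sides normalise to the same string.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}

MAX_EDITS = 2   # assumed cutoff; one or two typos is a lookalike, more is just a different domain


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and swaps."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,              # delete
                               current[j - 1] + 1,           # insert
                               previous[j - 1] + (ca != cb)))  # substitute
        previous = current
    return previous[-1]


def normalize(domain):
    """Lower-case and collapse homoglyph sequences to their genuine form."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def classify_sender(address, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'external' for an email address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return "trusted"
    for good in trusted:
        good_name = good.split(".")[0]              # 'examplecompany'
        if normalize(domain) == normalize(good):    # homoglyph swap
            return "lookalike"
        if edit_distance(domain, good) <= MAX_EDITS:  # typo-style variation
            return "lookalike"
        if good_name in domain.replace("-", ""):    # name embedded in a longer domain
            return "lookalike"
    return "external"


# Constructed sample senders for a demonstration run.
SAMPLE_SENDERS = [
    "john.kelly@examplecompany.com",        # the real address
    "john.kelly@exarnplecompany.com",       # 'rn' for 'm'
    "john.kelly@examp1ecompany.com",        # digit one for letter l
    "john.kelly@examplecompny.com",         # dropped letter
    "john.kelly@examplecompany.co",         # dropped TLD letter
    "john.kelly@examplecompany-billing.com",  # name embedded in a new domain
    "accounts@some-vendor.test",            # unrelated third party
]


def triage(senders=SAMPLE_SENDERS):
    """Map every sender to its classification; a gateway would quarantine
    or banner the 'lookalike' entries for a second-person review."""
    return {s: classify_sender(s) for s in senders}


if __name__ == "__main__":
    for sender, verdict in triage().items():
        print(f"{verdict:10} {sender}")
```

A lookalike verdict is not proof of fraud, since a vendor may genuinely use a second domain; the point is to route those messages, and especially any payment-detail change they carry, to the out-of-band verification step recommended further down the page.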
HOW TO REPORT

If you or your company fall victim to a BEC scam, it's important to act quickly.

  1. Contact your financial institution immediately and request that they contact the financial institution where the transfer was sent.
  2. Next, contact your local FBI field office to report the crime.
  3. Also file a complaint with the FBI's Internet Crime Complaint Center (IC3).
HOW TO PROTECT YOURSELF

  1. Be careful with the information you share online or on social media. By openly sharing things like pet names, schools you attend, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
  2. Don't click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company's phone number on your own (don't use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
  3. Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
  4. Be careful what you download. Never open an email attachment from someone you don't know, and be wary of email attachments forwarded to you. 
  5. Set up two-factor authentication on any account that allows it, and never disable it.
  6. Verify payment and purchase requests in person if possible, or by calling the person, to make sure the request is legitimate. You should verify any change in account number or payment procedures with the person making the request.
  7. Be especially wary if the person requesting is pressing you to act quickly.
 

Proudly serving North Texas for over 130 years.