Cybercrime: Examples and Ways to Protect Yourself

Nov 20, 2018 12:42:57 PM Cheryl Coyle

Cybercrime does not discriminate between small businesses and large corporations. All businesses need to be on alert. Hackers have created elaborate phishing tactics and are able to impersonate communications from executive management, often seamlessly. We’ve come across two savvy business people who have fallen victim to attempts to gain access to money in the past month. Below are two stories and what could be done to avert a loss:

Example 1 – A Bookkeeper Transfers Funds

A bookkeeper who normally pays invoices or moves money for work receives an email from his boss. In the email, his boss requests he transfer funds as payment for incoming materials needed for a large construction project.

Since deposits for materials are not uncommon, the bookkeeper initiates the transfer as requested. Follow-up emails from his “boss” are uncharacteristic in tone. It doesn’t take long for the bookkeeper to realize he’s been scammed and has sent money to an outside person with no affiliation to the company or vendor they use. In a panic, the bookkeeper contacts the bank and stops the transfer in the nick of time.

  • Communicate: Make sure your staff is aware of its duty to report suspicious activity. Once the bookkeeper realized he was a victim of phishing, he needed to make management aware. Notifying employees prevents others from falling victim to the same scam.
  • Multi-factor approval process: Fund transfers should be approved by multiple people. This simple procedure would have eliminated the situation in Example 1 entirely.

Example 2 – New Employee Buys Gift Cards

A new employee receives an email from what appears to be her boss while working offsite. In the email, the impersonator asks if she will be returning to the office by 4:00 and if she will pick up five gift cards for $100 each.

Having frequently purchased items for her former employer, this employee makes the requested purchase. Upon returning to the office with the gift cards, she learns it was a scam. Further investigation reveals that the originator’s email address was not her boss’s, though the body of the email looked legitimate.

Ultimately, she received a refund for the gift cards from the store as they were not used. One of the lessons in this example is never to rely on the abridged version of an email address, and to communicate with the company to ensure the request is legitimate.
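The mismatch in Example 2, a trusted name shown in the mail client while the message comes from a different mailbox, can be checked automatically. The sketch below is an added example, not part of the original article; the directory of known senders, the names, and the example.* addresses are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed directory: display name -> the address that person really sends from.
# Names and example.* domains are constructed for this illustration.
KNOWN_SENDERS = {"dana whitfield": "dana.whitfield@example.com"}

def normalize(name):
    """Lower-case and collapse whitespace so 'Dana  WHITFIELD' still matches."""
    return " ".join(name.lower().split())

def check_sender(raw_message):
    """Classify one raw message by comparing display name and real address.

    Returns (verdict, shown_name, real_address); verdict is one of
    'ok', 'impersonation' or 'unknown'.
    """
    msg = message_from_string(raw_message)
    shown_name, real_address = parseaddr(msg.get("From", ""))
    real_address = real_address.lower()
    expected = KNOWN_SENDERS.get(normalize(shown_name))
    if expected is None:
        verdict = "unknown"        # name is not one we vouch for
    elif real_address == expected:
        verdict = "ok"             # name and address agree
    else:
        verdict = "impersonation"  # trusted name, someone else's mailbox
    return verdict, shown_name, real_address

# Constructed sample messages (only the headers matter here).
GENUINE = ('From: "Dana Whitfield" <dana.whitfield@example.com>\n'
           'Subject: Schedule\n\nConstructed body.\n')
SPOOFED = ('From: "Dana  WHITFIELD" <office.manager@example.net>\n'
           'Subject: Quick request\n\nConstructed body.\n')
STRANGER = ('From: "Lee Ortiz" <lee.ortiz@example.org>\n'
            'Subject: Hello\n\nConstructed body.\n')

if __name__ == "__main__":
    for raw in (GENUINE, SPOOFED, STRANGER):
        verdict, shown, real = check_sender(raw)
        print(f"{verdict:13} shown as {shown!r}, actually sent from {real}")
```

An "ok" verdict only means the name and address agree; a request for money or gift cards still warrants confirming with the sender through another channel.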

The aforementioned examples can easily happen in your company. Often, phishing attacks are hard to detect as they tend to be very focused. Fortunately, there are measures you can implement to minimize your risk. They include:

  • Stay informed: New phishing scams are developed all the time. It’s easy to fall prey to these if you are not aware of new techniques. Read cyber security articles, train your employees, and have an open dialog.
  • Call back: Instruct employees not to provide information over the phone to anyone they are not expecting to call or who they do not know. If a bank or vendor calls for verification of information (bank accounts, employee information, etc.), it should not be provided. Instead, the employee should hang up and call the bank or vendor directly to assess whether it’s a legitimate request.
  • Think before you click: Clicking on links in random emails and instant messages is risky. Get in the habit of hovering over links to ascertain if they lead to where they are supposed to. When in doubt, go directly to the source website in lieu of clicking on a dangerous link.
  • Security awareness training: Employees should be trained on how to identify phishing emails. Phishing emails often originate from suspicious domains and routinely contain harmful links within the message. These emails often contain broken English and poor grammar.
  • Guest access: You can pay for amazing email filtering, but if a client or guest opens attachments sent in an email, it can be money down the drain. Set up a guest Wi-Fi network and allow guests and staff to access personal items, particularly social media, on their own devices.

Cybersecurity protocol is something every enterprise must stay on top of. It is not a “one and done” type of training. Appoint a team to monitor and train employees on new tactics. You will be glad you did, and safer for it.

Written by Cheryl Coyle