Safeguarding the Kingdom: Avoid Being a Target for Cyberfraud
With the Internet becoming a common business tool, middle market companies are increasingly seen as ripe targets for cyberfraud.
Company leaders must realize that while customers and employees enjoy the ease of transferring funds, taking orders, and making payments online, the use — or misuse — of the Internet can imperil an entire organization.
Many small to midsize companies are too busy running their businesses to fine-tune their security configurations, install the latest updates, or consider if they have enough security protections for their operations.
A study by Guardian Analytics and the Ponemon Institute showed that 20 percent of the companies surveyed now conduct all of their banking transactions online, potentially exposing themselves to cyberfraud.
“The convenience of working online makes doing business easier, but the cyberenvironment presents a whole new world of risks,” says Nicole Rackov, a cyberfraud investigator with Comerica Bank Fraud Services. “If a cybercriminal breaks into your company’s computer system, they can compromise online bank accounts, financial records, and intellectual property.”
Criminals target companies with sophisticated “social engineering” techniques like phishing — masquerading as a trusted source, e.g., what appears to be an email from a friend — to trick victims into divulging information. A recent twist on this scam targets unsuspecting business owners who aren’t aware their company email accounts have been hacked. A cybercriminal poses as a legitimate vendor and sends the business an email or invoice requesting that payment be mailed to an address different from the one on file. The email includes language that creates a sense of urgency, so the business does not take the time to contact the vendor and verify the change. Unfortunately, the payment ends up in the hands of a cybercriminal.
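The vendor-invoice scam above is defeated by one control: any change to where a vendor is paid is checked against the vendor master and confirmed by calling the number already on file, never the number printed on the suspicious invoice. The following is an added example of that check, not code from the article or from Comerica; the vendor record fields, the sample vendor, the two invoices, and the list of urgency phrases are all constructed for illustration.

```python
# Added example: screening an incoming invoice against the vendor master before
# a payment-change request is honoured. All records and names are constructed.
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    remit_to: str        # remittance address held in the vendor master
    phone_on_file: str   # number captured when the vendor was onboarded


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    remit_to: str        # where the invoice asks the payment to be sent
    callback_phone: str  # whatever number the invoice itself quotes
    body: str


# Phrases that push the reader to act before verifying (constructed list).
URGENCY_MARKERS = ("immediately", "urgent", "today", "final notice",
                   "before close of business")


def normalize(text: str) -> str:
    """Case-fold and collapse punctuation so cosmetic edits cannot hide a change."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def review_invoice(inv: Invoice, master: dict) -> dict:
    """Decide whether to hold payment, why, and which number to use for call-back.

    A remittance address that differs from the vendor master always places the
    payment on hold. The confirmation call goes to the number on file; the
    number on the invoice is never trusted for that purpose.
    """
    record = master.get(inv.vendor_id)
    if record is None:
        return {"hold": True, "findings": ["vendor not in master"], "call_back": None}

    findings = []
    if normalize(inv.remit_to) != normalize(record.remit_to):
        findings.append("remittance address differs from vendor master")
    if normalize(inv.callback_phone) != normalize(record.phone_on_file):
        findings.append("invoice quotes a contact number that is not the one on file")
    if any(marker in inv.body.lower() for marker in URGENCY_MARKERS):
        findings.append("urgency language present")

    # Urgency wording alone is not a hold (legitimate reminders use it too);
    # a changed remittance address is, however the request is phrased.
    hold = any(f.startswith("remittance address") for f in findings)
    return {
        "hold": hold,
        "findings": findings,
        "call_back": record.phone_on_file if hold else None,
    }


# Constructed vendor master and two constructed invoices for the same vendor.
MASTER = {"V-100": VendorRecord("V-100", "12 Mill Road, Springfield", "555-0100")}
LEGIT = Invoice("V-100", "12 Mill Road, Springfield", "555-0100",
                "Invoice 4471 attached. Terms net 30.")
SUSPECT = Invoice("V-100", "PO Box 9, Lakeview", "555-0199",
                  "Our remit-to address has changed. Please update and pay immediately.")

if __name__ == "__main__":
    for inv in (LEGIT, SUSPECT):
        print(inv.remit_to, "->", review_invoice(inv, MASTER))
```

The design point is that the hold decision keys on the address change alone; the urgency and phone-number findings are recorded to help the reviewer, but a calm, well-written request to change remittance details is held just the same.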
A similar scam called “vishing” uses voicemail purportedly from a financial institution to instruct the victim to enter private information to “reactivate” a “disabled” account. “Spear phishing” has the same intent, but targets victims with what appears to be a familiar connection — say, a “follow-up call” from somebody claiming to be a trade show exhibitor offering a free trial of the latest business software.
“Your employee probably wouldn’t think twice about accepting such an offer, especially if they had just attended that show,” Rackov says. “But when they download the ‘free trial,’ they may have just exposed the company’s network to criminal activity.
“By enticing an unsuspecting employee to click on an infected email attachment, accept a fake friend request, or visit a compromised website, the cybercriminal can install malware on the company-owned computer and effectively receive the keys to the kingdom. Once installed, the malware can track the keystrokes used to enter passwords or even see the pages an employee visits as he or she browses the company network.”
Limiting the Risk
Rackov recommends that companies minimize the number and restrict the function of computers that are used for the organization’s online banking.
“Consider using a stand-alone computer that is not connected to the company network,” she says. “For automated clearinghouse and wire transfer payments, use a ‘dual control’ process where one person authorizes the creation of the payment file and another authorizes its release from a separate computer.”
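The two recommendations above (a dedicated banking computer and dual control over ACH and wire payments) combine into a single release rule: the payment file may only be released by a different person, from a different machine, and both machines must be on the short list of banking workstations. Below is an added example of that rule as a small authorization check; it is not code from the article or from Comerica, and the workstation names, user names, and batch data are constructed for illustration.

```python
# Added example: dual-control release of a payment batch from dedicated
# banking workstations. Host names, users and batches are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

# Workstations permitted to touch online banking at all (constructed
# allow-list, modelling the "stand-alone computer" recommendation).
BANKING_HOSTS = frozenset({"pay-ws-1", "pay-ws-2"})


@dataclass
class PaymentBatch:
    batch_id: str
    created_by: str      # person who authorised creation of the payment file
    created_on: str      # workstation the file was created from
    released: bool = False
    released_by: Optional[str] = None
    released_on: Optional[str] = None


def create_batch(batch_id: str, user: str, host: str) -> Tuple[Optional[PaymentBatch], str]:
    """Create a payment file; refused outright from a non-banking workstation."""
    if host not in BANKING_HOSTS:
        return None, f"{host} is not a banking workstation"
    return PaymentBatch(batch_id, user, host), "created"


def release_batch(batch: PaymentBatch, user: str, host: str) -> Tuple[bool, str]:
    """Attempt to release a batch; returns (ok, reason).

    Release is refused if the batch is already released, if the host is not a
    banking workstation, if the releaser is the creator, or if the release comes
    from the same machine the file was created on. No single compromised account
    or machine can therefore both create and release a payment.
    """
    if batch.released:
        return False, "batch already released"
    if host not in BANKING_HOSTS:
        return False, f"{host} is not a banking workstation"
    if user == batch.created_by:
        return False, "release must be authorised by a different person than creation"
    if host == batch.created_on:
        return False, "release must come from a separate computer"
    batch.released, batch.released_by, batch.released_on = True, user, host
    return True, "released"


if __name__ == "__main__":
    batch, msg = create_batch("B-1", "alice", "pay-ws-1")
    print(msg)
    for who, where in (("alice", "pay-ws-2"), ("bob", "pay-ws-1"),
                       ("bob", "laptop-7"), ("bob", "pay-ws-2")):
        print(who, where, release_batch(batch, who, where))
```

Each refusal reason is distinct so that an audit log of rejected releases shows which leg of the control was tripped (same person, same machine, or an unapproved machine), which is the signal a fraud team would want to review.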
Rackov stresses that employees should not be permitted to access their personal social media accounts from company-owned computers.
“There are too many opportunities to click on bad sites or ads and unknowingly install malicious software and spyware,” she says. “If your business uses social media, manage it from a dedicated computer.”
Companies’ adoption of BYOD (Bring Your Own Device), which reduces capital investment by letting employees use their own laptop or tablet for work, requires particular attention.
“My first recommendation is that employees should treat all public Wi-Fi networks, such as those in cafes or airports, as a security risk,” Rackov says. “Also, make sure employees have access to a virtual private network (VPN) that requires an additional layer of authentication.”
Rackov says the best ways to protect against cybercrime are the simplest: Never share user IDs or passwords, install a firewall and malware detection software, and never open suspicious emails or links. The cost of having a knowledgeable IT person on staff or on call to install and maintain security systems is well worth it compared to the potential cost of a security breach.
“Security is like profit — it’s not an option,” Rackov says. “And nothing is more important than the security of your data, which is the lifeblood of your business. How you handle and protect that data is central to the security of your business and the privacy that customers, employees, and partners expect.”
For more information, contact Comerica Bank Fraud Services:
Teresa Thornton, Senior Vice President, 248.371.6822
Nicole Rackov, Vice President, 248.371.6127
Comerica Bank. Member FDIC. Equal Opportunity Lender.
This material has been distributed for general educational/informational purposes only, and should not be considered as accounting, tax or legal advice or recommendations by Comerica Bank, its affiliates or subsidiaries.