
Business Cybersecurity Tips

Business Technology Topic of the Month

An account takeover attack is a type of identity theft that occurs when a cybercriminal gains access to your online account and changes your login credentials to lock you out. Once you cannot log back in, the cybercriminal will use your identity to steal private information or even scam others. You can prevent account takeover attacks by using strong passwords, enabling Multi-Factor Authentication (MFA) and investing in dark web monitoring. According to a recent report, over 77 million adults have experienced account takeovers, with social media accounts being the most hacked.

What makes account takeovers so dangerous?

Account takeovers are very dangerous for individuals and organizations because they can lead to:

  • Stolen personal information
  • Loss of money
  • Vulnerability to identity theft
  • Damaged reputation
  • Compromised data

If a cybercriminal accesses an online account containing personal or customer information, they could use what they find to log in to additional accounts or sell the data to other cybercriminals on the dark web. Because an account takeover locks the victim out of their account, it becomes difficult for a person or company to regain access, retrieve data, recover finances, and repair their reputation.

How individuals can prevent account takeovers

As an individual, you can protect your information and prevent your account from being taken over by following these tips.

Use strong passwords for every account

Create a strong and unique password for each of your online accounts. A strong password contains over 16 characters and a combination of uppercase and lowercase letters, numbers and symbols. The longer and more random a password is, the more protected your account will be from cyber-attacks. When creating a strong password, avoid using common words or phrases, personal information or sequential numbers.

Enable Multi-Factor Authentication (MFA) whenever it’s available

Multi-Factor Authentication (MFA) is an additional security measure that requires users to provide extra proof of identity beyond a username and password. When you enable MFA, you are required to enter additional verification like a PIN, a code from an authenticator app or your fingerprint. Enabling MFA makes it much harder for cybercriminals to access your accounts since it will require them not only to know your username and password but also an additional way to prove your identity – which only you should have access to.

Learn to spot phishing attempts

Many account takeovers result from people falling for phishing attacks. Phishing occurs when a cybercriminal impersonates a person or company the victim knows to persuade them into sharing private information. Most phishing attempts use urgent language, persuading you to act quickly or threatening you if you don’t follow instructions immediately. Often, phishing messages contain spelling and grammatical errors, which you should be able to spot easily, knowing that most companies review emails multiple times before sending them. Check the sender’s email address to verify that the domain matches a reputable company before believing the sender’s identity.

Never click unsolicited links or attachments

If you ever receive an unsolicited email or text message that contains links or attachments, do not click on or download them. Even if a message appears to come from a company with which you have an account, you should go to the official company’s website or app and log in to your account that way instead. An unsolicited link or attachment could contain malware designed by a cybercriminal to steal your private data once installed onto your device.

You can check if a link is safe by hovering over the link, which will give you a preview of the URL, or copying and pasting the link into a URL checker. Check that an email attachment is safe by double-checking the sender’s email address and using antivirus software to scan any attachments.

Use a dark web monitoring tool

You can use a dark web monitoring tool to see if your personal information is on the dark web, the part of the internet where cybercriminals buy and sell information obtained through malicious activities.

How organizations can prevent account takeovers

There are several ways you and your organization can prevent account takeovers from compromising data and damaging your company’s reputation.

Employing a business password manager

If your organization is not already using a business password manager, this is your sign to start. A business password manager allows your employees to manage and store their passwords safely in a digital vault. Requiring employees to use a password manager within your company ensures they follow best password practices. A business password manager also allows employees to securely share encrypted passwords to collaborate safely. This ensures that passwords are not intercepted by unauthorized users and that login credentials remain secure in each employee’s encrypted digital vault. Password managers can also help enforce MFA by storing MFA codes within a record and autofilling them when a user needs to enter an MFA code on a website or account. Business password managers make storing and sharing passwords secure and convenient for any employee and organization.

Invest in Dark Web Monitoring

Your organization should invest in dark web monitoring to prevent account takeovers, for example a password manager feature that constantly checks the dark web to see if any records stored in employee vaults match credentials found there.

Limit the number of login attempts

Set a limit on how many login attempts someone can make to try to access their account. Brute force attacks occur when a cybercriminal guesses login credentials through trial and error, so if someone is given unlimited login attempts, they might eventually access an employee’s account. Since brute force attacks rely on multiple login attempts, limiting the number of attempts to three or four guesses will give employees enough tries in case they made a typo but will prevent potential cybercriminals from accessing an account.
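The attempt limit described above is easy to get subtly wrong (for instance, by checking the password before checking the lock, or by never resetting the counter after a successful login). The Python below is an added example, not code from the original page or from any product it mentions: a small login limiter that locks an account after four consecutive failures, refuses even a correct password while the lock is in force, and resets the counter on success so a typo costs nothing. The 15-minute lockout window, the PBKDF2 password hashing and the sample account "alice" are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 4    # the page's guidance: three or four guesses
LOCKOUT_SECONDS = 15 * 60  # assumption: a 15-minute lockout once the limit is hit
PBKDF2_ROUNDS = 100_000    # assumption: a slow hash so each guess is expensive to test


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


@dataclass
class AccountState:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0  # clock timestamp; 0.0 means not locked


class LoginLimiter:
    """Refuses further guesses for an account after MAX_FAILED_ATTEMPTS failures in a row."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock  # injectable so the lockout window can be exercised in a test
        self._accounts: Dict[str, AccountState] = {}

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._accounts[username] = AccountState(salt, digest)

    def attempt(self, username: str, password: str) -> str:
        """Returns "ok", "denied" or "locked"."""
        now = self._clock()
        acct = self._accounts.get(username)
        if acct is None:
            # Unknown usernames get the same answer as a wrong password,
            # so the response does not reveal which accounts exist.
            return "denied"
        if acct.locked_until > now:
            # Locked accounts are refused before the password is checked at all:
            # a correct guess during the lockout window does not get in.
            return "locked"
        _, candidate = hash_password(password, acct.salt)
        if hmac.compare_digest(candidate, acct.digest):
            acct.failed_attempts = 0  # a typo followed by the right password costs nothing
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0  # the counter starts fresh once the lock expires
            return "locked"
        return "denied"


def demo() -> List[str]:
    """Constructed walk-through: three wrong guesses, a fourth locks, the lock later expires."""
    fake_now = [0.0]
    limiter = LoginLimiter(clock=lambda: fake_now[0])
    limiter.register("alice", "correct horse battery staple")  # constructed sample account
    results = [limiter.attempt("alice", f"wrong-{i}") for i in range(1, 5)]
    results.append(limiter.attempt("alice", "correct horse battery staple"))  # still locked
    fake_now[0] += LOCKOUT_SECONDS + 1
    results.append(limiter.attempt("alice", "correct horse battery staple"))  # lock expired
    return results


if __name__ == "__main__":
    print(demo())
```

Running the module prints the sequence of outcomes for the constructed account: three denials, a lock on the fourth failure, a refusal of the correct password while locked, and success once the window has passed. In a real deployment the per-account state would live in a shared store rather than in memory, and the limiter would sit alongside, not instead of, MFA.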

Set up a Web Application Firewall (WAF)

Your organization can set up a Web Application Firewall (WAF), which helps filter traffic between a web application and the internet. By using a WAF, your organization is protecting its web applications from potential cyber-attacks, including account takeovers. WAFs identify and block requests from unauthorized traffic and can even detect when cybercriminals’ bots are trying to infiltrate your accounts.

Implement zero trust

Zero Trust is a security framework that assumes every device and account is capable of being compromised. To combat this, every user – both human and machine – needs to constantly verify their identity within an organization through multiple authentication processes. The three core principles of zero trust are to assume breaches will happen, require everyone to verify their identity to access the organization’s network and data and ensure users have least-privilege access. All employee devices used on an organization’s network should be registered and managed to keep track of who is allowed access.

An important aspect of zero-trust solutions is least-privilege access, which grants employees only the access necessary to do their jobs, thereby helping prevent a data breach from spreading. That way, if one employee’s account is taken over, their limited access will not give cybercriminals as much access to the rest of the organization. For example, if an employee whose account was taken over had access to not only marketing data but also customer information, transactions and social media accounts, the cybercriminal would have access to much more valuable data.

Educating employees on security awareness

Make your employees aware of potential security risks and threats by running phishing tests, which are simulated phishing emails sent company-wide to see how employees react. These tests can help you determine if your organization is prepared for phishing attacks or if employees need further training on security measures. Educating your employees about security threats will protect you and your organization from cyber-attacks in the future.

Fake checks drive many types of scams, like those involving phony prize wins, fake jobs, mystery shoppers, online classified ad sales, and others. In a fake check scam, a person you don't know asks you to deposit a check, sometimes for several thousand dollars and usually for more than what you are owed, and wire some of the money back to that person. The scammers always have a good story to explain the overpayment: they're stuck out of the country, they need you to cover taxes or fees, you need to buy supplies, or something else. But by the time your bank discovers you've deposited a bad check, the scammer already has the money you sent, and you're stuck paying the rest of the check back to the bank.

The Federal Trade Commission receives tens of thousands of reports each year about fake checks. Over the last three years, the number of complaints has steadily increased, and so have the dollars lost.

The FTC's new infographic, developed with the American Bankers Association Foundation, offers some tip-offs to rip-offs and what to do if you get a check from someone you don't know.

Please share this information with others. Victims may be embarrassed to talk about their experiences, but you can help. A simple phone call, email or text, saying "Look what I just found" and sharing this information may make a difference in someone else's life.
How to Avoid Cryptocurrency Scams!
 
Scammers are always finding new ways to steal your money using cryptocurrency. To steer clear of a crypto con, here are some things to know.

  • ONLY SCAMMERS DEMAND PAYMENT IN CRYPTOCURRENCY. No legitimate business is going to demand you send cryptocurrency in advance, not to buy something, and not to protect your money. That's always a scam.
  • ONLY SCAMMERS WILL GUARANTEE PROFITS OR BIG RETURNS. Don't trust people who promise you can quickly and easily make money in the crypto markets.
  • NEVER MIX ONLINE DATING AND INVESTMENT ADVICE. If you meet someone on a dating site or app, and they want to show you how to invest in crypto, or ask you to send them crypto, that's a scam.
Spot Crypto-Related Scams
 
Here are some common investment scams, and how to spot them.

  • A so-called "investment manager" contacts you out of the blue. They promise to grow your money, but only if you buy cryptocurrency and transfer it into their online account. The investment website they steer you to looks real, but it's a fake, and so are their promises. If you log in to your "investment account", you won't be able to withdraw your money at all, or only if you pay high fees.
  • An online "love interest" wants you to send money or cryptocurrency to help you invest. That's a scam. As soon as someone you meet on a dating app asks you for money, or offers you investment advice, know this: that's a scammer. The advice and offers to help you invest in cryptocurrency are nothing but scams. If you send them crypto, or money of any kind, it'll be gone, and you typically won't get it back.
  • Scammers guarantee that you'll make money or promise big payouts with guaranteed returns. Nobody can make those guarantees, much less in a short time. And there's nothing "low risk" about cryptocurrency investments. So: if a company or person promises you'll make a profit, that's a scam, even if there's a celebrity endorsement or testimonials from happy investors. Those are easily faked.
  • Scammers promise free money. They'll promise free cash or cryptocurrency, but free money promises are always fake.
  • Scammers make big claims without details or explanations. No matter what the investment, find out how it works and ask questions about where your money is going. Honest investment managers or advisors want to share that information and will back it up with details.
  • IF YOU SEE A TWEET (OR A TEXT, OR OTHER MESSAGE ON SOCIAL MEDIA) THAT TELLS YOU TO PAY WITH CRYPTOCURRENCY, THAT'S A SCAM!

Cybersecurity is no longer just an IT concern. In 2026, a single breach can:

  • Shut down operations for days or weeks
  • Expose sensitive customer data
  • Trigger regulatory fines and lawsuits
  • Permanently damage brand trust

The most dangerous trend? Attacks that look legitimate.

1. AI-Powered Phishing Attacks Are Harder to Detect

Traditional phishing emails were often easy to spot due to poor grammar or suspicious formatting. In 2026, that’s no longer the case.

What’s Changed:

  • AI now generates perfectly written emails
  • Messages are context-aware, referencing real projects, colleagues, or vendors
  • Phishing emails adapt based on employee responses

Attackers scrape data from LinkedIn, company websites, and data breaches to craft believable messages that bypass both spam filters and human suspicion.

Business Impact:

  • Credential theft
  • Financial fraud
  • Unauthorised access to internal systems


2. The “rnicrosoft” Scam: A Simple Trick That Still Works

One of the most dangerous scams in 2026 is also one of the simplest: the “rnicrosoft” scam.

What Is the “rnicrosoft” Scam?

The scam exploits a visual trick where the letters “r” and “n” appear together as “m” in certain fonts. As a result:

  • rnicrosoft.com looks almost identical to microsoft.com
  • Logos, emails, and fake websites appear legitimate at a glance

Attackers use this trick to impersonate Microsoft in emails, login pages, invoices, and software update alerts.

 

How the Scam Works:

  1. Employees receive an email claiming to be from “Microsoft”
  2. The sender address or link subtly uses rnicrosoft instead of microsoft
  3. Users are asked to reset passwords, download updates, or verify accounts
  4. Credentials are stolen or malware is installed

Why It’s So Effective in 2026:

  • Microsoft is trusted by almost every business
  • Fonts and mobile screens make detection harder
  • Employees are overloaded and click quickly

Real-World Consequences:

  • Compromised Microsoft 365 accounts
  • Access to emails, Teams, SharePoint, and OneDrive
  • Internal phishing sent from legitimate employee accounts

3. Look-Alike Domain and Brand Impersonation Attacks

The “rnicrosoft” scam is part of a much larger trend: look-alike domain attacks.

In 2026, attackers register domains that differ by:

  • One letter (rn vs m)
  • Extra characters
  • Slight spelling variations

Examples:

  • paypaI (capital “i” instead of “l”)
  • amaz0n.com (zero instead of “o”)
  • micros0ft-secure.com

Why Companies Should Care:

  • Employees trust familiar brands
  • Vendors and partners can be impersonated
  • Finance teams are common targets

This is especially dangerous in invoice fraud and payment redirection scams.

4. Deepfake Voice and Video Scams Target Executives

Deepfake technology has advanced dramatically, and in 2026 it is being actively used in cybercrime.

Common Scenarios:

  • Fake CEO voice calls requesting urgent payments
  • Video messages from “executives” authorizing access
  • AI-generated voicemail instructions

These attacks prey on urgency and authority, making employees hesitate to question them.

Departments Most at Risk:

  • Finance
  • HR
  • Legal
  • Executive assistants

5. Ransomware Is Smarter and More Targeted

Ransomware attacks in 2026 are no longer random. Attackers:

  • Research companies before attacking
  • Steal data before encrypting systems
  • Threaten public leaks if ransom isn’t paid

Many attacks now exploit:

  • Unpatched software
  • Stolen credentials from phishing scams
  • Remote access tools

Small companies are often targeted because attackers assume weaker defenses.

6. Supply Chain and Vendor Attacks Are Increasing

Instead of attacking a company directly, cybercriminals increasingly target:

  • IT service providers
  • Software vendors
  • Cloud platforms

Once compromised, attackers gain access to multiple businesses at once.

This makes vendor risk management a top priority for 2026.

7. Employees Remain the Weakest Link and the First Line of Defense

Despite advanced tools, human error remains the #1 cause of breaches.

Common mistakes include:

  • Clicking malicious links
  • Reusing passwords
  • Ignoring security warnings
  • Trusting familiar brand names like Microsoft

The “rnicrosoft” scam works precisely because it exploits this trust.

How Companies Can Protect Themselves in 2026

1. Train Employees on Visual Scams

Security awareness training must now include:

  • Look-alike domains
  • Font-based scams (like rn vs m)
  • Mobile email risks

2. Enforce Multi-Factor Authentication (MFA)

Even if credentials are stolen, MFA can stop attackers.

Focus on:

  • Microsoft 365
  • Email systems
  • VPNs
  • Admin accounts

3. Monitor and Block Look-Alike Domains

Companies should:

  • Register similar domains to their own
  • Monitor for impersonation domains
  • Block known malicious domains at the network level
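The look-alike patterns listed earlier (rn for m, capital i for l, zero for o, extra words such as "-secure") and the monitoring step in this list can both be checked mechanically. The Python below is an added example, not code from the original page or from any vendor: it folds a domain label into the shape a reader's eye would take it for, then compares it against a list of protected brand names. The brand list, the GENUINE_HOSTS allowlist, the confusable pairs beyond the page's three cases, the one-letter near-miss rule, and the "example-corp" placeholder standing in for your own company domain are all assumptions; the sample host list is constructed for the illustration.

```python
from typing import List, Optional, Tuple

# Brand names that should never appear in a domain you do not control.
# "example-corp" is a placeholder for your own company name.
PROTECTED_BRANDS = ["microsoft", "paypal", "amazon", "example-corp"]

# Hosts that legitimately carry those names (constructed allowlist; extend it for real vendors).
GENUINE_HOSTS = {"microsoft.com", "paypal.com", "amazon.com", "example-corp.com"}

# Visual look-alikes mapped to the character they imitate. "rn" -> "m" is the page's
# rnicrosoft case; "I" -> "l" and "0" -> "o" cover its paypaI and amaz0n examples.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"), ("3", "e"), ("5", "s"), ("$", "s")]

# Only report one-letter slips (microsft) for names long enough that it is unlikely to be noise.
MIN_NEAR_MISS_LEN = 5


def skeleton(label: str) -> str:
    """Collapse a label to what it looks like, not what it is."""
    s = label.replace("I", "l").lower()  # capital I first: lower() would turn it into an ordinary i
    for lookalike, real in CONFUSABLES:
        s = s.replace(lookalike, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single dropped or swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> Optional[Tuple[str, str]]:
    """Return (reason, brand) when a host imitates a protected brand, else None."""
    host = host.strip(".")
    lowered = host.lower()
    if any(lowered == g or lowered.endswith("." + g) for g in GENUINE_HOSTS):
        return None  # the real thing, or a subdomain of it
    parts = host.split(".")
    # Assumption: the brand sits in the label before a one-part suffix (co.uk-style suffixes are not handled).
    label = parts[-2] if len(parts) >= 2 else parts[0]
    sk = skeleton(label)
    for brand in PROTECTED_BRANDS:
        if sk == brand:
            return ("confusable-characters", brand)
        if brand in sk:
            return ("brand-with-extra-characters", brand)
        if len(brand) >= MIN_NEAR_MISS_LEN and edit_distance(sk, brand) == 1:
            return ("near-miss-spelling", brand)
    # The real brand name used as a subdomain of an unrelated registrable domain.
    for sub in parts[:-2]:
        for brand in PROTECTED_BRANDS:
            if skeleton(sub) == brand:
                return ("brand-in-subdomain", brand)
    return None


def scan(hosts: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify over a feed of hosts and keep only the flagged ones as (host, reason, brand)."""
    flagged: List[Tuple[str, str, str]] = []
    for h in hosts:
        verdict = classify(h)
        if verdict is not None:
            flagged.append((h, verdict[0], verdict[1]))
    return flagged


# Constructed sample feed, of the kind a newly-registered-domains list or a web proxy log might yield.
SAMPLE_HOSTS = [
    "microsoft.com", "login.microsoft.com", "rnicrosoft.com", "paypaI.com", "amaz0n.com",
    "micros0ft-secure.com", "microsft.com", "microsoft.com.account-verify.net", "wikipedia.org",
]

if __name__ == "__main__":
    for host, reason, brand in scan(SAMPLE_HOSTS):
        print(f"{host:36} {reason:28} imitates {brand}")
```

A hit from scan() is a candidate for review and blocking, not proof of fraud: legitimate hosts that carry a brand name (a vendor's own portal, for instance) belong in the GENUINE_HOSTS allowlist, which is exactly the "register and monitor similar domains" work the list above describes.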

4. Verify Financial Requests Out-of-Band

Any payment or sensitive request should be verified via:

  • A phone call
  • A known internal channel
  • A second approver

Never rely solely on email or voice messages.

5. Keep Systems Updated

Many attacks succeed simply because patches were delayed.

Regular updates reduce exposure to:

  • Ransomware
  • Zero-day exploits
  • Credential theft

 

Account Takeover Fraud via Impersonation of Financial Institution Support

The FBI warns of cyber criminals impersonating financial institutions to steal money or information in Account Takeover (ATO) fraud schemes. The cyber criminals target individuals, businesses, and organizations of varied sizes and across sectors. In ATO fraud, cybercriminals gain unauthorized access to the targeted online financial institution, payroll, or health savings account, with the goal of stealing money or information for personal gain.
 
HOW IT WORKS
 
The cyber criminal impersonates the financial institution's staff or website to obtain access to the account. Cyber criminals usually gain access to accounts through social engineering techniques, including texts, calls, and emails, or through fraudulent websites.
SOCIAL ENGINEERING
  • A cyber criminal manipulates the account owner into giving away their login credentials, including multi-factor authentication (MFA) code or One-Time Passcode (OTP), by impersonating a financial institution employee, customer support, or technical support personnel. The cyber criminal then uses login credentials to log into the legitimate financial institution website and initiate a password reset, ultimately gaining full control of the accounts.
  • Social engineering methods include contacting account owners via fraudulent text messages, calls, or emails to trick the email recipient into providing their login credentials. In some instances, the cyber criminal states there are fraudulent transactions on the financial account and may link to a phishing website that the account owner believes will report the fraud or prevent additional fraudulent transactions.
  • In some instances, cyber criminals impersonating financial institutions reported to the account owner that their account information was used to make fraudulent purchases, including firearms. The cyber criminal convinces the account owner to provide information to a second cyber criminal impersonating law enforcement, who then convinces the account owner to provide account information.
PHISHING DOMAINS/WEBSITES
  • The cyber criminal uses a phishing website that looks like the legitimate online financial institution or payroll website to trick the account owner into giving away their login credentials. Believing the phishing website is the legitimate one, users enter their login credentials into the fraudulent site, unknowingly providing them to cyber criminals. 
  • Cyber criminals may also use a technique called Search Engine Optimization (SEO) poisoning. SEO poisoning refers to cyber criminals purchasing ads that imitate legitimate business ads to increase the prominence of their phishing websites by making them appear more authentic to customers who use a search engine to locate the business' website. When users click on the fraudulent search engine ad, they are directed to a sophisticated fraudulent phishing site that mimics the real website, tricking users into providing their login information. 
Once the impersonators have access and control of the accounts, the cyber criminals quickly wire funds to other criminal-controlled accounts, many of which are linked to cryptocurrency wallets; therefore funds are disbursed quickly and are difficult to trace and recover. In some cases, including nearly all social engineering cases, the cyber criminals change the online account password, locking the owner out of their own financial account(s).
STAY PROTECTED
Stay vigilant against ATO Fraud attempts by following these tips.
  • Be careful about the information you share online or on social media. By openly sharing information like a pet's name, schools you have attended, your date of birth, or information about your family members, you may give the scammers information they need to guess your password or answer your security questions.
  • Monitor your financial accounts on a regular basis. Watch for irregularities, such as missing deposits or unauthorized withdrawals, wire transfers, or expenditures.
  • Always use unique, complex passwords. Enable two-factor authentication or MFA on any account possible. Never disable it. 
  • Use Bookmarks or Favorites for navigating to login websites. Avoid clicking on Internet search results or advertisements. MFA will not protect you if you land on a fraudulent login page. Carefully examine any email address, URL, or spelling in unsolicited correspondence.
  • Stay vigilant against phishing attempts. Be suspicious of unknown "banking" or "company" employees who call you; don't trust caller ID. Hang up, verify the correct number and call it yourself. Companies generally do not contact you to ask for your username, password, or OTP.
WHAT TO DO IN CASE OF AN ATO INCIDENT
  1. Contact Your Financial Institution. Contact your financial institution as soon as fraud is recognized to request a recall or reversal.
  2. Reset or Revoke Compromised Credentials. Reset all credentials and passwords that may have been exposed during the intrusion, including user and service accounts, compromised certificates, or other "secret" credentials. If you use the compromised password for other online accounts, change your password on those sites too.
  3. Notify the Impersonated Company. Notify the company that was impersonated of the method the cyber criminals used to target the account owner. The company may be able to warn others to watch out for the scam and take proactive measures like requesting that phishing pages be taken down.
 
 
 
Smishing: Definition, examples, and how to stay safe
Smishing, short for SMS phishing, is a type of social engineering scam carried out through text messages. Just like in other types of scams, smishers exploit people's trust and the urgency created by quick, official-looking phone messages. Scam texts are instantly visible, easy to interact with, and leave almost no room to verify the sender before the victim is prompted to click on the malicious link contained within. Once they do, though, their identity and financial information can be stolen and exploited by bad actors.
 
Smishing meaning and definition
What is smishing? Smishing combines SMS (short message service) with phishing to describe a cyberattack delivered as a text message. Instead of phone calls (vishing) or emails (traditional phishing), smishing scams arrive as a phone text impersonating a trusted company or individual, like your bank, a delivery services provider, a government agency, or a friend, to trick you into clicking a malicious link and revealing your sensitive information.
 
A smishing message typically asks you to:
  • Verify suspicious account activity
  • Track or reschedule a "missed" delivery
  • Confirm your shipping address or other personally identifiable information
  • Respond with "yes" or call the sender back
  • Pay unpaid taxes or bills
  • Claim a refund, prize, or reward
How smishing works
Smishing scams come in different forms, but they all start with an unsolicited urgent text message that may look either personal or official depending on the purpose.
 
Common smishing stages include:
  • Obtaining the victim's contact details. Most of the time, these can be looked up online on public data brokers and people-search websites, but many scammers go to great lengths to buy leaked datasets on real people from dark web websites.
  • Impersonating trusted institutions or people. Scammers carefully choose whom to impersonate to sound credible. These include banks, government agencies, postal services, or even your employer or business partner.
  • Creating urgency. Smishing messages mimic official and urgent communication from authorized senders that can't be easily ignored and demand prompt action, for example, "Your account will be locked unless you verify immediately".
  • Including a malicious link or phone number to call back. These are used to take the victim to spoofed websites and "call centers" that steal sensitive information, such as payment card details and digital account credentials, or to download malware to the victim's device.
  • Requesting personal information. Whether on a malicious website or on the phone with the scammer, you'll be required to enter or share your personal information under credible excuses. Once you do this, these details will be stolen and potentially exploited for the scammer's financial gain.
  • Monetization. The ultimate stage of a smishing attack, where scammers exploit your information: withdraw money from your bank account, make fraudulent purchases, commit identity theft, or sell the data to other scammers.
Why smishing is dangerous
There are many contributing factors that make smishing so dangerously effective.
On average, SMS texts have an astounding 98% open rate, much higher than emails, which linger at around 2-3% at best. This makes scammers' exploits all the more effective when done through this medium.
 
At the same time, sending out smishing messages is automated and fairly cheap, so attackers are able to send out massive amounts of fraudulent messages at a low cost. At such a scale, smishing attacks are capable of producing dramatic financial results for minimal cost to the scammer.
 
Because people are used to short informal texts as well as occasional SMS-based communication from brands, they may overlook red flags that would stand out in an email or phone call. Older and less tech-savvy people are particularly vulnerable to this type of attack, as they might not recognize a threat.
 
Finally, smishing scams are getting more convincing, adapting to what works best with millions of victims worldwide. 
 
How to recognize a smishing scam
If you see an unsolicited text message that raises your suspicion, here are the warning signs to confirm it's smishing:
 
The sender's number is generic, unfamiliar, or looks spoofed. It may display a generic company name like "Delivery Services" or just be a phone number. You can double-check by verifying the official contact details of the sender's alleged company online.
 
There's a link you're prompted to click or a request to respond to the message with "yes" or "no". The link is typically disguised via a link shortener or has extra characters and words uncommon for the real company's website. In some cases, you'll be asked to copy and paste the link URL into your browser.
 
The message creates urgency and asks you to act immediately. There might be alarming language, a deadline for your action, and threats in case you don't respond.
 
The message contains typos, weird grammar, or language that feels off for official branded communication.
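The first three warning signs above (an unfamiliar sender, a disguised or off-brand link, and urgency or a reply prompt) can be turned into a simple scoring rule, which is how a carrier spam filter or a helpdesk triage tool would apply them. The Python below is an added example, not code from the original page: it scores constructed sample messages and flags those that collect enough signals. The saved-sender list, the brand-to-domain table, the shortener host list, the point weights and the threshold are all assumptions; the fourth sign (typos and odd grammar) is left out because it needs a language model rather than a regular expression.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed reference data: numbers the user has saved for organisations that text them,
# each brand's real domain, and common link-shortener hosts. Replace with your own.
KNOWN_SENDERS = {"+15551230000"}                  # e.g. the bank's official alert number
BRAND_DOMAINS = {"examplebank": "examplebank.com"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "cutt.ly"}

URL_RE = re.compile(r"https?://\S+|\b[\w-]+\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)
URGENCY_RE = re.compile(
    r"\b(immediately|within \d+ (?:hours?|minutes?)|suspended|locked|final notice|urgent|act now|expires? today)\b",
    re.IGNORECASE,
)
REPLY_RE = re.compile(r"\breply\s+(?:yes|no|y|n)\b|\bcall\s+(?:us\s+)?(?:back\s+)?(?:at\s+)?\+?\d", re.IGNORECASE)

SMISHING_THRESHOLD = 3  # assumption: three points or more is reported as likely smishing


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    @property
    def likely_smishing(self) -> bool:
        return self.score >= SMISHING_THRESHOLD


def host_of(url: str) -> str:
    """Keep only the host part of a URL, lower-cased, with trailing punctuation removed."""
    no_scheme = re.sub(r"^https?://", "", url, flags=re.IGNORECASE)
    return no_scheme.split("/")[0].rstrip(".,;:!?").lower()


def score_sms(sender: str, text: str) -> Verdict:
    """Score one text message against the warning signs: sender, links, urgency, reply prompt."""
    v = Verdict()
    if sender not in KNOWN_SENDERS:
        v.score += 1
        v.reasons.append("unfamiliar sender")
    for url in URL_RE.findall(text):
        host = host_of(url)
        if host in SHORTENER_HOSTS:
            v.score += 2
            v.reasons.append("shortened link")
        for brand, real_domain in BRAND_DOMAINS.items():
            # The brand name is in the link, but the host is not the brand's real domain.
            if brand in host and host != real_domain and not host.endswith("." + real_domain):
                v.score += 2
                v.reasons.append("look-alike link")
    if URGENCY_RE.search(text):
        v.score += 1
        v.reasons.append("urgency or threat")
    if REPLY_RE.search(text):
        v.score += 1
        v.reasons.append("asks for a reply or call-back")
    return v


# Constructed sample messages as (sender, text); none of the numbers or links are real.
SAMPLE_TEXTS = [
    ("+15551230000", "ExampleBank: your statement is ready. View it in the app."),
    ("+13055550199", "ExampleBank alert: unusual activity, your account will be locked within 24 hours. "
                     "Verify at https://examplebank-secure-login.com/verify"),
    ("29345", "USPS: package held. Reschedule delivery: http://bit.ly/abc123 Reply YES to confirm"),
]

if __name__ == "__main__":
    for sender, text in SAMPLE_TEXTS:
        v = score_sms(sender, text)
        print(f"{sender:14} score={v.score} smishing={v.likely_smishing} {v.reasons}")
```

The genuine statement notice scores zero, while the two constructed lures each collect four points from different combinations of signs, which is the point of scoring rather than matching a single rule: no one indicator is decisive, but a message rarely needs more than two of them before a person should stop and verify through the number on the back of their card.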
 
How to protect yourself from smishing
Smishing scammers prey on easy targets that show low cybersecurity awareness, act impulsively, or are driven by fear, curiosity, or greed. 
  • Verify information independently. For example, if you get a fraud alert from your bank, contact the phone number on the back of your payment card to verify if it was compromised.
  • Keep your phone updated and enable spam filters. Install the latest security patches to make sure no software loophole can be exploited by scammers. Many smartphones and carriers support spam filters that can block smishing texts automatically.
  • Never respond to texts with your personal information, be it PINs, one-time verification codes, credit card data, or account credentials.
  • Report suspicious texts to your carrier and/or local regulatory and anti-fraud bodies so they can maintain an up-to-date database of scammers' phone numbers and domains.
What to do if you fall for a smishing scam
If you think you've been scammed by smishers, act immediately to minimize the potential damage. 
  • Stop interacting with the text, don't click any links or reply.
  • Take a screenshot of the text and the sender's ID for further scam reporting.
  • Block the sender and report the text as spam by copying and forwarding it to 7726 (SPAM), then delete the message.
  • If you clicked the link in the smishing message and entered your credentials, change them for all the affected accounts, including reused passwords.
  • If you shared your financial details or banking account login with the scammers, contact your bank to set up fraud alerts and disable and reissue any affected payment cards.
  • If you sent money to the scammers, you may be able to dispute the transaction as fraudulent. 
  • In case the smishing text impersonates a real company, you may contact this company directly and file an impersonation report with them.
  • If your personal data has been stolen, monitor your bank account, email, and credit card for suspicious activity.
  • Run a trusted antivirus to detect any potential malware that could have been installed on your device.
Cyber Guidance for Small Businesses
 
Role of the CEO
Cybersecurity is about culture as much as it is about technology. Most organizations fall into the trap of thinking the IT team alone is responsible for security. As a result, they make common mistakes that increase the odds of a compromise. Culture cannot be delegated. CEOs play a critical role by performing the following tasks:

  1. Establish a culture of security. Make it a point to talk about cybersecurity to direct reports and to the entire organization. If you have regular email communications to staff, include updates on security program initiatives. When you set quarterly goals with your leadership team, include meaningful security objectives that are aligned with business goals. Security bust be an "everyday" activity, not an ocasional one. For example, set goals to improve the security of your data and accounts through the adoption of MFA, the percentage of systems you have fully patched, and the percentage of systems that you back up.
  2. Select and support a "Security Program Manager". This person doesn't need to be a security expert or even an IT Professional. The Security Program Manager ensures your organization implements all the key elements of a strong cybersecurity program. The manager should report on the progress and roadblocks to you and other senior executives at last monthly, or more often in the beginning.
  3. Review and approve the Incident Response Plan (IRP). The Security Program Manager will create a written IRP for the leadership team to review. The IRP is your action plan before, during and after a security incident. Give it the attention it deserves in "peace time" and involve the leaders from across the organization, not just the security and IT functions. There will be no time to digest and refine it during an incident. PRO TIP: Invoke the IRP even when you suspect a false alarm. "Near misses" drive continuous improvements. Never let a near miss go to waste!
  4. Participate in tabletop exercise drills. The Security Program Manager will host regular attack simulation exercises called tabletop exercises. These exercises will help you and your team build the reflexes you'll need during an incident. Make sure your senior leaders attend and participate.
  5. Support the IT leaders. There are places where the support of the CEO is critical, especially where the security program needs the help of every staff member. Take ownership of certain efforts: instead of asking IT to persuade busy staff that they must enable MFA, make the MFA announcement to your staff yourself and keep track of the progress. Personally follow up with people who have not enabled MFA. Doing so creates a culture of security from the top.
 
Role of the Security Program Manager
The Security Program Manager will need to drive the elements of the security program, inform the CEO of progress and roadblocks, and make recommendations. These are the Security Program Manager's most important tasks:
 
  1. Training. All staff must be formally trained to understand the organization's commitment to security, what tasks they need to perform (like enabling MFA, updating their software, and avoiding clicking on suspicious links that could be phishing attacks), and how to escalate suspicious activity.
  2. Write and maintain the IRP. The IRP will spell out what the organization needs to do before, during, and after an actual or potential security incident. It will include the roles and responsibilities for all major activities and an address book for use should the network be down during an incident. Get the CEO and other leaders to formally approve it. Review it quarterly and after every security incident or "near miss".
  3. Host quarterly tabletop exercises. A tabletop exercise (TTX) is a role-playing game in which the organizer presents a series of scenarios to the team to see how they would respond. A common scenario involves one employee discovering their laptop blocked by ransomware.
  4. Ensure MFA compliance. The most important step an organization can take is to ensure that all staff use MFA to log into key systems, especially email. While this task is also listed under the IT section below, multiple people must review the MFA status regularly.
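The regular MFA status review in item 4 (and the IT lead's sweep for non-compliant accounts described in the next section) is easiest to do from an export of the identity provider's user list. The Python below is an added example, not part of the original page: it reads a constructed export and reports administrators with no MFA, recently onboarded staff who never enrolled, and accounts that are enrolled but have not completed an MFA sign-in recently (the usual sign of a phone migration that broke the authenticator). The column names, dates and thresholds are assumptions made for the example; a real export's columns will differ.

```python
"""Audit a user export for MFA gaps (added example, not from the original page).
The export columns, dates and thresholds are constructed; a real identity
provider's export and admin-role flag will look different."""
import csv
import io
from datetime import date, timedelta

# Constructed export: username, admin flag, registered MFA methods, account
# creation date, and date of the last successful MFA sign-in (blank if never).
SAMPLE_EXPORT = """username,is_admin,mfa_methods,created,last_mfa_success
alice,true,authenticator;fido2,2022-01-10,2024-06-01
bob,false,,2024-05-28,
carol,true,,2021-03-15,
dave,false,authenticator,2020-09-01,2024-01-15
erin,false,sms,2023-11-20,2024-05-30
"""

AS_OF = date(2024, 6, 3)            # "today" for the constructed data
ONBOARDING_WINDOW = timedelta(days=14)
STALE_AFTER = timedelta(days=45)    # enrolled, but no MFA sign-in for this long


def parse_export(text):
    """Parse the CSV export into typed records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "username": row["username"],
            "is_admin": row["is_admin"].strip().lower() == "true",
            "methods": [m for m in row["mfa_methods"].split(";") if m],
            "created": date.fromisoformat(row["created"]),
            "last_mfa_success": (date.fromisoformat(row["last_mfa_success"])
                                 if row["last_mfa_success"] else None),
        })
    return records


def classify(account, as_of=AS_OF):
    """Return (severity, reason) for a non-compliant account, or None if compliant."""
    if not account["methods"]:
        if account["is_admin"]:
            return ("critical", "administrator with no MFA method registered")
        if as_of - account["created"] <= ONBOARDING_WINDOW:
            return ("high", "recently onboarded and never enrolled in MFA")
        return ("high", "no MFA method registered")
    last = account["last_mfa_success"]
    if last is None or as_of - last > STALE_AFTER:
        # Common after a phone migration: still "enrolled", but the method no longer works.
        return ("medium", "MFA enrolled but unused recently; confirm the device still works")
    return None


def audit(text, as_of=AS_OF):
    """Return [(username, severity, reason)] for non-compliant accounts, most severe first."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    findings = []
    for account in parse_export(text):
        result = classify(account, as_of)
        if result:
            findings.append((account["username"],) + result)
    return sorted(findings, key=lambda f: rank[f[1]])


if __name__ == "__main__":
    for username, severity, reason in audit(SAMPLE_EXPORT):
        print(f"{severity:8} {username:8} {reason}")
```

Run against the constructed export, the report lists carol (administrator, no MFA) first, then bob (onboarded six days ago, never enrolled), then dave (enrolled, but no MFA sign-in since January). Feeding the script a fresh export on a schedule, and having both the Security Program Manager and the IT lead read the output, is one way to meet the "multiple people must review" requirement.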
Role of the IT Lead

  1. Ensure MFA is mandated using technical controls, not faith. Some organizations have instructed their users to enroll in MFA, but not all users complete that task. There are often MFA gaps for recently onboarded staff and for people who have migrated to a new phone. You'll need to regularly look for non-compliant accounts and remediate them. Verify, verify, verify.
  2. Enable MFA for all system administrator accounts. System administrators are valuable targets for attackers. You might assume that they would reflexively enroll in MFA. Yet Microsoft reports that around half of Azure Active Directory global administrators use MFA. In many compromises, attackers were able to get a foothold on the system administrator's account, and from there they had complete access to all the company's assets.
  3. Patch. Many attacks succeed because the victims were running vulnerable software when a newer, safer version was available. Keeping your systems patched is one of the most cost-effective practices to improve your security posture.
  4. Perform and test backups. Many organizations that have fallen victim to ransomware either had no backups or had incomplete/damaged backups. It's not enough to schedule all important systems to have a regular backup. It's critical to regularly test partial and full restores. You'll have to pick a cadence for the backups (continuous, hourly, weekly, etc.). You'll also want to write a plan for the restoration. Some organizations experiencing ransomware attacks found that the time to restore their data was significantly longer than expected, impacting their business.
  5. Remove administrator privileges from user laptops. A common attack vector is to trick users into running malicious software. The attacker's job is made easy when users have administrator privileges. A user who lacks administrator privileges cannot install software, so this type of attack won't work.
  6. Enable disk encryption for laptops. Modern smartphones encrypt their local storage, as do Chromebooks. Windows and Mac laptops, however, must be configured to encrypt their devices. Given how many laptops are lost or stolen each year, it's important to ensure your laptop fleet is protected. 
 
 
 
HOW TO PREVENT BUSINESS IDENTITY THEFT
 
Protecting your business from identity theft requires a proactive and multi-faceted approach, encompassing both digital and physical security measures, as well as employee training and vigilance.
 
Here's a breakdown of key strategies:
1. Safeguarding sensitive information
  • Protect Your EIN and Other Business Identifiers: Your Employer Identification Number (EIN) is as sensitive as a Social Security Number is for individuals. Treat it with the utmost care, as you would your business's physical address and legal name, because these pieces of information are all a thief needs to impersonate your business.
  • Limit Access to Sensitive Data: Implement strict controls over who has access to sensitive company information, customer data, and financial records. The principle of least privilege should be applied, giving employees only the minimum access necessary for their jobs.
  • Secure Documents and Systems: Store sensitive paper documents in locked cabinets and implement password protection for electronic files.
  • Secure Payment Processing: Work with banks or processors to ensure you're using trusted and validated anti-fraud services, and isolate payment systems from less secure programs.
2. Cybersecurity best practices
  • Robust Cybersecurity Policies: Establish comprehensive cybersecurity policies that outline best practices for employees, including password management, data protection, and acceptable use of company resources.
  • Employee Training and Education: Regularly educate your employees on identifying and avoiding common cyber threats, like phishing, malware, and social engineering scams. Highlight red flags like unusual email addresses, suspicious links, and urgent requests for information.
  • Strong Passwords and Multi-Factor Authentication (MFA): Enforce strong password policies and enable MFA on all business accounts, particularly for admin accounts and remote workers. MFA provides an extra layer of security by requiring more than just a password for authentication.
  • Regular Software Updates and Patch Management: Ensure all operating systems, software, and applications are regularly updated to protect against vulnerabilities.
  • Antivirus and Malware Protection: Install and maintain updated antivirus and anti-malware.
  • Monitor Business Filings: Periodically check your business registration information with the Secretary of State's office (or equivalent state agency) to ensure no unauthorized changes have been made.
  • Review Account Statements Regularly: Scrutinize bank and credit card statements for suspicious transactions and immediately report any unauthorized activity.
3. Physical Security
  • Secure Physical Premises: Implement measures like locked offices and file cabinets to protect physical documents and hardware.
  • Secure Mailboxes: Consider using a locked mailbox for incoming business mail to prevent theft.
  • Securely Dispose of Sensitive Information: Shred or destroy documents and records containing sensitive information before discarding them. Make old computer hard drives unreadable before disposal.
4. Other important considerations
  • Separate Business and Personal Finances: Maintain separate accounts and credit cards for your business and personal use to better track and detect fraudulent activity.
  • Vet Third-Party Vendors: Ensure that vendors and partners who handle your business data have adequate security measures in place.
  • Business Insurance: Consider obtaining business insurance coverage that specifically covers losses resulting from business identity theft.
  • Seek Expert Advice: If needed, consult with cybersecurity experts or legal professionals to develop and implement robust security strategies.
By proactively implementing these measures, businesses can significantly reduce their vulnerability to identity theft and cyber fraud.
Technology Frauds for your Business to Avoid
 
Businesses of all sizes are increasingly targeted by fraudsters using sophisticated technology to execute their schemes. Here are some of the latest technology frauds businesses should be aware of and actively work to avoid:
 
AI-Powered Scams:
  • Deepfakes: AI is used to create highly realistic fake audio and video to impersonate individuals like executives or vendors, leading to scams like CEO fraud where employees are tricked into transferring funds based on fake instructions.
  • Enhanced Phishing & Smishing: AI helps generate convincing phishing emails and text messages, making them more personalized, grammatically correct, and harder to detect.
 
Business Email Compromise (BEC):
  • Impersonation: Fraudsters impersonate trusted individuals like CEOs, vendors, or suppliers through email to manipulate employees into making payments or providing sensitive information.
  • Sophisticated Tactics: Scammers use AI to mimic writing styles and exploit real-time data for more convincing and timely requests, making them harder to identify.
Ransomware Attacks:
  • Data Encryption: Attackers encrypt valuable business data and demand a ransom payment (often in cryptocurrency) to restore access.
  • Vulnerability: Small businesses are particularly vulnerable due to potentially less robust cybersecurity measures.
Digital Payment Fraud: 
  • Fake Invoices: Fraudsters create realistic-looking fake invoices for goods or services that were never ordered or delivered, often containing subtle discrepancies in payment details to trick businesses into making payments.
  • Account Compromise: Scammers gain unauthorized access to digital wallets or payment platforms through phishing attacks, manipulating payment logins or setting up recurring fraudulent payments.
Tech Support Scams:
  • Impersonation: Scammers pose as representatives of well-known tech companies (e.g., Microsoft) to trick employees into granting remote access to company computers or paying for fake support services.
  • Remote Access: Gaining remote access allows scammers to steal sensitive information, install malware, or compromise business systems.
Other Notable Frauds:
  • Online Marketplace Scams: Fake profiles and listings on platforms like Facebook Marketplace can lead to scams where businesses pay for goods or services they never receive.
  • Fake Job Offers: Scammers create fraudulent job postings, especially for work-from-home positions, to recruit individuals as money mules, where they unknowingly participate in laundering illegal funds.
  • Cryptocurrency Scams: With the rise of cryptocurrencies, scams like fake investment schemes and "rug pulls" are targeting businesses and individuals alike.
Key Prevention Strategies:
  • Employee Education: Train employees to recognize signs of phishing, BEC, deepfakes, and other social engineering tactics.
  • Robust Cybersecurity: Implement and regularly update security measures like firewalls, antivirus software, intrusion detection systems, and multi-factor authentication (MFA).
  • Verification Protocols: Establish strict procedures for verifying financial requests, invoices, and any communication that seems suspicious.
  • Secure Payment Processes: Enforce secure payment processes and educate staff on safe digital payment practices.
  • Continuous Monitoring: Monitor for fraudulent payments, unusual account activity, and potential data breaches.
  • Incident Response Plan: Develop a plan for responding to cyberattacks and data breaches.
By implementing these practices and staying vigilant against emerging threats, businesses can significantly reduce their risk of falling victim to technology-enabled fraud.
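The "Verification Protocols" strategy above, applied to the fake-invoice and BEC impersonation patterns described earlier, comes down to comparing what an incoming request says against what the business already knows about the vendor. The Python below is an added example, not part of the original page: it checks an incoming invoice against an approved vendor record and flags changed bank details, a sender domain that merely looks like the vendor's (digit-for-letter and "rn"-for-"m" substitutions), and pressure for immediate payment. The vendor record, the three invoices and the similarity threshold are all constructed for the example.

```python
"""Check an incoming invoice against the approved vendor record (added example,
not from the original page). Vendor record, invoices and thresholds are constructed."""
from difflib import SequenceMatcher

# Constructed approved-vendor master record, as accounts payable would hold it.
APPROVED_VENDORS = {
    "acme-supply": {
        "email_domain": "acmesupply.com",
        "bank_routing": "021000021",
        "bank_account": "12345678",
    },
}

# Constructed invoices: one legitimate, one BEC-style, one from a free-mail address.
LEGIT_INVOICE = {"vendor_id": "acme-supply", "sender_email": "ap@acmesupply.com",
                 "bank_routing": "021000021", "bank_account": "12345678", "urgent": False}
FRAUD_INVOICE = {"vendor_id": "acme-supply", "sender_email": "ap@acrnesupp1y.com",
                 "bank_routing": "021000021", "bank_account": "99990001", "urgent": True}
FREEMAIL_INVOICE = {"vendor_id": "acme-supply", "sender_email": "acme.billing@gmail.com",
                    "bank_routing": "021000021", "bank_account": "12345678", "urgent": False}


def normalize_domain(domain):
    """Fold common lookalike substitutions (rn->m, vv->w, digits->letters)."""
    folded = domain.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("0135", "oles"))


def domain_similarity(a, b):
    """1.0 means identical after folding; lookalike domains score close to 1.0."""
    return SequenceMatcher(None, normalize_domain(a), normalize_domain(b)).ratio()


def check_invoice(invoice, vendors=APPROVED_VENDORS, lookalike_threshold=0.8):
    """Return (severity, reason) flags. An empty list means the automated checks
    passed; a person still approves the payment."""
    flags = []
    vendor = vendors.get(invoice["vendor_id"])
    if vendor is None:
        return [("high", "vendor is not in the approved vendor master")]
    sender_domain = invoice["sender_email"].rsplit("@", 1)[-1].lower()
    if sender_domain != vendor["email_domain"]:
        if domain_similarity(sender_domain, vendor["email_domain"]) >= lookalike_threshold:
            flags.append(("high", f"sender domain {sender_domain} is a lookalike of {vendor['email_domain']}"))
        else:
            flags.append(("medium", f"sender domain {sender_domain} does not match the vendor record"))
    if (invoice["bank_routing"], invoice["bank_account"]) != (vendor["bank_routing"], vendor["bank_account"]):
        flags.append(("high", "payment details differ from the vendor record; confirm by phone on the number already on file"))
    if invoice.get("urgent"):
        flags.append(("low", "request pressures for immediate payment"))
    return flags


if __name__ == "__main__":
    for label, inv in [("legit", LEGIT_INVOICE), ("fraud", FRAUD_INVOICE), ("freemail", FREEMAIL_INVOICE)]:
        print(label, check_invoice(inv) or "no flags")
```

The check is deliberately anchored on data the business already holds (the vendor master) rather than on anything in the suspicious message itself, and any flag routes the request to a call-back using the phone number on file, never a number printed on the invoice. The legitimate invoice produces no flags; the BEC-style one produces two high flags (lookalike domain, changed account) plus the urgency flag.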
Proudly serving North Texas for over 130 years.