
Business Cybersecurity Tips

Business Technology Topic of the Month

Security Challenge of Remote Work

Personal Devices
While working from home, people do not always use company owned devices. Even before the shift to remote work, employees were bringing their own personal devices for work (the BYOD model).

Now, any employee-owned device needs to be protected. If an employee uses their own smartphone, PC, laptop, or tablet for work, there should be an endpoint security solution on the device. This makes it difficult for a hacker to gain access from the outside.

File Sharing
For many employees, file sharing is a necessity in remote work environments. Sharing data is critical for collaboration, especially for remote teams, but without proper data security it is easy for sensitive information to fall into the wrong hands.

Weak Remote Infrastructure
Some companies do not have the right technology in place to support a remote work environment. At minimum, employees should be able to remote into their company workstations and connect to the company network using a VPN.

Companies that lack centralized solutions risk employees using their own workarounds. This is called shadow IT. It presents security risks because the solutions aren't vetted by experts, and there's no centralized management.

Remote Work Security Best Practices
Keeping your remote workers secure requires a combination of technology, policies, and education.

Require a VPN
VPNs allow employees to access the organization's information through an encrypted tunnel. VPNs also provide necessary security while using public networks. By encrypting data flowing over the internet, VPNs make it difficult for hackers to intercept the connection.

Remote workers should be required to connect to your VPN before accessing shared storage drives or remote desktops. This is the equivalent of requiring onsite employees to be connected to your network before accessing company data.

Remote Desktop Connections
Employees can remotely access their in-office PCs using a remote connection application. This is helpful when work PCs have specialized software or data that cannot be accessed on a home computer.

Remote connections require strong security protections. This technology makes it possible to access a PC anywhere in the world. While this means your users can access their PC from anywhere, it also means a hacker anywhere in the world can access that PC. That is why it's critical to authenticate the user before allowing the connection.

Tips for enabling safe remote desktop connections:
  • Require the user to connect to the VPN
  • Make sure multifactor authentication is enabled for the VPN connection
  • Only grant users access to the PCs they need. Most users only need access to their workstations.
  • Require the user to enter their domain password to connect.
Multifactor Authentication
Enabling multifactor authentication is especially important in remote environments. Adding one additional authentication method can stop 99.9% of attacks.

With MFA enabled, users take an additional step to prove their identity. Typically, a one-time code is sent to the user's smartphone via an MFA app or text message. The MFA app may send a push notification instead. Either way, this occurs after the user enters their username and password.

By combining what the user knows (username/password) with what they have (smartphone), the user is authenticated with a higher degree of certainty.

Approve Personal Devices
If personal devices are being used for work, then the devices should follow your information security policies. For example, you may decide not to allow jailbroken smartphones to access the company network. Personal computers with risky software installed can also be blocked.

Technology exists to enforce this compliance:
  • Mobile Device Managers make sure employee smartphones are secure.
  • Next generation firewalls can evaluate VPN connection requests and block devices with suspicious software.
  • Data Loss Prevention (DLP) tools can stop company info from being downloaded onto personal devices.
The first step is writing personal device use policies. The technology in this space isn't foolproof. All employees should understand what is and isn't acceptable. After creating the policies, make sure you have the technology in place to approve compliant devices and deny non-compliant ones.

Security Awareness Training
Cybersecurity awareness training may be the single most effective tool to prevent breaches. Make sure your annual IT security training covers tips to stay safe when working remotely. All training should include:
  • Phishing Prevention
  • Social Engineering
  • Secure Password Manager
  • Multifactor Authentication
  • Physical Security
  • USB Drive
  • Mobile Device Security
Training for remote users should also include:
  • How to connect to the company network securely
  • How to secure home Wi-Fi networks
  • Public Wi-Fi and public computer security
  • Device compliance requirements
All users should receive training at least once per year, regardless of job function or location.

Review Your Cyber Insurance Policy
In response to the greater risks posed by remote work, cyber insurance providers have increased rates and set stricter requirements for issuing policies. When applying or renewing, make sure to note all your cybersecurity investments. These will help lower premiums and facilitate policy approvals.

Remote Infrastructure Auditing
Remote infrastructures need to go through periodic audits to identify all gaps, loopholes, and vulnerabilities that could potentially be exploited. Once these are known, you can take the necessary steps to fix them and create a secure, healthy infrastructure. It's not a one-time job, but an ongoing process.

Fake checks drive many types of scams, like those involving phony prize wins, fake jobs, mystery shoppers, online classified ad sales, and others. In a fake check scam, a person you don't know asks you to deposit a check (sometimes for several thousand dollars and usually for more than what you are owed) and wire some of the money back to that person. The scammers always have a good story to explain the overpayment: they're stuck out of the country, they need you to cover taxes or fees, you need to buy supplies, or something else. But by the time your bank discovers you've deposited a bad check, the scammer already has the money you sent, and you're stuck paying the rest of the check back to the bank.

The Federal Trade Commission receives tens of thousands of reports each year about fake checks. Over the last three years, the number of complaints has steadily increased, and so have the dollars lost.

The FTC's new infographic, developed with the American Bankers Association Foundation, offers some tip-offs to rip-offs and what to do if you get a check from someone you don't know.

Please share this information with others. Victims may be embarrassed to talk about their experiences, but you can help. A simple phone call, email or text, saying "Look what I just found" and sharing this information may make a difference in someone else's life.
How to Avoid Cryptocurrency Scams!
 
Scammers are always finding new ways to steal your money using cryptocurrency. To steer clear of a crypto con, here are some things to know.

  • ONLY SCAMMERS DEMAND PAYMENT IN CRYPTOCURRENCY. No legitimate business is going to demand you send cryptocurrency in advance, not to buy something, and not to protect your money. That's always a scam.
  • ONLY SCAMMERS WILL GUARANTEE PROFITS OR BIG RETURNS. Don't trust people who promise you can quickly and easily make money in the crypto markets.
  • NEVER MIX ONLINE DATING AND INVESTMENT ADVICE. If you meet someone on a dating site or app, and they want to show you how to invest in crypto, or ask you to send them crypto, that's a scam.
Spot Crypto-Related Scams
 
Here are some common investment scams, and how to spot them.

  • A so-called "investment manager" contacts you out of the blue. They promise to grow your money, but only if you buy cryptocurrency and transfer it into their online account. The investment website they steer you to looks real, but it's a fake, and so are their promises. If you log in to your "investment account", you won't be able to withdraw your money at all, or only if you pay high fees.
  • An online "love interest" wants you to send money or cryptocurrency to help you invest. That's a scam. As soon as someone you meet on a dating app asks you for money, or offers you investment advice, know this: that's a scammer. The advice and offers to help you invest in cryptocurrency are nothing but scams. If you send them crypto, or money of any kind, it'll be gone, and you typically won't get it back.
  • Scammers guarantee that you'll make money or promise big payouts with guaranteed returns. Nobody can make those guarantees, much less in a short time. And there's nothing "low risk" about cryptocurrency investments. So: if a company or person promises you'll make a profit, that's a scam, even if there's a celebrity endorsement or testimonials from happy investors. Those are easily faked.
  • Scammers promise free money. They'll promise free cash or cryptocurrency, but free money promises are always fake.
  • Scammers make big claims without details or explanations. No matter what the investment, find out how it works and ask questions about where your money is going. Honest investment managers or advisors want to share that information and will back it up with details.
  • IF YOU SEE A TWEET (OR A TEXT, OR OTHER MESSAGE ON SOCIAL MEDIA) THAT TELLS YOU TO PAY WITH CRYPTOCURRENCY, THAT'S A SCAM!
SECURE REMOTE ACCESS

Employees and vendors may need to connect to your network remotely.

Put your network's security first. Make employees and vendors follow strong security standards before they connect to your network. Give them the tools to make security part of their work routine.

How to Protect Devices

Whether employees or vendors use company-issued devices or their own when connecting remotely to your network, those devices should be secure. Follow these tips, and make sure your employees always change any pre-set router passwords and the default name of your router. And keep the router's software up to date; you may have to visit the router manufacturer's website often to do so.

Consider enabling full-disk encryption for laptops and other mobile devices that connect remotely to your network. Check your operating system for this option, which will protect any data stored on the device if it's lost or stolen. This is especially important if the device stores any sensitive personal information.

Change smartphone settings to stop automatic connection to public Wi-Fi.

Keep up-to-date antivirus software on devices that connect to your network, including mobile devices.

How to Connect Remotely to the Network 

Require employees and vendors to use secure connections when connecting remotely to your network. They should:
  • Use a router with WPA2 or WPA3 encryption when connecting from their homes. Encryption protects information sent over a network so that outsiders can't read it. WPA2 and WPA3 are the only encryption standards that will protect information over a wireless network.
  • Only use public Wi-Fi when also using a virtual private network (VPN) to encrypt traffic between their computers and the internet. Public Wi-Fi does not provide a secure internet connection on its own. Your employees can get a personal VPN account from a VPN provider, or you may want to hire a vendor to create an enterprise VPN for all employees to use.
What To Do To Maintain Security
  • Include information on secure remote access in regular trainings and new staff orientations.
  • Have policies covering basic cybersecurity, give copies to your employees, and explain the importance of following them.
  • Before letting any device, whether at an employee's home or on a vendor's network, connect to your network, make sure it meets your network's security requirements.
  • Tell your staff about the risks of public Wi-Fi.
Give Your Staff Tools that Will Help Maintain Security

  • Require employees to use unique, complex network passwords and avoid unattended, open workstations.
  • Consider creating a VPN for employees to use when connecting remotely to the business network.
  • Require multi-factor authentication to access areas of your network that have sensitive information. This requires additional steps beyond logging in with a password, such as a temporary code on a smartphone or a key that's inserted into a computer.
  • If you offer Wi-Fi on your business premises for guests and customers, make sure it's separate from and not connected to your business network.
  • Include provisions for security in your vendor contracts, especially if the vendor will be connecting remotely to your network.
 
WHAT TO KNOW ABOUT RANSOMWARE

Someone in your company gets an email

It looks legitimate, but with one click on a link, or one download of an attachment, everyone is locked out of your network. That link downloads software that holds your data hostage. That's a ransomware attack.

The attackers ask for money or cryptocurrency, but even if you pay, you don't know if the cybercriminals will keep your data or destroy your files. Meanwhile, the information you need to run your business and sensitive details about your customers, employees, and company are now in criminal hands. Ransomware can take a serious toll on your business.

How it happens
  • Scam emails with links and attachments that put your data and network at risk. These phishing emails make up most ransomware attacks.
  • Infected websites that automatically download malicious software onto your computer.
  • Server vulnerabilities that can be exploited by hackers.
  • Online ads that contain malicious code, even on websites you know and trust.
How to protect your business
  • Have a plan: How would your business stay up and running after a ransomware attack? Put this plan in writing and share it with everyone who needs to know.
  • Back up your data: Regularly save important files to a drive or server that's not connected to your network. Make data backup part of your routine business operations.
  • Keep your security up to date: Always install the latest patches and updates. Look for additional means of protection like email authentication and intrusion prevention software, and set them to update automatically on your computer. On mobile devices, you may have to do it manually.
  • Alert your staff: Teach them how to avoid phishing scams and show them some of the common ways computers and devices become infected. Include tips for spotting and protecting against ransomware in your regular orientation and training.
What to do if you're attacked
  • Limit the damage: Immediately disconnect the infected computers or devices from your network. If your data has been stolen, take steps to protect your company and notify those who might be affected.
  • Keep your business running: Now is the time to implement that plan. Having data backed up will help.
  • Contact the authorities: Report the attack right away to your local FBI office.
  • Should I pay the ransom? Law enforcement doesn't recommend it, but it's up to you to determine whether the risks and costs of paying are worth the possibility of getting your files back. Paying the ransom does not guarantee you get your data back.
  • Notify customers: If your data or personal information was compromised, make sure you notify the affected parties; they could be at risk of identity theft.
HELPFUL FRAUD PREVENTION TIPS TO SAFEGUARD YOUR BUSINESS

Do Not Share Business Login Information
Grandview Bank will never reach out to customers to request information related to their Business account login. This includes asking for details such as your company ID, passwords, usernames, security pins or token numbers. To keep your data safe and out of the hands of fraudsters, please do not share sensitive information with anyone.

Verbally Confirm: New Payment Instructions
If you receive a request to change payment instructions, call to confirm, using a known number. Never use the email addresses or phone numbers provided in the email request to confirm your new payment instructions.

Be Cautious of Email Scams
Emails, even those from a known sender, can sometimes be opportunities for fraudsters to gain access to your sensitive financial information. Phishing is an online scam that targets its victims using email and can lead to malware or email compromise. Be cautious before clicking on links and stay alert for emails that raise red flags, including those with excessive typos or grammatical errors.

Verify Correct URL Addresses
Avoid using search engines to find the login for Grandview Bank. Fraudsters can imitate the web address with minor changes to appear legitimate.

Monitor Your Accounts
Make it a consistent practice to carefully review your monthly bank statements and reconcile your accounts daily to monitor for unauthorized activity. If you find or suspect unusual activity on your account(s), contact us immediately.

Safeguard Your Business Checks
Keep business checks in a secure location. Avoid leaving payments in unguarded drop boxes or outgoing mail slots. When mailing check payments, it is best to drop them off at a secure location.

 
What is CEO Fraud?

CEO Fraud is a scam in which cyber criminals spoof company email accounts and impersonate executives to try and fool an employee in accounting or HR into executing unauthorized wire transfers, or sending out confidential tax information.

Top Four Attack Methods
  1. Phishing: Phishing emails are sent to large numbers of users simultaneously in an attempt to "fish" for sensitive information by posing as reputable sources, often with legitimate-looking logos attached. Banks, credit card providers, delivery firms, law enforcement, and the IRS are a few of the common ones. A phishing campaign typically shoots out emails to huge numbers of users. Most of them go to people who don't use that bank, for example, but by sheer weight of numbers, these emails arrive at a certain percentage of likely candidates.
  2. Spear Phishing: This is a much more focused sort of phishing. The cyber criminal has either studied up on the group or has gleaned data from social media sites to con users. A spear phishing email generally goes to one person or a small group of people who use that bank or service. Some form of personalization is included, perhaps the person's name, or the name of a client.
  3. Executive Whaling: Here, cyber criminals target top executives and administrators, typically to siphon off money from accounts or steal confidential data. Personalization and detailed knowledge of the executive and the business are the hallmarks of this type of fraud.
  4. Social Engineering: Within a security context, social engineering means the use of psychological manipulation to trick people into divulging confidential information or providing access to funds. The art of social engineering might include mining information from social media sites. LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel. This can include their contact information, connections, friends, ongoing business deals and more.
Business Identity Theft

What is business identity theft?

When most people think of identity theft, they think of an individual's Social Security or credit card number being stolen. However, identity theft does not just affect individuals. Criminals are targeting businesses of all sizes. Business identity theft involves the actual imitation of the business itself. It can occur through the theft or misuse of key business information, or falsification of business filings and records, and other related criminal activities. Businesses of all types and sizes including sole-proprietor, partnerships, LLCs, trusts, non-profits, and corporations are all targets of business identity theft. Like consumer identity theft, business identity theft can result in potentially disastrous consequences. Identity criminals can steal a business' identity by gaining access to the business' bank accounts and credit cards or by stealing sensitive company information.

What can a business do to prevent and detect business identity theft?

Take the following initial steps to protect your business from business identity theft:
  • Periodically monitor your business and update your business' records by creating an SOSDirect client account. SOSDirect clients can perform searches and submit electronic filings to update the business entity's record, when needed.
  • Criminals target businesses that have been tax forfeited. If your business ceases to conduct business, you should file for a certificate of termination with the Secretary of State. The certificate of termination must be accompanied by a certification of account status from the Texas Comptroller of Public Accounts indicating that all taxes have been paid and that the entity is in good standing for the purpose of termination.
  • Obtain a commercial credit report for your business.
  • Sign up for electronic notifications with your bank, other creditors, and service providers.
  • Monitor accounts and bills and immediately report any suspicious activity to the originating company.
  • Protect your EIN, account numbers and other personal information.
  • Do not share any sensitive information over email or on any web-based service. 
What to do if you believe your business is a victim of business identity theft?
  • Report the theft to your local law enforcement agency and obtain a police report.
  • Contact banks or credit providers and report the theft.
  • Contact the largest credit reporting agencies and speak with the fraud department to report the crime and view your business credit report.
  • Place a fraud alert on your business accounts.
  • Contact creditors where fraudulent accounts were opened, and request copies of all documentation used to open or access the accounts.
  • Contact the Texas Secretary of State to determine whether any changes have been made to the information on file that will necessitate the filing of any documents.
  • Contact the Texas Comptroller of Public Accounts, IRS, and the Texas Department of Public Safety.
  • Request copies of documents or email messages that were used by criminals to fraudulently open or access your accounts.
Common Scams Every Business Should Know About

Criminals use tax scams to obtain employee and business information for financial gain. Although the peak time for these scams is tax season, scammers can strike at any time.

As businesses become increasingly vulnerable to cyber crime and scammers become more sophisticated, it can be difficult for businesses to keep up with the evolving threat landscape. The following are some of the most common business tax scams business owners currently face:
  • W-2 Scams: In a W-2 scam, a scammer contacts a company's HR, payroll or accounting department, posing as an employee or contractor in order to obtain a W-2 form. They can then use the form to file a false tax return to claim a refund.
  • Phishing Scams: Phishing scams involve scammers sending emails or text messages designed to trick taxpayers into thinking they are communicating with officials from the IRS or others in the tax industry. Once the scammer obtains personal or financial information, they can commit identity theft or tax fraud.
  • Telephone Tax Scams: Scammers may call business owners claiming to be an IRS employee and request payment via wire transfer, gift card or another unusual method. While on the phone, scammers may threaten business owners with arrest or suspension of their business license if the payment is not completed.
  • Charity Fraud: This type of scam entails a fraudster setting up a fake charity whose name or website URL is similar to that of a legitimate charitable organization. Businesses may make what they think are tax-deductible donations only to realize that the charity does not exist.
  • Fraudulent Tax Preparation: Criminals may masquerade as tax preparers to obtain a business's information to commit fraud.
How To Avoid Business Tax Scams
In order to mitigate the risk of falling victim to tax scammers, business owners should take the following precautions:
  • File early. When scammers target a business, they may file a fraudulent tax return early in the hopes of obtaining a refund before the legitimate taxpayer files their return. Since the IRS doesn't necessarily alert taxpayers when a return has been filed, business owners may not realize fraud has been committed for weeks or months. The longer business owners wait to file, the broader the window is for scammers to carry out this fraud.
  • Be selective with whom company information is shared. Anyone involved in business deals, opportunities or transactions should be vetted before receiving information related to the company.
  • Verify information requests. Any request for company information should be treated with suspicion until credentials are verified.
  • Dispose of sensitive information properly. While the disposal of sensitive documents, such as financial statements, legal reports or tax information, may be time-consuming, tedious and expensive, it's imperative to destroy information properly. Otherwise, business owners may find themselves in jeopardy.
  • Establish policies to keep information safe. Businesses should implement and develop company wide policies to make protecting company information a priority. This can benefit not only employees and customers but also the long-term health of a business.


Proudly serving North Texas for over 130 years.