Business Cybersecurity Tips

Fake checks drive many types of scams- like those involving phony prize wins, fake jobs, mystery shoppers, online classified ad sales, and others. In a fake check scam, a person you don't know asks you to deposit a check-sometimes for several thousand dollars and usually for more than what you are owed- and wire some of the money back to that person. The scammers always have a good story to explain the overpayment- they're stuck out of the country, they need you to cover taxes or fees, you need to buy supplies, or something else. But by the time your bank discovers you've deposited a bad check, the scammer already has the money you sent, and you're stuck paying the rest of the check back to the bank.

The Federal Trade Commission receives tens of thousands of reports each year about fake checks. Over the last three years, the number of complaints has steadily increased, and so have the dollars lost.

The FTC's new info graphic developed with the American Bankers Association Foundation, offers some tip-offs to rip-offs and what to do if you get a check from someone you don't know.

Please share this information with others. Victims may be embarrassed to talk about their experiences, but you can help. A simple phone call, email or text, saying "Look what I just found" and sharing this information may make a difference in someone else's life.

Scammers are always finding new ways to steal your money using cryptocurrency. To steer clear of a crypto con, here are some things to know.

Here are some common investment scams, and how to spot them.

Scammers are always finding new ways to steal your money using cryptocurrency. To steer clear of a crypto con, here are some things to know.

Here are some common investment scams, and how to spot them.

Mobilize your breach response team right away to prevent additional data loss. The exact steps to take depend on the nature of the breach and the structure of your business.

Assemble a team of experts to conduct a comprehensive breach response, Depending on the size and nature of your company, they may include forensics, legal, information security, information technology, operations, human resources, communications, investor relations, and management.

• Identify a data forensics team. Consider hiring independent forensic investigators to help you determine the source and scope of the breach. They will capture forensic images of affected systems, collect and analyze evidence, and outline remediation steps.
  
• Consult with legal counsel. Tall to your legal counsel. Then, you may consider hiring outside legal counsel with privacy and data security expertise. They can advise you on federal and state laws that may be implicated by a breach.

The goal of the cybercriminal is to steal funds, redirect paychecks, or otherwise affect funds of the targeted victim.

 

In one specific type of scam, cyber criminals buy ads that masquerade as legitimate companies to misdirect victims searching for a specific website through popular search engines such as Google, Yahoo, or Bing. The search engine may return a fraudulent website URL that is very similar to the legitimate website, or slightly misspelled, or re-directed to another website with the URL that appears legitimate.

 

When victims click on the fraudulent search engine ad, they are directed to a sophisticated phishing site that mimics the real website, tricking victims into providing their login information. Cyber criminals then capture victims' credentials as they access the fraudulent site. 

 

If the account requires multi-factor authentication, cyber criminals may utilize social engineering to obtain the One-Time Passcode (OTP). For example, cybercriminals pretend to be a bank employee or technical personnel and requests the victim to provide their phone number via fraudulent website's chat box. The cybercriminal then contact the victim while pretending to be the bank employee/technical support and ask for the OTP.

 

If the account is a corporate account which requires two individuals to authorize a transaction (dual control) then, cyber criminals may utilize social engineering in a similar manner as above, and insist that the second individual go to the same website, and/or go to the open browser of the first individual to complete the transaction. Cybercriminals then use the captured credentials to gain full access to the victim's financial account. If a bank account is compromised, cyber criminals can transfer money from the accounts. If an employer payroll account, health savings account, or retirement account is accessed, the cybercriminal can change the direct deposit information in the real site and redirect funds. If cyber criminals gain access to full personally identifiable information (PII) for victims, they can also create new account relationships, including loans or accounts that defraud victims. 

 

To remain on guard against ATO, follow the tips below:

• Be careful about the information you share online or on social media. By openly sharing things like a pet's name, schools you've attended, your date of birth, or information about your family members, you can give scammers all the information they need to guess your password or answer your security questions.
• Monitor your financial accounts on a regula basis for irregularities, such as missing deposits.
• Always use unique complex passwords, enable two-factor authentication on any account that allows it, and never disable it.
• Use Bookmarks or Favorites for navigating to login websites rather than clicking on Internet search results or advertisements. Multi-factor authentication will not protect you if you land on a fraudulent login page. Carefully examine the email address, URL, and spelling in any correspondence.
• Stay vigilant against phishing attempts. Be suspicious of unknown "banking" or "company" employees who call you; don't trust caller ID. Offer to call them back after you look-up the phone number yourself. Remember that companies generally do not contact you to ask for your username, password, or OTP.

 

• Impersonating IRS Phone Scams: Callers claim to be IRS employees, say that you owe money and it must be paid as soon as possible via gift cards or a wire service. The real IRS will not call and demand immediate payment. In general, they will send a notice or bill via the mail.
• Phishing, Email and Malware Scams: Cybercriminals will attempt to get valuable data via unsolicited emails, text messages, or fake websites that prompt users to click a link and open attachments to share personal or financial information or to release malware or spyware into a computer system.
• Dishonest Tax Firms: Tax preparation companies with little or no credibility open and close quickly during peak tax season. These businesses might not have secure systems, allowing cybercriminals to easily access your information.

 

10 Cybersecurity Tips to Protect Your Small Business Data

The first step in securing your business is knowing what data you have. Start by identifying all connected devices, including desktop computers, laptops, smartphones, printers, and the applications your business relies on. This inventory gives you a clear picture of your digital infrastructure, enabling you to implement the proper measures to protect your data.

 

Over time, you've amassed a treasure trove of data that cybercriminals would love to exploit:

 

Customer Details: This includes emails, phone numbers, birth dates, and all email lists for marketing or sales records. Imagine losing all your customer emails or having them fall into the hands of scammers.

Website: Your website may contain email addresses, support ticket records, online reviews, and customer transactions. These can be exploited for identity theft or creating fake websites.

Social Media: Social media accounts hold data such as usernames and public profile information. Scammers can create fake profiles to send spam or malicious links or to impersonate you.

Invoices: Invoices contain your bank account details and customer contact information, which can be used for scams.

Payment Processing: Online checkouts are targets for stealing customer banking and personal information.

Inventory Data: If you maintain lists of your current stock.

Orders: If you hold on to customer information such as recent sales, payment details, email addresses, personal addresses, and phone numbers.

 

You can protect all this data by following basic security practices. Here are some foundational principles:

 

Keep Work Computers for Work Only: Avoid using business devices for personal activities, as this increases the risk of exposure to malware.

Uninstall Unused Programs and Disable Unused Accounts: To minimize potential vulnerabilities, regularly review and remove unnecessary programs or accounts.

Know who's using what and why: Ensure employees have unique login credentials and restrict administrative rights to only those who need them.

Guard Against Physical Theft, too. Remember to consider the risk of physical theft. Set up remote wiping, which allows you to delete data on a lost or stolen device remotely.

 

Every business is unique, but there are a few things all employees can do to secure the business infrastructure. 

Today, antivirus software is essential. But how do you choose the best one for your needs? Start by assessing your needs and selecting software that protects all your devices from spyware, ransomware, and phishing scams. Look for a software that provides both protection and cleaning capabilities to restore your devices to their pre-infected state.

 

After selecting the proper antivirus, keep it updated to defend against the latest threats and to patch any vulnerabilities.

 

Additionally, remember to secure your mobile devices, such as smartphones and tablets, as these are sometimes overlooked. However, a vulnerable device can be an open door for hackers to access your network and other devices storing information. Encourage your employees to password-protect their devices, install security apps, and encrypt their data to prevent information theft, especially when using public networks.

 

*Regularly update your systems: Ensure that your operating system, applications, and antivirus software are always up-to-date on all devices, not just laptops and computers.

*Upgrade your operating system: Common operating systems like Microsoft Windows and Apple's macOS often release updates with improved security features and bug fixes. Enable automatic updates to keep your devices protected against the latest vulnerabilities.

*Remember to update all your devices and your website, too: Make sure that payment machines, security systems, and any internet-enabled smart devices are running on the latest software versions. Enable automatic updates when possible. Don't forget to update website platforms such as WordPress or Squarespace, as well as their plug-ins and third party extensions. When you log in to the administrator section of your website, set up automatic updates for your website and plug-ins to keep your digital space secure.

 

Regular backups are the key to protecting your data against ransomware attacks. In the event of an attack, you can wipe out infected computers, reset them to factory settings, and restore data from backups, eliminating the need to pay the ransom.

 

Consider using external hard drives for backups, as they provide a secure off-site location for your data. While cloud backups are convenient, physical backups offer additional security against cyber threats.

 

Your passwords should be at least ten characters long and contain a mix of uppercase and lowercase letters, numbers, and special characters. Avoid using predictable passwords like names, birthdays, or common patterns. If you have numerous accounts, consider using a password manager. It can assist you in creating and securely storing complex passwords, making it easier to manage multiple strong passwords without needing to remember each one.

 

Employees often reuse passwords across multiple accounts or choose simple, easy-to guess passwords. This practice makes it easy for hackers to gain access to multiple systems if they crack one password. Tall to them about the risks of this practice.

5. Implement 2 Factor Authentication (2FA)

 

Two-factor authentication adds an extra layer of security by requiring additional verification steps beyond a username and password. For example, after entering your password, you might need to input a unique code sent to your phone. This added step makes it significantly harder for criminals to access your accounts, even if they have your credentials.

 

Set it up on:

*Logins for important business accounts, such as bank accounts and emails.

*Accounts that store your payment information, such as eBay, Amazon, and PayPal

*Social media accounts, including Facebook, Instagram, Twitter, and LinkedIn

*Any specific industry or business-related software

 

Public Wi-Fi networks, such as those in airports, hotels, or cafes are often unsecured and vulnerable to attacks. Hackers can position themselves between you and the connection point through Man-in-the-middle attacks. Instead of your data going directly to the hotspot, it goes to the hacker, who then sends it to the hotspot. This allows them access to anything you send over the internet, such as emails, bank statements, credit card information, login details for websites, and more. Essentially, they can access your systems as if they were you. Hackers commonly distribute malware and create fake connection points to exploit these unsecured connections.

 

One of the things a VPN does is encrypt your data traffic. This means that even if an attacker intercepts your data, they won't be able to decipher it because it will appear as a bunch of gibberish to them. Since hackers typically target easy victims, once they see that you have a VPN set up, they are likely to move on to the next unprotected victim.

 

Phishing messages often disguise themselves as communications from legitimate companies like banks, courier services, or government departments. These messages may include links to fake websites that look almost identical to the real ones, aiming to trick people into entering their bank details.

 

Sometimes, phishing emails include attachments that appear to be invoices or documents. When opened, these attachments can install malware on your computer without your knowledge.

 

Scams that target small businesses include:

 

*Impersonation Scams: Criminals may call pretending to be from government agencies, energy or telecommunications providers, banks, or the police and ask for sensitive information about your business to commit fraud.

 

*Invoice Scams: Involves receiving a fake invoice via email from what seems to be a legitimate supplier. Another version is receiving a request to cancel a recent payment or update bank account details, directing the business to make the payment to a new, fraudulent account.

 

• CEO Scams: Also known as 'CEO phishing' this scam involves an urgent fund transfer request appearing to be from a senior executive, such as the CEO or CFO, in hopes of prompting immediate action without verification.

 

The average person has dozens of accounts needed for access to both personal and business websites, applications, and systems. Account takeover attacks (as the name suggests) attempt to gain access to those accounts, allowing the attacker to steal data, deliver malware, or use the account's legitimate access and permissions for other malicious purposes.

 

 

For an account takeover attack to occur, the attacker needs access to the target account's authentication information- such as a username and password combination. Attackers can obtain this information in various ways, including:

• Credential stuffing: Credential stuffing attacks use bots to automatically attempt to log in to a user account using a list of common or breached passwords. These attacks are possible because many user accounts are protected by weak or reused passwords- a major security issue.
• Phishing: User credentials are a common target of phishing attacks, which often use malicious links to direct a user to a fake page for a service, allowing the attacker to collect their login credentials.
• Malware: Malware infections on a user's computer can steal passwords in various ways . These include dumping authentication information from browser or system password caches or recording a user's keystrokes as they authenticate to an account.
• Application vulnerabilities: Users are not the only entities with accounts on an organization's systems and networks. Applications also have accounts, and an attacker can exploit vulnerabilities in these accounts to take advantage of their access.
• Stolen cookies: The cookies stored on a user's computer can store information about their login session  to allow access to an account without a password. With access to these cookies, an attacker can take over a user's session.
• Hardcoded passwords: Applications commonly need access to various online accounts to perform their role.. Sometimes, passwords  to these accounts are stored in application code or configuration files, which may be exposed or otherwise leaked.
• Network traffic sniffing:: While most network traffic is encrypted and secure, some devices still use insecure protocols, such as Telnet. An attacker who can view this unencrypted network traffic can extract login credentials from it.