Business Cybersecurity Tips

Business Technology Topic of the Month

SECURE REMOTE ACCESS

Employees and vendors may need to connect to your network remotely.

Put your network's security first. Make employees and vendors follow strong security standards before they connect to your network. Give them the tools to make security part of their work routine.

HOW TO PROTECT DEVICES

Whether employees or vendors use company-issued devices or their own when connecting remotely to your network, those devices should be secure. Follow these tips, and make sure your employees and vendors do as well:

Always change any preset router passwords and the default name of your router. And keep the router's software up to date; you may have to check the manufacturer's website regularly to do so.

Consider enabling full-disk encryption for laptops and other mobile devices that connect remotely to your network. Check your operating system for this option, which will protect any data stored on the device if it's lost or stolen. This is especially important if the device stores any sensitive personal information.

Change smartphone settings to stop automatic connections to public Wi-Fi.

Keep up-to-date anti-virus software on devices that connect to your network, including mobile devices.

HOW TO CONNECT REMOTELY TO THE NETWORK

Require employees and vendors to use secure connections when connecting remotely to your network. They should:

Use a router with WPA2 or WPA3 encryption when connecting from their homes. Encryption protects information sent over a network so that outsiders can't read it. WPA2 and WPA3 are the only encryption standards that will protect information sent over a wireless network.

Only use public Wi-Fi when also using a virtual private network (VPN) to encrypt traffic between their computers and the internet. Public Wi-Fi does not provide a secure internet connection on its own. Your employees can get a personal VPN account from a VPN service provider, or you may want to hire a vendor to create an enterprise VPN for all employees to use.

WHAT TO DO TO MAINTAIN SECURITY

Train your staff:
  • Include information on secure remote access in regular training and new staff orientations.
  • Have policies covering basic cybersecurity, give copies to your employees, and explain the importance of following them.
  • Before letting any device, whether at an employee's home or on a vendor's network, connect to your network, make sure it meets your network's security requirements.
  • Tell your staff about the risks of public Wi-Fi.

GIVE YOUR STAFF TOOLS THAT WILL HELP MAINTAIN SECURITY:

  • Require employees to use unique, complex network passwords and avoid unattended, open workstations.
  • Consider creating a VPN for employees to use when connecting remotely to the business network.
  • Require multi-factor authentication to access areas of your network that have sensitive information. This requires additional steps beyond logging in with a password, like a temporary code on a smartphone or a key that's inserted into a computer.
  • If you offer Wi-Fi on your business premises for guests and customers, make sure it's separate from and not connected to your business network.
  • Include provisions for security in your vendor contracts, especially if the vendor will be connecting remotely to your network.

Fake checks drive many types of scams, like those involving phony prize wins, fake jobs, mystery shoppers, online classified ad sales, and others. In a fake check scam, a person you don't know asks you to deposit a check, sometimes for several thousand dollars and usually for more than what you are owed, and wire some of the money back to that person. The scammers always have a good story to explain the overpayment: they're stuck out of the country, they need you to cover taxes or fees, you need to buy supplies, or something else. But by the time your bank discovers you've deposited a bad check, the scammer already has the money you sent, and you're stuck paying the rest of the check back to the bank.

The Federal Trade Commission receives tens of thousands of reports each year about fake checks. Over the last three years, the number of complaints has steadily increased, and so have the dollars lost.

The FTC's new infographic, developed with the American Bankers Association Foundation, offers some tip-offs to rip-offs and what to do if you get a check from someone you don't know.

Please share this information with others. Victims may be embarrassed to talk about their experiences, but you can help. A simple phone call, email or text, saying "Look what I just found" and sharing this information may make a difference in someone else's life.

Ransomware

Someone in your company gets an email.

It looks legitimate, but with one click on a link, or one download of an attachment, everyone is locked out of your network. That link downloaded software that holds your data hostage. That's a ransomware attack.

The attackers ask for money or cryptocurrency, but even if you pay, you don't know if the cyber criminals will keep your data or destroy your files. Meanwhile, the information you need to run your business and sensitive details about your customers, employees, and company are now in criminal hands. Ransomware can take a serious toll on your business.

How it Happens

Criminals can start a ransomware attack in a variety of ways:

  • Scam emails with links and attachments that put your data and network at risk. These phishing emails are a common starting point for ransomware attacks.
  • Server vulnerabilities that hackers can exploit.
  • Infected websites that automatically download malicious software onto your computer.
  • Online ads that contain malicious code, even on websites you know and trust.

How To Protect Your Business

  • Have a plan: How would your business stay up and running after a ransomware attack? Put this plan in writing and share it with everyone who needs to know.
  • Back up your data: Regularly save important files to a drive or server that's not connected to your network. Make data backup part of your routine business operations.
  • Keep your security up to date: Always install the latest patches and updates. Look for additional means of protection, like email authentication and intrusion prevention software, and set them to update automatically on your computer. On mobile devices, you may have to do it manually.
  • Alert your staff: Teach them how to avoid phishing scams and show them some of the common ways computers and devices become infected. Include tips for spotting and protecting against ransomware in your regular orientation and training.

What To Do If You're Attacked

  • Limit the damage: Immediately disconnect the infected computers or devices from your network. If your data has been stolen, take steps to protect your company and notify those who might be affected.
  • Contact the authorities: Report the attack right away to your local FBI office.
  • Keep your business running: Now's the time to implement the plan. Having data backed up will help.
  • Should I pay the ransom? Law enforcement doesn't recommend that, but it's up to you to determine whether the risks and costs of paying are worth the possibility of getting your files back. However, paying the ransom does not guarantee you get your data back.
  • Notify customers: If your data or personal information was compromised, make sure you notify the affected parties; they could be at risk of identity theft.

How to Avoid Cryptocurrency Scams!
 
Scammers are always finding new ways to steal your money using cryptocurrency. To steer clear of a crypto con, here are some things to know.

  • ONLY SCAMMERS DEMAND PAYMENT IN CRYPTOCURRENCY. No legitimate business is going to demand you send cryptocurrency in advance, not to buy something, and not to protect your money. That's always a scam.
  • ONLY SCAMMERS WILL GUARANTEE PROFITS OR BIG RETURNS. Don't trust people who promise you can quickly and easily make money in the crypto markets.
  • NEVER MIX ONLINE DATING AND INVESTMENT ADVICE. If you meet someone on a dating site or app, and they want to show you how to invest in crypto, or ask you to send them crypto, that's a scam.

Spot Crypto-Related Scams
 
Here are some common investment scams, and how to spot them.

  • A so-called "investment manager" contacts you out of the blue. They promise to grow your money, but only if you buy cryptocurrency and transfer it into their online account. The investment website they steer you to looks real, but it's a fake, and so are their promises. If you log in to your "investment account", you won't be able to withdraw your money at all, or only if you pay high fees.
  • An online "love interest" wants you to send money or cryptocurrency to help you invest. That's a scam. As soon as someone you meet on a dating app asks you for money, or offers you investment advice, know this: that's a scammer. The advice and offers to help you invest in cryptocurrency are nothing but scams. If you send them crypto, or money of any kind, it'll be gone, and you typically won't get it back.
  • Scammers guarantee that you'll make money or promise big payouts with guaranteed returns. Nobody can make those guarantees, much less in a short time. And there's nothing "low risk" about cryptocurrency investments. So: if a company or person promises you'll make a profit, that's a scam, even if there's a celebrity endorsement or testimonials from happy investors. Those are easily faked.
  • Scammers promise free money. They'll promise free cash or cryptocurrency, but free money promises are always fake.
  • Scammers make big claims without details or explanations. No matter what the investment, find out how it works and ask questions about where your money is going. Honest investment managers or advisors want to share that information and will back it up with details. 
  • IF YOU SEE A TWEET (OR A TEXT, OR OTHER MESSAGE ON SOCIAL MEDIA) THAT TELLS YOU TO PAY WITH CRYPTOCURRENCY, THAT'S A SCAM!

Technology Topic of the Month

Account Takeover

What is Account Takeover?

Account Takeover (ATO) fraud involves a criminal gaining unauthorized access to a user's account and using it for some type of personal gain.

What is Account Takeover Fraud?

Account takeover fraud can involve any type of online account, including social media and online banking accounts. Commonly targeted accounts are those from which a criminal can steal money. For example, a hacker might gain access to an online banking account and send funds to their own account. A fraudster could take over a social media account and invent a reason to request money from family and friends of the victim.


Difference Between Account Takeover and Identity Theft

With account takeover, the fraudster is using an existing account, whereas in identity theft, they would open up a new account while posing as the victim.


How Do Criminals Get Credentials In the First Place?


Data Breaches

A data breach is when a list of usernames (and potentially accompanying passwords) is leaked. These lists go on sale on the black market, meaning any number of criminals could be using them at the same time.


If the username and password for one account are known, hackers can use automated tools to try the same combination on a list of popular online platforms. This is referred to as credential stuffing, and it is the reason it's so important to use a different password for every account.


Phishing Scams

These attacks may occur via email, over the phone, or via text message. The fraudster is trying to get you to hand over your login information. A phishing email might pose as a customer support message that persuades you to click a link to a phishing site (a fake website designed to phish for information). Here, you are prompted to enter your login information, which is then stolen by criminals.


Phone Scams

An example of an account takeover scam initiated over the phone is a variant of the tech support scam.


For example, the criminal poses as a Microsoft representative and persuades you that your computer has a virus and needs to be fixed. You hand over remote access to your device, and the criminal can access any accounts you have credentials stored for. They may purport to be "testing" accounts and access them in plain sight, or they could use the remote access to install spyware.


Spyware

Specific types of malware downloaded onto your device from malicious email links or attachments could expose your credentials. Some spyware takes regular images of your computer sessions, while key loggers record every keystroke, exposing your usernames and passwords.


Hacking Over Unsecured Wi-Fi

Many people think nothing of logging in to free Wi-Fi while at a café, mall, hotel, or airport. But these networks are often unsecured and represent a great opportunity for hackers to steal your information. A common attack over these networks is a man-in-the-middle attack, in which the hacker intercepts the contents of your internet traffic.


What are Attackers Trying To Do?

Here are some of the different things that criminals can get up to once they have access:

  • Credit card fraud: Stored credit card details can be used for credit card fraud.
  • Merchant account fraud: With access to a bank account, an attacker can transfer funds to another account, among other things.
  • Re-sell credentials: Username and password combinations may be posted for sale on the black market.
  • Take out loans: Access to financial accounts can be used to take out loans and even mortgages in the victim's name.
  • Monetary requests: By taking over a victim's social media account, the attacker can pose as the victim and make requests to family and friends for money.

* Once a criminal has access to an account, they usually very quickly try to lock the real user out by changing the password, recovery email, two-factor authentication settings, and security questions, and by logging out other devices.


Business Email Imposters

A scammer sets up an email address that looks like it's from your company, then sends out messages using that email address. This practice is called spoofing, and the scammer is what we call a business email imposter.

How to Protect Your Business

Use email authentication: When you set up your business email, make sure the email provider offers email authentication technology. That way, when you send an email from your company's server, the receiving servers can confirm that the email is really from you. If it's not, the receiving servers may block the email and foil a business email imposter.

Keep your security up to date: Always install the latest patches and updates. Set them to update automatically on your network. Look for additional means of protection, like intrusion prevention software, which checks your network for suspicious activity and sends you alerts if it finds any.

Train your staff: Teach them to avoid phishing scams and show them some of the common ways attackers can infect computers and devices with malware. Include tips for spotting and protecting against cyber threats in your regular employee training and communications.

BUSINESS EMAIL COMPROMISE

Business email compromise (BEC), also known as email account compromise (EAC), is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business, both personal and professional.

In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request, like in these examples:

  • A vendor your company regularly deals with sends an invoice with an updated mailing address.
  • A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so that she can email them out right away.
  • A home buyer receives a message from his title company with instructions on how to wire his down payment.

Versions of these scenarios happened to real victims. All the messages were fake. And in each case, thousands, or even hundreds of thousands, of dollars were sent to criminals instead.

HOW CRIMINALS CARRY OUT BEC SCAMS

A scammer might:
  • Spoof an email account or website. Slight variations on legitimate addresses fool victims into thinking fake accounts are authentic.
  • Send spear phishing emails. These messages look like they're from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes.
  • Use malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or send messages so accountants or financial officers don't question payment requests. Malware lets criminals gain undetected access to victims' data, including passwords and financial account information.

Step 1: Identifying a Target
Organized crime groups target businesses in the U.S. and abroad by exploiting information available online to develop a profile on the company and its executives.

Step 2: Grooming
Spear phishing emails and/or phone calls target a victim company's officials (typically in the financial department).

Perpetrators use persuasion and pressure to manipulate and exploit employees' human nature.

Grooming may occur over a few days or weeks.

Step 3: Exchange of information
The victim is convinced they are conducting a legitimate business transaction. The unwitting victim is then provided wiring instructions.

Step 4: Wire Transfer

Upon transfer, the funds are steered to a bank account controlled by the organized crime group.

HOW TO PROTECT YOURSELF

  • Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
  • Don't click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company's phone number on your own (don't use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
  • Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
  • Be careful what you download. Never open an attachment from someone you don't know, and be wary of email attachments forwarded to you.
  • Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
  • Verify payment and purchase requests in person if possible, or by calling the person, to make sure the request is legitimate. You should verify any change in account number or payment procedures with the person making the request.
  • Be especially wary if the requester is pressing you to act quickly.
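The "slight variations on legitimate addresses" that BEC relies on (a swapped letter, a digit for a letter, a trusted domain buried inside a longer one) are exactly what an automated inbound-mail check catches more reliably than a tired eye. The following look-alike sender check is an added example written for this page, not code from the original; the trusted domain list, the sample addresses and the edit-distance threshold are assumptions.

```python
"""Added example (not from the original page): flag sender domains that are
look-alikes of domains you actually do business with. Trusted list, sample
addresses and thresholds are constructed assumptions for illustration."""
import unicodedata

# Assumed list of domains your vendors, title company and executives really use.
TRUSTED_DOMAINS = {"example-vendor.com", "example-title.com"}

def normalize(domain):
    """Fold common look-alike tricks so 'examp1e' and 'exarnple' compare equal to 'example'."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if c.isascii())  # strip accents / non-Latin glyphs
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")):
        d = d.replace(src, dst)
    return d

def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address, trusted=TRUSTED_DOMAINS, max_edits=2):
    """Return 'trusted', 'lookalike' or 'unknown' for an email address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"  # exact match or a genuine subdomain
    norm = normalize(domain)
    for t in trusted:
        # trusted name embedded in a longer domain, homoglyph fold, or a near-miss spelling
        if t in domain or normalize(t) == norm or edit_distance(normalize(t), norm) <= max_edits:
            return "lookalike"
    return "unknown"

SAMPLE_SENDERS = [  # constructed addresses, not real senders
    "billing@example-vendor.com",
    "billing@examp1e-vendor.com",
    "ceo@exarnple-vendor.com",
    "billing@example-vendor.co",
    "ap@example-vendor.com.invoices-portal.net",
    "help@totally-unrelated.org",
]

def triage(senders):
    """Classify each sender; 'lookalike' results are the ones to hold and verify by phone."""
    return {s: classify_sender(s) for s in senders}

if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_SENDERS).items():
        print(f"{verdict:9} {sender}")
```

A "lookalike" verdict is a reason to verify the request out of band, as the list above advises, not proof of fraud on its own.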

Proudly serving North Texas for over 130 years.