As if times weren’t challenging enough for businesses, companies are now dealing with pandemic-related cyber security threats. These scams are trying to take advantage of the crisis with targeted campaigns that play on people’s fear and sense of urgency, including phishing, business email compromise, spoofs of CDC emails, donation scams, and scams around personal protection equipment.
Smart Business spoke with Jim Altman, Middle Market Pennsylvania Regional Executive at Huntington Bank, about these threats and how companies can protect themselves.
What types of threats are on the rise now?
There has been an increase in business email compromise. For example, a company pays a landscaping company to take care of the property. If a scammer can get enough information about the landscaping company, they might send an email posing as the landscape company to the invoice processing folks saying that the bank account information has changed and provide them a new bank routing and account number that goes to the scammer’s account.
Ransomware has also become a greater issue for companies, but with a new twist. Scammers aren’t just holding the information hostage; they’re now using that information to extort the company by threatening to release information that could tarnish its reputation. It’s a whole second dynamic on ransomware that really revolves around a new disclosure issue. It’s a tremendous change in scammer tactics over the last six to nine months, and it’s likely going to get worse.
Another new issue revolves around integrity of data. The rise of misinformation campaigns has made it difficult to discern fact from fiction. That makes it easier to put some inflammatory information out and have it get some legs. It’s something that’s expected to be much more of a concern for businesses.
What weaknesses are scammers exploiting?
Often what’s being exploited in these scams is employees. They often react too quickly and without scrutinizing the message. Prevention, then, is in large part about engaging employees early, making them aware of the threats and asking them to be diligent. Ask them to pause before responding, especially when the request is about the movement of funds.
It’s important that employees are trained to look at where messages are coming from. That means carefully looking at all the information because the difference between a legitimate message and a scam is often one letter. While a lot of the fake domain names were registered around the COVID pandemic, a growing number were registered with just a simple change — taking one ‘t’ out of ‘Pittsburgh,’ for example, to spoof legitimate company websites.
Employees should also use a two-factor authentication process — something you have and something you know. Passwords are often the thing you know. Tokens, either hardware-based or software-based, cover the something you have. This is especially critical when it comes to requests that have to do with money. Confirm any client-requested change directly with the client by calling their contact using a number that’s on file, not by clicking on a link or calling a number that’s in the email.
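The "one letter off" domain spoofing described above (the missing ‘t’ in ‘Pittsburgh’) is something a mail gateway or an accounts-payable intake script can check for automatically before a human ever reads the message. The following is an added example, not code from the interview or from Huntington Bank: it compares the sender's domain against a constructed list of known vendor domains, folds a few assumed look-alike character swaps (0/o, 1/l, rn/m), and flags anything within one edit of a real partner as a lookalike rather than a new, unknown sender. The domain names and sample messages are constructed for the demonstration.

```python
import re
from typing import Optional, Tuple

# Constructed sample of vendor domains the company already does business with.
# In a real deployment this list would come from the vendor master file.
KNOWN_DOMAINS = {
    "pittsburghlandscaping.example",
    "citypropertyservices.example",
}

# Character swaps commonly used in look-alike domains (assumed, not exhaustive).
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
_MULTI_CONFUSABLES = (("rn", "m"), ("vv", "w"))


def normalize(domain: str) -> str:
    """Fold look-alike substitutions so that 'p1ttsburgh' compares as 'plttsburgh'."""
    d = domain.lower().translate(_CONFUSABLES)
    for fake, real in _MULTI_CONFUSABLES:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> Optional[str]:
    """Extract the domain from a From header value such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address)
    return m.group(1).lower() if m else None


def classify_sender(address: str, known=KNOWN_DOMAINS, max_distance: int = 1) -> Tuple[str, Optional[str]]:
    """Return (verdict, domain): 'legitimate', 'lookalike' (with the real domain
    being imitated), 'unknown', or 'unparseable'."""
    domain = sender_domain(address)
    if domain is None:
        return ("unparseable", None)
    if domain in known:
        return ("legitimate", domain)
    norm = normalize(domain)
    best = None
    for real in known:
        d = levenshtein(norm, normalize(real))
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, real)
    if best is not None:
        return ("lookalike", best[1])
    return ("unknown", domain)


# Constructed inbound messages, as an accounts-payable inbox might receive them.
SAMPLE_MESSAGES = [
    {"from": "Acme Landscaping <billing@pittsburghlandscaping.example>", "subject": "Invoice 4471"},
    {"from": "Acme Landscaping <billing@pitsburghlandscaping.example>", "subject": "Updated remittance details"},
    {"from": "Recruiter <jobs@unrelated.example>", "subject": "Open position"},
]


def flag_messages(messages):
    """Return (subject, verdict) for every message not from a known vendor domain,
    so a reviewer can hold it for out-of-band confirmation."""
    flagged = []
    for msg in messages:
        verdict = classify_sender(msg["from"])
        if verdict[0] != "legitimate":
            flagged.append((msg["subject"], verdict))
    return flagged


if __name__ == "__main__":
    for subject, (verdict, domain) in flag_messages(SAMPLE_MESSAGES):
        print(f"{verdict:12} {subject!r} (domain: {domain})")
```

A "lookalike" verdict is the one that matters for payment-change requests: the message claims to come from a partner but the domain does not match the partner's domain on file, which is exactly the case where the recipient should phone the contact number on record rather than reply. An "unknown" verdict is ordinary unsolicited mail and can be routed as usual.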
How can companies protect themselves?
Protection should happen on a number of fronts. In addition to training, companies should make sure they have updated and current operating systems and applications, solid electronic payment processes, and a vulnerability and patch management process that has clear policies and procedures around cybersecurity. Large companies should independently assess their security through an independent assessment. Those that are sharing data with third parties, such as in instances where certain responsibilities are being outsourced, should assess the security of those partners as well.
It’s also important that companies have checks and balances in all of their processes. Make sure to have segregation of duties, and assign only the account privileges required for employees to fully handle their work tasks. Also consider cybersecurity insurance. It’s a good idea to engage professionals to really look through a policy to find out what it covers if the company is affected by ransomware.
Insights Banking & Finance is brought to you by Huntington Bank