Corporate fraud is big business during the holidays: crooks count on you and your staff being distracted by the hustle and bustle of the season and year-end preparations. Our friends at KnowBe4, leaders in security awareness and training, remind us of the importance of being on guard and security aware at all times.
Common Cause of Fraud
Human error. Roughly 90% of breaches begin with social engineering, the art of deceiving and manipulating people. Most business security breaches occur when a staff member accidentally falls prey to an “ishing” scam: phishing, vishing, smishing or quishing.
Scams: The Big Four
1. Phishing (email scams) – Criminals use bogus schemes, impersonating your CEO, coworkers, vendors or other known individuals to trick you into compromising your business accounts.
For example, a vendor appears to send you a bill with a notice that its address or bank details for payments have changed, and you are asked to remit payment to the new account listed in the email. If you follow the instructions, you may be sending payments to a crook's account without knowing it until the real vendor contacts you about the missing payments.
In another example, you receive an email claiming to be from a vendor wishing you a happy holiday, with a link to register for a free vendor gift. Clicking the link may lead to a fake website designed to steal any information you submit.
2. Vishing (voice/phone scams) - A crook calls with a fabricated scenario (a pretext) to trick you into giving up personal or company account information.
For example, a criminal pretends to be a trusted vendor who needs certain details to “confirm your identity.” If you comply, the caller can use that data for other malicious activity, such as identity theft or account takeover.
A related form crosses into physical security: a criminal poses as a trusted vendor and requests access to your building, where they might install malware on a computer or reach your network from the inside.
3. Smishing (text scams) – Fraudulent text messages pretending to be from reputable companies, asking you to reveal personal information such as credit card numbers or login details.
For example, you receive a text from your bank about an issue with your business account. The message tells you to click the link to resolve the issue. If you click the link and enter your login details, the crook can use them to take over your bank account.
4. Quishing (QR code scams) – Malicious QR codes used to deliver malware or steal your personal or business information. A QR code hides its destination, so you cannot inspect the link before you scan it.
For example, you receive an email claiming to be from Microsoft announcing that your authentication is expiring soon and that you must scan the QR code to re-authenticate your account or be locked out.
A criminal may also target your employees by impersonating, say, your HR manager and announcing new employee benefits for the upcoming year. Employees are directed to scan the QR code for quick access to their personal documents. If they do, they may be downloading malware onto their computer or handing the attacker access to your network, where they can steal company data or take over your accounts.
Be On Guard for Scams Targeting Your Business
Know the signs of social engineering:
- Pressure to act quickly
- Enticing offers and notifications stirring your curiosity
- Requests for account changes or confirmation
- Fear alerts about account fraud, shipping disruptions, software upgrades and payment errors
Verify, Verify, Verify
Slow down and check sources:
- Verify vendors by calling them directly (using the number already in your records or a directory listing, not the number provided in the message) to confirm the message you received.
- Examine the email sender address, website URL and all links carefully before sharing any information or sending any payments.
- Is the subject or message causing a strong emotional reaction?
- Who is sending this message? Is it from a known email address or has the address slightly changed?
- Are there misspellings, fuzzy pictures, QR codes and links in the message?
- Where does the link lead? Hover over the link to see the real URL and examine it closely to determine whether it points to a trusted source. Links you cannot make sense of (long random strings, shortened URLs, or a familiar name buried inside an unfamiliar domain) are red flags.
- Can I 100% confirm the source of information is legitimate?
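The sender, link and wording checks in this list can be automated as a first pass before a person looks at the message. The following Python script is an added example, not code from this article or from KnowBe4; the trusted vendor domains, the phrase lists, the homoglyph table and the sample message are all constructed for illustration, and the heuristics are deliberately simple (same name on another TLD, digit-for-letter swaps, a one-character edit, and link text that disagrees with its target).

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Vendors you actually do business with (constructed for this example).
KNOWN_DOMAINS = {"acme-supplies.com", "contoso.com"}
# Wording from the red-flag list: pressure to act quickly, and account-change requests.
PRESSURE_PHRASES = ("urgent", "immediately", "within 24 hours", "account will be locked", "act now")
ACCOUNT_CHANGE_PHRASES = ("new account", "updated bank details", "change of address", "new bank")
# Digits commonly swapped for letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(domain: str, known=KNOWN_DOMAINS):
    """Trusted domain this sender domain imitates, or None if exactly trusted or unrelated."""
    domain = domain.lower()
    if domain in known:
        return None
    name = domain.split(".")[0].translate(HOMOGLYPHS).replace("rn", "m")
    for trusted in known:
        trusted_name = trusted.split(".")[0]
        if name == trusted_name or edit_distance(name, trusted_name) <= 1:
            return trusted
    return None

class LinkCollector(HTMLParser):
    """Collects (display text, href) pairs and the visible text of an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._buf = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._buf).strip(), self._href))
            self._href = None

def host_of(url: str) -> str:
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def link_mismatches(links):
    """Links whose visible text looks like a URL but whose href goes somewhere else."""
    return [(text, href) for text, href in links
            if URL_LIKE.match(text) and host_of(text) != host_of(href)]

def triage(raw_eml: str) -> dict:
    """Run the checklist against one raw message and return the findings."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    _, sender = parseaddr(str(msg["From"]))
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    visible = (str(msg["Subject"] or "") + " " + "".join(collector.text)).lower()
    findings = {
        "sender": sender,
        "lookalike_of": lookalike_domain(sender.rpartition("@")[2]),
        "link_mismatches": link_mismatches(collector.links),
        "pressure_phrases": [p for p in PRESSURE_PHRASES if p in visible],
        "account_change_request": any(p in visible for p in ACCOUNT_CHANGE_PHRASES),
    }
    hold = findings["lookalike_of"] or findings["link_mismatches"] or findings["account_change_request"]
    findings["verdict"] = "hold: verify with the vendor by phone" if hold else "no automatic red flags"
    return findings

# Constructed sample: a vendor bank-change lure sent from a lookalike domain
# (capital I in place of l) with a link whose text and target disagree.
SAMPLE_EML = """\
From: Accounts Payable <billing@acme-suppIies.com>
Subject: URGENT: Updated bank details for invoice 4471
Content-Type: text/html; charset=utf-8

<html><body><p>Please remit payment immediately to our new account.
Confirm at <a href="https://acme-supplies.com.verify-payments.example">https://acme-supplies.com/vendor-portal</a></p></body></html>
"""

if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

On the sample, `triage` reports the sender as a lookalike of acme-supplies.com, the one link as a text/target mismatch, the phrases "urgent" and "immediately", and an account-change request, so the verdict is to hold the payment and phone the vendor. A clean message from a known domain with no such indicators comes back with no automatic red flags, which is why the last item on the checklist still matters: a script like this only removes the obvious cases.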
Set Up Dual Controls for Online Transactions
Establishing layers of approval for online transactions helps your team catch suspicious activity before a transaction is completed.
For example, you may assign one employee to enter an outgoing ACH transaction and a different employee or supervisor to approve it before the payment is submitted.
Dual controls protect against human error:
- Once you authorize an online transaction, it is generally irrevocable.
- If you authorize a fraudulent transaction, it is nearly impossible to get the money back.
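The maker-checker arrangement above can be enforced in the payment workflow itself rather than left to habit, and it can be combined with the vendor bank-change check: a payment to a vendor whose account details changed recently is refused until someone has called the vendor back on a number from your own records. The following Python example is added here and is not code from this article, from KnowBe4 or from any bank's system; the vendor and payment records, the 30-day cooldown and the callback flag are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

class ControlViolation(Exception):
    """Raised when a payment would bypass a dual-control rule."""

@dataclass
class Vendor:
    name: str
    account_on_file: str                          # masked account number (constructed)
    account_changed_on: Optional[date] = None     # when the account on file last changed
    change_verified_by_callback: bool = False     # confirmed by phone on a known-good number?

@dataclass
class Payment:
    vendor: Vendor
    amount_cents: int
    entered_by: str
    approved_by: Optional[str] = None
    released: bool = False

def enter_payment(vendor: Vendor, amount_cents: int, entered_by: str) -> Payment:
    """Step one: the initiator keys the ACH or wire but cannot release it."""
    if amount_cents <= 0:
        raise ValueError("amount must be positive")
    return Payment(vendor, amount_cents, entered_by)

def approve_payment(payment: Payment, approver: str, today: date,
                    change_cooldown_days: int = 30) -> Payment:
    """Step two: a different person approves. Approval is refused if the vendor's
    bank details changed within the cooldown and nobody has verified the change
    by calling the vendor on a number from your own records."""
    if approver == payment.entered_by:
        raise ControlViolation("the person who entered the payment cannot approve it")
    v = payment.vendor
    if v.account_changed_on is not None:
        age = today - v.account_changed_on
        if age < timedelta(days=change_cooldown_days) and not v.change_verified_by_callback:
            raise ControlViolation(
                f"{v.name}: bank details changed {age.days} days ago and were not verified "
                "by calling the vendor on a known-good number")
    payment.approved_by = approver
    payment.released = True
    return payment

def try_release(payment: Payment, approver: str, today: date):
    """Wrapper returning (released, reason) instead of raising, for logging or UI."""
    try:
        approve_payment(payment, approver, today)
        return True, "released"
    except ControlViolation as exc:
        return False, str(exc)

if __name__ == "__main__":
    # Constructed scenario: a vendor whose bank details "changed" last week by email.
    today = date(2024, 12, 16)
    acme = Vendor("Acme Supplies", "****4471", account_changed_on=date(2024, 12, 10))
    p = enter_payment(acme, 1_250_000, entered_by="alice")
    print(try_release(p, "alice", today))    # same person entered and approved: blocked
    print(try_release(p, "bob", today))      # recent, unverified account change: blocked
    acme.change_verified_by_callback = True  # AP called the number in the vendor file
    print(try_release(p, "bob", today))      # released
```

The two rules are independent: a second approver alone does not help if both people trust the same forged email, and a callback alone does not help if one person can both enter and release. Only the combination covers the bank-change lure described earlier.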
Regularly back up data, update systems and use security measures
Research shows millions of malware variants circulating on the internet, infecting everything from phones and tablets to computers and home networks, and AI tooling is accelerating how quickly new variants and convincing lures are produced.
- Antivirus and malware detection software must be used at all times and kept up to date.
- Use strong passwords and multi-factor authentication.
- Patches and updates should be applied regularly to computer operating systems, anti-malware, security tools and day-to-day applications. Older computers and operating systems are more vulnerable to attack, so budget for periodic maintenance and replacement of computers and technology tools.
- Use a secured Wi-Fi network with a strong passphrase, and change the passphrase periodically and whenever it may have been exposed, such as when an employee leaves, to keep intruders off your network.
- Educate staff on common scams and red flags.
Train Your Staff To Recognize And Report Suspicious “Ishing”
All staff should know the protocol for a security incident. Recognizing a scam matters, but so does knowing what to do when an incident occurs. Resolution is all about time, says KnowBe4: the sooner a threat is detected and reported, the better the chances of limiting the damage.
If you authorize a wire transfer or electronic payment to a fraudulent account, it’s nearly impossible to get the money back. Once a criminal gains access to your account, they move quickly to withdraw your money before you can stop it.
It’s important for you to move quickly to stop further damage:
- Teach staff to report all potential or suspected security incidents immediately, and to whom.
- Regularly monitor your bank accounts and financial statements to detect discrepancies and suspicious activity.
- Contact your bank immediately if you suspect fraud on your personal or business accounts. The sooner they are notified, the quicker they can act to lock your accounts and protect against further damage.
Keep your guard up and stay alert of security threats to your organization.
Information in this article is provided, in part, by KnowBe4. This article is intended for information purposes only. The information provided does not constitute professional or legal advice. To learn more about Security Awareness and Training, visit https://www.knowbe4.com/