We recently had a customer report being tricked into sending money to the wrong place. We have seen an increase in this kind of activity since the pandemic began. I think the hackers realize that in the current environment companies are readjusting to a remote workforce. They are exploiting gaps in communications caused by the loss of in-person interaction. This is creating new targets of opportunity.
Companies and employees (through both business and personal activity) are producing a wealth of information for hackers to gather every day. They then use this knowledge to craft targeted attacks against employees.
How can companies protect themselves? We have examined several of these attacks and they are very well crafted. Here are some of our suggestions to protect yourself.
- Educate your employees! People tend to be the weakest link in any security system. You should have routine training in security and loss prevention for all employees, especially for those in the C-suite (prime targets).
- Treat all email as insecure. Hackers often impersonate a trusted associate by collecting information about the company and its employees, then crafting an email that, when opened, launches the attack. A common hack sets up a forwarding rule that sends a copy of your email to the attacker’s email address. The attacker then learns more about your daily operations, which they use for further attacks.
- Have established procedures. Create procedures for any communications requesting a change in procedure (financial or otherwise) such as the following:
- Call the company / person in question using a previously known phone number. The call should preferably be made by someone who deals with the company / person in question on a regular basis so they can validate the contact. Verify the requested change. Ask for specific supporting information.
- Don’t click on links or call numbers provided in the email. These often activate the attack or direct you to a very authentic-looking website that collects more data or launches an attack.
- Don’t respond to the email via email until you’ve established that the request is legitimate. If the request is a hack, you will have confirmed the hacker’s information and advanced the attack.
- Never provide any passwords, account numbers, personal information, or other information via email. Each new piece of information is an additional weapon to be used against you.
- Be suspicious of any emails requiring urgent action. Hackers will try to trick you into hasty action before you have had a chance to think about it.
- Question any unsolicited or out of character communications. Why is John (who is a stockperson) asking for the accounts payable person’s name, phone number, or email? Why is my customer suddenly unable to accept checks when you can still scan or deposit via ATM? Why does my supplier suddenly have a new web address?
- Look for grammatical or spelling errors. Attacks are often initiated overseas and the attacker may lack the nuances of your local dialect. Check the writing style. If you have been corresponding with the sender in the past, you probably have a sense of their writing style.
These attacks often come when key people are sick or on vacation or when somebody new starts with the company. Attackers know a lot of people are working remotely these days and may not have access to the people or files that would help them deflect the attack.
Your IT department should be leading the effort to prevent these attacks, but each of us plays an important role in security. A chain is only as strong as its weakest link.
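The forwarding rule mentioned above is something an IT team can audit for directly. The following is an added example, not part of the original article: it scans an exported list of mailbox rules for any that forward or redirect mail outside the company. The export format, field names, and the `example.com` domain are assumptions made for illustration.

```python
import json
from email.utils import parseaddr

# Constructed sample export; the field names are assumptions for this example,
# not any mail platform's real schema.
SAMPLE_RULES = json.loads("""[
 {"mailbox": "ap@example.com", "name": "sync", "enabled": true,
  "forward_to": ["ap-copy@example.com.example.net"]},
 {"mailbox": "ceo@example.com", "name": "Assistant copy", "enabled": true,
  "redirect_to": ["Assistant <assistant@mail.example.com>"]},
 {"mailbox": "sales@example.com", "name": ".", "enabled": false,
  "forward_as_attachment_to": ["Archive <box@EXAMPLE.ORG>"]},
 {"mailbox": "hr@example.com", "name": "Newsletters", "enabled": true,
  "move_to_folder": "News"}
]""")

INTERNAL_DOMAINS = {"example.com"}  # assumption: domains the company owns
FORWARD_FIELDS = ("forward_to", "redirect_to", "forward_as_attachment_to")

def domain_of(address):
    """Return the lowercased domain of an address, or None if it has none."""
    _, addr = parseaddr(address)
    local, sep, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if sep and local and domain else None

def is_internal(domain, internal_domains):
    """Exact match or true subdomain only; a substring or bare suffix test
    would accept 'example.com.example.net' or 'notexample.com'."""
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)

def external_forwarding_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """List every rule action that sends mail outside the company's domains.
    Disabled rules are reported too: they can be leftovers of a compromise."""
    findings = []
    for rule in rules:
        for field in FORWARD_FIELDS:
            for target in rule.get(field, []):
                domain = domain_of(target)
                # Targets that cannot be parsed are flagged for manual review.
                if domain is None or not is_internal(domain, internal_domains):
                    findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                                     "action": field, "target": target,
                                     "enabled": rule.get("enabled", True)})
    return findings

if __name__ == "__main__":
    for finding in external_forwarding_rules(SAMPLE_RULES):
        print(finding)
```

Any finding should be confirmed with the mailbox owner using the same out-of-band verification the procedures above call for.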