Criminals have a reliance on tricking victims to get access to account information, like passwords. This is known as social engineering, and is also called a “confidence crime.” These come in many forms:
Do Not Take the Bait of These Phishermen
- A phishing email that targets a specific person is known as spear-phishing. A spear-phishing email looks like an email that might come from a legitimate company to a specific person. For example, a thief might send a fake email to a company’s employee who handles money or IT. It looks like the email is from the CEO of the company, and it asks the employee for sensitive information, such as the password for a financial account or to transfer funds somewhere.
- Telephones are used for phishing, too, also called “vishing,” which is a combination of phishing and voicemail.
- Fake invoices are also popular among hackers and scammers. In this case, a fake invoice is sent to a company that looks like one from a legitimate vendor. Accounting pays the invoice, but the payment actually goes to a hacker.
- Another scam is when a bad guy leaves a random USB drive around the office or in a parking lot. His hope is that someone will find it, get nosy, and insert it into their computer. When they do, it releases malware onto the network.
- Cyber criminals also might try to impersonate a vendor or company employee to get access to business information.
- If someone calls, if you get an email, if the doorbell rings, or if someone enters your office, always look at it with suspicion.
Be thoughtful about security:
- Set up all bank accounts with two-factor authentication. All web-based email accounts should have two factor authentication. This way, even if a hacker gets your password, they still can’t access your accounts.
- Train staff to be careful about what they post on social media, such as the nickname the CEO goes by in the office.
- Do not click any link inside of an email. These often contain viruses that can install themselves on your network.
- Any requests for money or other sensitive data should be verified over the phone or in-person. Never just give the information in an email.
- All money transfers should require not one, but two signatures.
- Make sure all employees are fully trained to recognize a phishing attempt. Also, make sure to stage phishing simulation attempts to make sure they are following protocol.
- Help people understand the importance of looking out for things like a new email address for the CEO or Kathy in accounting suddenly signing her name Kathi.
- Also, teach staff to report any uncharacteristic behaviors with long-time vendors or even fellow coworkers.
I once presented a security awareness program to a company that was almost defrauded. They hired me because of an email accounting had received from the CEO. The CEO sent a nice proper letter to accounting requesting payment be made to a specific known vendor.
A number of things were wrong with the email. First and foremost, like I mentioned, the email was nice and proper. Apparently the CEO isn’t all that nice, is somewhat of a bully, and all his communications are laden with profanity. So the red flags, where the fact that the email was nice. Imagine.
Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.