Businesses of all sizes are vulnerable to cyberthreats. More than 52 percent of small business owners surveyed in the City National Small Business Report said cyberattacks pose the largest fraud threat to their company. And while cybersecurity threats are not new, they continue to spread faster and faster.
"In the world of cybersecurity, what's new is the speed at which attacks are deployed and spread," said Stacy Bertrand, manager of information security strategy and metrics at City National Bank. "Most malware isn't new or innovative — we've seen it before. But the pace at which it's spread is much faster than it once was."
One reason for the fast spread of malware and other malicious attacks is the increased inter-connectivity of the so-called "Internet of Things." "Many more devices are connected now, including phones, smart printers and smart refrigerators," Bertrand said. "If everything can be infected, it becomes more difficult to do our jobs."
In addition to increased connectivity, the faster pace of business has also contributed to the spread of cyberattacks. "Business moves faster now, so rather than waiting two days to respond to an email, we now feel like we need to respond in an hour," Bertrand said. "As a result, people may not check and verify before sending critical information."
As cyberattacks continue to spread rapidly, business leaders should be aware of the most prevalent threats.
About 90 percent of large-scale hacks start through some form of phishing, which includes any attempt to trick victims into sharing sensitive information such as passwords, usernames, financial information or credit card details for malicious reasons. In most cases, phishing attackers send emails requesting sensitive information that appear to come from an authentic organization. Phishing can also include emails that ask you to click a link, download a file or send money.
Another form of phishing is called "spear phishing." While phishing attacks go to large groups of people in the hope that someone will fall for the scam, spear phishing targets a specific individual. Also known as business email compromise, spear phishing emails will be addressed directly to a specific recipient with a personal message that may appear to come from a superior or a representative of a reputable service provider, customer or other institution. This "new wave of old-fashioned social engineering" targets a specific individual to get confidential information or initiate a financial transaction under false pretenses, Bertrand said.
Train employees to always check and verify that the sender of an email or a caller is who they say they are before releasing confidential information, Bertrand advised. "Even though it takes a few more minutes, pick up the phone and call the person."
Wire fraud typically happens in two different forms that are often associated with a phishing email. The first is when a fraudster impersonates you to conduct a financial transaction in your name. They may send an email to a colleague asking them to make a payment on your behalf.
The second common scam is when a fraudster impersonates someone you trust to communicate with you. In this case, the criminal might intercept a legitimate wire transfer and ask you to change the wire instructions at the last minute.
Scammers may pose as colleagues, clients or someone else with whom you or your company has done business recently. Their goal is to get your confidential account information and exploit it, or convince you to wire funds to them. In some cases, if they have access to your mail or invoices, they may pretend to be a vendor asking for funds to be wired to a new account.
In either scenario, the money ends up in the wrong hands. Unfortunately, wire fraud is difficult to resolve once the wire transfer has taken place because the money becomes untraceable.
Because wire fraud most commonly happens as a result of phishing or spear phishing, look for wire fraud red flags and always utilize at least two sources of verification before initiating a transfer.
Symantec Corporation, a nationally recognized security consulting firm, estimates that one out of every 131 emails contains malware, which is a virus, worm, Trojan horse, ransomware, spyware, adware, scareware or any type of software intended to damage or disable a computer or computer system. Usually, the objective of malware is to steal passwords or intercept or redirect internet traffic, enabling the criminal to access a financial system using the victim's credentials.
A specific malware known as ransomware is one of the newer and more malicious forms of fraud.
"Ransomware occurs when a computer receives a malware infection that encrypts the data and prevents you from using your computer until you pay a fee — or ransom — to the attacker," said Karl Mattson, chief information security officer at City National Bank. Hackers will commonly request payment in bitcoin or another form of cryptocurrency that is difficult or impossible to trace.
Every business needs a cybersecurity plan that helps anticipate and mitigate problems with malware and other hacks. The plan may include regular updates to all computer systems and specific best practices to which employees are required to adhere. Business owners should consider engaging expert consultants and purchasing cybersecurity insurance to avoid potential problems.
There are a few actions you can take to prevent ransomware and limit the impact of an infection. Keeping your computers up-to-date with system patches and antivirus updates is vital.
As an added precaution, utilize one of the many cloud-based services that offer data storage options for a low cost. Storing your data securely in the cloud acts as a buffer against the possibility of losing data to a ransomware infection locking your computer. If you do experience a ransomware situation, you may not need to pay the ransom to retrieve your information if you're able to restore your data from a safe backup.
In all cases of ransomware infection, consider contacting law enforcement for advice and assistance. Digital ransom is a crime that law enforcement does take seriously.
Having an understanding of the various forms of cyberattacks that can hit your business is the first step to avoiding or minimizing such events. You may also consider talking with your bank, cybersecurity company and other business partners to help you create a plan to prevent and mitigate cyberattacks on your business.
This article is for general information and education only. It is provided as a courtesy to the clients and friends of City National Bank (City National). City National does not warrant that it is accurate or complete. Opinions expressed and estimates or projections given are those of the authors or persons quoted as of the date of the article with no obligation to update or notify of inaccuracy or change. This article may not be reproduced, distributed or further published by any person without the written consent of City National. Please cite source when quoting.