The COVID-19 pandemic and resulting focus on working remotely has created new opportunities for cyberfraudsters who pose serious threats to your company's finances, operations and reputation.
The FBI in March reported it was seeing an increase in pandemic-related fraud schemes and warned Americans to look out for fake emails related to stimulus checks and public health information, among other scams.
Cybersecurity experts also noted how scammers have become even more cunning in targeting employees in specific roles.
“There's been an obvious shift," said Brian Fricke, chief information security officer at City National Bank, where business clients have reported a wide range of fraudulent activity in the past several months. “Before the pandemic, it was more of a shotgun approach to see whom they could catch," he said, whereas now cybercriminals are doing more research and targeting employees who work remotely.
While news headlines tend to focus on major corporate cybersecurity breaches, softer targets, like small and mid-sized businesses, often fall victim to fraudsters as well.
Keep reading to understand the cybersecurity threats affecting your mid-sized business today, and how you can support your employees in protecting sensitive data.
While traditional cyberattacks focus on company infrastructure, criminal hackers are now exploiting remote connectivity and often gaining entry though employee email, Fricke said.
“Business email compromise is one of the great milestones in an attacker's approach because once they have been able to gain access to a business email account, they can glean more information" by observing internal procedures and better understanding how your business operates, he said.
What might a hacker learn from an employee's mailbox?
“If the attacker were to gain access to the right employee's email account they could directly request and approve wire requests," Fricke noted.
Fraudsters also may alter information on wire requests, launch an attack on another client or the bank itself and continue to identify high-value targets, he said.
Among the numerous cyberscams that City National's business clients have reported recently, the most common include:
"Most people aren't looking for phishing attacks from those they consider trusted senders. So when a client's email account gets compromised, it is more difficult to recognize the fraud," Fricke said.
How can you and your employees learn to recognize a suspicious sender?
It's tricky, but these messages often arrive out of the blue and appear to come from company insiders whose names you don't necessarily recognize.
They may open with greetings such as, "Hi, I'm Sally from the help desk," said Barbara Allen-Watkins, president and CEO of cybersecurity training firm BAW Consulting Services and a former City National Bank senior vice president. This is often the case with spearfishing emails.
Spearfishing emails are a popular attack type that targets specific workers or executives. Once an email account is compromised in this way, thieves can send out legitimate-looking invoices, wire requests, W-2 information and updated payment instructions.
“The purpose of spearfishing is to reach those people who have the credentials or the access authority that the hackers need in order to gain access to the system and get as much data as they can," said Allen-Watkins.
"Cybersecurity threats are becoming more and more sophisticated, and handling all this remote access is one of the biggest cybersecurity challenges facing companies today," she noted, suggesting that mid-sized companies may want to divert revenue-generating capital to cybersecurity plans and efforts during this unusual time.
Every company should have a cyber-incident response plan, said Allen-Watkins.
"If you have a plan in place, you and your employees will know exactly what you're going to do if an attack happens. You'll be able to recover faster, and it'll cost you less money," she explained.
Some key red flags and responses to cybercrime that you should communicate to your employees include:
At the same time, Allen-Watkins recommended that companies hire third-party consulting firms to conduct cyber risk assessments. These assessments could help companies identify security gaps and make recommendations on proper tools to have in place to detect, deflect and destroy viruses.
From there, she suggested that firms obtain cyberfraud liability insurance and develop a cybersecurity training protocol. “Training employees is an ongoing process," she noted.
Along the same lines, City National's Fricke suggested that every company develop a written information security program that includes a breach response plan, network security controls and the appropriate software tools and backup processes to combat ransomware.
Companies should look at state and federal cybersecurity laws, Fricke said, and at readily available guides, such as the National Institute of Standards and Technology cybersecurity framework, that provide best practices on guarding against, detecting, responding to and recovering from cyberthreats and attacks.
At the very least, executives and other employees should exercise caution when handling emails, texts or calls prompting them to click on links, download or open files or provide sensitive information.
“You have to stay vigilant, right? Most of the time there's some call to action," Fricke said. “If it sounds too good to be true, it probably is."
If cybercriminals do breach your security systems, contact your financial institution right away, audit all accounts to look for any other fraudulent activity, follow any response plan you have put in place and file a report with the FBI's Internet Crime Complaint Center.
This article is for general information and education only. It is provided as a courtesy to the clients and friends of City National Bank (City National). City National does not warrant that it is accurate or complete. Opinions expressed and estimates or projections given are those of the authors or persons quoted as of the date of the article with no obligation to update or notify of inaccuracy or change. This article may not be reproduced, distributed or further published by any person without the written consent of City National. Please cite source when quoting.