Business owner reviews cybersecurity on phone and laptop

October 21, 2020

Top Cybersecurity Threats to Your Mid-Sized Business

The COVID-19 pandemic and resulting focus on working remotely has created new opportunities for cyberfraudsters who pose serious threats to your company's finances, operations and reputation.

The FBI in March reported it was seeing an increase in pandemic-related fraud schemes and warned Americans to look out for fake emails related to stimulus checks and public health information, among other scams.

Cybersecurity experts also noted how scammers have become even more cunning in targeting employees in specific roles.

“There's been an obvious shift," said Brian Fricke, chief information security officer at City National Bank, where business clients have reported a wide range of fraudulent activity in the past several months. “Before the pandemic, it was more of a shotgun approach to see whom they could catch," he said, whereas now cybercriminals are doing more research and targeting employees who work remotely.

While news headlines tend to focus on major corporate cybersecurity breaches, softer targets, like small and mid-sized businesses, often fall victim to fraudsters as well.

Keep reading to understand the cybersecurity threats affecting your mid-sized business today, and how you can support your employees in protecting sensitive data.

Thank you for subscribing!
Error. This is not a valid email address. Please try again.
Error. Please make sure all fields are properly filled out and try again.
Subscribe to Our Newsletter

Targeting Your Employees

While traditional cyberattacks focus on company infrastructure, criminal hackers are now exploiting remote connectivity and often gaining entry though employee email, Fricke said.

“Business email compromise is one of the great milestones in an attacker's approach because once they have been able to gain access to a business email account, they can glean more information" by observing internal procedures and better understanding how your business operates, he said.

What might a hacker learn from an employee's mailbox?

“If the attacker were to gain access to the right employee's email account they could directly request and approve wire requests," Fricke noted.

Fraudsters also may alter information on wire requests, launch an attack on another client or the bank itself and continue to identify high-value targets, he said.

Email Compromise: What does it look like?

Among the numerous cyberscams that City National's business clients have reported recently, the most common include:

  • Fraudsters using an employee's hacked email account to send a wire transfer request that looks like it had originated inside the company, or criminals purporting to be vendors and requesting changes in wire instructions for future payments.

  • Criminal hackers using employee email to send a fraudulent ACH request.

  • Fraudsters sending a forged PDF letter to a company's customer asking that a payment be redirected to a different bank. In this case, the customer fortunately recognized the scam and notified the hacked company, Fricke said.

"Most people aren't looking for phishing attacks from those they consider trusted senders. So when a client's email account gets compromised, it is more difficult to recognize the fraud," Fricke said.

How can you and your employees learn to recognize a suspicious sender?

It's tricky, but these messages often arrive out of the blue and appear to come from company insiders whose names you don't necessarily recognize.

They may open with greetings such as, "Hi, I'm Sally from the help desk," said Barbara Allen-Watkins, president and CEO of cybersecurity training firm BAW Consulting Services and a former City National Bank senior vice president. This is often the case with spearfishing emails.

Spearfishing emails are a popular attack type that targets specific workers or executives. Once an email account is compromised in this way, thieves can send out legitimate-looking invoices, wire requests, W-2 information and updated payment instructions.

“The purpose of spearfishing is to reach those people who have the credentials or the access authority that the hackers need in order to gain access to the system and get as much data as they can," said Allen-Watkins.

"Cybersecurity threats are becoming more and more sophisticated, and handling all this remote access is one of the biggest cybersecurity challenges facing companies today," she noted, suggesting that mid-sized companies may want to divert revenue-generating capital to cybersecurity plans and efforts during this unusual time.

How to Protect Your Company's Data

Every company should have a cyber-incident response plan, said Allen-Watkins.

"If you have a plan in place, you and your employees will know exactly what you're going to do if an attack happens. You'll be able to recover faster, and it'll cost you less money," she explained.

Some key red flags and responses to cybercrime that you should communicate to your employees include:

  • Looking for unanticipated changes in payment information or communications, such as new wire instructions, account numbers or emails or new requests for advanced payments and direct deposits.

  • Watching for anomalies, like an unexpected phone call from a client or supplier who usually communicates by email.

  • Understanding that any random, unsolicited email asking you to click a link, download a file or provide login credentials — user names and passwords — or other sensitive information is likely a scam.

  • Helping the company secure the greater information system by using multi-factor authentication for account logins.

  • Calling to verify any unexpected changes made to client or vendor email accounts, phone numbers or payment instructions, and looking for misspellings in websites, email addresses and hyperlinks. For instance, employees should know to hover their cursor over email and website links to make sure they match the domain from the business that purportedly sent the message.

At the same time, Allen-Watkins recommended that companies hire third-party consulting firms to conduct cyber risk assessments. These assessments could help companies identify security gaps and make recommendations on proper tools to have in place to detect, deflect and destroy viruses.

From there, she suggested that firms obtain cyberfraud liability insurance and develop a cybersecurity training protocol. “Training employees is an ongoing process," she noted.

Along the same lines, City National's Fricke suggested that every company develop a written information security program that includes a breach response plan, network security controls and the appropriate software tools and backup processes to combat ransomware.

Companies should look at state and federal cybersecurity laws, Fricke said, and at readily available guides, such as the National Institute of Standards and Technology cybersecurity framework, that provide best practices on guarding against, detecting, responding to and recovering from cyberthreats and attacks.

At the very least, executives and other employees should exercise caution when handling emails, texts or calls prompting them to click on links, download or open files or provide sensitive information.

“You have to stay vigilant, right? Most of the time there's some call to action," Fricke said. “If it sounds too good to be true, it probably is."

If cybercriminals do breach your security systems, contact your financial institution right away, audit all accounts to look for any other fraudulent activity, follow any response plan you have put in place and file a report with the FBI's Internet Crime Complaint Center.

This article is for general information and education only. It is provided as a courtesy to the clients and friends of City National Bank (City National). City National does not warrant that it is accurate or complete. Opinions expressed and estimates or projections given are those of the authors or persons quoted as of the date of the article with no obligation to update or notify of inaccuracy or change. This article may not be reproduced, distributed or further published by any person without the written consent of City National. Please cite source when quoting.

Thank you for subscribing!
Error. This is not a valid email address. Please try again.
Error. Please make sure all fields are properly filled out and try again.
Subscribe to Our Newsletter