These days there is no shortage of scam calls, phishing e-mails, and bad actors trying to steal what’s yours. They’ve managed to creep into every corner of our business and personal lives – our computers, our phones, our front porches, and our inboxes. So, how do you protect your business from these financial predators? To keep it simple – stay educated and diligent.
Scams change constantly. New technology is developed, new scammers are trained, and current events from as recently as yesterday are exploited. Therefore, one of the best things you can do to protect your business is to keep your employees up to date on current scams. There are businesses that provide cybersecurity training to organizations based on your company’s needs.
Staying diligent involves many technology-based solutions. First, protect your physical devices by following five simple practices:
- Don’t connect to public Wi-Fi when you intend to access sensitive business information on the web.
- To ensure you have control over that first item, don’t allow your devices to automatically join unfamiliar Wi-Fi networks.
- Disable automatic Bluetooth pairing on your phone, which can allow bad actors to sync up with your phone without you noticing.
- Don’t borrow phone chargers from strangers or use public USB charging stations, which can be loaded with malware.
- Keep the software and operating system on your computers up to date. Updates often fix known security vulnerabilities and should be made as soon as they’re available.
Second, protect your online presence by implementing a strong password policy for your employees. Businesses should strongly consider utilizing a password manager for their employees. The password manager itself should be protected with multi-factor authentication and a long password or passphrase. Twelve characters is long enough for a perfectly random password, but human-created passwords must be more than 18 characters to resist password-guessing attacks. The good news is that passphrases are just as strong as long, random-character passwords and are likely easier to remember. Examples of good passphrases might be: Ilikedaffodilsinspringtime or Today,Ihadanomeletteforbreakfast.
Suggest your employees use the How Secure is My Password? tool at Security.org to check the strength of their passwords.
Unfortunately, utilizing technology-based solutions alone is not enough to protect your business from the most effective scams of all, which are referred to as “social engineering.” Social engineering is when a bad actor manipulates an employee into performing an action (such as willingly transferring money) or divulging confidential information (such as account numbers) to be used for an illegitimate purpose. There is also a type of social engineering scam targeted at businesses that is called “CEO fraud” or “business e-mail compromise.” This is when a scammer impersonates the e-mail account or address of a high-ranking executive within the company, then e-mails employees requesting them to do tasks that will benefit the scammer. The information they use can all be found online. In this case, there is no reason for the scammer to hack into a computer or mobile device; this scam works when an employee willingly follows instructions from the so-called “executive.”
These types of scams are particularly dangerous because banks don’t generally offer the same protections if you fall victim to a social engineering scam that they would if someone hacked a business account or credit card.
Luckily, you can train your employees to identify a social engineering attack using these red flags:
- Scammers pretend to be from an organization you know and trust, or they pretend to be an executive within your company.
- Scammers present a problem you would want to take care of or a prize you would want to claim.
- Scammers pressure you to act immediately. They present the issue as urgent and discourage you from consulting with anyone else, including a manager or advisor.
- Scammers give specific instructions for transferring money in ways that are not how your business typically operates, such as sending money through a money transfer company or buying gift cards.
The best way to avoid getting scammed in a social engineering or business e-mail compromise attack is to train your employees to recognize, and then ignore, the attack.
Ultimately, the best defense is to train employees to use their best judgment. Train them to ask questions and ensure the answers make sense. Make sure they don’t give out business and financial information in response to a request they didn’t initiate. Don’t pay someone money to get money back in a different form. Make sure your employees are knowledgeable about company policies and don’t operate outside of company norms, even if it’s for “the big boss.”
Jennifer Pieson is a Financial Planning Analyst at Agili who assists clients with her financial planning and strategy expertise.
Amber Ott is Director of Operations, Chief Compliance Officer at Agili who manages the firm’s internal operations and maintains its compliance program.