Fighting Fraud Amid Disruption: Is Your Company Practicing Good Cyber Hygiene?
Any company that uses digital tools is susceptible to cyberattacks, no matter the size or type of business. And as the COVID-19 pandemic has forced many companies to work outside their normal environments and processes, hackers and fraudsters are taking advantage of stressed employees, less secure home work environments and general economic and social disruption to increase their activity. However, it doesn’t have to take tremendous resources to make your business and your colleagues safe from cybercrime. A good defense starts with a greater awareness of the heightened risks and good cyber hygiene – simple online behavior or process changes – that can combat them.
Survey Says: Companies Believe Their Networks Are Secure
Business owners are confident in the measures they’re taking to protect their networks even as they report more attempts to breach them. A recent survey of middle-market business executives and owners conducted by KeyBank found that 70% of respondents believe their companies are very or somewhat secure.¹ At the same time, more companies reported experiencing cybersecurity incidents over the last 12 months than did when asked in June 2019.
Anti-virus and anti-malware protection are the top tools middle-market businesses use for cybersecurity, employed by 69% and 57% of respondents, respectively. However, since June 2019, there has been a significant increase in the usage of several cybersecurity tools, including password expiration policies, limited administrative access, VPN requirements, security measures to prevent unauthorized devices and dual authorization for payments.
Higher-revenue companies have more interest in implementing a number of cybersecurity tools, likely because of higher budgets, greater amounts of sensitive information and potentially a greater risk of a cybersecurity attack. Businesses that experienced a cyber incident tend to take multiple steps in response, but higher-revenue companies are more likely to consult with legal counsel (60%) and work with forensic experts (57%) in the aftermath.
How Hackers and Fraudsters Prey on Businesses and Individuals
Even before the spread of COVID-19 changed everyone’s behaviors, cybercrime was on the rise. According to the Federal Bureau of Investigation’s (FBI) 2019 Internet Crime Report, 2019 saw both the highest number of complaints and the highest dollar losses reported since the bureau established the Internet Crime Complaint Center (IC3) in May 2000.²
2020 is on pace to see a record increase, as fraud attempts have reached a frantic pace. In April, the FBI announced that instances of cybercrime appear to have jumped by as much as 300% since the beginning of the coronavirus pandemic.³ IC3 is receiving between 3,000 and 4,000 cybersecurity complaints every day, up from an average of 1,000 complaints per day before the pandemic.
Defending your company begins with understanding the most common schemes directed at businesses and individuals:
- ID theft and account takeover: “Phishing” scams that mimic legitimate financial institutions or technology providers to gain access to personal identifying information.
- Social engineering: Fraudsters use publicly available information, such as employer information, the names of family and friends, or schedules and habits garnered from social media, to obtain secure information.
- Investment scams: These scams prey on Americans who have received federal or state recovery funds.
- Websites for fake charities or products: Some scammers have set up fraudulent websites that appear to sell sought-after protective equipment or sanitation supplies or to help those affected by the pandemic, taking payment and never delivering items or support.
- Ransomware: Hackers access computers via remote desktop software or malicious attachments, encrypt the network and then demand a ransom payment before the victim can regain access.
“Many of the attacks we’ve seen use themes that rely on fears about the pandemic, or pretend to contain important instructions about working remotely, to convince the targeted employee to open the malicious files quickly, without thinking it through,” said Randy Pargman, Senior Director of Threat Hunting and Counterintelligence for Binary Defense. “The attacker’s intended purpose is to gain remote control of the company’s computers and steal sensitive information.”
What You Can Do to Protect Your Organization
Some of the basic protective measures your business can take don’t involve a major investment in security firms or software, but rather are focused on shifting processes and employee behaviors to make them less susceptible to fraud and attack.
“During this crisis and going forward, it is important for companies to establish secure work-from-home protocols for their employees, and to the extent possible, to put in place additional monitoring and escalation around anomalous activities,” said Kelly Uhrich, Senior Vice President, Deputy Chief Information Security Officer, KeyBank. “It is equally important for companies to engage with their third-party providers to ensure any necessary modifications and monitoring are agreed upon and implemented by both parties to ensure the security of information assets.”
KeyBank recommends short-term steps to keep business functions secure, including:
- Use positive pay for checks
- Add debit-blocks if shifting to Automated Clearing House (ACH) payments
- Watch for business compromise and phishing email fraud
- Maintain dual controls (or approvers) for all outbound payments
- Monitor accounts and purchase card activity daily
- Validate any payment instruction changes that occur via email by calling the requestor at a known valid phone number
Looking forward, companies should:
- Maintain heightened awareness of fraud risks by holding social engineering seminars for employees to demonstrate how they can be targeted and compromised
- Develop contingency plans to sustain dual controls
- Revisit ACH limits, as payment mix evolves
Spotlight on Wire Transactions
- If you receive an email or text with wiring instructions, do not reply. If you receive a phone call with wiring instructions, tell the caller you’re going to hang up to verify the information.
- To ensure you’ve received a legitimate request, call a trusted phone number you’ve used before to contact the vendor, or use a number written in the contract. Do NOT use a number listed in the email sent to you or call the number that texted you.
- After calling a trusted number, talk to the person that the email, text or call was said to have come from. Verify that there has been a change to wiring instructions.
Key Is Your Partner in Secure Transactions
As all businesses conform to a more digitized environment, which has been accelerated by the COVID-19 pandemic, educating employees and customers about cybersecurity has never been more important. KeyBank is committed to helping you protect your business and your treasury management system from fraud interference. To learn more about how Key can help support your company’s information security efforts, visit key.com/security or contact your KeyBank Payments Advisor.