Social engineering: don't fall victim to human hacking - part two
Part two of a two‐part series
Part one of this two‐part series identified in‐person threats and provided you with steps to secure your business. Part two covers remote threats to your business and outlines five simple steps to help you reduce your risk.
When it comes to securing their businesses from long‐distance threats, many owners invest in powerful software for tasks like encryption and firewall protection. But as Dave Gorr, Vice President of Investigation and Corporate Security at Johnson Financial Group, explains, software is only a part of what it takes to keep businesses safe. “Hackers often look for the easiest point of entry into your business,” says Gorr. “Often this ends up being the people behind the computers rather than the systems themselves.” Many criminals use email and phone calls to try to trick employees into giving up sensitive information. Combating this danger requires following some general rules that can protect your business.
Five ways to reduce your risk
Don't overshare. With the prevalence of Facebook, Instagram and other social media platforms, criminals can learn a great deal about your business and its employees. It is not unusual for employees to divulge information about travel plans, positions within the company and even salary information. “Due largely to social media, online sources are the largest cause of unintentional surrender of information,” explains Gorr. “Criminals use this information to help create realistic emails and gain greater access to your business.”
Exercise caution before opening emails. Most employees know not to open emails from unknown senders. But many do not look closely at addresses that appear legitimate. One area where this poses a risk is when hackers use a copycat email address to try to trick employees. “Thieves will often send from an address that is nearly identical to a legitimate address, perhaps missing a letter or changing the order slightly. Often, simply doing an internet search for an email address that seems suspicious will give you results on websites that track fraudulent addresses.”
Double‐check unknown senders. One of the most commonly used email scams is known as Business Email Compromise (BEC). “Right now this is often the most fruitful email hack. In a BEC hack, the fraudster has enough information about your corporation to represent themselves as a member of the leadership team, such as CFO, CEO or anyone with high authority. They will often mimic the form of your company emails and send a message to an employee asking for information. Typically, they will use urgency to get employees to give up the information without proper caution. Employees will often be afraid to be looked on unfavorably by this important leader and want to accomplish the task quickly.”
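The two patterns above, a sender domain that is one letter off or has two letters swapped, and a display name that matches an executive while the address behind it does not, can both be checked mechanically before an employee ever reads the message. The Python below is an added example written for this article, not a tool from Johnson Financial Group; the trusted domain, the executive directory and the sample From headers are constructed for illustration. It goes a little beyond the text by also folding common look‐alike characters (0 for o, rn for m) and flagging a trusted domain reused as a subdomain of someone else's (johnsonfinancialgroup.com.evil.net).

```python
from email.utils import parseaddr

# Constructed for this example: the organisation's own domain and the
# executives whose names an attacker would borrow in a BEC message.
TRUSTED_DOMAINS = {"johnsonfinancialgroup.com"}
EXECUTIVES = {"jane doe": "jane.doe@johnsonfinancialgroup.com"}  # hypothetical CFO

# Visual substitutions that survive a quick glance at an address.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Lower-case a domain and fold common look-alike characters."""
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insert, delete, substitute or swap of
    two adjacent characters each cost 1, so 'finanical' is 1 away from 'financial'."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[-1][-1]


def classify_sender(from_header: str) -> dict:
    """Return {'verdict': 'trusted' | 'suspicious' | 'unknown', 'reasons': [...]}."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons = []

    if domain in TRUSTED_DOMAINS:
        return {"verdict": "trusted", "reasons": []}

    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        t_norm = normalize(trusted)
        label = trusted.split(".")[0]
        if norm == t_norm:
            reasons.append(f"{domain} is a homoglyph of {trusted}")
        elif edit_distance(norm, t_norm) <= 2:
            reasons.append(f"{domain} is within 2 edits of {trusted}")
        elif label in domain.split("."):
            reasons.append(f"{domain} reuses the label '{label}' of {trusted}")

    # BEC pattern: the display name is a real executive, the mailbox is not theirs.
    key = " ".join(name.lower().split())
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        reasons.append(f"display name '{name}' belongs to {EXECUTIVES[key]} but address is {addr}")

    return {"verdict": "suspicious" if reasons else "unknown", "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample From headers, not real messages.
    samples = [
        "Dave Gorr <dave.gorr@johnsonfinancialgroup.com>",
        "CFO <cfo@johnsonfinancialgrop.com>",            # missing letter
        "CEO <ceo@johnsonfinanicalgroup.com>",           # swapped letters
        "Accounts <ap@j0hnsonfinancialgroup.com>",       # zero for o
        "Payroll <hr@johnsonfinancialgroup.com.evil.net>",
        "Jane Doe <jane.doe@gmail.com>",                 # executive name, outside mailbox
        "Vendor <billing@example.net>",
    ]
    for s in samples:
        print(f"{s:55} -> {classify_sender(s)}")
```

The check deliberately reports *why* a sender is suspicious, because that reason is what a mail filter should surface to the employee being asked to act urgently. Note what it does not cover: a message that forges the exact trusted domain in the From header passes as “trusted” here, and catching that requires sender authentication on the mail gateway (SPF, DKIM and DMARC) rather than string comparison.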
Secure remote employees. More and more businesses are offering opportunities for employees to work from home some or all of the time. If your employees will be working from home, ensure that any hardware used to store or access company systems is properly secured. “Often employees will use personal emails from home or transfer files they may be working on to an unsecured home computer,” says Gorr. “Work with your employees to ensure that any company information is as secure at their home as it is within the office.”
Don't rely on caller ID. While online threats are more common today, fraudulent phone calls remain a concern for businesses. One of the biggest mistakes businesses make is believing that caller ID will stop criminals from obtaining sensitive information. “Caller ID is relatively simple to trick,” warns Gorr. “There are websites that individuals can use to disguise or shadow the source of the call, and this type of misdirection is legal.” Instead of relying on caller ID, Gorr recommends that anyone who conducts business over the phone invest in voice print technology. According to Gorr, this technology can indicate the true origin of a call, which can be compared to what is shown on the caller ID to look for discrepancies. “For instance, the voice print technology may say a call is coming from India while the caller ID claims the call is coming from Iowa.” Whatever tooling is in place, the simplest check for any request that arrives by phone is to hang up and call back on a number your business already has on file. As you begin screening out fraudulent calls, your business can also maintain a blacklist to weed out numbers that are not legitimate, so that your business receives fewer and fewer of these calls over time.
While no business can be 100 percent protected from the threat of human hacking, creating expectations for security within your organization can help. “Deciding what security measures to train is step one,” says Gorr. “But it's easy for employees to start slipping back into poor habits after training is over.” Occasional reminders and additional training based on new threats can help keep security top of mind and protect your business from fraudsters.
At Johnson Bank, we take the trust you have placed in us to protect your financial information very seriously. Combining fraud prevention best practices with our integrated product solutions provides your company with a strong defense against fraud and external risks.