Security threats can attack a company from all angles. You might have a security guard at the door to keep out unwanted visitors. Perhaps you have security cameras to keep an eye on things when you are not around. You likely have an anti-virus software to prevent a technical attack. But what do you do when a scammer tries to trick one of your employees into giving up sensitive information through an email?
This type of security threat is called Social Engineering. TechTarget.com defines this as follows:
Social engineering is a non-technical method of intrusion hackers use that relies heavily on human interaction and often involves tricking people into breaking normal security procedures. It is one of the greatest threats that organizations today encounter.
–TechTarget.com
A social engineering scam is one that targets the individual (rather than the computer) by posing as a trusted source, claiming to be, for example, a vendor. At first glance, nothing looks suspicious about these emails, as they are coming from an address that appears familiar, the language is professional, and they are making a reasonable business request. It could be presented as a vendor is asking you to change their banking information or a client is asking you to send payment to a new location.
Your employees need to know that these kinds of scams exist. If someone asks for personal or banking information, and you or your employee gives it away, there is nothing that your IT personnel can do to recover that data. The only protection is preemptive education.
Here is a list the FBI has provided to avoid this kind of scam along with some thoughts on each point:
- Verify changes in vendor payment location and confirm requests for transfer of funds.
- Have a second form of contact (like a phone call or a text message) so you can confirm the need to make changes to banking information or payment details.
- Be wary of free, web-based e-mail accounts, which are more susceptible to being hacked.
- In addition to being easily hacked, they are also easily spoofed. It is very easy for someone to make an email address through Google or Yahoo that is one letter different from an address you recognize.
- Be careful when posting financial and personnel information to social media and company websites.
- Let us say you are a CEO and you’re posting on Twitter that you will be on vacation and out of touch for the next two weeks. If a scammer is looking for a good time to pounce, that’s it. Scammers can also better personalize the scam if they know, for example, your specific bank and can say, “Hi, I’m Gary from Bank XYZ.” Or if they know that only Debra deals with vendor banking info and can ask for her by name.
- Regarding wire transfer payments, be suspicious of requests for secrecy or pressure to take action quickly.
- The world of business is fast-passed but you can always make time for dealing with money. Go the extra step and verify where your money is going. Pressure to rush should be a red flag.
- Consider financial security procedures that include a two-step verification process for wire transfer payments.
- In other words, have a second method of contact in place, especially when wiring money. Know that each request for funds is followed up with a phone call or a text.
- Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail but not exactly the same. For example, .co instead of .com.
- Partner with your IT technician to property filter your email if you don’t know how to yourself.
- If possible, register all Internet domains that are slightly different than the actual company domain.
- One way a scammer might spoof you email address is registering a domain that is one letter off from your email address. If your address is MyExample.com, they might use www.MyExamples.com
- Know the habits of your customers, including the reason, detail, and amount of payments. Beware of any significant changes.
- Use common sense. If a regular habit is broken or significant changes are requested, use the second mode of verification previously established to confirm the change.
If you have a question on the validity of the information in an email, and you have not established a secondary form of verification, rather than replying to that email, forward it. This gives you a chance to type in the address—manually—yourself.
Remember, the best way to avoid these scams is by educating your employees and letting them know it is okay to ask questions. If you would like more information or would like to schedule a training session with your employees, please contact Epsilon Systems at info@epsilon-e.com or by phone at 804.427.6567.
Dale Beck
Director of Technology
Epsilon Systems Consultants
