When pandemic shutdowns shifted the nation’s commerce from in-person to online, cybersecurity experts knew that fraud attempts would follow. Circumstances during the past few years forced many Americans to quickly become far more comfortable with working remotely, banking, and making purchases online. Now, as the pandemic begins to recede as the primary focus of our attention, it’s a mistake to think that online threats will fade too.
As geopolitical tensions rise between Ukraine and Russia, it’s even more important to be aware of fraud attempts. Intense public interest and a willingness to help mean that Americans are sharing information and donating online to a wide variety of causes. This is where the risk of exposure increases, because all it takes is one click for your business to be at risk.
Think for a moment about some of the posts you might have seen recently on social media. Many of these include images of bombed-out buildings, stranded dogs and cats, or children huddled in below-ground shelters — all intended to capture your attention and elicit a sympathetic or action-oriented response.
Many of these images are from legitimate sources that are trying to raise money to help, but some are bogus images and videos serving as bait for malware or viruses. Even if the sender is familiar, exercise caution and conduct due diligence before clicking or following any links from emails or social media posts.
Make sure your employees and vendors are vigilant against phishing emails
Cyber threats are everywhere, and criminals take advantage of the human desire for information. An action as simple as opening an email or clicking a link can deploy keyloggers (programs that record which keys are struck on a keyboard, a technique also called keystroke logging), remote-access tools, or other malicious software onto a person’s computer, typically without the victim even noticing.
Remote work, which allowed many businesses to continue to function at the height of the pandemic, has made employer cybersecurity even more of a challenge. Employees who access company systems from personal computers don’t always exercise the same caution with their personal systems as they do at work. Because of this, a simple click on a personal Facebook post that contains malware can allow criminals to steal passwords and access work product or work systems.
Alert your employees to exercise caution in handling any email whose subject line, attachments, or hyperlinks relate to newsworthy events, even if it appears to originate from a trusted source. Criminals have become very adept at “spoofing” legitimate organizations by designing emails that look like they’ve come from news or philanthropic organizations. Many of these are phishing email campaigns that circulate using subject lines related to the Ukraine crisis. Do not open unexpected attachments or click on links in suspicious emails.
Once cybercriminals gain access to a system, a lot of the damage is done. They can lock you and your employees out of the company network, demanding a ransom in exchange for returning your own systems to your control. They can access your payment-processing systems and either extort your vendors or pose as a representative of your company to withdraw funds.
This raises another important point: your third-party service providers are subject to the same risks. Know how they interact with your systems, monitor vendor access to your network, and ensure they maintain cybersecurity programs that are in line with your risk tolerance.
Make sure you are speaking with experts about cybersecurity, including your commercial lender and your business-insurance provider. They are your partners in this fight against fraud.
How to avoid becoming a victim of fraud:
• Educate your employees on how to identify potential fraud.
• Know how your vendors interact with your network and ensure they are following cyber-safe practices.
• Follow CISA’s Shields-Up guidance (https://www.cisa.gov/shields-up), which outlines general cybersecurity practices that will help your business’s resiliency in the event of a cyber-attack.
• Check out the free tools and resources available from the U.S. Small Business Administration (https://www.sba.gov/business-guide/manage-your-business/stay-safe-cybersecurity-threats).
If you do become a victim of fraud, there are steps you can and should take. One of the first things you should do is notify your bank. It is there to offer support if you have an incident, as well as provide guidance to help you build stronger defenses. Additional resources to help you better prepare your company for the current cyberthreat environment are available from the Cybersecurity & Infrastructure Security Agency at www.cisa.gov.
Terra Carnrike-Granata is senior VP and senior director of information security at NBT Bank, where she designs and implements sophisticated controls to prevent loss and mitigate risk, while also developing innovative ways to educate consumers and businesses on cyber threats.