Hardly a day goes by that we don’t hear about a recent cyberattack. While no one is immune to the threat, cyberattacks and cybercrime pose the biggest threat to businesses, hands down. Hackers are constantly becoming more sophisticated and harder to detect. Consider this alarming statistic.
In 2022, 4,100 publicly disclosed data breaches occurred, exposing an estimated 22 billion records. And 95% of these breaches can be traced to human error.
Let’s start with an all-too-common hacking scheme. An administrative assistant receives what appears to be a legitimate email from the company owner, who is away from the office for a week, working remotely. The email directs the admin to forward several dozen company employee W2s. The email looks and sounds real, so the admin complies. But it was a phishing scheme: someone who knew the owner was away wrote a credible-sounding email impersonating the boss.
What appeared to be a simple and legitimate request ended up being a costly mistake for the company, one that could have been avoided had the admin verified the request by calling the boss to confirm it. In today's digital environment, remember this phrase: it's better to be safe than sorry.
Then there’s what is known as spear phishing, where a cyber-criminal tries to “harpoon” an executive-level employee – most often the CEO – and steal their login details. CEO fraud is when attackers abuse the compromised email account of a C-level executive to authorize fraudulent wire transfers to a financial institution and then collect the ill-gotten gains. These breaches, also referred to as whaling attacks, target executives because high-ranking staff often don’t participate in security awareness training with the rest of the employees. The mandate should be ongoing training for all company personnel. Businesses should also add multi-factor authentication (MFA) to their financial authorization processes as a protective layer, so that no one can authorize payments through email alone.
Here are things to look for to help protect yourself from a phishing scam:
- Email address/domain name is spelled incorrectly or is different from the company's normal domain
- Email was sent far outside of normal business hours (unless you have international clients)
- Incomplete and/or misspelled words in the subject line and within the email
- Fonts are unusual or inconsistent
- Requires immediate action or employs a fear tactic
- Requests personal information
- Addresses you by your username versus your actual name
- Asks you to click on a link (you can check where a link goes by hovering over, but not clicking, the link in the email; the actual destination URL appears in the bottom left corner of your screen)
- Email has very few details but wants you to open an attachment
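The checklist above is a set of heuristics a person applies by eye, but most of them can also be checked mechanically. The Python script below is an added example, not code from the original post: it parses a raw email and reports which of the listed indicators it trips (look-alike sender domain, sent outside business hours, urgency wording, requests for personal data, greeting by username, link text that does not match its real destination, and an attachment with almost no accompanying text). The company domain `example.com`, the business-hours window, the keyword lists, the thresholds and the sample message are all constructed assumptions for illustration.

```python
"""Check a raw e-mail against the phishing indicators in the checklist above.
Added example (not from the original post); domain, hours, keywords,
thresholds and the sample message are constructed assumptions."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"   # assumption: the organisation's real domain
BUSINESS_HOURS = range(8, 18)    # assumption: 08:00-17:59 in the Date header's timezone
URGENCY_RE = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|suspended)\b", re.I)
PERSONAL_INFO_RE = re.compile(r"\b(password|social security|ssn|w-?2s?|bank account)\b", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)")

def _domain(header: str) -> str:
    """Domain part of an address header, lower-cased ('' if absent)."""
    addr = parseaddr(header)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance to the real domain flags look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _bodies(msg: Message) -> tuple[str, str, int]:
    """Return (plain text, html, attachment count) gathered over all MIME parts."""
    plain, html, attachments = [], [], 0
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments += 1
        elif part.get_content_type() == "text/plain":
            plain.append(part.get_payload(decode=True).decode("utf-8", "replace"))
        elif part.get_content_type() == "text/html":
            html.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(plain), "\n".join(html), attachments

def phishing_indicators(raw_email: str) -> list[str]:
    """Names of the checklist indicators the message trips (empty list = none)."""
    msg = message_from_string(raw_email)
    hits = []
    # Sender domain is not ours but only one or two characters away from it.
    sender = _domain(msg.get("From", ""))
    if sender and sender != COMPANY_DOMAIN and _edit_distance(sender, COMPANY_DOMAIN) <= 2:
        hits.append("lookalike_domain")
    # Sent far outside business hours (or carrying a Date header we cannot parse).
    try:
        if parsedate_to_datetime(msg.get("Date", "")).hour not in BUSINESS_HOURS:
            hits.append("outside_business_hours")
    except (TypeError, ValueError):
        hits.append("unparseable_date")
    plain, html, attachments = _bodies(msg)
    text = f"{msg.get('Subject', '')}\n{plain}"
    if URGENCY_RE.search(text):
        hits.append("urgency_or_fear")
    if PERSONAL_INFO_RE.search(text):
        hits.append("requests_personal_info")
    # Greets the recipient by the local part of their address instead of a name.
    local = parseaddr(msg.get("To", ""))[1].split("@")[0]
    if local and re.search(rf"^\s*(dear|hi|hello)\s+{re.escape(local)}\b", plain, re.I | re.M):
        hits.append("greeted_by_username")
    # Visible link text names a host that differs from where the href really goes.
    for href, shown in ANCHOR_RE.findall(html):
        shown_host = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", shown).lower())
        if shown_host and shown_host.group(1) != (urlparse(href).hostname or ""):
            hits.append("link_text_mismatch")
            break
    # An attachment with almost no accompanying text.
    if attachments and len(plain.split()) < 30:
        hits.append("attachment_with_little_text")
    return hits

# Constructed sample: the W2 request from the story above, sent from a look-alike domain.
SAMPLE_EMAIL = """\
From: "Company Owner" <owner@examp1e.com>
To: admin@example.com
Subject: URGENT: need the employee W2s asap
Date: Sat, 04 Mar 2023 02:13:00 +0000
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Dear admin, I am travelling and need the W2s right away. Open the attached form.

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<p>Dear admin, <a href="http://login.examp1e.com/w2">https://portal.example.com</a></p>

--BOUNDARY
Content-Type: application/pdf; name="form.pdf"
Content-Disposition: attachment; filename="form.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--BOUNDARY--
"""

if __name__ == "__main__":
    for name in phishing_indicators(SAMPLE_EMAIL):
        print("indicator:", name)
```

Each indicator on its own is weak (a genuine colleague may well write "asap", and a real newsletter may be sent at 2 a.m.), which is why the function returns the whole list rather than a verdict: a mail gateway or triage script would weight the hits, and the human rule from the story above still applies regardless of score, namely confirming any unusual request for sensitive data through a second channel before acting on it.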
This is our advice: do not open or click on any email that feels suspicious, and ensure you have the proper cybersecurity measures in place. Be proactive!