Someone is out to get you.
Hackers are working full time. And with your team working from home now, you face greater risk. Cyber-criminals are constantly working to find soft spots or weak links in your organization to exploit. And hackers study human behavior and are good at manipulation.
When everyone first started working from home, their organizations addressed security items like VPNs, Wi-Fi security, bolstered passwords and multi-factor authentication.
But even if those ducks are lined up, there is a key vulnerability that remains: people.
Employees working at home must be alert and cautious to maintain security. Fraudsters employing social-engineered cyber-attacks seek to exploit fear, uncertainty and doubt. People under stress make a good target.
The bad guys use common tools to break into systems: email, text messaging and phone calls. As the pandemic spread and the remote working environment was hurriedly set up, attacks that referenced COVID-19 leapt way up. (We are now halfway through autumn, and COVID-19 is on the rise again.)
But not all attempts to breach security fly a COVID flag. The common pre-pandemic techniques still work. You might get an email that looks like an internal system-generated notification of a voicemail. It includes a link to access the message. If your company has set up VoIP, you might more readily fall for it, though even without VoIP, you might be tempted.
Or maybe you receive a phone call indicating there’s been a breach of your cell phone or computer, and you are instructed to press “1” for help.
Perhaps you receive an email from the boss. The message sounds very nearly like something the boss might write. You might act on it without giving it a second thought. Don’t. You could be very sorry.
The perpetrators employ a variety of types of phishing. There is vishing, which is phishing via phone (voice). Then there is smishing, in which you receive a text (SMS) asking you to reply with information or to click a link.
Phishing, of course, is an email appearing to be from a trusted entity. It is somewhat non-specific, meaning it targets a broad number of users (though may still include your name in the greeting). Spear phishing is more sophisticated, aimed at a particular organization or individual, using specific information found online. Whaling takes spear phishing to the next level, targeting higher-level personnel and appearing to come from the CEO, CFO, president, etc.
These various messages attempt to get you to provide information to them, or they are a “trojan horse” loading malware onto your computer. They urge you to click on a link or download a document. Once you’ve clicked or opened the document, the malware is in.
Consider that as you and your staff work from home, you might take a break and check Facebook, where you receive a message that appears to be from a friend. It says, “Hey, is this you in this video?” You click the link to see whether you do appear in the video. But the message is not from your friend: their Facebook account was hacked. And any time you click on a link, it could result in downloading malware to your computer.
The first defense is to pause. Pausing to look more closely enables you to spot suspicious messages.
Sometimes the grammar or punctuation in a message gives it away. Other times it is less obvious. Mimicking large organizations is not hard. The hackers cut-and-paste a logo and copy the organization’s layout and fonts. But does the message sound correct?
If it appears to be from someone you work with, would the person write that way or ask you to do that? Does it seem a little “off”?
Before you do anything else, check the “from” line – not the name but the email address. It may be the reputable company’s name and logo, or even the boss’s name, but the actual email address is wrong.
Hover over the link, but do NOT click it. What URL appears? Is it that reputable company’s URL, or is it something else, maybe a lot of numbers and letters?
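The two checks above (the real address behind the “from” name, and the real destination behind a link) can also be run by a script before a message ever reaches a person. The following is an added example, not code from the article or from InvoiceInfo/VendorInfo: it parses a constructed sample email, compares the sender’s address domain against a list of domains the organization is assumed to own (`TRUSTED_DOMAINS`, a placeholder), and flags any link whose visible text names one host while its `href` points somewhere else. All domains and addresses in it are made up for illustration.

```python
"""Flag the 'pause and look' checks from the article on a raw email:
1) the From display name vs the actual address domain, and
2) each link's visible text vs its real href destination.
The sample message and trusted-domain list below are constructed for this example.
"""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name claims to be the CFO, but the address is on a
# look-alike domain; the link text shows the corporate voicemail host while the real
# href goes to a bare IP address (documentation range, not a real target).
SAMPLE_EMAIL = """\
From: "Pat Chen" <pat.chen@example-corp-mail.net>
To: ap-team@example-corp.com
Subject: New voicemail - urgent
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have a new voicemail. Listen here:
<a href="http://203.0.113.57/v0icemail/login">https://voicemail.example-corp.com/inbox</a></p>
</body></html>
"""

# Domains the organization actually owns (an assumption for this example).
TRUSTED_DOMAINS = {"example-corp.com"}


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Crude registrable domain: 'voicemail.example-corp.com' -> 'example-corp.com'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(text):
    """Hostname of a URL-like string, or None if it has none."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname


def check_from_header(msg):
    """Finding when the address behind the display name is not on a trusted domain."""
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain not in TRUSTED_DOMAINS:
        return f"From shows {name!r} but address domain {domain!r} is not trusted"
    return None


def check_links(html_body):
    """Findings for links whose shown host differs from the real one, or is untrusted."""
    findings = []
    collector = LinkCollector()
    collector.feed(html_body)
    for text, href in collector.links:
        real_host = host_of(href)
        if real_host is None:
            continue
        # Only treat the anchor text as a URL if it looks like one (has a dot, no spaces).
        shown_host = host_of(text) if "." in text and " " not in text else None
        if shown_host and registered_domain(shown_host) != registered_domain(real_host):
            findings.append(f"link text shows {shown_host} but goes to {real_host}")
        elif registered_domain(real_host) not in TRUSTED_DOMAINS:
            findings.append(f"link goes to untrusted host {real_host}")
    return findings


def analyze(raw_email):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_email, policy=policy.default)
    findings = []
    from_finding = check_from_header(msg)
    if from_finding:
        findings.append(from_finding)
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        findings.extend(check_links(body.get_content()))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("SUSPICIOUS:", finding)
```

On the sample message this reports two findings: the sender’s domain is a look-alike rather than the corporate one, and the link’s visible text names the corporate voicemail host while the real destination is a numeric address. The registrable-domain helper is deliberately crude (last two labels), which is fine for an in-house allow list but would misjudge hosts under country-code suffixes such as `.co.uk`; a production filter would use a public-suffix list.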
Robo-calls might seem transparent, yet people fall for them. Whatever the alarming message, do NOT press “1.” If you think there may be a real issue, independently look up and contact the organization to inquire.
Not all dangerous phone calls are the robot kind. A few of the more famous hacks occurred when the hackers, unable to find out the right code or password to get past a security level, called someone in the organization who very helpfully gave it to them!
Mike Rose, Security Engineer at White Ops, a cyber-security concern, identifies these elements of a good defensive strategy:
- Keep an eye on the news – know what’s out there
- Update your operating system regularly
- Don’t open attachments or links
- Enable firewalls
- Avoid answering unknown calls
- Regularly back up your devices
- Contact the real sender
Generally, accounts payable people are accustomed to taking a skeptical stance. Their job is guarding the company’s cash. That skepticism serves them well. But attacks that appeal to fear, as in a false report that an account has been hacked or compromised, can fool us. Likewise, our desire to be helpful, or our anxiousness to support the finance director or CFO, can cause us to drop our guard.
So, beware. Remind your team to stay alert. When they see something “not quite right,” pause and check. Have them contact you or the appropriate person in IT. Cyber security experts at Heimdal Security recommend the following to protect your organization:
- Review and limit access controls and admin rights to the appropriate staff
- Hold cybersecurity training sessions
- Perform staff exercises and testing
- Plan incident management, not just prevention
InvoiceInfo and VendorInfo provide safe, secure vendor communications. To learn more, contact us.