By Chris Mouton, Risk Management Specialist
Recently, one of our clients experienced a frighteningly close call with a cyberattack on their business. The corporate secretary received an email from the CEO asking her to send him a copy of every employee's Form W-2. She dutifully pulled together all of the information, but instead of hitting "Reply" on the original email, she sent the attachments in a new message addressed to the CEO. The CEO replied, puzzled, "What are you doing?"
It turned out that the executive had not written the original message at all. It was a cleverly disguised phishing attack aimed at gathering employees' personal information, including social security numbers, which can be sold on the black market or used to open credit cards and other financial accounts. The only thing that kept the data out of the attacker's hands was that the secretary typed the CEO's real address into a new message rather than replying to the spoofed sender.
The Harsh Reality
Most people have received the dreaded phone call from their bank’s fraud alert department notifying them that their credit or debit card has been charged in a dozen different states, despite never leaving their possession. The tedious and time-intensive process of verifying purchases, waiting for a new card to arrive, updating auto-draft accounts and monitoring for additional fraudulent activity is nothing short of maddening. Equally frustrating is the fact that if this type of hack can happen to you, it can happen to your business.
Whether yours is a multinational enterprise or a small business with a handful of employees, no organization is immune to cybercrime. In fact, a 2016 report from the Ponemon Institute noted that half of all SMBs experienced a data breach in the preceding 12 months. So, what type of information are these bad actors after, how do they get it, and how do they use the personal data they steal? More importantly, what can you do to stop them?
Names and Numbers
Just like the criminals who swipe your credit card number, cybercriminals target any data in your company files that can be monetized, whether through fraud, identity theft, or even blackmail. Not only are the names of your employees and customers at risk, but also the related data that can be used to build a fake identity or to unlock access to additional information. The most common types of data that are stolen include:
Social security numbers are especially valuable, since they can be used to open credit cards and bank accounts, or to verify a person's identity for access to additional private information, like medical records. Child care centers, schools and medical facilities also face the unique risk of having children's social security numbers stolen, a particularly nefarious act: because a child has no credit history for anyone to monitor, the crime often is not detected until the child applies for credit after turning 18.
Cybercriminals use numerous strategies to access private personal information stored on servers, computers, and local networks. Social engineering techniques pose a growing threat to businesses because they target human fallibility rather than technical controls such as firewalls. Often, the attackers have already compromised a mailbox in the company's email system and are quietly reading correspondence, waiting for the right opportunity to strike.
Imagine that an executive sends a note to her staff with the dates of her upcoming vacation. The cybercriminal then registers an email address that looks nearly identical to hers, for instance one in which a lowercase letter "l" in the name or domain is replaced with the number 1, a swap that is almost invisible in most fonts. The day after the executive leaves town, a staffer receives an urgent email from that address noting that an outstanding invoice was overlooked, and asking the employee to wire a large sum to a specific bank account to keep the vendor from taking legal action. The email looks legitimate, and without close scrutiny of the sender's actual address, the ruse easily can result in funds being transferred directly into the cybercriminal's account.
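Both stories above, the spoofed CEO request for W-2s and the lookalike address used for the wire-transfer fraud, come down to a sender who is not who the display name or address suggests. The following is an added example, not code from the original article or from Marsh & McLennan Agency, of a simple check that a mail gateway or a help-desk script could run on the From: header of an incoming message: it flags a display name that belongs to a known colleague but is paired with a different address, an address that matches a known one only after look-alike characters (1 for l, 0 for o, and so on) are folded, and a domain that is a near-duplicate of the company's own. The names, addresses and the domain example.com are constructed for illustration.

```python
"""Heuristic checks for display-name and lookalike-address impersonation.

Added example; the directory, domains and sample headers are constructed.
"""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Characters attackers commonly substitute for visually similar letters.
CONFUSABLES = str.maketrans({"1": "l", "|": "l", "0": "o", "5": "s", "3": "e", "7": "t"})

# Constructed directory: lowercased display name -> real address on file.
DIRECTORY = {
    "jane hillman": "jane.hillman@example.com",
    "tom reyes": "tom.reyes@example.com",
}
# Constructed set of domains the company actually sends mail from.
COMPANY_DOMAINS = {"example.com"}


def normalize(text: str) -> str:
    """Lowercase and fold look-alike characters so 'hi1lman' compares equal to 'hillman'."""
    folded = text.lower().translate(CONFUSABLES)
    # Two-character look-alikes: 'rn' reads as 'm', 'vv' reads as 'w'.
    return folded.replace("rn", "m").replace("vv", "w")


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def check_sender(from_header: str, directory: dict = DIRECTORY,
                 company_domains: set = COMPANY_DOMAINS) -> list:
    """Return a list of reasons the sender looks suspicious; an empty list means no finding."""
    findings = []
    display, address = parseaddr(from_header)
    address = address.lower()
    domain = domain_of(address)

    # 1. Display-name impersonation (the W-2 scenario): the name is a known
    #    colleague, but the address is not the one on file for that person.
    known = directory.get(display.strip().lower())
    if known and known.lower() != address:
        findings.append(f"display name '{display}' belongs to {known}, not {address}")

    # 2. Lookalike domain (the wire-fraud scenario): not a company domain, but
    #    identical once confusable characters are folded, or within a hair of one.
    if domain and domain not in company_domains:
        for legit in company_domains:
            if normalize(domain) == normalize(legit):
                findings.append(f"domain '{domain}' is a confusable spoof of '{legit}'")
            elif SequenceMatcher(None, domain, legit).ratio() >= 0.9:
                findings.append(f"domain '{domain}' is a near-duplicate of '{legit}'")

    # 3. Lookalike local part: the whole address equals a known one after folding
    #    (catches jane.hi1lman@ when only the user name was altered).
    for real in directory.values():
        real = real.lower()
        if address != real and normalize(address) == normalize(real):
            findings.append(f"address '{address}' is a confusable spoof of '{real}'")
    return findings


if __name__ == "__main__":
    for header in (
        "Jane Hillman <jane.hillman@example.com>",   # genuine
        "Jane Hillman <jane.hi1lman@example.com>",   # digit 1 for letter l
        "Jane Hillman <jane.hillman@examp1e.com>",   # lookalike domain
        "Accounts Payable <ap@examplee.com>",        # near-duplicate domain
    ):
        print(header, "->", check_sender(header) or "ok")
```

A check like this is a backstop, not a substitute for DMARC enforcement on your own domain or for the one control that would have stopped both attacks outright: confirming any request for payroll data or a wire transfer by phone, using a number already on file rather than one in the email.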
Other forms of social engineering rely on malicious attachments or fake file-sharing links (a spoofed Dropbox notification, for instance) to install malicious code on a company's network, where it can be used to access confidential data or trigger a ransomware attack. Similarly, quid pro quo attacks trick employees into revealing their login credentials, giving the attacker direct access to the company's network. Often this is accomplished by the cybercriminal impersonating an IT service representative, either on the phone or in person, and claiming they need to update certain software on the employee's system.
The best way to guard against these crafty schemes is to raise awareness company-wide and put security protocols in place that can nip an attempted data breach in the bud. Organizations of every size should develop clear processes and procedures to safeguard sensitive data, and train all employees on how information may be shared via phone, email or in person. Here are several best practices to consider:
Through its partnerships with insurance carriers and cyber-security firms, Marsh & McLennan Agency can help your team establish sound data security protocols, as well as a response strategy in the event that a breach does occur. We can also recommend resources for identity theft and credit monitoring, cyber coverage, and other types of insurance to minimize your exposures. If we can be of any service, please call our office, and a member of our team will be happy to assist you.