The people who want to misappropriate your confidential information are getting smarter about it every day.
Over the past month, hackers have hijacked email accounts and issued fraudulent requests for money transfers and employee data at an alarming rate. Millions of dollars have been lost because the requests appear to be from colleagues or friends.
The following are three types of scams that have prompted law enforcement officials and cyber security professionals to issue warnings.
- Wire Transfers. The email account of a Chief Financial Officer or other senior executive is used to send wiring instructions to the company’s accounting department. The instructions direct the funds transfer to a bogus account. This scam is particularly difficult to thwart: because the message comes from a trusted, legitimate account, it is virtually impossible to tell that it is fraudulent. The email looks identical to any other from the account owner. The fake emails are often sent while a senior officer is out of the office, when it is more difficult to walk down the hall to verify the transaction. And how do crooks know the officer is out of the office? Social media. People posting on Facebook, Twitter or LinkedIn describing a conference they’re attending, business travel or vacation are tipping off the thieves.
- W2s. A variation on the same theme: hackers use a company executive’s email address to request W2 tax forms or employee records. The IRS recently issued an alert to HR and payroll professionals, warning them about this scheme. The thieves are looking for an individual’s Social Security number or other personal information. Snapchat and several hospitals were recently victims of this fraud. Once thieves have a Social Security number, they can use it to commit a variety of identity theft misdeeds. At this time of year, when many are filing taxes, hackers use the purloined Social Security numbers and W2s to enrich themselves with tax refunds.
- Homebuyers. Yet another recent scenario is that hackers pilfer the email login credentials of real estate brokers and escrow agents, take over their email account and issue wiring instructions to homebuyers. We know of at least two homebuyers who sent a total of $600,000 to fake accounts set up by online thieves.
Avoiding the Scam
The IT departments of every company have been working overtime to protect themselves from these threats. But even the best efforts of technology professionals haven’t been able to stop the ingenious, constantly evolving tactics of online crooks.
As a result, law enforcement officials are urging individuals to be more vigilant than ever. As North Carolina Attorney General Roy Cooper said in a recent warning about online scammers, “Think twice before responding to any email seeking personal information or money, no matter who appears to have sent it.”
In fact, one of the best defenses is an old-school tactic: Use the phone. If you have any doubt about the authenticity of an email, simply pick up the phone and call someone to verify the information. This is particularly important when large sums of money or unusual requests are involved.
The Perils of Public Wi-Fi
Corporate-wide cyber prevention initiatives are critical, but so, too, is the vigilance of individuals when they are online.
One increasingly common source of hacks is public Wi-Fi networks offered at coffee shops, airports, malls or other communal places. A single compromised computer can give hackers entry to an entire network. Instead of using public Wi-Fi, cyber experts say it’s safer to use the personal hotspot on your smartphone or a stand-alone hotspot, which is password protected and thus provides more security.
Think Before You Click
Another safeguard is to never click on a link or executable file in an email. Rather, retype the link in a browser or Google the link. A growing number of hackers are infiltrating computer systems when a user unwittingly installs malware on their computer. Malware tracks a computer user’s behavior and collects key information, such as logins and passwords.
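The advice above to retype a link rather than click it rests on a simple fact: the address an email link displays and the address it actually opens are two different things. The following script is an added example, not code from the article or from Marsh & McLennan Agency. It parses an HTML email body, extracts every link, and flags two of the warning signs the article describes: visible link text that names one site while the link target points to another, and links whose target is an executable file. The sample email body is constructed for illustration; the domain names in it are placeholders, not real sites.

```python
"""Flag deceptive links in an HTML email body.

Added example (not from the original article). The sample email body below
is constructed for illustration; its domain names are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# File extensions that, when a link points straight at them, mean the link
# downloads an executable rather than opening a web page.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".jar")

# Visible text that looks like a URL or domain: optional scheme, a dotted
# host with an alphabetic top-level label, optional path, no whitespace.
_URL_LIKE = re.compile(r"(?i)(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?")


def looks_like_url(text: str) -> bool:
    """True if the visible link text reads like a URL or a bare domain."""
    return _URL_LIKE.fullmatch(text.strip()) is not None


def host_of(url: str) -> str:
    """Return the lower-cased host of a URL or bare domain ("" if none)."""
    url = url.strip()
    if "://" not in url:          # bare "www.example.com/x" has no scheme
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html_body: str) -> list:
    """Return a finding dict for each link that shows a warning sign."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target_host = host_of(href)
        # Sign 1: the text claims one site, the target goes to another.
        if looks_like_url(text) and host_of(text) != target_host:
            findings.append({
                "href": href, "text": text, "target_host": target_host,
                "reason": "visible text host differs from link target host",
            })
        # Sign 2: the target is a file that would run, not a page.
        if urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append({
                "href": href, "text": text, "target_host": target_host,
                "reason": "link target is an executable file",
            })
    return findings


# Constructed sample: one disguised link, one honest link, one executable
# download, one plain "click here" link that carries no claim about its host.
SAMPLE_EMAIL_HTML = """
<p>Please review the updated wiring instructions at
<a href="http://secure-login.example-bank.co/update">https://www.example-bank.com/wire</a>
before 5pm.</p>
<p>Portal: <a href="https://www.example-bank.com/portal">www.example-bank.com/portal</a></p>
<p><a href="http://cdn.example.net/invoice.pdf.exe">Download invoice</a></p>
<p><a href="https://www.example-bank.com/help">Click here</a> for help.</p>
"""

if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"{f['reason']}: '{f['text']}' -> {f['href']}")
```

Run on the sample, the script reports the first link (text names www.example-bank.com, target goes to secure-login.example-bank.co) and the third (target ends in .exe), and stays silent on the honest portal link and the "Click here" link. The check is deliberately narrow: it catches only the two signs the article names, and a link whose text is plain prose makes no claim about its destination, so it is not judged on host mismatch.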
A particularly pernicious form of malware is ransomware, which cripples the affected computer system and is accompanied by ransom demands. Over the past few weeks, a new ransomware, called Locky, has targeted the U.S., Japan and Europe. One Internet security company said it caught 19 million copies of Locky emails over the past two weeks.
One final note: If a breach does occur, it’s important to follow your company’s incident response plan for dealing with a cyber breach. This assumes, of course, that your company has a plan. If your firm has insurance for cyber liability/data theft, a coverage that Marsh & McLennan Agency offers to clients, it’s important to use the approved vendors from the insurer when responding. If you don’t, the claim could be challenged.
The bottom line: It’s important for companies to not only strengthen their own systems, but also encourage individual users to be extra diligent. The world’s crooks are getting more enterprising each day.
Michael Grant is a principal at Marsh & McLennan Agency and the director of the Data Breach Practice.