Last month, the FBI released an alert about the “high-impact” threat of business email compromise, a “sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.”
Although this type of attack isn't new, the FBI's Internet Crime Complaint Center (IC3) reports a rising number of complaints about payroll funds. Spoofed messages that appear to come from an employee's legitimate email account ask the company's human resources or payroll department to change that employee's direct deposit details. The new account is often a pre-paid card, which suits the criminals: easy to cash out and hard to trace.
Complaints are rising, too: more than 1,000 reports of this payroll diversion scheme were filed with the FBI between January 1, 2018 and June 30, 2019. Those incidents alone cost businesses more than $8 million, while all business email compromise scams combined caused more than $26 billion in reported losses worldwide between 2016 and 2019.
So what can you do to protect your business?
1. Educate employees about the threat from business email compromise.
Human beings are usually the first line of defense, but they can't defend against what they don't recognize. Ongoing training on phishing and spoofing, ransomware and the other schemes your staff will actually encounter helps them spot a scam before it costs you money. For payroll, the most effective habit is also the simplest: treat every request to change banking details as unverified until someone has confirmed it with the employee in person or by phone at a number already on file, never by replying to the email that made the request.
2. Use multi-factor authentication on every account, starting with email.
Multi-factor authentication requires a second proof of identity beyond the password (something you know): something you have, such as a one-time code from an authenticator app or a hardware security key, or something you are, such as a fingerprint. Codes delivered by text message are better than nothing but are the weakest option, since they can be intercepted through SIM swapping or phished along with the password; an authenticator app is stronger, and a phishing-resistant hardware key is stronger still. The extra step costs a few seconds, but it makes a stolen password useless on its own. That matters here, because BEC attackers frequently take over a real employee mailbox and send their requests from it, and without a second factor a stolen password is all that takes.
3. Don’t click on links or open attachments in suspect emails.
This is where the training pays off. Staff who know what to look for will check the actual sender address rather than just the display name, hover over links to see where they really lead (an unfamiliar domain or a long string of random characters where a company URL should be is a warning sign), and treat unexpected attachments with suspicion, particularly documents that ask to "enable macros" or "enable editing", since opening them can install ransomware or other malware. Keep in mind that the payroll diversion scam usually carries no link or attachment at all; it is just a polite, plausible request, which is exactly why the out-of-band verification step matters.
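Spotting a spoofed sender by eye is error-prone, so here is a small triage script that applies the checks above to a message: a lookalike or external sender domain, a Reply-To pointing somewhere else, an internal address hidden in the display name, SPF/DKIM/DMARC failures recorded by the mail gateway, and payroll wording that should trigger out-of-band verification even when the headers look fine. This is an added example, not CMIT's code or tooling; the company domain example-corp.com, the three sample messages and their Authentication-Results headers are constructed for the illustration.

```python
"""Triage checks for payroll / direct-deposit change e-mails (added example).

Assumptions (constructed for this illustration): the organisation's real mail
domain is example-corp.com and the inbound gateway stamps each message with an
Authentication-Results header.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # assumption: the organisation's real domain
PAYROLL_TERMS = ("direct deposit", "payroll", "routing number", "bank account")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, real: str) -> bool:
    """True for near-misses such as example-c0rp.com, example-corp.co or
    example-corp.com.attacker.net; the real domain and its own subdomains are not."""
    if domain == real or domain.endswith("." + real):
        return False
    return real in domain or edit_distance(domain, real) <= 2


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _body_text(msg) -> str:
    if msg.is_multipart():
        return "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    return msg.get_payload()


def triage(raw_message: str) -> dict:
    """Return the red flags a payroll clerk (or a mail filter) should weigh."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    findings = []

    # 1. Sender domain: exact match (or subdomain) is fine, a near-miss is the classic trick
    if from_domain != COMPANY_DOMAIN and not from_domain.endswith("." + COMPANY_DOMAIN):
        kind = "lookalike" if is_lookalike(from_domain, COMPANY_DOMAIN) else "external"
        findings.append(f"{kind} sender domain {from_domain}")
    # 2. A real internal address stuffed into the display name hides the true sender
    if "@" in display_name and _domain(display_name) != from_domain:
        findings.append(f"display name carries a different address: {display_name}")
    # 3. Replies silently rerouted to the attacker's own mailbox
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} does not match sender domain")
    # 4. Gateway authentication verdicts; a plain spoof of the real domain fails here
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} failed at the gateway")

    # 5. Payroll wording: even a clean-looking request needs out-of-band confirmation
    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    payroll_request = any(term in text for term in PAYROLL_TERMS)
    if payroll_request and findings:
        action = "block and report: likely payroll diversion attempt"
    elif payroll_request:
        action = "verify out of band (known phone number) before changing anything"
    else:
        action = "no payroll action requested"
    return {"payroll_request": payroll_request, "findings": findings, "action": action}


# Constructed sample: lookalike domain that authenticates cleanly, plus a rerouted Reply-To
SUSPICIOUS = """\
From: "Dana Lee" <dana.lee@example-c0rp.com>
Reply-To: dana.lee.personal@mail-relay.example.net
To: payroll@example-corp.com
Subject: Direct deposit update
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-c0rp.com; dmarc=pass

Hi, I changed banks. Please update my direct deposit to the new account before
this week's payroll run. I'm in meetings all day, so e-mail only please.
"""

# Constructed sample: the real domain spoofed outright, so SPF and DMARC fail
SPOOFED = """\
From: "Dana Lee" <dana.lee@example-corp.com>
To: payroll@example-corp.com
Subject: Banking change
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com; dkim=none; dmarc=fail

Please switch my payroll to the attached bank account details from next month.
"""

# Constructed sample: genuine internal mail with nothing payroll-related in it
CLEAN = """\
From: "Dana Lee" <dana.lee@example-corp.com>
To: payroll@example-corp.com
Subject: Q3 timesheet question
Authentication-Results: mx.example-corp.com; spf=pass; dkim=pass; dmarc=pass

Quick question about the timesheet cutoff for the holiday week.
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("spoofed", SPOOFED), ("clean", CLEAN)):
        print(name, triage(sample))
```

Note what the first sample shows: SPF and DMARC pass, because the attacker controls the lookalike domain and configured it correctly. Authentication headers protect your own domain from being forged; they say nothing about a domain one character away from it, which is why the lookalike check and the phone call are both still needed.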
4. Work with a trusted IT provider to conduct regular software updates and security patches.
Many attacks exploit known vulnerabilities in operating systems and software for which patches already exist. Outdated applications, or a legacy OS such as Windows 7, which reaches the end of its security updates in January 2020, leave openings that attackers scan for automatically. Patching will not stop a well-worded spoofed email on its own, but it closes the door on the malware that often follows a careless click, and it costs far less than the downtime and losses that follow a breach.
5. Back up your data regularly and remotely.
Payroll diversion doesn't touch your data, but ransomware, another attack that commonly arrives by email, aims to lock it up and knock your business offline until you pay, typically in Bitcoin or pre-paid cards. Automated backups kept in a separate location, with at least one copy offline or otherwise unreachable from your network (ransomware routinely seeks out connected backups and encrypts them too), together with a restore process you have actually tested, let you recover and return to normal operations without paying. Backups will not recover money sent to a fraudulent account, however; for that, the defense is verification before the change is made.
If you think you've fallen victim to business email compromise, act quickly: contact your bank to request a recall of the transfer and file a report with the FBI's Internet Crime Complaint Center at ic3.gov, because the chance of recovering funds drops with every hour. If you're also worried about the layers of security surrounding your data, contact CMIT Solutions today. We specialize in comprehensive IT protection and current knowledge of the changing cybersecurity landscape, and we put that expertise to work keeping business clients safe.