Financial Transactions | Best Practices | Ohio CPA Firm | Rea CPA

What You Don’t Know Can Hurt You


Email account takeovers are not a new phenomenon in today’s business world. Actually, the likelihood of your professional or personal email account being hijacked by a malicious program or person is pretty good. And what cybercriminals can (and do) do with your account is bad – really bad.

In my profession, I get to talk to a lot of business owners and organizational leaders and you’d be surprised by how many have reported instances of their own email accounts being infiltrated. Oftentimes, as if dealing with a hacked email account wasn’t bad enough, the malicious email will serve as the gateway for a Trojan that, once installed on your computer, can lead to dire ramifications. And what’s worse, you probably won’t know that you’ve been infected until it’s already too late.


Policies to Live By

Even though the outlook appears bleak, it doesn’t have to be. Consider using the following tips to keep your organization safe – even if your email has been compromised.

Establish a verification process – If you’re responsible for making payments via wire transfers or ACH transactions, make it a priority to establish and use a verification process for changes to bank routing and transit numbers. This means that anytime your entity receives a change request for bank routing and transit information, the change should be verified with a direct phone call to your contact via the phone number you have on record. Don’t just call the number that appears in the email’s signature, because if the email account has actually been compromised, a hacker can easily alter the contact information that appears in the message.

Two people are better than one – Online banking should be completed only when your organization has a two-person process in place to maintain the integrity of the transaction. While many banks will require this practice, there are others that don’t. Even if your bank gives you the choice, don’t go solo. Instead, opt for the buddy system. Essentially, the two-person process requires one person to create the transaction while the other person approves the transaction – and each action should be completed from a different workspace.

You can never be too cautious – You might also consider other types of controls to keep your company or entity safe. For example, other types of dual authentication can be required to complete transactions, such as receiving a return call from bank personnel to confirm the transaction request before the transaction actually goes through. Before you laugh off this level of security as “overkill,” I assure you that I can cite examples that will likely change your mind. In fact, I recently spoke with an entity whose primary person responsible for online banking had unwittingly become infected with a “Man in the Browser Trojan.” This particular infection allowed a hacker to remotely modify the user’s Web transactions in real time. Even though the transaction appeared normal in every possible way, a few last-second keystrokes were all it took to change the routing and transit number to an Eastern European bank account. The money was gone, quite literally, before they knew what hit them.
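The controls described above, written as checks a payment workflow could enforce before a wire or ACH payment is released. This is an added example, not part of the original article; the `Vendor` and `Payment` records, the function names and all sample values are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Added example: record layouts and names are assumptions, not a real banking API.
@dataclass
class Vendor:                          # verified record kept by your organization
    phone_on_record: str
    routing: str
    account: str

@dataclass
class Payment:
    vendor_id: str
    routing: str
    account: str
    created_by: str
    created_from: str                  # workspace the payment was keyed on
    approved_by: Optional[str] = None
    approved_from: Optional[str] = None

def _digits(s: Optional[str]) -> str:
    """Compare phone numbers by digits only, ignoring punctuation."""
    return "".join(c for c in (s or "") if c.isdigit())

def apply_bank_change(vendors, vendor_id, routing, account, number_called, confirmed):
    """Change bank details only after a call placed to the number already on record."""
    v = vendors[vendor_id]
    if _digits(number_called) != _digits(v.phone_on_record):
        return "rejected: call the phone number on record, not the one in the email"
    if not confirmed:
        return "rejected: contact did not confirm the change"
    v.routing, v.account = routing, account
    return "applied"

def release_blockers(vendors, p: Payment):
    """Reasons a payment must be held; an empty list means it may be released."""
    v = vendors[p.vendor_id]
    reasons = []
    if (p.routing, p.account) != (v.routing, v.account):
        reasons.append("destination differs from the verified vendor record")
    if p.approved_by is None:
        reasons.append("no second-person approval")
    elif p.approved_by == p.created_by:
        reasons.append("creator and approver are the same person")
    if p.approved_from is not None and p.approved_from == p.created_from:
        reasons.append("approval came from the creator's workspace")
    return reasons
```

The destination check is the one that would hold a payment whose routing number was altered in the creator's browser, because it compares what was submitted against the verified record rather than what appeared on screen.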

Protect Yourself

The term “social engineering” refers to the psychological manipulation of people in an attempt to get them to perform actions and/or divulge confidential information. And, unfortunately, the social engineering crime syndicate shows no signs of slowing down. The best way to protect your data is to stay up-to-date on cyber security issues, take advantage of the best practices outlined above and always use extreme caution any time you are changing or modifying any type of payment information. And, of course, you can always email Rea & Associates for answers to your questions or to find out how our team of forensic experts can identify weaknesses in your organization’s financial infrastructure.

By Travis Strong, CISA (Wooster, OH)
