Preventing Business Account Compromises
Sep 28, 2020
The past several months have been chaotic in so many ways. Shifts in work routines, changes in homelife, and the introduction of new social precautions have added complication and stress to the ever-present onslaught of traditional news outlets and social media. This information-overload leads to distraction, which leads to details being overlooked while people strive to cope with the upheaval.
Cyber-criminals and nation states understand this and have increased their efforts to take advantage of the situation. Using information passively gathered from social media sites, press releases and community interactions, together with more active techniques such as posing as customers or vendors during phone calls and physical site visits, they are able to build a detailed understanding of key personnel and the inner workings of businesses.
That information is then leveraged to build sophisticated interaction plans tailored to each potential victim and end-goal. The end-goal is often to capture usernames and passwords for key email accounts and online services, or to gain footholds in business networks where the attackers can lurk for weeks and months, sifting through email accounts and information stores to learn patterns, communication norms and business processes.
The spectrum of potentially devastating impacts can include loss of revenue, erosion of customer and vendor confidence, reputation and brand damage, as well as financial penalties due to data breaches. These outcomes are costly and a significant drain on time and other critical resources.
However, there are some relatively simple steps that businesses and individuals can take to prevent intrusions before they occur and limit the negative impact when they occur.
- Set up and mandate Multi-Factor Authentication (MFA) for all users on all platforms that support it. When selecting new tools and services, make MFA support a high-priority requirement when shortlisting options. This is especially effective because email systems are a common target during the initial attack (to gain footholds).
- Enroll in a phishing awareness and training service like Nexigen’s Snared Phishing-as-a-Service.
- Minimize personally identifiable information posted online. Social media, while a great tool for building visibility and communicating with large groups of like-minded individuals, is a common tool that fraudsters leverage to guess passwords and answers to security questions.
- Don’t click on anything in an unsolicited email or text message, particularly if it is asking for account updates or credential resets.
- Don’t contact companies via information provided in an otherwise unexpected email communication. Verify the entity’s contact information via known sources such as an internal company address book or other sources such as their website or another trusted and verifiable source. Be sure to verify that web site names are valid and correctly spelled.
- Be critical of all received emails and carefully examine the email address, URL, and spelling used in any message. If on a mobile device and the validity isn’t abundantly clear, wait until the message can be investigated in more detail on a “full-desktop” type device (workstation or laptop).
- Refrain from opening attachments or downloading files from links sent by strangers, or from any message that is unexpected or unsolicited. Messages that appear to be forwarded from others are also a common spoofing vector.
- Use face-to-face or more personal verification techniques for any financial transaction, even those that seem low-risk or routine or are “internal” in nature.
- Any requests to change an account number or payment process should trigger a full red-alert response. Verify any changes being made with a known trusted contact through channels that are also easily verified. With modern technology, criminals have the luxury of creating near-identical personas to mimic trusted partners and vendors.
- Hit the brakes when requestors are pushing for more speed or shorter timeframes. An hour’s or day’s delay is less expensive than unrecoverable ACH or wire transfers, and attackers commonly use urgency as a tactic to “push through” a request or activity.
- Have a plan in place to deal with a cyber intrusion or cyber incident before you experience one. It is no longer a matter of “if” an organization will experience some sort of cyber attack, but “when”. Like an emergency exit plan or inclement weather policy, the better prepared your organization is to handle an incident, the more rapid the recovery and remediation will be.
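As an added illustration of the address, URL and spelling checks recommended above (example code written for this page, not Nexigen's own tooling), the following Python flags sender and link domains that merely resemble a trusted one. The allow-list, the homoglyph table and the sample message are constructed for the example.

```python
import re
from urllib.parse import urlparse
# Constructed allow-list for the example; a real deployment would load it from config.
TRUSTED_DOMAINS = {"nexigen.com", "examplebank.com"}
# Character swaps commonly used to mimic a legitimate name (rn for m, 0 for o, ...).
HOMOGLYPHS = (("rn", "m"), ("0", "o"), ("1", "l"), ("vv", "w"))

def levenshtein(a: str, b: str) -> int:
    """Edit distance; 1 or 2 against a trusted name is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold_homoglyphs(domain: str) -> str:
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain

def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender or link domain."""
    domain = domain.lower().strip(".")
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    for t in TRUSTED_DOMAINS:
        if domain.startswith(t + "."):      # trusted name used as a subdomain prefix
            return "lookalike"
        if fold_homoglyphs(domain) == t:    # rn/m, 0/o style substitutions
            return "lookalike"
        if levenshtein(domain, t) <= 2:     # one or two typos away
            return "lookalike"
    return "unknown"

def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header such as 'Name <user@host>'."""
    m = re.search(r"[^\s<>@]+@([^\s<>]+)", from_header)
    return m.group(1).lower() if m else ""

def link_domains(body: str) -> list:
    """Hostnames of every http(s) URL found in the message text."""
    return [(urlparse(u).hostname or "").lower()
            for u in re.findall(r"https?://[^\s<>\"']+", body)]

def review_message(from_header: str, body: str) -> dict:
    """Classify the sender domain and every linked domain in one pass."""
    return {"sender": classify_domain(sender_domain(from_header)),
            "links": {d: classify_domain(d) for d in link_domains(body)}}
```

A result of "lookalike" on either the sender or a link is the cue to stop and verify through a known channel, as the list above advises.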
Through simple and inexpensive changes to internal processes and policies, many successful account compromises could have been prevented or mitigated, reducing the overall risk of doing business in the digital economy and our current environment.
To learn more about Nexigen’s security and general Information Technology offerings, as well as how Nexigen can assist your company in its preparation for cyber-security-related events, visit us on the web at nexigen.com or contact us at 855-639-4436 to schedule a conversation.