Whether it was the Equifax, Marriott, Yahoo or other big personal data breach in recent news, there is a good chance that you or someone close to you has been affected by a cybercrime attack. As an example, check your email on www.HaveIbeenPwned.com, a website that allows you to see if your email or other personal information was stored by a business that was breeched. If you find yourself identified as part of one, it’s a real-life example of why we are encouraged to use different passwords when logging into different applications and websites.
We do what we can to protect our own personal data, but more often than not we rely on the businesses we interact with to protect our data and our money. Subsequently, if you’re a business owner that responsibility falls on you, which can seem daunting in a time when the threat of fraud and cybercrime seems to be rising every day.
According to Strategic Treasurer’s 2020 Treasury Fraud & Controls Report, more than 50% of respondents said they’ve been a victim of fraud – an increase of 50% over the past three years.
Business Email Compromise (BEC) and Ransomware: Consistent Threats
The fastest growing type of fraud is Business Email Compromise (BEC). Considered a low-touch activity, the fraud is essentially initiated by ‘one-click’ that can instantly send spoofing or phishing emails to a limitless number of employees across multiple businesses. With a reach that far and wide, it’s inevitable that unsuspecting people will fall prey to the false information.
Ransomware is another frequently automated threat on the rise. It maliciously encrypts data, denying a business access to a computer or data system until a ransom is paid or the data is decrypted. This threat is commonly delivered through email attachments that download to a computer. These schemes can be devastating, especially if the data is successfully stolen by the bad guy.
Crime Doesn’t Pay, or Does It?
Both of these crimes are highly automated, can reach a large audience simultaneously, and because of this have consistent success rates. Strategic Treasurer’s report found that 82% of those surveyed experienced BEC Fraud in the past year, of which 15% experienced a loss of funds. In the same survey, 21% reported attempts of ransomware attacks and 5% suffered some sort of loss due to it.
Although the survey found that larger companies are hit harder and more frequently due to a higher payoff, the ease and wide reach of automated attacks reiterate the fact that no business is safe.
In addition to financial damage and remediation efforts that are incurred as a result of fraud on a business, the compromised organization can suffer a damaged reputation and vendor relationships that can be hard to rebuild.
Prevention and Defense Tactics
It might seem like fighting fraud and staying on top of cybercriminals is complicated and expensive, especially for small businesses, but that’s not necessarily the case.
The most important prevention measure is relatively low in cost — the human element. A company’s employees are its biggest asset in the fight against fraud, particularly the attacks that utilize social engineering. Teaching employees to recognize the elements of a suspicious phone call or email; training them to call back customers on a phone number they trust; encouraging a heightened sense of awareness around unexpected emails with attachments and links – these are all measures that can be easily implemented at low to no cost to aid in the fight against cybercrime.
Implementing consistent trainings and sharing information about fraud attacks when they happen are key components to prevention and complacency. Organizations can also leverage educational investment by sending team members to fraud awareness conferences to bring back that knowledge and disseminate to other colleagues. The report found that training alone can reduce successful ransomware attacks fivefold. Lastly, establish a procedure to report suspicious activity and encourage employees to slow down interactions for additional due diligence when something doesn’t add up.
Another tactic emphasized is implementing a principle of least privilege, which is granting access to only the information a person needs to do their job duties. It was shown by 55% of organizations that applying this tactic lower losses. Equally important is establishing a process to remove access when someone separates from the business. On the software side, ensure antivirus and firewall software is up-to-date and set-up automatic updates. The most critical protection — taking advantage of multi-factor authentication (MFA) wherever offered.
Despite the ever-increasing threat organizations face from fraudulent attacks, these are some easy-to-implement and proven ways to stay ahead of the bad guys. Taking these steps can be highly effective against preventing a loss due to a fraud attack and can protect your reputation, setting you up for long-term success.
Chris Gerda is Risk and Fraud Prevention Officer at Bottomline Technologies