By: Mike Maggs, President
Think that email from your boss actually came from your boss? You might be wrong.
These days, most of us are so buried in emails that it has become socially acceptable to ignore them—at least for a little while. Still, most people stand at attention when they get an email from their boss or another member of company leadership.
When an email from the CEO hits your inbox, your natural inclination is most likely to try to address the email as quickly as possible and, in many cases, without reservation, right?
That self-imposed, or even expected, sense of urgency is exactly what attackers count on, and it is a big part of why your email inbox is one of the most significant threats to your company.
Welcome to the era of scams.
Because Sentric is in a high-risk industry for these types of scams, our employees are always on high-alert. Still, practically no one is immune to the ever-evolving tactics employed by cybercriminals. A few of our employees have almost been misled by convincing emails from “Mike Maggs” asking for things from the innocuous “Got a moment? Give me your personal cell number as I need you to complete a task for me” to the more suspicious “Are you available to make a Wire Transfer? Get back to me as soon as you receive this.”
Another example that, at first glance, appears to have been sent from one employee to another:
Fortunately, in the examples above, our employees recognized the threat and took appropriate action to protect our business and our clients because we’ve educated Sentric staff about email fraud tactics.
Email fraud is a growing—and lucrative—industry.
According to the FBI, CEO email fraud is now a $12 billion scam. Between December 2016 and May 2018, the FBI uncovered a 136% increase in identified global exposed losses, with scams reported in all 50 states and in 150 countries.
The FBI calls this kind of email fraud Business Email Compromise (BEC) or Email Account Compromise (EAC):
“Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam targeting both businesses and individuals performing wire transfer payments.
The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct the unauthorized transfer of funds.
The scam may not always be associated with a request for transfer of funds. A variation of the fraud involves compromising legitimate business email accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees.”
Last December, the IRS issued a warning to watch for fake payroll direct deposit and W-2 related emails. According to the IRS, a range of industries, employers, and tax preparers are being targeted by business email spoofing.
“These email scams are often masked to look like they are coming from a company employee—often someone in a leadership role. The fake employee will request a change in his/her direct deposit information or W-2 information, and sometimes even provide a new account number (which, in reality, belongs to the spammer).” —Victoria Beppler, Marketing Specialist, Sentric
In the last month, authorities have observed a new spin on the classic BEC email, this time targeting HR. These messages try to trick HR personnel into changing an employee’s bank account and routing numbers to ones the fraudster controls. Once a paycheck lands in the attacker’s account, the company is usually left reimbursing the affected employee, and the employee is left dealing with a late paycheck.
In the past, spoofed emails were loaded with errors, making them easy to spot. Unfortunately, these latest attacks are harder to catch. As hackers have become more organized, they’ve also grown sneakier. The most recent attacks used email signatures gathered from legitimate accounts accompanied by unassuming and straightforward text. The goal of these emails is to trick the recipient into rerouting an employee’s payroll or downloading an attachment carrying malware.
And it works.
In the lead-up to tax day, many professionals were hit by a campaign distributing the TrickBot financial malware. The emails “spoofed” two leading payroll service providers to fool recipients into opening a malicious Microsoft Excel attachment that installed the malware, and the campaign succeeded in disrupting tax season for more than a few employees (and businesses).
Knowing that most employees are unlikely to say no to a request from leadership or another trusted source, criminals have found an easy way to gain access to data—and dollars.
Which brings us to my next point: while employees are the first line of defense against email fraud, they are also the weakest link. Regardless of the security measures you have in place, it takes just one mistake to create a significant problem.
This is where HR comes in.
It was once common practice to place the burden of cybersecurity exclusively on the shoulders of IT. I believe that HR must be involved because HR is now one of the primary targets of email fraud. Our HR department includes cybersecurity training and awareness in our onboarding and ongoing training programs and I think this has played a key role in protecting our business from scams.
What you can do.
Fraud is a scary thing, and it’s important that you take it seriously—but you don’t need to panic. Here are a few preventative measures that you can take to avoid email fraud:
- Train employees to be the first line of defense in your security risk prevention framework. This means educating them on the latest email fraud tactics as well as on malware and ransomware, and refreshing that training regularly rather than treating it as a one-time event.
- Keep sensitive requests out of the email inbox. Use collaboration tools for most, if not all, internal communication (this might have the added benefit of a productivity boost). The value here is that an outsider cannot simply spoof a message into your internal chat the way they can spoof an email; it is not a substitute for verifying a payment or payroll change, since a compromised account can send convincing messages on any channel.
- Build a culture of open communication to ensure employees feel comfortable voicing concerns if they notice something off-kilter.
- Work with IT to ensure that all devices, computers, and networks are running current software with security patches applied, and be sure that those systems have anti-virus software installed and are protected by firewalls. This includes your employees’ home computers and any devices used to access the company network or online applications.
- Make sure you and your employees use strong, unique passwords for their accounts and change them immediately if a compromise is suspected. Require them to be complex so they are difficult to guess, never reuse a work password on another site, and NEVER share passwords with ANYONE. Your password policies should not allow previously used passwords. Because Email Account Compromise starts with someone getting into a legitimate mailbox, turning on multi-factor authentication for email accounts is one of the most effective single steps you can take.
Additional reading: Schneider Downs published a great article discussing password complexity.
- NEVER share confidential information using email unless you are using encryption. Keep in mind that encryption protects the message in transit; it does not tell you whether the person asking for the information is who they claim to be.
- If you have to use email, train your employees never to open an unexpected attachment, even when it appears to come from a familiar name, and always to review the actual sender address (and the Reply-To address, if one is present), not just the display name shown to them.
- When in doubt, pick up the phone or stroll into the sender’s office to ask whether they actually sent the email in question. Use a phone number you already have on file, never one supplied in the suspicious email. A quick conversation can help you prevent a data breach. When deciding whether this is necessary, consider what the sender is asking you to do. Any email containing a link or a request that could result in the loss of information or money must be questioned.
“The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on e-mail alone.”—Martin Licciardo, special agent, FBI Washington Field Office
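The “check the real address, not just the name” advice above can be partly automated. The following is an added example (it is not Sentric code and is not taken from the original post) of the header checks a mail gateway or a help-desk triage script would apply to a suspected CEO-fraud message: a display name matching an executive while the address is outside the company domain, a sender domain that merely looks like the company domain, a Reply-To that silently points somewhere else, and wire-transfer or payroll language in the text. The company domain (example.com), the executive names and the three sample messages are all constructed for this illustration.

```python
"""Header red-flag checks for suspected BEC / CEO-fraud email.

Added example; the domain, names and sample messages below are constructed
and assumed for illustration, not taken from any real organization.
"""
import difflib
from email import message_from_string
from email.utils import parseaddr
from typing import List

COMPANY_DOMAIN = "example.com"            # assumed: your organization's mail domain
EXECUTIVES = {"mike maggs", "jane doe"}    # assumed: names an impostor is likely to use
KEYWORDS = ("wire transfer", "as soon as", "urgent", "direct deposit", "w-2")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain: str, target: str = COMPANY_DOMAIN, cutoff: float = 0.8) -> bool:
    """True when domain is NOT target but is close to it (e.g. examp1e.com vs example.com)."""
    if not domain or domain == target:
        return False
    return difflib.SequenceMatcher(None, domain, target).ratio() >= cutoff


def check_headers(raw_message: str) -> List[str]:
    """Return human-readable red flags found in a raw RFC 822 message (empty list = nothing odd)."""
    msg = message_from_string(raw_message)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # 1. Display name claims to be an executive but the address is not ours.
    if name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append(f"display name '{name}' but sender address is {addr}")

    # 2. Sender domain is a near miss of our own domain (typosquat, extra hyphen, digit for letter).
    if lookalike(from_domain):
        findings.append(f"sender domain {from_domain} looks like {COMPANY_DOMAIN}")

    # 3. Replies would go to a different domain than the one the mail claims to come from.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(f"Reply-To {reply_to} does not match From domain {from_domain}")

    # 4. Money / payroll / urgency language in the subject or a plain-text body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + str(body)).lower()
    hits = [k for k in KEYWORDS if k in text]
    if hits:
        findings.append("urgency or payroll keywords: " + ", ".join(hits))

    return findings


# Constructed sample messages (not real mail).
SPOOFED = """From: Mike Maggs <mike.maggs@gmail.com>
Reply-To: ceo.office@mail-example.net
To: payroll@example.com
Subject: Are you available to make a Wire Transfer?

Get back to me as soon as you receive this.
"""

LOOKALIKE = """From: Mike Maggs <mike.maggs@examp1e.com>
To: hr@example.com
Subject: Direct deposit change

Please update my direct deposit to the account below before Friday payroll.
"""

LEGIT = """From: Mike Maggs <mike.maggs@example.com>
To: staff@example.com
Subject: Lunch on Thursday

Team lunch is at noon Thursday, see you there.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        flags = check_headers(sample)
        print(f"{label}: {'no red flags' if not flags else ''}")
        for flag in flags:
            print("  -", flag)
```

These checks catch the crude impersonations (free-mail senders, lookalike domains, mismatched Reply-To); they do not catch a genuinely compromised internal mailbox, which sends from the real address and passes every header test. That is why the out-of-band phone call in the list above remains the control that matters for any payment or payroll change.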
How Sentric protects data.
Protecting client data (and our own information) is a significant aspect of what we do both within the SentricHR platform as well as in our physical spaces. Here’s how we do it:
- SOC 1 Reports.
As an HR software and payroll service provider, we consider data and privacy protection to be of vital significance. As part of our commitment to data security, we maintain the controls covered by a SOC 1 Type 2 report. SOC 1 reports are issued under the Statement on Standards for Attestation Engagements 18 (SSAE 18) and center on the controls at a service organization that are relevant to the audit of a customer’s financial statements. Sentric is responsible for the services we provide and for the security and confidentiality of sensitive data, and the SOC 1 report gives our customers and their auditors independent, transparent evidence of the specific controls Sentric has implemented.
- Employee background checks.
This should go without saying, but it’s good practice to ensure that your employees are trustworthy before they are hired. The unfortunate reality is that many threats originate from inside a business. With this in mind, Sentric conducts detailed background checks as part of the process of evaluating both new and existing employees.
- 24/7 security monitoring.
Sentric makes use of a Palo Alto Networks firewall that flags suspicious incoming connections, and we work with the Blue Bastion division of Ideal Integrations, a 24/7 monitoring service that hosts, and has direct access to, our servers. The Blue Bastion team uses Guardicore, a product that flags suspicious connections between systems. When they spot something odd, the team jumps into action to contain it before it becomes an incident. We also use AlienVault (an internal monitoring and threat detection layer) and Carbon Black Defense (endpoint protection installed on individual machines) to further insulate ourselves and our customers from potential security issues.
- Network and application penetration testing.
We hire outside professionals to test periodically for security weaknesses. They examine our security layers in several ways: network testing of our externally facing IP addresses to identify exposed paths of entry, manual testing (a person attempts to break into our systems the way a real attacker would), and tool-based testing (automated scanning with the same tools attackers use to probe networks). This partner also looks for unpatched servers and tests from inside our network to find the weaknesses an insider or an already-compromised machine could exploit.
- Physical controls within our offices.
At Sentric, our physical office spaces are contemporary, bright, comfortable, and open. We strive to provide our employees with a workspace that inspires collaboration and excellent work. While our offices don’t look like Fort Knox, they are secure. Cabinets and storage holding critical data and systems are locked (where there is paper, it is secured) and accessible to a select few. We use fobs to control who has access to our workspaces and track every visitor.
The tactics hackers use to steal data are ever-changing. Because of this, it’s essential to provide ongoing education to keep your employees on top of the latest threats. We regularly provide formal and informal training to keep our employees updated and to ensure the security of client data. Remember, your employees are the first line of defense and your weakest link.
- A culture of transparency.
The success of internal security controls and training depends on your business’s culture. I’m proud of the culture of transparency we’ve built at Sentric. I hope that every employee within our organization will, without hesitation, feel comfortable picking up the phone or walking into my office if they receive a suspicious email claiming to come from me or any member of leadership.
It’s not if, but when.
Unfortunately, it’s not a matter of whether or not you will be confronted with a cybersecurity issue. For most businesses, it is a matter of when. Through the adoption of technology, ongoing education, and open lines of communication between IT, leadership, Human Resources, and employees, the potential for exposure will be significantly reduced.