Cyber crime today: not if, but when

Published on November 9, 2019 | Laurance A. (Larry) Selnick

What would you do if a stalker followed you home from work every day for six months?

YouÕd take actionÑand you wouldnÕt wait six months. But inside your computer, it could be happening right now.

LetÕs say your admin gets an email from your address:

Hey Sammy: IÕve got a meeting with Jules at ABC Accounting in about an hour. Would you please shoot me the employee W-2 files? Thanks!

Samantha thinks itÕs from you. She fires off the file. And in minutes, all that privileged data is up for sale on the dark web.

How did the cybercriminal know that you call Samantha ÒSammy?Ó Or the name of your CPA and his firm? Or when you might be out of the office, opening a window of sneaky opportunity?

The thief has been hunkered down in your computer system for months, reading your email, noting important details, and crafting a crime using social engineering: manipulating the trust and responsiveness of the people who work for you.

CNN reports: ÒIn the last 10 months, 140 local governments, police stations and hospitals have been held hostage by ransomware attacks.Ó

The question isnÕt if youÕll be hit by a cyber crime. ItÕs whenÑand how much will the damage cost you?

Helping businesses avoid cyber fraud is a top priority at Webster Bank, although the solutions go far beyond the bank. We believe that awareness, education and readiness are crucial, as demonstrated through services like Positive Pay. This review of the current threatsÑand suggested best practicesÑcan help you stay on top of the ever-evolving risks.

IT solutions experts weigh in.

I asked three IT specialists about the cybersecurity landscape today: Michael Gray, chief technology officer of Thrive Networks in Foxboro, MA; Daniel F. Charland, founding partner of NetCenergy of Cranston, RI; and Jim Parise, president of Kelser Corporation in Glastonbury, CT. Their companies are on the front lines of cyber crime.

ÒWe have seen an unprecedented rise in business email compromise and supply chain fraud,Ó reports Michael Gray. ÒCustomers are being impersonated by false personas and vice versa with vendors. It’s social engineering matched with simple email hacking that is very sophisticated.Ó

ÒOne of the most common issues clients face is ransomware attacks,Ó notes Jim Parese. ÒCyber criminals have effectively weaponized email and code on websites that capitalize on employeesÕ vulnerability.Ó

ÒOrganizations that have sensitive data have the most to lose,Ó says Daniel F. Charland. ÒHealthcare, legal service organizations and accounting firms are at the top of the list. The most common thread of attack is usually aimed at the general users or employee. Therefore, awareness training is critical. Remember that someone must open the door to let them in!Ó

Meet the new breed of cyber thief.

TodayÕs cyber criminals arenÕt 14 year-old hackers from Eastern Europe or semi-literate princes searching for long-lost beneficiaries. TheyÕre super-sophisticated business people whose full-time job is finding devious new ways to crack your data.

Banks have made life tougher for these thieves, with ever-evolving protocols to head off new attempts at cyber crime. Therefore, the bad guys have turned their focus on easier prey: the businesses themselves.

Of course, data breaches at giants like Anthem, Target or Equifax make the headlines. But some of the most prevalent crime never gets the same attention: attacks on small-to-mid-sized companies.

Why big thieves think small.

ÒWe’ve seen more and more small businesses being targeted, especially those where senior leadership wears multiple hats,Ó says Thrive NetworkÕs Michael Gray. ÒThey are taking advantage of the hectic lifestyle of a small business owner. The attackers have also learned that emerging businesses have less controls than an enterprise.Ó

Kelser CorporationÕs Jim Parise agrees: ÒSmall and midsized companies across all industries are at much greater risk today than previously. Cyber criminals recognize that many smaller organizations typically do not have the resources that large enterprises do to secure their environment or have not taken steps to secure their data. This makes them potentially an easier target.Ó

Small business owners may not have the highly specified knowledge needed to address the issue adequately. Their staff doesnÕt have the training necessary to spot fraud. Or worse, all too often, they assume ÒIt canÕt happen to me.Ó

It canÑprecisely because thatÕs the mindset the hackers are counting on.

Business owners may think cyber crime is an IT problem. ItÕs not. ItÕs a business problem. A data breach is a breach of trust with your customersÑone that costs American companies $400 billion a year, according to inc.com.

ÒThe most common failure we seeÓ

NetCenergyÕs Daniel F. Charland says,ÒThe most common failure we see is the lack of an appropriate and tested Disaster Recovery Plan. You can have the technology in place, but if you do not have an organizational plan that explains who, what, where, and how users access the systems, then your systems may take much longer to recover. This can result in financial and reputational losses.Ó

What can you do about it?

The experts agree: Up-to-date knowledge and heightened awareness are keyÑfor staff, for vendors and for the partners in your business.

ÒThe reality is you do not need to be a large company to implement basic steps that will make your data more secure,Ó says Jim Parise. ÒTraining employees, web filtering, robust antivirus/malware, offsite data backup, next-gen firewalls and device monitoring are all within the means of most organizations.Ó

Daniel F. Charland highlights these priorities as essential: ÒUser education, email protection tools, system and file recovery capability, and tested and documented Disaster Recovery Plans.Ó

Michael Gray recommends best practices includingÒproactive training through a learning management system as well as mock phishing attacks. Tracking logins to email systems from foreign countries has proven to be very effective. Lastly, a mock security incident, typically referred to as a tabletop, can be very effective with internal non-technical teams.Ó

Some companies even use the services of an ethical hackerÑa cyber expert who thinks like a bad guy but uses that knowledge to help protect businesses. (Some, like Frank ÒCatch Me If You CanÓ Abagnale or Kevin Mitnick, are reformed fraudsters themselves.)

Fighting cyber crime today requires an investment in specialized expertise and a commitment to ongoing training. Both are minimal, compared to the staggering risks of a data breach.

Low and high tech solutions.

Hand in hand with vigilance comes technology. Some of the best solutions are low-tech: confirming transactions and messages through a phone call. Simple, fast and effective.

From a banking standpoint, companies also benefit from services that give you important status updates for your transactions: for example, Positive Pay services to warn you about potential check or electronic debit fraud, or alerts to report account activity you need to double-check.

We recommend a more detailed review of your account set-up and cash-flow processes to mitigate the impact of cyber fraud. Please contact me or the treasury solutions officer at your local Webster branch to review the best practices weÕve learned and shared with clients.

Cyber awareness is a leadership mindset that managers need to instill in all staff, partners and providers. Webster can help by offering our Cyber Fraud Awareness program to your management team or trade association.

Start with our Fraud Awareness Checklist; just email me to receive your copy.

Everyone in your businessÑfrom finance and accounting to marketing and operationsÑshould feel empowered to recognize the threat of cyber crime. That way, you can stop it in its tracks.

Laurance A. (Larry) Selnick, CTP, Director, Treasury and Payment Solutions Sales, at Webster Bank has nearly 40 years of experience in cash management systems and bank operations.

The opinions and views in this blog post are those of the authors, and are not intended to provide specific advice or recommendations for any individual. All loans are subject to the normal credit approval process.
The Webster Symbol is a registered trademark in the U.S.
Webster Bank, N.A. Member FDIC. Equal Housing Lender.
© 2019 All rights reserved. Webster Financial Corporation.