Remember when you first got one of those emails from Nairobi looking for your account information so that a long-lost relative could send you an inheritance? Boy, have the schemes and scams gotten more sophisticated in recent years. The scammers out there are making their electronic communications through email and other media look more and more authentic each day. Fake emails (and phone calls for that matter) are asking you to provide information to your credit card provider; emails from the ‘CEO’ are asking for you to forward sensitive information to him or another party; and others keep asking for money to be wired to a ‘vendor’ with the requestor promising to provide the support when he/she gets into the office.
Unfortunately, many folks have fallen victim to these scams; scams that are appearing in our email boxes every day. We have heard first-hand many stories of middle-market companies falling prey to the wiring scam – and have experienced several attempts on our firm as well.
As we become more and more dependent on technology, we need to take care to slow down, think about what we are doing, follow established protocols, and use a little bit of common sense coupled with skepticism.
Many organizations, including mine, have implemented information security training and routine internal phishing efforts to keep our folks on their toes. If an employee responds to one of our internal phishing attempts, they get to repeat the training. So far, this has been an effective preventative measure. Just yesterday, a hacker emailed several of my folks with an urgent request for assistance that needed to be completed before they got to the office. The sender was looking for someone to communicate and, ultimately, go to a store to buy thousands of dollars of iTunes cards to send to a ‘client’. Several of my folks called/texted or separately emailed me to let me know of the scam or ask if this was really coming from me. Unfortunately, a couple of folks did go a second round of email exchange with the scammer – that’s how we know what he wanted. This situation reminds us that we cannot let our guard down, and we will continue to provide training and information on cybersecurity.
Here are a few tips to consider and pass along to those in your organization:
1. Change passwords regularly. Yes, this can be a pain with the number of places we all use passwords these days, from our home computers to office hardware and applications to numerous social media and online shopping sites. Changing passwords regularly, and not using the same one everywhere, will make it more difficult for a scammer to get access to any of your accounts and collect more of your personal or business data. You should also seek to use passwords of suitable strength.
2. Be trained and provide training about the red flags to recognize fake email. Some simple things to look for include:
Unusual email addresses – sources that do not match or use the address conventions of the purported sender.
Greetings, closings and other language used in the body of the email that just don’t sound like the sender you know.
Grammatical and spelling issues.
Outdated logos, inaccurate logos – or even the lack of a logo that might normally appear in a sender’s communication.
Requests that seem out of the norm. Anything unusual should be subjected to a subsequent approval not using the initial communication method. An old-fashioned phone call may be in order or a new text using an established string with the “sender”, especially if the request is to send data, money or other assets to outsiders. Yes, text numbers can be spoofed too.
Don’t click on links in emails until you verify your source.
Don’t fall prey to requests from a bank or credit card company for you to supply information such as your social security number and bank account information – they already have it! Even if you think the request is real, the best course of action is to contact your financial institutions directly.
3. Use anti-virus software and keep it up to date.
Limit what you share in the way of personal information on social media. Think twice about sharing extensive personal information, or your vacation photos while on vacation! Wait till you get back.
Be wary of open WIFI networks and platforms/websites that are not secure. It is oh so convenient these days to hop on WIFI networks we discover at coffee shops, retail outlets, gas stations – and even on airplanes. Be wary of these sites – especially the ones that tell you straight away that they are “open” or “not secure.” Care should be taken when using these connections, especially when you are transferring sensitive data. When you are online, look for the websites that have an address starting with “https” vs. “http”. That extra ‘s’ tells you the site has additional security protocols to protect you and your data.
4. Don’t let your guard down when using your mobile device. The speed and power of today’s mobile phones, our desire to respond quickly to requests, and our propensity to multi-task all can serve to gang up on you and create a situation where you lose focus.
And the final step… start back at #1 and repeat, repeat and repeat.
Slow down, be aware and protect your information. Be vigilant and let your only fishing success be at the lake with a rod!
Wayne R. Pinnell, CPA, is a founding member and serves on the advisory board for the Center for Business Growth. Wayne has over 30 years serving business owners in his public accounting career. He is managing partner of Haskell & White, LLP, one of the largest independently owned accounting, auditing and tax consulting firms in Southern California, servicing public and private middle-market companies. Wayne consults with a number of companies on their general business operations including workflow, waste reduction, strategy, and growth/profit initiatives. He can be reached at WPinnell@hwcpa.com or 949-450-6200.