It is officially European Cybersecurity Month (ECSM) – the EU’s annual campaign dedicated to promoting cybersecurity among citizens and organizations through awareness raising and sharing of good practices. The motto of this year’s campaign is ‘Think Before U Click’, and a key theme explored by ECSM 2020 is cyber scams and the dangers they pose to individuals and businesses.
As criminals refine their tactics, internet scams continue to evolve and can vary widely – from phishing to business email compromise, and online shopping fraud. It is critical to be wary of cyber scams when conducting business and personal transactions online – anyone can fall victim to a refined scam.
A variety of scams – beware
So, what are some prevalent types of scams that are targeting businesses, and what should employees look out for? One common way in which criminals will target a business is through fake executive requests to staff. This is the impersonation of executives where, for example, it appears that a member of the company management has asked an employee to purchase gift cards, then send the codes to be passed on to clients. Scammers could also ask for a wire transfer or personal information.
Criminals have also been running HM Revenue and Customs (HMRC) phishing scams, asking businesses to pay ‘fines’ under expedited conditions to avoid additional fines. Remember, according to HMRC, you will never be contacted by email, text message or phone call regarding a tax rebate or penalty, or asked for your personal or payment information.
Another way in which criminals have been targeting businesses is through Companies House scams. This is when businesses are contacted by someone claiming to be from Companies House, requesting details of their company’s directors, including the directors’ full dates of birth and addresses. Again, remember that Companies House will not contact you by telephone to ask for secure information.
Lastly, be aware of COVID-19 scams, which are still prevalent. This type of business grant fraud offers additional money to firms under the guise of COVID-19 grants. However, if it seems too good to be true, it probably is.
In addition to these scams, when it comes to the financial industry, criminals have been misusing tools such as Cobalt Strike in advanced persistent attacks, resulting in a significant increase in ransomware targeting private equity firms and their portfolio companies. In September 2020, “Leak Sites” on the dark web began advertising remote access credentials for financial institutions in the UK, further evidence that these advanced attacks are occurring in financial services.
Practical tips to stay a step ahead
So, how can you avoid falling victim to fraud or a scam?
- Always verify payment or bank account information through a secondary means such as a phone call to an already known number, not a number offered by the potential scammer.
- Pay attention to misspelled domain names and incorrect addresses when you reply to an email. If in doubt, always get assistance from the cybersecurity or IT team at the company.
- Beware of misplaced urgency. Criminals will often make urgent requests, so avoid actioning or rushing based on the tone of the message requesting money or changes to accounts. If something seems suspicious, make a phone call to confirm, even if it means contacting the CEO and his or her team.
- Do not click on links sent via SMS/text message. If a text is business related, make use of your corporation’s web filters, and check the links with the cybersecurity and IT team.
- Pay particular attention to out-of-place behaviour or content in emails from colleagues and other internal staff, and always make sure to look out for ‘external email’ warnings on messages that should be internal.
- Focus on the company’s vendor and employee cybersecurity training program. Anyone who has access to sensitive corporate data must have equivalent training. Remember, if third parties and employees don’t know how to recognize a security threat, they won’t be able to avoid it, report it or remove it.
Security threats and scams are evolving and are becoming more sophisticated, so beyond employing an expert cybersecurity team and deploying security tools, platforms and software, businesses must also pay attention to the human element of the cyberthreat. To best protect your business, continually educate yourself and your team on prevalent cyber threats and consult with cybersecurity experts. Only then will you be able to avoid falling prey to a cyber scam or attack.