New telecommunication technologies may offer countless opportunities for small businesses, but they also offer cybercriminals many new ways to victimize your business, scam your customers and hurt your reputation. Businesses of all sizes should be aware of the most common scams perpetrated online. To protect your business against online scams, be cautious when visiting web links or opening attachments from unknown senders, make sure to keep all software updated, and monitor credit cards for unauthorized activity.
Train employees to recognize social engineering. Social engineering, also known as “pretexting,” is used by many criminals, both online and off, to trick unsuspecting people into giving away their personal information and/or installing malicious software onto their computers, devices, or networks. Social engineering is successful because the bad guys are doing their best to make their work look and sound legitimate, sometimes even helpful, which makes it easier to deceive users. Most offline social engineering occurs over the telephone, but it frequently occurs online, as well. Information gathered from social networks or posted on websites can be enough to create a convincing ruse to trick your employees. For example, LinkedIn profiles, Facebook posts, and Twitter messages can allow a criminal to assemble detailed dossiers on employees.
Teaching people the risks involved in sharing personal or business details on the Internet can help you partner with your staff to prevent both personal and organizational losses. Many criminals use social engineering tactics to get individuals to voluntarily install malicious computer software such as fake antivirus, thinking they are doing something that will help make them more secure. Fake antivirus is designed to steal information by mimicking legitimate security software. Users who are tricked into loading malicious programs on their computers may be providing remote control capabilities to an attacker, unwittingly installing software that can steal financial information, or simply being sold fake security software. The malware can also make system modifications that make it difficult to terminate the program. The presence of pop-ups displaying unusual security warnings and asking for a credit card or personal information is the most obvious sign of a fake antivirus infection.
Protect against online fraud. Online fraud takes on many guises that can impact everyone, including small businesses and their employees. It is helpful to maintain consistent and predictable online messaging when communicating with your customers to prevent others from impersonating your company. Be sure to never request personal information or account details through email, social networking, or other online messages. Let your customers know you will never request this kind of information through such channels and instruct them to contact you directly should they have any concerns.
Protect against phishing. Phishing is the technique used by online criminals to trick people into thinking they are dealing with a trusted website or other entity. Small businesses face this threat from two directions — phishers may be impersonating them to take advantage of unsuspecting customers, and phishers may be trying to steal their employees’ online credentials. Attackers often take advantage of current events and certain times of the year, such as:
- Natural disasters (Hurricane Katrina, Indonesian tsunami)
- Epidemics and health scares (H1N1)
- Economic concerns
- Major political elections
Businesses should ensure that their online communications never ask their customers to submit sensitive information via email, personal visits, or phone. Make a clear statement in your communications reinforcing that you will never ask for personal information via email, so that if someone targets your customers, they may realize the request is a scam. Employee awareness is your best defense against your users being tricked into handing over their usernames and passwords to cybercriminals. Explain to everyone that they should never respond to incoming messages requesting private information. If a stranger claims to be from a legitimate organization, verify his or her identity with the stated company before sharing any personal or classified information. Also, to avoid being led to a fake site, employees should know to never click on a link sent by email from an untrustworthy source. Employees needing to access a website link sent from a questionable source should open an Internet browser window and manually type in the site’s web address to make sure the emailed link is not maliciously redirecting to a dangerous site. This advice is especially critical for protecting online banking accounts belonging to your organization. Criminals are targeting small business banking accounts more than any other sector. If you believe you have revealed sensitive information about your organization, make sure to:
- Report it to appropriate people within your organization
- Contact your financial institution and close any accounts that may have been compromised (if you believe financial data is at risk)
- Change any passwords you may have revealed, and if you used the same password for multiple resources, make sure to change it for each account
Don’t fall for fake antivirus offers. Fake antivirus, “scareware” and other rogue online security scams have been behind some of the most successful online frauds in recent times. Make sure your organization has a policy in place explaining the procedure to follow if an employee’s computer becomes infected by a virus. Train your employees to recognize a legitimate warning message and to properly notify your IT team if something bad or questionable has happened. If possible, configure your computers so that regular users do not have administrative access. This will minimize the risk of them installing malicious software and reinforce that adding unauthorized software to work computers is against policy.
Protect against malware. Businesses can experience a compromise through the introduction of malicious software, or malware. Malware can make its way onto machines from the Internet, downloads, attachments, email, social media, and other platforms. One specific type of malware to be aware of is the keylogger, which tracks a user’s keystrokes. Many businesses are falling victim to key-logging malware being installed on computer systems in their environment. Once installed, the malware can record keystrokes made on a computer, allowing bad guys to see passwords, credit card numbers, and other confidential data. Keeping security software up to date and patching your computers regularly will make it more difficult for this type of malware to infiltrate your network.
Develop a layered approach to guard against malicious software. Despite progress in creating more awareness of security threats on the Internet, malware authors are not giving up. The malware research firm SophosLabs reports seeing more than 100,000 unique malicious software samples every single day. Effective protection against viruses, Trojans, and other malicious software requires a layered approach to your defenses. Antivirus software is a must, but should not be a company’s only line of defense. Instead, deploy a combination of many techniques to keep your environment safe. Also, be careful with the use of thumb drives and other removable media. These media could have malicious software pre-installed that can infect your computer, so make sure you trust the source of the removable media devices before you use them. Combining the use of web filtering, antivirus signature protection, proactive malware protection, firewalls, strong security policies, and employee training significantly lowers the risk of infection. Keeping protection software up to date along with your operating system and applications increases the safety of your systems.
Be aware of spyware and adware. Spyware and adware, once installed, will send pop-up ads, redirect you to certain websites, and monitor the websites that you visit. Extreme versions can track what keys are typed. Spyware can cause your computer to become slow and also leaves you susceptible to privacy theft. If you are subject to endless pop-up windows or are regularly redirected to websites other than what you type in your browser, your computer is likely infected with spyware. To remove spyware, run an immediate full scan of your computer with anti-virus software and, if necessary, run a legitimate product specifically designed to remove spyware. To avoid being infected with spyware, limit cookies in your browser preferences, never click on links within pop-up windows, and be wary of free downloadable software from disreputable sources.
Verify the identity of telephone information seekers. Most offline social engineering occurs over the telephone. Information gathered through social networks and information posted on websites can be enough to create a convincing ruse to trick your employees. Ensure that you train employees to never disclose customer information, usernames, passwords, or other sensitive details to incoming callers. When someone requests information, always contact the person back using a known phone number or email account to verify the identity and validity of the individual and their request.