Cybersecurity issues continue to ramp up and are now being discussed by Congressional leaders and President Obama with an eye toward encouraging more cooperation between private sector companies and public sector agencies.
The director of the Federal Bureau of Investigation, James Comey, has also weighed in on the issues. Some of his recent comments compared the Internet to a dangerous parking lot: “If you were crossing a mall parking lot late at night, your entire sense of danger would be heightened. …Folks are wandering around that proverbial parking lot of the Internet all day long, without giving a thought to whose attachments they’re opening, what sites they’re visiting. And that makes it easy for the bad guys.”
Comey adds, “When someone sends you an email, they are knocking on your door. And when you open the attachment, without looking through the peephole to see who it is, you just opened the door and let a stranger into your life.” That attachment might take over the computer, lock it, and then demand a ransom payment.
Computer users are generally considered “the weakest link” in a cybersecurity system because many users are not getting the message about the dangers of email scams, social engineering or phishing schemes.
“All it takes is for one person to inadvertently click on the wrong hyperlink or attachment to expose the computer and network to viruses, malware, ransomware, and a potential breach of security,” according to NAS Insurance Services. “Managing data security risks means training staff members and raising their awareness of the dangers. Few effective technical security controls exist that can defend against clever phishing attacks. Often the best solution is to provide periodic training on policies, procedures, regulatory changes, and best practices.”
We should also be aware that some scams are so sophisticated that law firms and other businesses have been bilked out of millions of dollars and bank personnel have been duped by scammers mimicking legitimate businesses. Fraudsters produce high-grade counterfeit checks and set up telephone lines as tools to facilitate the most successful scams.
Hacked Email/Voicemail
Email accounts are often compromised through schemes that revolve around actual details in the user’s life, such as a scheduled event, travel plans, or user interests. In some cases, voicemail and email accounts have been hacked and commandeered by a scammer who sent fraudulent messages from a legitimate email account. Sometimes the user will have his or her voicemail messages delivered to an email account, enabling a hacker to receive and confirm both voicemail and email messages. (See War Story 102 in IMPACT 102.)
It is prudent to check senders’ email addresses, and to check the web addresses of links by hovering over the links with the cursor without clicking on them.
Social engineering often relies on social media sites to deceive and manipulate people into performing actions or divulging confidential information. Fraudsters often attempt to acquire sensitive information by masquerading as a trustworthy entity in email, website or instant-messaging communications to unsuspecting recipients. Sometimes the hacker’s attack is aimed at redirecting a website’s traffic to a bogus website.
As security tools become more sophisticated to prevent such attacks, the attackers become just as sophisticated. The main rule of thumb is: Do not open attachments or links if the email is suspicious or questionable. Be sure to use email spam filtering services from a reputable company that is constantly improving its spam filter engines.
Email requests for wire transfers should be verified by phone calls directly to the client by someone who knows his or her voice. Never rely on phone calls to unknown parties whose voice you don’t recognize—scammers sometimes set up phone lines controlled by the scammers.
Predetermined dollar thresholds and procedures should be agreed upon for having a firm partner approve a check or transfer. Also consider whether both spouses should be notified when working with a spouse approving fund disbursements and transfers.
Encryption
Encrypting client data will help ensure its protection from hackers and thieves. The three basic areas include hard-drive encryption, data encryption, and file encryption.
Remote Mobile Device Security enables a user to prevent access to protected files in the event a computer has been lost or stolen. Protected files are encrypted, and the application periodically authenticates the identity of the user. Certain programs will track mobile devices when they are connected to the Internet.
Safeguards that protect without user involvement appear to be most effective in reducing vulnerabilities. Encryption policies and other protective actions can be managed by the firm or by a third-party managed service provider (MSP). Both approaches should protect the organization independently of the end-user, and should work whether the computer is online or offline.
Some services are available by online subscription, without the need to purchase or support hardware or software infrastructure. For example, Beachhead Solutions (www.beachheadsolutions.com) offers multiple options online. CAMICO offers its policyholders a 10 percent discount on services from Beachhead Solutions.
More tips, tools and information can be found on the Identity Theft and Data Security Resource Center and the Fraud Resource Center, located on the CAMICO Members-Only Site (Click Here to Log-in).