Union Bank® for Business

Your Business and Cybersecurity

According to the Verizon 2019 Data Breach Investigations Report, 43% of data breaches affect small businesses. Due to their size, small businesses often do not have the resources to focus on cybersecurity, yet they still handle large amounts of business and consumer data. This makes them a prime target for cybercriminals. A cybersecurity or data breach incident can put an affected company out of business.

We’d like to help you.

Consider these 4 areas to help your business become more “cyber-secure”:

Be ready - Strategy and Policies

  • Set and enforce cybersecurity-related policies, such as proper usage of devices. Assess cybersecurity as a legal and business risk; discuss the subject with lawyers and insurance providers, as needed.
  • Create a plan in case of an incident: How to stop or mitigate an issue; how to solve it (employing outside expertise?); whom to report the incident to (authorities, industry regulator?); how to inform affected parties and manage consequences.
  • Use only reputable third-party services (e.g., banking, tax advisory), and technology vendors (e.g., Internet provider). Include cybersecurity as part of your third-party vetting process (e.g., ask about their cybersecurity and privacy-related measures, and establish liability, especially if the third party is handling sensitive or consumer information).
  • Invest in an IT and cybersecurity expert who keeps an inventory of your digital assets, manages software updates and users’ access to those assets on a “need-to-know basis,” and manages your external website if you have one.

Be protective - Devices

  • Protect all devices with antimalware and antivirus software, and back up your data. Keep all company software up to date with the latest versions and security updates.
  • Offer general IT and cyber training: Train employees to recognize signs of malicious software on their devices (e.g., sudden slowness). Educate employees to recognize fraudulent communications, such as malicious emails or text messages, and not to click on links or attachments or reply to them.
  • Create procedures that limit personal use of company devices, since general online browsing can unknowingly lead to malicious websites: Train employees to look closely at links before clicking, and to avoid clicking on shortened links. Prohibit downloading content for personal use on company devices.
  • Have policies for the use of personal devices for business reasons: Business-related tasks such as email can only be done on the company-approved app.
  • Cybersecurity and physical security are connected: keep devices locked and docked, protect access to facilities and secure paper records. Always shred documents when disposing of them.

Be secure - Networks and Online Accounts

  • Protect your network (e.g., with a firewall), and change the default network names and passwords to unique, hard-to-guess passwords.
  • Have a different network for customers or visitors from the one in which you conduct your business.
  • If your business has a website/app that processes payments or other sensitive information, make sure that traffic to it is encrypted (e.g., using the Transport Layer Security (TLS) protocol).
  • Secure all online accounts with lengthy, unique passwords and enable, wherever possible, some form of two-factor authentication, where the user must enter an additional code to access the account.
  • If your business leverages social media for marketing purposes, manage the security and privacy settings of the accounts. Be cautious with the type of information you share in those channels.

Be compliant - Data Privacy

  • Follow the regulations to protect data as required by your industry. If you hold any personal health information, for example, you need to follow the provisions of the Health Insurance Portability and Accountability Act (HIPAA).
  • Comply with local, national and even international data laws, such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR).
  • Set processes to keep data, particularly consumer, sensitive business, and payment information, secure. Use secure and reputable point-of-sale systems (lately they have been a target) and actively monitor issues.
  • For proper implementation of regulations, consider getting expertise from a compliance officer or auditor/lawyer with a specialization in privacy and digital data.

Protect yourself from Business Email Compromise

Business Email Compromise (BEC) is a sophisticated scam in which a cybercriminal sends an email that appears to come from a trusted source. In many types of BEC, the scammers use fraudulent information to trick companies into misdirecting financial transactions into accounts that the scammers control.

BEC continues to trend as a key cyber threat plaguing businesses, accounting for $1.7 billion in losses in 2019.

The 2021 Treasury Fraud & Controls Survey found that 86% of respondents viewed BEC as the most dangerous threat facing their organizations through 2021 and 2022. Clearly, it is a serious problem for companies and will remain so for the foreseeable future.

BEC Tactics Are Tough to Detect
Cybercriminals perpetrate BEC scams using several tactics. They can hack victims’ inboxes and use them to send fraudulent requests for payments. They can forge an email so it appears to come from a legitimate sender (a technique also known as ‘spoofing’). Or they can create a fake email account that is a close facsimile of the legitimate one (e.g., “internal.suppport@example.com” instead of “internal.support@example.com”) and then send a request in hopes that the recipient isn’t paying close attention. Any of these variations can be tough for victims to detect.

BEC threats also leverage deception and patience. Users may not immediately notice that their account has been compromised, giving cybercriminals time to study the organization and embed themselves into an existing communications flow. They may, for instance, learn the nuances of the CFO’s or CEO’s communications (e.g., their communication style, how they sign their name), then imitate those details so their fraudulent messages appear even more legitimate.

The target of a BEC attack may receive an email that displays the sender’s real name, title, function, the team they work on, corporate branding and their actual (or a very similar) email address, making the message extremely convincing.
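As an added example (not part of the Union Bank page), here is a small check a mail-handling script could run on the From: header to flag the lookalike addresses and display-name impersonation described above; the trusted contact directory, the distance threshold and the sample headers are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed trusted contact directory: display name -> address.
TRUSTED = {
    "Internal Support": "internal.support@example.com",
    "Jane Doe (CFO)": "cfo@example.com",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_from(header: str, trusted=TRUSTED, max_dist: int = 2) -> str:
    """Classify a From: header as trusted, lookalike, impersonation or unknown.

    - trusted: the address is exactly one in the directory
    - lookalike: the address is within max_dist edits of a trusted address
      (e.g. 'suppport' for 'support', a swapped or added character)
    - impersonation: a trusted display name on an address we do not know
    Anything flagged should be verified out of band (e.g. by phone), not by
    replying to the message.
    """
    name, addr = parseaddr(header)
    addr = addr.strip().lower()
    known_addrs = {a.lower() for a in trusted.values()}
    if addr in known_addrs:
        return "trusted"
    for known in known_addrs:
        if 0 < levenshtein(addr, known) <= max_dist:
            return "lookalike"
    if name and name.strip().lower() in {n.lower() for n in trusted}:
        return "impersonation"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, one per outcome.
    for hdr in ("Internal Support <internal.support@example.com>",
                "Internal Support <internal.suppport@example.com>",
                "Jane Doe (CFO) <jane.doe@freemail.example>",
                "vendor@partner.example"):
        print(f"{classify_from(hdr):14} {hdr}")
```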

Types of BEC
There are three main types of BEC:

  • Fake emails from the “CEO,” “CFO” or other senior executives are sent to victims asking for funds to be sent/wired to the criminal’s account
  • Criminals create invoices from fake companies, which are then sent to financial institutions for payment
  • Criminals impersonate a trusted individual (coworker, boss, etc.) and ask the victim to purchase gift cards (online or in-store) for a work event and send them to the cybercriminals

BEC techniques can also be used in conjunction with phishing attacks (malicious emails with the goal of tricking users into exposing sensitive information or interacting with malicious content like malware). A cybercriminal who hacks one user’s inbox may, for instance, exploit their access by sending phishing messages laced with malware to their victim’s contact lists.

Tips to Avoid BEC
So, what can companies and individuals who might be targets for BEC scams do to prevent them? Here are a few important tips to follow:

  • If policies are in place, employees responsible for wire transfers need to follow these internal policies (e.g., the same person who submits a wire transfer should not be able to approve wire transfers, set dollar amount limits on them, and/or validate beneficiary changes)
  • When receiving financial transaction/wire transfer instructions, employees should always validate (with a known source) the email address, dollar amount, recipients, etc.
  • Employees should always verify that the funds’ destination and amount are in line with the customer’s usual activity
  • Employees shouldn’t reply directly to the email sender regarding a wire transfer request; they should use email “forward” to avoid responding directly back to potential BEC perpetrators, or, better yet, pick up the phone and call their contact directly, as their email account may be compromised
  • Employees should be wary of emails that are urgent and create pressure to expedite processing of a financial transaction
  • Employees should reach out to a known contact to verify the email address of the sender if an email seems suspicious
  • Employees shouldn’t click on anything in an unsolicited email or text message asking them to update or verify account information. They should look up the company’s phone number on their own (not using the one a potential scammer is providing) and call the company to ask if the request is legitimate.
  • If anything seems suspicious, employees should alert their manager and/or bank immediately
  • Employees should be alert for emails requesting that they purchase gift cards. As noted above, BEC fraudsters have been reported posing as management to pressure victims into purchasing gift cards, claiming they’re for a work-related event. They actually want to steal the cards, which are easy to transfer and, in many cases, impossible to trace.

Suspected BEC attempts should be reported immediately to your financial institution; you should also contact your local FBI field office to report the crime, and file a complaint with the FBI’s Internet Crime Complaint Center (IC3).