Cybersecurity and Identity Theft Useful Practices
Cyberattacks are an unfortunate aspect of the modern world, but taking proper steps to protect yourself and your accounts can help ensure you, your company or your loved ones don't suffer because of one.
Below, you'll find tips from experts about how cyberattacks may happen, how individuals and businesses can try to prevent them and how to respond to a successful attack.
Social Engineering
Social engineering exploits human weaknesses to gain access to personal information and protected systems using manipulation, influence and deceit.
Examples of social engineering include:
- Phishing emails: Messages designed to trick users into providing attackers with personal information.
- Spear phishing: Phishing messages that target a specific person or business.
- Smishing: The act of using text messaging to harvest sensitive information, often using malicious links.
- Vishing: The act of calling a person and enticing them to provide sensitive information.
Sandi Holton, director of member services at LibertyID, pointed out that these attacks have one thing in common: They try to prey on a person's trust or instincts to extract information from them.
According to Michael Sohn, supervisory special agent with the FBI Los Angeles Cyber Task Force, social engineering is so common because it's the easiest type of attack. Besides being fast, social engineering is low-cost because it takes advantage of publicly available information.
Social engineering causes:
- Loss of data.
- Loss of funds.
- Access by bad actors to sensitive or proprietary information.
- Stolen email accounts.
- A negative impact on a company's brand and reputation.
Learning how to identify social engineering is one of the best ways to prevent it. Specifically, there are red flags people can learn to identify and report. Sometimes, a social engineering attack will exhibit many of these red flags. Other times, a single red flag could be the only sign a person gets that something is wrong.
Signs of social engineering include:
- Unsolicited messages.
- Unexpected or unusual requests.
- Requests for sensitive information.
- Misspelling, unusual phrasing and strange terminology in messages.
- Messages with mysterious links, files, or username and password requests.
- Offers of gifts or prizes from well-known companies.
- Unsolicited survey requests from known companies.
- Unexpected bills or invoices from major companies regarding annual subscriptions.
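The red flags listed above can be turned into a simple first-pass triage check. The following is an added example, not code from the article or from any of the people quoted in it: it scans constructed sample messages for the listed signs (credential requests, prize offers, unexpected subscription invoices, pressure to act quickly, survey requests, and links to hosts outside the domains you expect) and reports every sign found, since the article notes that a single red flag may be the only warning. The trusted-domain list and the sample messages are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for illustration only; not taken from the article.
SUSPICIOUS = {
    "from": "IT Support <helpdesk@secure-login-verify.example>",
    "subject": "URGENT: your mailbox password expires today",
    "body": ("Confirm your username and password within 24 hours at "
             "http://secure-login-verify.example/reset or lose access. "
             "You have been selected for a $500 gift card!"),
}
INVOICE = {
    "from": "Billing <noreply@antivirus-billing.example>",
    "subject": "Your annual subscription has renewed",
    "body": "Invoice #88213: $349.99 was charged. Reply within 24 hours to dispute.",
}
BENIGN = {
    "from": "Alice <alice@example.com>",
    "subject": "Notes from today's meeting",
    "body": "Notes are on the shared drive at https://intranet.example.com/notes. Thanks!",
}

# One pattern per warning sign from the article's list. Word boundaries keep
# short words such as "pin" from matching inside longer words like "shipping".
SIGNS = [
    ("asks for credentials", re.compile(r"\b(password|username|social security|account number|pin)\b")),
    ("prize or gift offer", re.compile(r"\b(gift card|prize|you have been selected|winner)\b")),
    ("unexpected invoice", re.compile(r"\b(invoice|annual subscription|renewal|auto-renew)\b")),
    ("pressure to act fast", re.compile(r"\b(urgent|immediately|within 24 hours|suspended|expires today)\b")),
    ("unsolicited survey", re.compile(r"\b(survey|feedback form)\b")),
]
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def is_trusted(host, trusted_domains):
    """True if host is one of the expected domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted_domains)

def red_flags(msg, trusted_domains=("example.com",)):
    """Return the warning signs found in one message (empty list = none found)."""
    text = f"{msg['subject']} {msg['body']}".lower()
    flags = [name for name, pattern in SIGNS if pattern.search(text)]
    # "Mysterious links": any URL whose host lies outside the domains we expect.
    for url in URL_RE.findall(msg["body"]):
        host = (urlparse(url).hostname or "").lower()
        if not is_trusted(host, trusted_domains):
            flags.append(f"link to untrusted host {host}")
    return flags

def triage(messages, trusted_domains=("example.com",)):
    """Map each subject to its flags; any non-empty list is worth reporting."""
    return {m["subject"]: red_flags(m, trusted_domains) for m in messages}

if __name__ == "__main__":
    for subject, flags in triage([SUSPICIOUS, INVOICE, BENIGN]).items():
        print(f"{subject!r}: {'REPORT: ' + ', '.join(flags) if flags else 'no red flags'}")
```

Keyword matching of this kind only catches the obvious cases; its value is in prompting a person to stop and report, not in replacing their judgement.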
Email Compromise
Email compromise occurs when an attacker gains access to email accounts used for conducting business with clients, partners, financial services and more. Email compromise is particularly dangerous because it enables an attacker to appear as a trusted individual or company to others.
Attackers can gain access to emails through:
- Malicious links such as fake gift card offers.
- Fake package tracking numbers.
- Falsified antivirus invoices.
Email compromises are one of the most financially damaging types of cyberattacks. Like phishing, an email compromise exploits human trust. However, it has the added disguise of appearing as an email from a trusted source such as a colleague, partner or manager — making a successful email compromise a potential source of rapid and catastrophic damage.
Ransomware
Ransomware is malicious software that identifies critical data, attempts to copy it and then encrypts it so a victim can no longer use it until they pay the attacker a fee. In some instances, the attacker might threaten to destroy the information after not receiving a payment. In other cases, the attacker will take control of private files and threaten to publish them if the victim doesn't meet their demands.
According to Sohn, the FBI does not support the payment of ransoms during ransomware attacks. The bureau's lack of support for ransom payment is because nothing guarantees that attackers will honor their part of the deal. In many cases, attackers increase their demands after seeing that a victim is willing to pay. Instead, the FBI encourages victims to report ransomware attacks as soon as possible after discovering one has happened.
Cyber and Business Process Hygiene
Cyber and business process hygiene is the term used to describe any actions companies should take to prevent, detect and respond to cyber threats. This concept has three important components: people, processes and systems. Companies should have processes that make cyberattacks difficult. Their people should be aware of their responsibilities, and their systems should be constantly updated and secured, using safety features such as multi-factor authentication.
Additionally, segregating duties is an important aspect of cybersecurity. For example, someone working in accounts payable should not be confirming a transaction alone. Instead, supervisors and managers should be part of the process to ensure fraud isn't occurring.
Good cyber business process hygiene habits include:
- Avoiding complacency that attackers can exploit.
- Always using multi-factor authentication.
- Regularly backing up data.
- Patching and updating systems to fix vulnerabilities.
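The segregation-of-duties rule described above (no one in accounts payable confirms a transaction alone) can be enforced in software as a dual-control check. The following is an added example, not code from the article or from City National: a payment must be initiated by an accounts-payable clerk and approved by a different person holding a supervisor or manager role before it can be released, and every step is recorded in an audit trail. The role table and user names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed role table; in practice this would come from the HR or IAM system.
ROLES = {"carol": "ap_clerk", "dan": "ap_clerk", "maria": "ap_supervisor", "ken": "manager"}
APPROVER_ROLES = {"ap_supervisor", "manager"}

class ControlViolation(Exception):
    """Raised when an action would bypass dual control."""

@dataclass
class Payment:
    payee: str
    amount: float
    initiated_by: str
    approved_by: Optional[str] = None
    audit: List[str] = field(default_factory=list)

def initiate(payee, amount, user):
    """Only an accounts-payable clerk may enter a payment."""
    if ROLES.get(user) != "ap_clerk":
        raise ControlViolation(f"{user} is not authorised to initiate payments")
    payment = Payment(payee, amount, user)
    payment.audit.append(f"initiated by {user}")
    return payment

def approve(payment, approver):
    """A different person with an approving role must confirm the payment."""
    if approver == payment.initiated_by:
        raise ControlViolation("initiator cannot approve their own payment")
    if ROLES.get(approver) not in APPROVER_ROLES:
        raise ControlViolation(f"{approver} lacks an approving role")
    payment.approved_by = approver
    payment.audit.append(f"approved by {approver}")
    return payment

def release(payment):
    """Funds leave only when initiator and approver are distinct people."""
    if payment.approved_by is None or payment.approved_by == payment.initiated_by:
        raise ControlViolation("dual control not satisfied")
    payment.audit.append("released")
    return True

def violates(action, *args):
    """True if the control blocks the action; handy for review and testing."""
    try:
        action(*args)
        return False
    except ControlViolation:
        return True
```

Because a single compromised clerk account can neither approve nor release its own payment, this control limits the damage from the email-compromise scenario described earlier.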
Creating a Cybersecurity Incident Response Plan
While companies and individuals can take every precaution to prevent attacks, it's still essential to have a plan should one breach lines of defense. While cybersecurity practices are important, Holton stressed that every person and business should prepare for a worst-case scenario.
Components of a cybersecurity incident response plan include:
- An internal notification process.
- Having a secondary communication system.
- Ensuring that your response team is reachable after hours.
- Clear investigative steps.
- A plan to communicate breaches with employees, clients and customers.
- Outlining response requirements.
- Knowing how to contact law enforcement.
- A process for restoring from backups.
- Having adequate cyber insurance coverage.
- Contacting law firms, insurers and other companies before a breach to establish a plan.
Holton also stressed that requirements for handling a cyberattack differ from state to state, so checking local cybersecurity laws is a vital step when creating any plan.
If you're an individual who's concerned about your cybersecurity practices, there are three important steps to start with, according to the Cybersecurity and Infrastructure Security Agency (CISA).
CISA suggests the following to protect personal information:
- You should lock down your accounts with all possible types of multi-factor authentication, biometrics and security keys.
- Make your password a sentence. Having multiple words in a password can make it harder for attackers to guess. Using a phrase can make a unique password easier to remember and harder for attackers to crack.
- Never reuse passwords on multiple accounts. A password manager can help you securely store your passwords and can make having dozens — or even hundreds — of passwords effortless.
Additionally, CISA encourages individuals to take ownership of their online presence. Everyone should protect their personal information by being careful about sharing too much information online. Never hesitate to customize privacy settings and limit what others can learn about you.
This article is for general information and education only. It is provided as a courtesy to the clients and friends of City National Bank (City National). City National does not warrant that it is accurate or complete. Opinions expressed and estimates or projections given are those of the authors or persons quoted as of the date of the article with no obligation to update or notify of inaccuracy or change. This article may not be reproduced, distributed or further published by any person without the written consent of City National. Please cite source when quoting.