You and your employees are the first line of defense against security threats to your business and your customers. After reading this material, delve into our additional Cybersecurity resources.
Social engineering is the ultimate con, incorporating all the tactics fraudsters use to get past your organization’s security controls. Because it targets people rather than systems, social engineering bypasses technical controls, including firewalls. Your organization’s best defense against social engineering is your employees: a properly trained staff is the best protection against these attacks. Learn how to protect yourself and your organization by understanding social engineering tactics and knowing how to recognize scams.
Social engineering is the human side of breaking into a corporate network. It involves gaining sensitive information or unauthorized access privileges by building inappropriate trust relationships with insiders. Social engineers manipulate people into speaking/acting contrary to their normal manner. The goal of a social engineer is to fool someone into providing valuable information or access to that information. In most cases, the attacker never comes face-to-face with the victim, but they get the information or the access they need to commit fraud nearly 100% of the time.
Social engineers are so successful because they relate well with others. They are consistently quick to establish a personal connection with the target and use that connection as the basis of building rapport. The simplest way to get information is to ask for it directly, and this forms the basis for the various techniques used by hackers.
Common social engineering techniques include:
- Impersonation, such as posing as an employee, is arguably the best technique used by social engineers to deceive people since most people are helpful towards coworkers without question.
- Pretexting is when a social engineer develops a storyline that he or she is able to portray to the target. It provides the justification for the questions being asked.
- Phishing is a way of attempting to acquire information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
- Dumpster diving succeeds because improperly discarded memos, organizational charts, or policy manuals can be used for foot-printing (gathering information about a target before an attack). Social engineers commonly research a predetermined target and determine the best opportunities for exploitation. Dumpsters provide a huge amount of information, including the information a hacker needs to impersonate an employee.
Protect yourself and your business by:
- Properly educating your employees through training and awareness.
- Never giving sensitive information to anyone unless their identity can be verified and there is a legitimate need for access to the information.
- Developing and conducting frequent and continuous training on security-related policies and procedures.
Payment Card Industry Data Security Standard (PCI DSS)
Any business that stores, processes or transmits credit card information is responsible for complying with the credit card security standard known as PCI DSS, the Payment Card Industry Data Security Standard. This security standard was created to help reduce the financial risks associated with compromises of payment account information. Compliance with PCI DSS means that your systems meet the standard’s security requirements, and that customers can trust you with their payment card information.
It’s almost impossible to be in business today and not handle personal information about your customers, employees, or business partners. Personal information can include names and addresses, credit card numbers, or other account numbers. If this information falls into the wrong hands, it could put these individuals at risk for identity theft and cause trouble for your business.
Failure to comply can have serious financial consequences for your business, your customers, and your financial institution, especially if the information becomes compromised. Consequences could include lawsuits, insurance claims, cancelled accounts, payment card issuer fines and government fines.
PCI DSS Compliance
Businesses need to apply the information security best practices that are included in the PCI security standards. To begin, businesses should:
- Take an inventory of the business’s IT assets and document how your business processes credit cards.
- Analyze your computers, networks and business processes to see if there are any vulnerabilities that could lead to a breach.
- Fix the vulnerabilities found.
- Collect the records required by PCI DSS to demonstrate that you’ve done these things, and submit compliance reports to the bank and global payment brands you do business with.
If your business is unable to take these actions independently, hiring an IT security and compliance assurance group may be a resource. You’ve worked hard to build your business. Stay out of trouble and ensure your continued success by keeping your customers’ credit card and personal data safe.
Your customers’ personal and private information can be lost, stolen or compromised by:
- A computer program with a security hole that leaks information.
- An employee who makes a simple mistake and unintentionally exposes data.
- A disgruntled employee who steals information or sabotages your network.
- A cyber-criminal who infects your corporate network with malware so they can steal credit card numbers or even your money.
Just one bad incident could cause you to lose customers, sales and even your good reputation.
Corporate Account Takeover
A corporate account takeover is a type of fraud in which thieves gain access to a business’s finances to make unauthorized transactions, including transferring funds out of the company, adding fake employees to payroll, and stealing sensitive customer information that may not be recoverable. Thousands of businesses have fallen victim to this type of fraud, with losses ranging from a few thousand to several million dollars. Business bank accounts are not protected under Regulation E, so when business accounts are compromised, the business often loses some or all of its money.
Corporate account takeover attacks today are typically perpetrated quietly by introducing malware through a simple phishing email, a deceptive social engineering ploy, or an infected website.
The best way to protect your business is to develop a strong partnership with Ameris Bank and establish safeguards on your accounts to help the bank identify and prevent unauthorized access to your funds.
- Develop a security plan. Each business should evaluate its risk profile and develop a security plan that includes sound business practices.
- Protect your online environment. Protect your computers just as you would your cash. Use appropriate tools to prevent and deter unauthorized access to your network and make sure you keep them up to date. Encrypt sensitive data and use complex passwords and change them regularly.
- Create a secure financial environment. Dedicate one computer exclusively to online banking. This computer should not be connected to the business network, should not have email capability, and should not connect to the Internet for any purpose other than online banking.
- Partner with your bank to prevent unauthorized transactions. Talk to your banker about programs that protect you from unauthorized transactions. Positive Pay and other services offer call backs, device authentication, multi-person approval processes and batch limits to help protect you from fraud.
- Pay attention to suspicious activity and react quickly. Watch for unexplained account or network activity, pop-ups, and suspicious emails. If you detect any, immediately contact your financial institution, stop all online activity, and disconnect any systems that may have been compromised. Always keep records of what happened.
- Understand your responsibilities and liabilities. The various agreements with your bank explain what reasonable security measures are required in your business. You need to understand and implement these security safeguards. If you don’t, you could be liable for any losses.
- Educate all employees about cyber-crimes so they understand that even one infected computer can lead to an account takeover. One infected computer can compromise the entire network. All employees, even those with no financial responsibilities, should receive security awareness training.