Cybercriminals are increasingly targeting small, growing businesses. And as more businesses are selling online and working remotely, the threat is taking new forms.
The good news is they often do it through dirty tricks that can be avoided if you know what to watch out for. “Social engineering” (with “phishing” as its best-known form) refers to a wide range of proven techniques for convincing you to hand over your valuable info and assets voluntarily.
Where should you be on guard? Short answer: everywhere.
The favorite of phishers everywhere. An email from a familiar-looking address asks you to click on a link to update payment details, pay an outstanding invoice, or even receive a refund or free gift.
Hustles that never go out of style:
Clicking a link downloads a virus onto your computer that starts sending out your information.
Watering hole. Clicking a link takes you to a website that looks legitimate (a “watering hole” everyone visits and trusts) but asks you to enter confidential information. The Amazons and PayPals of the world will never do this.
Cash transfer. A “manager” who’s upset about a payment that wasn’t made (or a “relative” who claims to be stranded in a foreign land) asks you to make a cash transfer ASAP. A wire cash transfer can’t be reversed and the recipient often can’t be traced either.
Check phishy emails for tell-tale signs like misspellings, altered names or addresses, grammatical errors or unnatural phrases. (With some bosses, “please” is a dead giveaway.)
Hover your cursor over a link to see the actual web address. If it’s not a legit URL, it’s often a random string of characters.
Check the email address. Sometimes it’s obviously not from the company the phisher claims to work for. Be careful though because some phishers create email addresses that look legit.
Make sure your company has an up-to-date firewall and virus protection and uses multi-factor authentication (requiring a second credential) to sign in to important accounts.
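The “hover over the link” and “check the email address” tips above can be automated for the messages that reach your inbox. The checker below is an added example written for this page, not code from the article or from Mylo; the sample message, the brand-to-domain list and the heuristics (mismatched visible text vs. real target, raw IP addresses, long random-looking hostnames, a brand name buried in an unrelated domain, and a display name that claims a brand the address isn’t from) are constructed assumptions for illustration.

```python
# Added example, not code from the original article: a small checker that
# automates the "hover over the link" and "check the email address" tips.
# The sample message, the brand list and the heuristics are constructed
# assumptions for illustration, not a vendor's product.
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed mapping of brand names to the domains they really send from.
KNOWN_BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com"}

# Matches things that look like a domain name inside visible link text.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (a rough stand-in for a public-suffix lookup)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text):
    """Return a list of reasons this link deserves suspicion (empty if none)."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return [f"link has no usable host: {href!r}"]
    # The "hover" tip: the visible text names one domain, the real target is another.
    for shown in DOMAIN_RE.findall(text.lower()):
        if registrable_domain(shown) != registrable_domain(host):
            findings.append(f"text shows {shown} but link goes to {host}")
    # A bare IP address is never how a bank or marketplace sends you to its site.
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        findings.append(f"link goes to a raw IP address {host}")
    # The "random string of characters" tell: a long label mixing letters and digits.
    for label in host.split("."):
        if len(label) >= 16 and re.search(r"\d", label) and re.search(r"[a-z]", label):
            findings.append(f"random-looking hostname label {label!r}")
    # A brand name used inside an unrelated domain (paypal.something-else.example).
    for brand, real in KNOWN_BRANDS.items():
        if brand in host and registrable_domain(host) != real:
            findings.append(f"host {host} mentions {brand} but is not {real}")
    return findings


def check_sender(from_header):
    """Flag a From: header whose display name claims a brand the address is not from."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, real in KNOWN_BRANDS.items():
        if brand in name.lower() and registrable_domain(domain) != real:
            return [f"display name claims {brand} but address is {addr}"]
    return []


def scan_message(from_header, html_body):
    """Run both checks and return all findings, one string per problem."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = check_sender(from_header)
    for href, text in collector.links:
        findings.extend(check_link(href, text))
    return findings


# Constructed sample phishing message (no real addresses or domains).
SAMPLE_FROM = "PayPal Billing <billing@paypa1-notices.example>"
SAMPLE_BODY = """<p>Your payment could not be processed.</p>
<a href="http://paypal.secure-login-x7k2p9q4m8n3v5b1.example/update">
  www.paypal.com/myaccount</a>
<a href="http://203.0.113.7/refund">Claim your refund</a>"""

if __name__ == "__main__":
    for line in scan_message(SAMPLE_FROM, SAMPLE_BODY):
        print("WARNING:", line)
```

Run as-is it prints five warnings for the constructed message: one for the sender (display name says PayPal, address domain does not), three for the first link (text shows www.paypal.com while the target is elsewhere, the target’s hostname has a long random-looking label, and it borrows the PayPal name inside a different domain), and one for the second link pointing at a raw IP address. The `registrable_domain` helper is deliberately crude; a production filter would use a public-suffix list, and none of these heuristics replaces checking with the sender through a channel you already trust.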
See “By email.” Scammers can slide into DMs with the same bag of dirty tricks. They can even get access to your Facebook friends’ accounts. If your friend messages you a link that says “You won’t believe this!” or a video that says “Is this you?!” check with her first. (Also, don’t believe it.)
If you’re working from a physical office, scammers can take advantage of your employees’ naiveté (and nice manners) to steal your physical documents, hardware or data:
Piggybacking. A fake employee claims to have misplaced a badge and asks to be swiped in – or simply follows your employee through.
Pretexting. A hoaxer in a vendor’s T-shirt (that’s sometimes all it takes) claims to have arrived to fix a tech problem or install software – a perfect ploy to access employees’ computers.
Dumpster diving. A scammer with no shame mines your company’s actual trash for confidential financial records, employee info, client records or other treasure.
Train your employees not to give access to someone they don’t recognize. Require anyone without a badge to wait while their identity is verified.
Before you let random geek squads into your space or your systems, check with your internal tech people or call the company they claim to work for.
When in doubt, shred everything. (And of course, recycle after that.)
It’s scary easy for someone to phone your company or remote-working employees from an unrecognized number and pretend to be a known institution that “needs” your private information:
Your internet security company (or some equally vague phrase). They’ve “noticed suspicious activity” and need your login information.
Your bank. They’re letting you know your account has been breached, and your card needs to be reset. They can do that for you if you provide your PIN.
FBI or police. They’re requesting your help with a confidential investigation of one of your employees. Please supply the following information …
Don’t take a call in the first place if you don’t recognize the number.
If you do end up talking to somebody, tell them you need to look up their number on their actual website and call them back.
Although the best solution is not getting punked in the first place, it’s important to have social engineering in mind when you’re insuring your business. Most growing businesses need to carry cyber insurance if they have employees, take credit cards or store confidential information.
In the event of a cyber breach, this coverage helps you:
It’s important to shop carefully because not every cyber policy covers the types of breaches you bring on yourself by falling for social engineering. Also, some policies will only pay out if you meet several conditions, which may include:
And as a bonus, some insurance companies provide small businesses with risk management services that might include:
In the case of bogus bosses and fake family members who convince you to part with money, you’ll need to carry a special form of crime coverage: “fraudulent wire and cash transfer.” You may be able to add this to your current business insurance policy.
Want to check out your options for cyber insurance ... which may include adding it to a money-saving business owner’s policy (BOP)? Call a Mylo agent for a custom consultation on the right coverage for you.