By Ann M. Merkel, Senior Vice President and Chief Market Development Officer, The National Bank of Indianapolis
You are sitting at your computer, working happily away on a project, when you receive an email from a co-worker or friend, encouraging you to open an embedded link or an attachment. Or maybe it’s an urgently worded email from your organization’s executive director, instructing you to immediately wire funds to a new vendor. Or worse, the message instructs you to email them the W-2 information of all your employees. Curious or eager to help, you click on the link or open the attachment.
Unfortunately, you’ve just exposed your organization to Business Email Compromise and the potential loss of confidential information, as well as funds.
In recent months in Indiana, nonprofits, governmental entities and private corporations have all been targeted by cybercriminals who gained access to information, mostly through emails containing embedded links or attachments. Cybercriminals threaten to steal your data, encrypt or destroy it or make confidential records public. If you’re “lucky,” they may offer to give the data back…for a price.
This hijacking of data and demand for payment has created its own apt name: ransomware. Unfortunately, ransomware can be purchased for less than the cost of a smartphone or a designer handbag. It’s also a faster and less expensive way to steal than credit card identity theft. Nationwide in 2014, there were 783 cyberattacks and breaches, exposing 85.6 million records. In 2015, there were 781 attacks, but the number of records exposed soared to approximately 169 million. Cybercriminals then share the stolen data through social media outlets. Intel Security (McAfee) and the Center for Strategic and International Studies (CSIS) estimated the likely annual cost to the global economy from cybercrime is between $375 billion and $575 billion.
There is no shame in being hacked; criminals are smart in appealing to your interests and making emails look legitimate. The loss of data, however, is a serious threat. The key is educating your employees on when to be suspicious. Following are some questions to ask of your organization, and topics to discuss.
Recognizing fraudulent emails:
- Even if you know the sender, verify that the message is legitimate. Pick up the phone and call or walk down the hall and ask the sender about his or her request.
- If you receive a request via text message, don’t respond to the text. Instead, call the number you have on record for the sender and verify the request.
- Although false emails can look professional, many do not. Notice misspellings or badly formatted content.
- Be leery of third-party emails. Hover your cursor over links to see where they really point and to spot phony addresses. It’s best to search separately for the actual URL.
- Never respond to a request for sensitive information through an unsecured email.
- If your organization doesn’t already have a policy on internet usage, create one. Let your employees know that they shouldn’t be using their work emails for personal activities. If you use online banking services, consider dedicating a PC for this purpose only.
Suggestions for protecting your information:
- Firewalls. Contact your local technology companies and consultants, who often have special rates for nonprofit organizations on firewall technologies, which are designed to prevent unauthorized access. Keep this product current. Heed all security software warnings on links and attachments, and do not download if advised not to.
- Back up, back up, back up! Viruses aren’t just about your health any more. Computer viruses, ransomware and malware (software that disables computer systems) are less of a threat if you back up your work daily. If your data is compromised, you can always go back and retrieve updated files with minimal loss of information. Cloud storage is recommended, but regardless, files should be stored in a separate location.
- Saving data. Many nonprofit organizations cannot afford, nor do they need, a high-tech individual server. Consider, instead, the free cloud data storage services that Google and Microsoft offer to nonprofit organizations.
As your bank’s fraud prevention software has become increasingly impenetrable, cybercriminals are focusing their attacks on you and your employees instead. With information gleaned from a nonprofit’s website or from public domains, they use social engineering/phishing to gain access to your organization.
Cybercriminals believe employees are your weakest link. However, with some training, they can become your strongest asset in fraud prevention.
In her role as Senior Vice President and Chief Market Development Officer for The National Bank of Indianapolis, Ms. Merkel is responsible for cultivating and maintaining high profile corporate, individual and community relationships that strengthen the Bank’s brand and reputation.