The end of the year is almost here and cyber criminals are looking for free gifts from you and your employees this holiday season. Around this time of year, scammers are shifting tactics: Instead of targeting accounts payable personnel, they may focus more on HR and tax-focused individuals. With more than 90 percent of successful breaches beginning with a social engineering ploy, your staff has to fine-tune their scam detectors now.
Anatomy of a Social Engineering Scam
Consider this situation: an HR person received an email that appeared to be from her CEO. The email urgently requested compensation information for all the senior executives for a board meeting that was in progress. The CEO wrote that he could simply pull all the information from the W-2 forms that had likely just been printed, and that she could send those to him to speed up the process.
The HR person was in a meeting when the email arrived, but ran into the CEO on the elevator. She apologized for not getting the information to him sooner, but said she would get on it ASAP. The CEO had no idea what she was talking about. Upon closer examination, they realized it was a spoof email from a domain very close to their email domain. The email structure, signature and wording were all spot on. Not only did the bad guys know the HR person’s contact information, they also knew the company was having a board meeting that day. They leveraged all that information in their scam.
Were it not for a chance encounter in the elevator, the W-2s for all the company’s senior execs would have been compromised.
Avoiding EOY Scams
Here are some tips for buttoning up your cyber security right now:
- With the Employee Retention Tax Credit (ERC) wrapping up, scams tied to that program are on the rise. Watch for scammers posing as accounting/CFO firms and offering to help companies claim the ERC. Their real aim is to collect all of your employees’ payroll and personal information.
- Remember that email credentials are frequently compromised. To keep a stolen password from turning into a breach, enable multi-factor authentication (MFA) on your email and messaging logins.
- Flagging external emails helps users spot messages from outside senders. Had the company in the CEO scam been doing that, the email received by HR would have carried an external-sender flag, revealing it did not come from the CEO.
- Prevention is often less about technology and more about people. Cyber security awareness training and testing are effective in keeping your staff vigilant.
- Create business policies that spell out necessary validations and verifications for procedures like releasing personal information or changing vendor payment information. This will help ensure all requests are legitimate.
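The external-sender flag above is usually a mail-gateway rule, but the logic behind it is simple enough to show. The following is an added example, not code from the original article or from Aeko Technologies: it classifies the domain in a From: header as internal, external, or a lookalike of the organisation's own domain (the scam in the story used "a domain very close to their email domain") and prefixes the subject the way a banner rule would. The organisation domain example-corp.com and all sample headers are constructed for illustration; the two-edit threshold and the lookalike rules are this example's own choices, not a standard.

```python
"""
Added example (not from the original article or Aeko Technologies): tag
inbound mail as internal, external, or a lookalike of the organisation's own
domain, the kind of logic behind an "external sender" banner.
ORG_DOMAIN and the sample headers below are constructed, not real.
"""
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"  # constructed organisation domain (assumption)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to catch near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header, or ''."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().strip(".")


def classify_sender(from_header: str, org_domain: str = ORG_DOMAIN) -> str:
    """Classify a From: header relative to the organisation's domain.

    "internal"  - the org domain itself or one of its subdomains
    "lookalike" - a domain within two edits of it, one that pads the org
                  name with extra words, or one that embeds the whole org
                  domain inside a longer hostname (example-corp.com.evil.test)
    "external"  - anything else, including an unparseable sender
    """
    domain = sender_domain(from_header)
    org = org_domain.lower()
    if not domain:
        return "external"  # never treat a malformed sender as internal
    if domain == org or domain.endswith("." + org):
        return "internal"
    org_label = org.rsplit(".", 1)[0]       # "example-corp"
    dom_label = domain.rsplit(".", 1)[0]
    if (org in domain                        # org domain buried in a longer hostname
            or org_label in dom_label        # org name padded, e.g. example-corp-hr.com
            or levenshtein(domain, org) <= 2):  # typo-squat or swapped TLD
        return "lookalike"
    return "external"


def tag_subject(subject: str, from_header: str, org_domain: str = ORG_DOMAIN) -> str:
    """Prefix the subject the way an external-sender banner rule would."""
    verdict = classify_sender(from_header, org_domain)
    if verdict == "internal":
        return subject
    tag = "[EXTERNAL]" if verdict == "external" else "[EXTERNAL - LOOKALIKE DOMAIN]"
    return f"{tag} {subject}"


# Constructed sample headers modelled on the scenario in the article.
SAMPLE_MESSAGES = [
    ("CEO <ceo@example-corp.com>", "Board deck"),
    ("CEO <ceo@examp1e-corp.com>", "Need exec W-2s now"),
    ("CEO <ceo@example-corp.com.mail-relay.test>", "Quick request"),
    ("Payroll Help <ops@supplier.test>", "ERC filing assistance"),
]


def review_inbox(messages=SAMPLE_MESSAGES, org_domain=ORG_DOMAIN):
    """Return a (verdict, tagged subject) pair for each message."""
    return [(classify_sender(f, org_domain), tag_subject(s, f, org_domain))
            for f, s in messages]


if __name__ == "__main__":
    for verdict, subject in review_inbox():
        print(f"{verdict:9} {subject}")
```

Running it tags the three non-internal samples, including the "examp1e-corp" typo-squat the HR person in the story would otherwise have had to notice by eye. A real gateway rule should also check the envelope sender and Reply-To, since a spoofed display name with a genuine-looking address is only part of the trick.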
Only Happy Surprises
Don’t let cybercrime ruin your holiday season and end of year operations. The Aeko Technologies team is here to help you button up and lock down with the best practices in cyber security. Contact us to book a quick consultation.