Business Technology Topic of the Month
Helpful fraud prevention tips to safeguard your business
Do Not Share Business Login Information
Grandview Bank will never reach out to customers to request information related to their business account login. This includes asking for details such as your User ID, passwords, usernames, security pins or token numbers. To keep your data safe and out of the hands of fraudsters, please do not share sensitive information with anyone.
Verbally Confirm New Payment Instructions
If you receive a request to change payment instructions, call to confirm using a known number. Never use the email addresses or phone numbers provided in the email request to confirm new payment instructions.
Be Cautious of Email Scams
Emails, even those from a known sender, can sometimes be opportunities for fraudsters to gain access to your sensitive financial information. Phishing is an online scam that targets its victims using email and can lead to malware or email compromise. Be cautious before clicking on links and stay alert for emails that raise red flags, including those with excessive typos or grammatical errors.
Verify Correct URL addresses
Avoid using search engines to find the login for Grandview Bank. Fraudsters can imitate the web address with minor changes to appear legitimate.
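One way to check a link's hostname against the bank's real address before trusting it, shown here as an added example that is not Grandview Bank's own code. `mybank.example` is a placeholder for the legitimate domain, the sample URLs are constructed, and taking the second-to-last label as the brand name is a simplification (a full check would use the Public Suffix List).

```python
import unicodedata
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "mybank.example"  # placeholder for the real login domain
MAX_EDITS = 2  # small typo budget; very short brand names may need a lower value

# Single characters commonly swapped in to imitate Latin letters
# (digits plus a few Cyrillic look-alikes, written as escapes for clarity).
SINGLE = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0456": "i", "\u0441": "c", "\u0440": "p",
})
# Letter pairs that read as one letter at a glance.
PAIRS = (("rn", "m"), ("vv", "w"))


def to_unicode_host(host):
    """Lowercase the host and decode punycode (xn--) labels so they can be compared."""
    host = host.rstrip(".").lower()
    if host.isascii() and "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # leave undecodable names as they are
    return host


def skeleton(label):
    """Reduce a label to what a hurried reader would see."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in label if not unicodedata.combining(ch))
    label = label.translate(SINGLE)
    for seq, repl in PAIRS:
        label = label.replace(seq, repl)
    return label.replace("-", "")


def second_level_label(host):
    """Return the label just left of the top-level domain."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def edit_distance(a, b):
    """Levenshtein distance using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return 'trusted', 'lookalike' or 'unrelated' for a URL or bare hostname."""
    parts = urlsplit(url if "//" in url else "//" + url)
    host = to_unicode_host(parts.hostname or "")
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return "trusted"
    # The real name used as decoration: in the user-info part before '@',
    # or as leading labels of some other domain.
    if TRUSTED_DOMAIN in parts.netloc.lower():
        return "lookalike"
    brand = skeleton(second_level_label(TRUSTED_DOMAIN))
    candidate = skeleton(second_level_label(host))
    if brand in candidate or edit_distance(brand, candidate) <= MAX_EDITS:
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    samples = [  # constructed examples
        "https://mybank.example/login",
        "https://rnybank.example/login",
        "https://mybnak.example/",
        "https://myb\u0430nk.example/",
        "https://mybank.example.account-verify.test/login",
        "https://mybank.example@login.test/",
        "https://weather.example/",
    ]
    for url in samples:
        print(f"{classify(url):10} {url}")
```

A "lookalike" result means the address should not be used to log in; type the known address directly or use a saved bookmark instead.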
Monitor Your Accounts
Make it a consistent practice to carefully review your monthly bank statements and reconcile your accounts daily to monitor for unauthorized activity. If you find or suspect unusual activity on your account(s), contact us immediately.
Safeguard Your Business Checks
Keep business checks in a secure location. Avoid leaving payments in unguarded drop boxes or outgoing mail slots. When mailing check payments, it is best to drop them at a secure location.
ANATOMY OF A FAKE CHECK SCAM
Fake checks drive many types of scams, like those involving phony prize wins, fake jobs, mystery shoppers, online classified ad sales, and others. In a fake check scam, a person you don't know asks you to deposit a check (sometimes for several thousand dollars and usually for more than what you are owed) and wire some of the money back to that person. The scammers always have a good story to explain the overpayment: they're stuck out of the country, they need you to cover taxes or fees, you need to buy supplies, or something else. But by the time your bank discovers you've deposited a bad check, the scammer already has the money you sent, and you're stuck paying the rest of the check back to the bank.
The Federal Trade Commission receives tens of thousands of reports each year about fake checks. Over the last three years, the number of complaints has steadily increased, and so have the dollars lost.
The FTC's new infographic, developed with the American Bankers Association Foundation, offers some tip-offs to rip-offs and what to do if you get a check from someone you don't know.
Please share this information with others. Victims may be embarrassed to talk about their experiences, but you can help. A simple phone call, email or text, saying "Look what I just found" and sharing this information may make a difference in someone else's life.
Avoiding Cryptocurrency Scams
How to Avoid Cryptocurrency Scams!
Scammers are always finding new ways to steal your money using cryptocurrency. To steer clear of a crypto con, here are some things to know.
- ONLY SCAMMERS DEMAND PAYMENT IN CRYPTOCURRENCY. No legitimate business is going to demand you send cryptocurrency in advance- not to buy something, and not to protect your money. That's always a scam.
- ONLY SCAMMERS WILL GUARANTEE PROFITS OR BIG RETURNS. Don't trust people who promise you can quickly and easily make money in the crypto markets.
- NEVER MIX ONLINE DATING AND INVESTMENT ADVICE. If you meet someone on a dating site or app, and they want to show you how to invest in crypto, or ask you to send them crypto, that's a scam.
Spot Crypto-Related Scams
Here are some common investment scams, and how to spot them.
- A so-called "investment manager" contacts you out of the blue. They promise to grow your money- but only if you buy cryptocurrency and transfer it into their online account. The investment website they steer you to looks real, but it's a fake, and so are their promises. If you log in to your "investment account", you won't be able to withdraw your money at all, or only if you pay high fees.
- An online "love interest" wants you to send money or cryptocurrency to help you invest. That's a scam. As soon as someone you meet on a dating app asks you for money, or offers you investment advice, know this: that's a scammer. The advice and offers to help you invest in cryptocurrency are nothing but scams. If you send them crypto, or money of any kind, it'll be gone, and you typically won't get it back.
- Scammers guarantee that you'll make money or promise big payouts with guaranteed returns. Nobody can make those guarantees. Much less in a short time. And there's nothing "low risk" about cryptocurrency investments. So: if a company or person promises you'll make a profit, that's a scam. Even if there's a celebrity endorsement or testimonials from happy investors. Those are easily faked.
- Scammers promise free money. They'll promise free cash or cryptocurrency, but free money promises are always fake.
- Scammers make big claims without details or explanations. No matter what the investment, find out how it works and ask questions about where your money is going. Honest investment managers or advisors want to share that information and will back it up with details.
- IF YOU SEE A TWEET (OR A TEXT, OR OTHER MESSAGE ON SOCIAL MEDIA) THAT TELLS YOU TO PAY WITH CRYPTOCURRENCY, THAT'S A SCAM!
September 2024 Security Tip
What you need to know to protect your business
A routine activity like opening an email or visiting a website can leave your small business vulnerable. Recognizing fraud and scams isn't always easy, but knowing what to look for can help you or your employees avoid becoming a victim.
Here are some things you can do today to increase your security- and help protect yourself and your business against fraud and scams.
1. Keep your contact information up to date
Why it matters: We can contact you quickly and limit your account exposure in the event we see suspicious activity.
How to do this: Log into Online Banking to review and update your account information.
2. Enable extra security features.
Why it matters: Using features such as multifactor authentication and making sure you have the strongest possible password provides you with an extra layer of defense against fraud.
How to do this: Log into Online Banking to review your login settings and update your Password.
3. Allow alerts on the Mobile Banking App
Why it matters: We can contact you quickly in the event we see suspicious activity on your account.
How to do this: Log into Online Banking and set up alerts.
4. Control who has access to your accounts.
Why it matters: Treasury Management/Cash Management gives you the power to grant customized access to your accounts.
How to do this: Contact a customer service representative at 817-641-3100.
Know the red flags that signal a scam
Scammers target small businesses through a variety of tactics. It is critical for you and your employees to remain wary of any business communication that strikes you as suspicious or unexpected in any way.
Email Compromise: (typical message): "There's been a change in the transfer details for completing your purchase. Please send the funds to the following account."
Red Flags include: You receive an unexpected request to redirect funds.
Fake Invoice Scam: "Pay the amount on the enclosed invoice to keep your website up and running."
Red Flags include: The invoice is from an unknown company and appears to be for something critical (the scammer is hoping you'll be too worried and busy and pay the invoice immediately).
Overpayment: "Go ahead and deposit the check and wire the difference to the account number attached."
Red Flags include: You receive an overpayment for an item you're selling, immediately followed by a request to deposit the check (which turns out to be a bad check) and then send the difference via a wire or gift card.
Phishing Scam: (typical message): "Dear employee: Click this link and provide your password. You'll be prompted to change your password in our system."
Red Flags include: The email is not addressed directly to you, doesn't carry the company's usual logo, or you're not mentioned by name.
Tech Support Scam: (typical message): "We've detected malware on your computer, let's go ahead and get this fixed for you."
Red flags include: You receive a request from tech support claiming your computer has malware and requesting payment to fix the defects or access your computer.
Telemarketing Scam: (typical message): "We'd like to offer you and your employees a business coaching opportunity. Wire us a one-time fee and we can set up a date and time."
Red flags include: You receive a request to send money to a company you've never heard of.
Utility Company Scam: (typical message): "Your service is about to be interrupted. Please send gift cards or wire money to this account to keep your service running."
Red flags include: You're asked to urgently wire funds or pay a utility with gift cards.
Impostor Scam: (typical message): "I'm with the IRS and a lawsuit is being filed against you for non-payment of back taxes."
Red flags include: You receive a request from a government agency asking you for a payment and/or to verify your personal information.
Online Shopping Scam: Red flags include: You find an amazing deal online but is it too good to be true? Research the seller and products independently and compare prices with other websites to ensure you are not on a fake shopping site.
August 2024 Security Tip
Security tips for organizations with remote workers
Understand the threats to remote workers
Remote work can increase the likelihood of compromises to your organization's sensitive information. Threat actors use different methods to target remote workers:
- Physical access to device: If employees leave devices unattended in public, a threat actor can tamper with them or steal them.
- Phishing: A threat actor emails, texts, or calls victims and poses as a legitimate organization requesting sensitive information, such as passwords or credit card numbers.
- Social engineering: A threat actor may gather information online about your organization or an employee to craft a targeted phishing message. Any information that is posted online can be used, whether it is on a corporate website or personal social media.
- Ransomware: A threat actor uses malware to access a device and the data on it, then denies access until a sum of money is paid.
- Wireless hijacking: A threat actor spoofs a Wi-Fi network by creating a network that uses the same name as a legitimate one, for example, a coffee shop's public Wi-Fi network.
- Eavesdropping: A threat actor listens to Wi-Fi traffic and records online activities and account passwords.
- Traffic manipulation: If a mobile device is infected with malicious code, a threat actor can insert their own traffic to influence data and obtain access to your organization's network.
Manage mobile devices
If possible, your employees should use corporately owned devices when working remotely. Remind employees to follow your organization's policies and use devices appropriately.
If employees are using personal devices for work, keep the following in mind:
- Lack of security updates: Personal devices may not be updated or patched regularly, leaving vulnerabilities unaddressed.
- Weak password practices: Personal devices may not be protected with a PIN or password, and even if they are, easily guessed PINs or passwords may be used.
- Loss of control over information: If used for work purposes, personal devices may hold sensitive business information that your organization can't manage appropriately.
Remind employees to follow organizational policies when using personal devices and communicate best practices for securing devices. For example, ensure employees are enabling multi-factor authentication, using anti-virus software and never leaving devices unattended in public.
Prepare your employees
If an employee has never worked remotely before, the transition can be surprisingly difficult. Set your employees up for success and clearly communicate the measures that they need to take to contribute to your organization's cyber security.
- Have policies and procedures in place that outline, for example, the acceptable use of corporate devices and the management of corporate information.
- Ensure your employees know who to contact, especially if they experience security issues, or their devices are lost or stolen.
Train your employees on cyber security issues and best practices, such as:
- spotting phishing attempts
- creating strong passphrases and passwords
- using Wi-Fi networks
Use security tools
There are security tools that your organization can use to add additional layers of protection for your networks, systems, and devices. Security tools can reduce the risks to your organization, but keep in mind that no tool is perfect. You should never rely on a tool alone. Be sure to implement other security controls as well.
The security tools below are just some examples of ways that you can reduce the risks of malicious intrusions caused by malware or other cyber attacks.
Virtual private network
A virtual private network (VPN) is a secure, encrypted tunnel through which information is sent. You can use a VPN to establish a secure connection that uses authentication and protects data. Using a VPN ensures that your organization's communications stay private through an untrusted network. Let your employees know that they must use a VPN to connect to work servers.
Firewalls
A firewall is a security barrier placed between 2 networks. It controls the amount and the types of traffic that can pass between the networks. A firewall adds to your security by monitoring all incoming and outgoing traffic and filtering out known-bad traffic.
Anti-virus software
You should use anti-virus software and ensure that this software is updated regularly. Anti-virus software defends devices against malware by scanning files and your system.
Application allow listing
Application allow listing is a technique used to control which applications can run on corporate devices. Your organization can create an allowlist that defines all approved applications, preventing users from running and installing unauthorized software on corporate devices.
Replace end-of-life devices
Devices that have reached EOL pose a security risk to your organization. EOL means that the vendor stops marketing, selling, and providing support and updates to the device. When you use devices that are not updated to the latest firmware, you can open yourself up to cyber attacks.
Firmware is the software that is installed and updated by the manufacturer and contains important security measures. You can check whether your router is EOL by looking at the vendor's EOL product list or accessing the router's records in system logs.
Protect devices
With employees working from home or public locations, you should take the following measures to protect devices. Encourage employees to take the same measures on their personal devices as well.
- Use multi-factor authentication: To add an additional layer of protection, require two or more authentication factors to unlock devices, such as a PIN and a fingerprint.
- Use password-activated screensavers: When a user is inactive after a defined period, their device locks.
- Turn off Bluetooth or Wi-Fi when not in use: Turning off Bluetooth and Wi-Fi prevents threat actors from attempting to connect to and access devices.
- Update and patch: Set up devices to run automatic updates for operating software, primary applications and security software. Confirm hardware is still supported.
Protect information
Your organization is responsible for protecting the sensitive information that it collects and uses. Keep in mind that sensitive information is a high-value target for threat actors.
- Back up information: Information should be backed up regularly and backups should be stored securely.
- Encrypt information: Use encryption to protect the confidentiality of sensitive information. For example, you should only allow users to access HTTPS-supported websites on corporate devices.
- Apply the principle of least privilege: Ensure that employees only have access to the information they need to do their jobs. Controlling access can prevent unauthorized access to data and data breaches.
July 2024 Security Tip
Security Challenge of Remote Work
Personal Devices
While working from home, people do not always use company owned devices. Even before the shift to remote work, employees were bringing their own personal devices for work (the BYOD model).
Now, any employee-owned device needs to be protected. If an employee uses their own smartphone, PC, laptop, or tablet for work, there should be an endpoint security solution on the device. This makes it difficult for a hacker to gain access from the outside.
File Sharing
For many employees, file sharing is a necessity in remote work environments. Sharing data is critical for collaboration, especially for remote teams, but it is easy for sensitive information to fall into the wrong hands without proper data security.
Weak Remote Infrastructure
Some companies do not have the right technology in place to support a remote work environment. At minimum, employees should be able to remote into their company workstations and connect to the company network using a VPN.
Companies that lack centralized solutions risk employees using their own workarounds. This is called shadow IT. It presents security risks because the solutions aren't vetted by experts, and there's no centralized management.
Remote Work Security Best Practices
Keeping your remote workers secure requires a combination of technology, policies, and education.
Require a VPN
VPNs allow employees to access the organization's information through an encrypted tunnel. Furthermore, VPNs also provide necessary security while using public networks. By encrypting data flowing over the internet, VPNs make it difficult for hackers to intercept the connection.
Remote workers should be required to connect to your VPN before accessing shared storage drives or remote desktops. This is the equivalent of requiring onsite employees to be connected to your network before accessing company data.
Remote Desktop Connections
Employees can remotely access their in-office PCs using a remote connection application. This is helpful when work PCs have specialized software or data that cannot be accessed on a home computer.
Remote connections require strong security protections. This technology makes it possible to access a PC anywhere in the world. While this means your users can access their PC from anywhere, it also means a hacker anywhere in the world can access that PC. That is why it's critical to authenticate the user before allowing the connection.
Tips for enabling safe remote desktop connections:
- Require the user to connect to the VPN
- Make sure multifactor authentication is enabled for the VPN connection
- Only grant users access to the PCs they need. Most users only need access to their workstations.
- Require the user to enter their domain password to connect.
Multifactor Authentication
Enabling multifactor authentication is especially important in remote environments. Adding one additional authentication method can stop 99.9% of attacks.
With MFA enabled, users take an additional step to prove their identity. Typically, the code is sent to the user's smartphone via an MFA app or text message. The MFA app may send a push notification instead. Either way, this occurs after the user enters their username and password.
Combining what the user knows (username/password) with what they have (smartphone), the user is authenticated with a higher degree of certainty.
Approve Personal Devices
If personal devices are being used for work, then the devices should follow your information security policies. For example, you may decide not to allow jailbroken smartphones to access the company network. Personal computers with risky software installed can also be blocked.
Technology exists to enforce this compliance:
- Mobile Device Managers make sure employee smartphones are secure.
- Next generation firewalls can evaluate VPN connection requests and block devices with suspicious software.
- Data Loss Prevention (DLP) tools can stop company info from being downloaded onto personal devices.
The first step is writing personal device use policies. The technology in this space isn't foolproof. All employees should understand what is and isn't acceptable. After creating the policies, make sure you have the technology in place to approve compliant devices and deny non-compliant ones.
Security Awareness Training
Cybersecurity awareness training may be the single most effective tool to prevent breaches. Make sure your annual IT security training covers tips to stay safe when working remotely. All training should include:
- Phishing Prevention
- Social Engineering
- Secure Password Manager
- Multifactor Authentication
- Physical Security
- USB Drive
- Mobile Device Security
Training for remote users should also include:
- How to connect to the company network securely
- How to secure home Wi-Fi networks
- Public Wi-Fi and public computer security
- Device compliance requirements
All users should receive training at least once per year, regardless of job function or location.
Review Your Cyber Insurance Policy
In response to the greater risks posed by remote work, cyber insurance providers have increased rates and set stricter requirements for issuing policies. When applying or renewing, make sure to note all your cybersecurity investments. These will help lower premiums and facilitate policy approvals.
Remote Infrastructure Auditing
Remote infrastructures need to go through periodic audits to identify all gaps, loopholes, and vulnerabilities that could potentially be exploited. Once these are known, you can take the necessary steps to solve them and create a secure, healthy infrastructure. It's not a one-time job, but an ongoing process.
June 2024 Security Tip
SECURE REMOTE ACCESS
Employees and vendors may need to connect to your network remotely.
Put your network's security first. Make employees and vendors follow strong security standards before they connect to your network. Give them the tools to make security part of their work routine.
How to Protect Devices
Whether employees or vendors use company-issued devices or their own when connecting remotely to your network, those devices should be secure. Follow these tips, and make sure your employees always change any pre-set router passwords and the default name of your router. And keep the router's software up-to-date; you may have to visit the router's website often to do so.
Consider enabling full-disk encryption for laptops and other mobile devices that connect remotely to your network. Check your operating system for this option, which will protect any data stored on the device if it's lost or stolen. This is especially important if the device stores any sensitive personal information.
Change smartphone settings to stop automatic connection to public Wi-Fi.
Keep up-to-date antivirus software on devices that connect to your network, including mobile devices.
How to Connect Remotely to the Network
Require employees and vendors to use secure connections when connecting remotely to your network. They should:
- Use a router with WPA2 or WPA3 encryption when connecting from their homes. Encryption protects information sent over a network so that outsiders can't read it. WPA2 and WPA3 are the only encryption standards that will protect information over a wireless network.
- Only use public Wi-Fi when also using a virtual private network (VPN) to encrypt traffic between their computers and the internet. Public Wi-Fi does not provide a secure internet connection on its own. Your employees can get a personal VPN account from a VPN provider, or you may want to hire a vendor to create an enterprise VPN for all employees to use.
What To Do To Maintain Security
- Include information on secure remote access in regular trainings and new staff orientations.
- Have policies covering basic cybersecurity, give copies to your employees, and explain the importance of following them.
- Before letting any device- whether at an employee's home or on a vendor's network- connect to your network, make sure it meets your network's security requirements.
- Tell your staff about the risks of public Wi-Fi.
Give Your Staff Tools that Will Help Maintain Security
- Require employees to use unique, complex network passwords and avoid unattended, open workstations.
- Consider creating a VPN for employees to use when connecting remotely to the business network.
- Require multi-factor authentication to access areas of your network that have sensitive information. This requires additional steps before logging in with a password- like a temporary code on a smartphone or a key that's inserted into a computer.
- If you offer Wi-Fi on your business premises for guests and customers, make sure it's separate from and not connected to your business network.
- Include provisions for security in your vendor contracts, especially if the vendor will be connecting remotely to your network.
May 2024 Security Tip
WHAT TO KNOW ABOUT RANSOMWARE
Someone in your company gets an email
It looks legitimate, but with one click on a link, or one download of an attachment, everyone is locked out of your network. That link downloaded software that holds your data hostage. That's a ransomware attack.
The attackers ask for money or cryptocurrency, but even if you pay, you don't know if the cybercriminals will keep your data or destroy your files. Meanwhile, the information you need to run your business and sensitive details about your customers, employees, and company are now in criminal hands. Ransomware can take a serious toll on your business.
How it happens
- Scam emails with links and attachments that put your data and network at risk. These phishing emails make up most ransomware attacks.
- Infected websites that automatically download malicious software onto your computer.
- Server vulnerabilities which can be exploited by hackers.
- Online ads that contain malicious code- even on websites you know and trust.
How to protect your business
- Have a plan- How would your business stay up and running after a ransomware attack? Put this plan in writing and share it with everyone who needs to know.
- Back up your data- Regularly save important files to a drive or server that's not connected to your network. Make data backup part of your routine business operations.
- Keep your security up to date- Always install the latest patches and updates. Look for additional means of protection like email authentication and intrusion prevention software, and set them to update automatically on your computer. On mobile devices, you may have to do it manually.
- Alert your staff- Teach them about how to avoid phishing scams and show them some of the common ways computers and devices become infected. Include tips for spotting and protecting against ransomware in your regular orientation and training.
What to do if you're attacked
- Limit the damage- Immediately disconnect the infected computers or devices from your network. If your data has been stolen, take steps to protect your company and notify those who might be affected.
- Keep your business running- Now is the time to implement that plan. Having data backed up will help.
- Contact the authorities- Report the attack right away to your local FBI office.
- Should I pay the ransom? Law enforcement doesn't recommend that, but it's up to you to determine whether the risks and costs of paying are worth the possibility of getting your files back. However, paying the ransom does not guarantee you get your data back.
- Notify customers- If your data or personal information was compromised, make sure you notify the affected parties- they could be at risk of identity theft.
April 2024 Security Tip
HELPFUL FRAUD PREVENTION TIPS TO SAFEGUARD YOUR BUSINESS
Do Not Share Business Login Information
Grandview Bank will never reach out to customers to request information related to their Business account login. This includes asking for details such as your company ID, passwords, usernames, security pins or token numbers. To keep your data safe and out of the hands of fraudsters, please do not share sensitive information with anyone.
Verbally Confirm: New Payment Instructions
If you receive a request to change payment instructions, call to confirm, using a known number. Never use the email addresses or phone numbers provided in the email request to confirm your new payment instructions.
Be Cautious of Email Scams
Emails, even those from a known sender, can sometimes be opportunities for fraudsters to gain access to your sensitive financial information. Phishing is an online scam that targets its victims using email and can lead to malware or email compromise. Be cautious before clicking on links and stay alert for emails that raise red flags, including those with excessive typos or grammatical errors.
Verify Correct URL Addresses
Avoid using search engines to find the login for Grandview Bank. Fraudsters can imitate the web address with minor changes to appear legitimate.
Monitor Your Accounts
Make it a consistent practice to carefully review your monthly bank statements and reconcile your accounts daily to monitor for unauthorized activity. If you find or suspect unusual activity on your account(s), contact us immediately.
Safeguard Your Business Checks
Keep business checks in a secure location. Avoid leaving payments in unguarded drop boxes or outgoing mail slots. When mailing check payments, it is best to drop them off at a secure location.