Business Cybersecurity Tips

Business Technology Topic of the Month

Account Takeover Fraud (ATO)
 
What is ATO?
In Account Takeover Fraud (ATO), cyber criminals deliberately gain unauthorized access to a victim's online bank, payroll, health savings or social media account, with the goal of stealing money or information for personal gain. Cyber criminals may gain access to a victim's online account through a variety of methods:
 
  • Brute forcing usernames/passwords: a cybercriminal exploits a weak password and the lack of multi-factor authentication.
  • Phishing email: a cybercriminal sends a deceptive email to trick the victim into giving away their login credentials.
  • Phishing domains/websites: a cybercriminal uses a phishing website that looks like a legitimate online banking or payroll website to trick the victim into giving away their login credentials.
  • Social engineering: a cybercriminal manipulates the victim into giving away their login credentials by impersonating a bank employee, customer support, or technical support personnel.
  • Data breaches: a cybercriminal obtains the victim's login credentials from a past data breach, or from criminal forums and dark web marketplaces that sell breached data.
  • Malware: a cybercriminal obtains the victim's login credentials via malware on the victim's device.
The goal of the cybercriminal is to steal funds, redirect paychecks, or otherwise affect funds of the targeted victim.
 
SEARCH ENGINE OPTIMIZATION (SEO) POISONING ATO
In one specific type of scam, cyber criminals buy ads that masquerade as legitimate companies to misdirect victims searching for a specific website through popular search engines such as Google, Yahoo, or Bing. The search engine may return a fraudulent URL that closely resembles the legitimate one, is slightly misspelled, or redirects to another website whose URL appears legitimate.
 
When victims click on the fraudulent search engine ad, they are directed to a sophisticated phishing site that mimics the real website, tricking victims into providing their login information. Cyber criminals then capture victims' credentials as they access the fraudulent site. 
 
If the account requires multi-factor authentication, cyber criminals may use social engineering to obtain the One-Time Passcode (OTP). For example, the cybercriminal pretends to be a bank employee or technical support and asks the victim to provide their phone number via the fraudulent website's chat box. The cybercriminal then contacts the victim, still posing as the bank employee or technical support, and asks for the OTP.
 
If the account is a corporate account that requires two individuals to authorize a transaction (dual control), cyber criminals may use social engineering in the same way and insist that the second individual go to the same website, or to the open browser session of the first individual, to complete the transaction. Cybercriminals then use the captured credentials to gain full access to the victim's financial account. If a bank account is compromised, cyber criminals can transfer money out of it. If an employer payroll account, health savings account, or retirement account is accessed, the cybercriminal can change the direct deposit information on the real site and redirect funds. If cyber criminals gain access to a victim's full personally identifiable information (PII), they can also open new accounts or loans in the victim's name.
 
STAY PROTECTED
To remain on guard against ATO, follow the tips below:
  • Be careful about the information you share online or on social media. By openly sharing things like a pet's name, schools you've attended, your date of birth, or information about your family members, you can give scammers all the information they need to guess your password or answer your security questions.
  • Monitor your financial accounts on a regular basis for irregularities, such as missing deposits.
  • Always use unique complex passwords, enable two-factor authentication on any account that allows it, and never disable it.
  • Use Bookmarks or Favorites for navigating to login websites rather than clicking on Internet search results or advertisements. Multi-factor authentication will not protect you if you land on a fraudulent login page. Carefully examine the email address, URL, and spelling in any correspondence.
  • Stay vigilant against phishing attempts. Be suspicious of unknown "banking" or "company" employees who call you; don't trust caller ID. Offer to call them back after you look up the phone number yourself. Remember that companies generally do not contact you to ask for your username, password, or OTP.

Fake Check Scams

Fake checks drive many types of scams, like those involving phony prize wins, fake jobs, mystery shoppers, online classified ad sales, and others. In a fake check scam, a person you don't know asks you to deposit a check, sometimes for several thousand dollars and usually for more than what you are owed, and wire some of the money back to that person. The scammers always have a good story to explain the overpayment: they're stuck out of the country, they need you to cover taxes or fees, you need to buy supplies, or something else. But by the time your bank discovers you've deposited a bad check, the scammer already has the money you sent, and you're stuck paying the rest of the check back to the bank.

The Federal Trade Commission receives tens of thousands of reports each year about fake checks. Over the last three years, the number of complaints has steadily increased, and so have the dollars lost.

The FTC's new infographic, developed with the American Bankers Association Foundation, offers some tip-offs to rip-offs and what to do if you get a check from someone you don't know.

Please share this information with others. Victims may be embarrassed to talk about their experiences, but you can help. A simple phone call, email or text, saying "Look what I just found" and sharing this information may make a difference in someone else's life.
How to Avoid Cryptocurrency Scams!
 
Scammers are always finding new ways to steal your money using cryptocurrency. To steer clear of a crypto con, here are some things to know.

  • ONLY SCAMMERS DEMAND PAYMENT IN CRYPTOCURRENCY. No legitimate business is going to demand you send cryptocurrency in advance, not to buy something, and not to protect your money. That's always a scam.
  • ONLY SCAMMERS WILL GUARANTEE PROFITS OR BIG RETURNS. Don't trust people who promise you can quickly and easily make money in the crypto markets.
  • NEVER MIX ONLINE DATING AND INVESTMENT ADVICE. If you meet someone on a dating site or app and they want to show you how to invest in crypto, or ask you to send them crypto, that's a scam.
Spot Crypto-Related Scams
 
Here are some common investment scams, and how to spot them.

  • A so-called "investment manager" contacts you out of the blue. They promise to grow your money, but only if you buy cryptocurrency and transfer it into their online account. The investment website they steer you to looks real, but it's a fake, and so are their promises. If you log in to your "investment account", you won't be able to withdraw your money at all, or only if you pay high fees.
  • An online "love interest" wants you to send money or cryptocurrency to help you invest. That's a scam. As soon as someone you meet on a dating app asks you for money, or offers you investment advice, know this: that's a scammer. The advice and offers to help you invest in cryptocurrency are nothing but scams. If you send them crypto, or money of any kind, it'll be gone, and you typically won't get it back.
  • Scammers guarantee that you'll make money or promise big payouts with guaranteed returns. Nobody can make those guarantees, much less in a short time. And there's nothing "low risk" about cryptocurrency investments. So: if a company or person promises you'll make a profit, that's a scam, even if there's a celebrity endorsement or testimonials from happy investors. Those are easily faked.
  • Scammers promise free money. They'll promise free cash or cryptocurrency, but free money promises are always fake.
  • Scammers make big claims without details or explanations. No matter what the investment, find out how it works and ask questions about where your money is going. Honest investment managers or advisors want to share that information and will back it up with details.
  • IF YOU SEE A TWEET (OR A TEXT, OR OTHER MESSAGE ON SOCIAL MEDIA) THAT TELLS YOU TO PAY WITH CRYPTOCURRENCY, THAT'S A SCAM!
Cybersecurity Tips for Tax Season
Every February through April, there is a rise in tax fraud by cyber criminals keen on stealing your personal and business's financial data. Learn how to prevent these types of attacks by being aware of the scams they use and having a solid cybersecurity program in place.
 
Common Tax Fraud Issues
  • Impersonating IRS Phone Scams: Callers claim to be IRS employees and say that you owe money that must be paid as soon as possible via gift cards or a wire service. The real IRS will not call and demand immediate payment. In general, they will send a notice or bill via the mail.
  • Phishing, Email and Malware Scams: Cybercriminals will attempt to get valuable data via unsolicited emails, text messages, or fake websites that prompt users to click a link and open attachments to share personal or financial information or to release malware or spyware into a computer system.
  • Dishonest Tax Firms: Tax preparation companies with little or no credibility open and close quickly during peak tax season. These businesses might not have secure systems, allowing cybercriminals to easily access your information.
Cybersecurity Tips for Tax Season and Beyond
You can protect your business from tax fraud scams and cyber attacks by implementing employee cybersecurity training and data privacy verification procedures, such as:
  • Do not share social security numbers or any tax documentation with unknown parties.
  • Keep an eye on your credit report to see if any bank accounts are being opened in your name.
  • Look for any business loans being taken out under your company EIN.
  • Triple check information prior to sending any wire or ACH transfers. Call a known number directly (not using the email signature), and ensure that multiple parties review before pushing through any payment.
  • Stop, think, and double-check rush demands with other team members or management. Threat actors tend to use urgency in an attempt to rush people to make a mistake.
  • Do not open attachments unless you were expecting them. If in doubt, have IT look at the email out of an abundance of caution.
  • Do not allow anyone access to your computer unless you can confirm with your IT department that they are legitimate. Always gather their contact information, confirm it, and call back if necessary. It is not common practice for someone unknown to call and ask for remote access.
  • Use secure passwords and don't share or reuse them.
  • Ensure you communicate with an authentic individual and not an imposter trying to steal personal and financial information. If you are not familiar with the person's name, verify their relationship with your company before sharing any data.
  • Utilize multi-factor authentication (MFA) when filing taxes online. Use a tax preparing service that requires a username, complex password and MFA.
  • Update software on all devices and operating systems that connect to the internet. Having current software that is fully patched is a strong defense against viruses and malware. 
What is business email compromise (BEC)?
Business email compromise (BEC) is a type of cybercrime where the scammer uses email to trick someone into sending money or divulging confidential company info. The culprit poses as a trusted figure, then asks for a fake bill to be paid or for sensitive data they can use in another scam. BEC scams are on the rise due to increased remote work.
Types of business email compromise scams
  • Data theft: Sometimes scammers start by targeting the HR department and stealing company information like someone's schedule or personal phone number. Then it's easier to carry out one of the other BEC scams and make it seem more believable.
  • CEO fraud: Scammers either spoof or hack into the CEO's email account, then email employees instructions to make a purchase or send money via wire transfer. The scammer might even ask an employee to purchase gift cards, then request photos of serial numbers.
  • Account compromise: Scammers use phishing or malware to get access to a finance employee's email account, such as an accounts receivable manager. Then the scammer emails the company's suppliers fake invoices that request payment to a fraudulent bank account.
  • False invoice scheme: Posing as a legitimate vendor your company works with, the scammer emails a fake bill, often closely resembling a real one. The account number might only be one digit off. Or they may ask you to pay a different bank, claiming your bank is being audited.
  • Lawyer impersonation: In this scam, attackers gain unauthorized access to an email account at a law firm. Then they email clients
How do BEC scams work?
Here's what happens in a BEC scam:
  1. Scammers research their targets and figure out how to fake their identity. Sometimes they create fake websites or even register companies with the same name as yours in a different country.
  2. Once they have access, scammers monitor emails to figure out who might send or receive money. They also look at conversation patterns and invoices.
  3. The scammer tries to gain the target's trust and then asks for money, gift cards, or information.
  4. During an email conversation, the scammer impersonates one of the parties by spoofing the email domain. (The email address might be off by a letter or two, or it might be the correct email address "via" a different domain.)
Targets of business email compromise
Anyone can be a target of a BEC scam. Businesses, governments, nonprofits, and schools are all targeted, and specifically these roles:
  • New or entry level employees who won't be able to verify an email's legitimacy with the sender.
The dangers of BEC
If a business email compromise attack is successful, your organization could:
  • Lose hundreds of thousands to millions of dollars.
  • Face widespread identity theft if personally identifiable information is stolen.
  • Accidentally leak confidential data like intellectual property.
Business email compromise examples
Example #1: Pay this urgent bill
You work in your company's finance department. You get an email from the CFO with an urgent request about an overdue bill, but it's not actually from the CFO. Or the scammer pretends to be your repair company or internet provider and emails a convincing-looking invoice.
Example #2: What's your phone number?
A company executive emails you, "I need your help with a quick task. Send me your phone number and I'll text you." Texting feels safer and more personal than email, so the scammer hopes you'll text them payment info or other sensitive information. This is called "smishing", or phishing via SMS message.
Example #3: Your lease is expiring
A scammer gets access to a real estate company's email, then finds transactions in progress. They email clients, "Here's the bill to renew your office lease for another year" or "Here's the link to pay your lease deposit."
Example #4: Top secret acquisition
Your boss asks for a down payment to acquire one of your competitors. "Keep this just between us," the email says, discouraging you from verifying the request. Since M&A details are often kept secret until everything is final, this scam might not seem suspicious at first.
 
Follow these best practices to stop business email compromise:
 
Use a secure email solution
Email apps like Office 365 automatically flag and delete suspicious emails or alert you that the sender isn't verified. Then you can block certain senders and report emails as spam.
Set up multifactor authentication (MFA)
Make your email harder to compromise by turning on MFA, which requires a code, PIN, or fingerprint to log in as well as your password.
Set security defaults
Administrators can tighten security requirements across the entire organization by requiring everyone to use MFA, challenging new or risky access with additional authentication, and forcing password resets if credentials are leaked.
Teach employees to spot warning signs
Make sure everyone knows how to spot phishing links, a domain and email address mismatch, and other red flags. Simulate a BEC scam so people recognize one when it happens.
Use email authentication tools
Make your email harder to spoof by authenticating senders using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DMARC.
Adopt a secure payment platform
Consider switching from emailed invoices to a system specifically designed to authenticate payments.
 
Business email compromise protection
Help protect your organization with solutions that detect suspicious email, like Microsoft Defender for Office 365, which can:
  • Automatically check email authentication standards, detect spoofing, and send emails to quarantine or junk folders.
  • Use AI to model each person's normal email patterns and flag unusual activity.
  • Configure email protection by user, domain, and mailbox.
  • Investigate threats, find out who's being targeted, detect false positives, and identify scammers in Threat Explorer.
  • Check domain-wide email patterns and highlight unusual activity with advanced algorithms in Spoof intelligence.
10 Cybersecurity Tips to Protect Your Small Business Data
 
Protecting Your Business Data: Where to Begin
The first step in securing your business is knowing what data you have. Start by identifying all connected devices, including desktop computers, laptops, smartphones, printers, and the applications your business relies on. This inventory gives you a clear picture of your digital infrastructure, enabling you to implement the proper measures to protect your data.
 
Over time, you've amassed a treasure trove of data that cybercriminals would love to exploit:
 
  • Customer details: emails, phone numbers, birth dates, and all email lists used for marketing or sales records. Imagine losing all your customer emails or having them fall into the hands of scammers.
  • Website: your website may contain email addresses, support ticket records, online reviews, and customer transactions. These can be exploited for identity theft or for creating fake websites.
  • Social media: social media accounts hold data such as usernames and public profile information. Scammers can create fake profiles to send spam or malicious links, or to impersonate you.
  • Invoices: invoices contain your bank account details and customer contact information, which can be used for scams.
  • Payment processing: online checkouts are targets for stealing customer banking and personal information.
  • Inventory data: any lists you maintain of your current stock.
  • Orders: any customer information you hold on to, such as recent sales, payment details, email addresses, personal addresses, and phone numbers.
 
You can protect all this data by following basic security practices. Here are some foundational principles:
 
  • Keep work computers for work only: avoid using business devices for personal activities, as this increases the risk of exposure to malware.
  • Uninstall unused programs and disable unused accounts: regularly review and remove unnecessary programs or accounts to minimize potential vulnerabilities.
  • Know who's using what and why: ensure employees have unique login credentials and restrict administrative rights to only those who need them.
  • Guard against physical theft, too: set up remote wiping, which lets you delete the data on a lost or stolen device remotely.
 
Ten Cybersecurity Practices for Small Businesses
Every business is unique, but there are a few things all employees can do to secure the business infrastructure. 
 
1. Deploy antivirus software
Today, antivirus software is essential. But how do you choose the best one for your needs? Start by assessing your needs and selecting software that protects all your devices from spyware, ransomware, and phishing scams. Look for software that provides both protection and cleaning capabilities to restore your devices to their pre-infected state.
 
After selecting the proper antivirus, keep it updated to defend against the latest threats and to patch any vulnerabilities.
 
Additionally, remember to secure your mobile devices, such as smartphones and tablets, as these are sometimes overlooked. However, a vulnerable device can be an open door for hackers to access your network and other devices storing information. Encourage your employees to password-protect their devices, install security apps, and encrypt their data to prevent information theft, especially when using public networks.
 
2. Keep everything up-to-date
 
  • Regularly update your systems: Ensure that your operating system, applications, and antivirus software are always up-to-date on all devices, not just laptops and computers.
  • Upgrade your operating system: Common operating systems like Microsoft Windows and Apple's macOS often release updates with improved security features and bug fixes. Enable automatic updates to keep your devices protected against the latest vulnerabilities.
  • Remember to update all your devices and your website, too: Make sure that payment machines, security systems, and any internet-enabled smart devices are running on the latest software versions. Enable automatic updates when possible. Don't forget to update website platforms such as WordPress or Squarespace, as well as their plug-ins and third-party extensions. When you log in to the administrator section of your website, set up automatic updates for your website and plug-ins to keep your digital space secure.
 
3. Back up your data
 
Regular backups are the key to protecting your data against ransomware attacks. In the event of an attack, you can wipe out infected computers, reset them to factory settings, and restore data from backups, eliminating the need to pay the ransom.
 
Consider using external hard drives for backups, as they provide a secure off-site location for your data. While cloud backups are convenient, physical backups offer additional security against cyber threats.
 
4. Create strong, unique passwords for all your business accounts and devices
 
Your passwords should be at least ten characters long and contain a mix of uppercase and lowercase letters, numbers, and special characters. Avoid using predictable passwords like names, birthdays, or common patterns. If you have numerous accounts, consider using a password manager. It can assist you in creating and securely storing complex passwords, making it easier to manage multiple strong passwords without needing to remember each one.
 
Employees often reuse passwords across multiple accounts or choose simple, easy-to-guess passwords. This practice makes it easy for hackers to gain access to multiple systems if they crack one password. Talk to them about the risks of this practice.
 
5. Implement Two-Factor Authentication (2FA)
 
Two-factor authentication adds an extra layer of security by requiring additional verification steps beyond a username and password. For example, after entering your password, you might need to input a unique code sent to your phone. This added step makes it significantly harder for criminals to access your accounts, even if they have your credentials.
 
Set it up on:
  • Logins for important business accounts, such as bank accounts and email.
  • Accounts that store your payment information, such as eBay, Amazon, and PayPal.
  • Social media accounts, including Facebook, Instagram, Twitter, and LinkedIn.
  • Any specific industry or business-related software.
 
6. Use a VPN when connecting to public Wi-Fi
 
Public Wi-Fi networks, such as those in airports, hotels, or cafes are often unsecured and vulnerable to attacks. Hackers can position themselves between you and the connection point through Man-in-the-middle attacks. Instead of your data going directly to the hotspot, it goes to the hacker, who then sends it to the hotspot. This allows them access to anything you send over the internet, such as emails, bank statements, credit card information, login details for websites, and more. Essentially, they can access your systems as if they were you. Hackers commonly distribute malware and create fake connection points to exploit these unsecured connections.
 
One of the things a VPN does is encrypt your data traffic. This means that even if an attacker intercepts your data, they won't be able to decipher it because it will appear as a bunch of gibberish to them. Since hackers typically target easy victims, once they see that you have a VPN set up, they are likely to move on to the next unprotected victim.
 
7. Don't click on that link! Protect your business from scams
 
Phishing messages often disguise themselves as communications from legitimate companies like banks, courier services, or government departments. These messages may include links to fake websites that look almost identical to the real ones, aiming to trick people into entering their bank details.
 
Sometimes, phishing emails include attachments that appear to be invoices or documents. When opened, these attachments can install malware on your computer without your knowledge.
 
Scams that target small businesses include:
 
  • Impersonation scams: Criminals may call pretending to be from government agencies, energy or telecommunications providers, banks, or the police and ask for sensitive information about your business to commit fraud.
  • Invoice scams: Receiving a fake invoice via email from what seems to be a legitimate supplier. Another version is a request to cancel a recent payment or update bank account details, directing the business to make the payment to a new, fraudulent account.
  • CEO scams: Also known as 'CEO phishing', this scam involves an urgent fund transfer request appearing to be from a senior executive, such as the CEO or CFO, in hopes of prompting immediate action without verification.
8. Learn to Recognize Business Email Compromise
 
Business email compromise (BEC) occurs when criminals take control of a company's or individual's email account to commit fraud. This can include sending fake invoices, requesting changes to bank account details, or intercepting and altering payment information. Criminals often gain access through phishing emails posing as trusted contacts, asking for usernames and passwords, or containing harmful software links. Furthermore, compromised email accounts or data breaches can expose credentials used for BEC attacks.
 
Signs of Suspicious Emails

Uncommon or inconsistent sender addresses: Always check the sender's email address, especially if the email asks for money or account details. Common warning signs include: the "From" address doesn't match the display name, the "Reply-To" header is different from the sender's address, and the email domain doesn't match the company domain.

Unusual requests from bosses, business partners, or suppliers: Be cautious of emails from senior staff or business partners asking for payments or sensitive information.

Unexpected invoices: Before paying any invoice, verify that the business is expecting it. Double-check the invoice details against previous payments to the same supplier. If something seems off, call the supplier using contact information from their official website, not from the email or invoice.

Urgent or confidential requests: Emails that ask for immediate payment or insist on confidentiality should raise alarms.

Unsophisticated formatting and typos: Examine the email for broken English, typos, or grammar mistakes. Emails sent at odd times can also be suspicious, especially if they supposedly come from a local business or person.
 
If you notice these signs, it's likely a Business Email Compromise scam. Pause and verify before taking any action.
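As an added illustration of the header and wording checks above (example code written for this page, not part of the original), the script below parses a raw message and reports which of the listed red flags it carries. The company domain, the staff directory, the pressure-word list, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed company domain and a small staff directory, both constructed for this
# example. In practice the directory would come from your identity provider.
COMPANY_DOMAIN = "example.com"
STAFF_DIRECTORY = {
    "dana reyes": "dana.reyes@example.com",
    "sam okafor": "sam.okafor@example.com",
}

# Phrases that signal the urgency or secrecy pressure described above.
PRESSURE_PATTERNS = [
    r"\burgent(ly)?\b", r"\bimmediately\b", r"\btoday\b",
    r"\bconfidential\b", r"\bkeep this between us\b", r"\bdo not (tell|discuss)\b",
]

# Constructed sample messages, not taken from the original page.
SUSPICIOUS_MSG = """\
From: Dana Reyes <dana.reyes@exarnple-pay.net>
Reply-To: dana.reyes.cfo@webmail-example.org
To: ap@example.com
Subject: URGENT - overdue invoice

Please wire the attached invoice today. Keep this between us until the deal closes.
"""

LEGIT_MSG = """\
From: Dana Reyes <dana.reyes@example.com>
To: ap@example.com
Subject: Q3 supplier list

Attached is the updated supplier list for next quarter.
"""


def _normalize_name(name: str) -> str:
    """Lowercase, drop parenthesised titles and collapse whitespace."""
    name = re.sub(r"\(.*?\)", "", name)
    return " ".join(name.lower().split())


def _domain_of(addr: str) -> str:
    """Return the lowercased domain part of an address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_red_flags(raw: str, company_domain: str = COMPANY_DOMAIN,
                  directory: dict = STAFF_DIRECTORY) -> list:
    """Return a list of human-readable red flags found in a raw message."""
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_to = from_addr.lower(), reply_to.lower()
    flags = []

    # 1. Display name belongs to a known colleague, but the address is not theirs.
    expected = directory.get(_normalize_name(display_name))
    if expected and expected != from_addr:
        flags.append(f"display name '{display_name}' belongs to {expected}, "
                     f"but From is {from_addr}")

    # 2. Reply-To differs from From: replies go somewhere the sender did not claim.
    if reply_to and reply_to != from_addr:
        flags.append(f"Reply-To {reply_to} differs from From {from_addr}")

    # 3. Sender domain is neither the company domain nor a subdomain of it.
    sender_domain = _domain_of(from_addr)
    if sender_domain != company_domain and not sender_domain.endswith("." + company_domain):
        flags.append(f"sender domain '{sender_domain}' is not {company_domain}")

    # 4. Urgency or secrecy language in the subject or body.
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    hits = [p for p in PRESSURE_PATTERNS if re.search(p, text)]
    if hits:
        flags.append(f"pressure language matched {len(hits)} pattern(s)")

    return flags


def is_suspicious(raw: str) -> bool:
    """Treat two or more red flags as a likely BEC attempt worth verifying by phone."""
    return len(bec_red_flags(raw)) >= 2


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MSG), ("legit", LEGIT_MSG)):
        print(label, is_suspicious(raw), bec_red_flags(raw))
```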
 
9. Monitor your company's digital identity
 
To safeguard your brand and reputation from data breaches, it's important to actively monitor your company's digital identity. Your digital identity includes the trail of data points (digital footprint) left behind whenever you or your company interact online. This includes anything from name and biometrics to data like social media activity.
 
10. Educate your employees about cybersecurity
 
Cybersecurity is a shared responsibility, and it's important to raise awareness about cyber safety with employees. Here are some ideas to achieve this:

  1. Provide useful information: Share practical tips and real-life examples about cyber safety. Create an online resource with your company's cybersecurity guidelines and tips.
  2. Discuss cybersecurity: Keep the conversation simple by highlighting that online safety is similar to protecting one's money, family, house, and privacy offline. Encourage employees to be cautious of offers that seem too good to be true and of unexpected messages from strangers.
  3. Ensure secure, easy, and flexible working: If your employees value the freedom of working from anywhere, prioritize protection on the go. Implement secure tools and guidelines for remote work to safeguard your business and make flexible working safe and straightforward.
  4. Set up and agree on rules for safe web browsing, email use, social media sharing, AI use, and passwords, along with the plan in case of oversharing, a cyberattack, falling victim to a scam, or device loss.
You don't need a big budget or an IT department to stay safe.
 
WHAT IS ACCOUNT TAKEOVER?
 
The average person has dozens of accounts needed for access to both personal and business websites, applications, and systems. Account takeover attacks (as the name suggests) attempt to gain access to those accounts, allowing the attacker to steal data, deliver malware, or use the account's legitimate access and permissions for other malicious purposes.
 
HOW DO ACCOUNT TAKEOVERS OCCUR?
 
For an account takeover attack to occur, the attacker needs access to the target account's authentication information- such as a username and password combination. Attackers can obtain this information in various ways, including:
  • Credential stuffing: Credential stuffing attacks use bots to automatically attempt to log in to a user account using a list of common or breached passwords. These attacks are possible because many user accounts are protected by weak or reused passwords- a major security issue.
  • Phishing: User credentials are a common target of phishing attacks, which often use malicious links to direct a user to a fake page for a service, allowing the attacker to collect their login credentials.
  • Malware: Malware infections on a user's computer can steal passwords in various ways. These include dumping authentication information from browser or system password caches or recording a user's keystrokes as they authenticate to an account.
  • Application vulnerabilities: Users are not the only entities with accounts on an organization's systems and networks. Applications also have accounts, and an attacker can exploit vulnerabilities in these accounts to take advantage of their access.
  • Stolen cookies: The cookies stored on a user's computer can store information about their login session to allow access to an account without a password. With access to these cookies, an attacker can take over a user's session.
  • Hardcoded passwords: Applications commonly need access to various online accounts to perform their role. Sometimes, passwords to these accounts are stored in application code or configuration files, which may be exposed or otherwise leaked.
  • Network traffic sniffing: While most network traffic is encrypted and secure, some devices still use insecure protocols, such as Telnet. An attacker who can view this unencrypted network traffic can extract login credentials from it.
IMPACT OF ACCOUNT TAKEOVER ATTACKS
A successful account takeover attack grants the attacker the same access and permissions as the legitimate account owner. With this access, an attacker can take various actions such as:
  • Data theft: Account takeover attacks can lead to the breach and exfiltration of vast amounts of sensitive, confidential, or protected classes of data like credit card numbers or personally identifiable information.
  • Malware delivery: Account takeover attacks allow attackers to install and execute ransomware and other malware on corporate systems.
  • Follow-on attacks: Once an attacker gains access to a legitimate account, they can use that access to carry out further attacks. Sometimes, gaining access to a specific account is only done for this purpose (e.g. attackers may steal login credentials in the hope that the user has reused passwords across multiple accounts).
  • Lateral movement: A compromised account can provide an entry point for an attacker to an otherwise secure network. From this initial starting point, the attacker can expand their access or escalate privileges across other corporate systems, a process called lateral movement.
  • Financial profit: Instead of using the compromised account themselves, the attacker may sell access to it on the dark web.
HOW TO DEFEND AGAINST ACCOUNT TAKEOVER ATTACKS
  • Strong password policies: Many account takeover attacks take advantage of weak and reused passwords. Defining and enforcing a strong password policy, including testing whether user passwords have been exposed in a breach, can make credential stuffing and password cracking attacks more difficult to perform.
  • Phishing protection: Phishing attacks are a common method for attackers to steal user passwords. By filtering risky emails or blocking suspicious domains via Internet filtering, an organization reduces the risk of users inadvertently compromising their credentials.
  • Multi-factor authentication (MFA): MFA uses multiple factors to authenticate a user, such as the combination of a password and a one-time password (OTP) generated by an authenticator app, or the use of hardware security keys in addition to a password. Enforcing MFA on all accounts makes it harder for an attacker to take advantage of a compromised password.
  • Application security testing: API keys and authentication tokens exposed in APIs can grant attackers access to an organization's online accounts. Enforcing strong authentication practices and scanning application code and configuration files for authentication material can protect against this.
  • Login and API security: Credential stuffers try many different username and password combinations in an attempt to guess valid login credentials. Login and API security solutions can help to identify and block these attacks.
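The login-security point above, as an added example that is not the page's own code: a Python detector that reads login audit records and flags source addresses that fail logins against many distinct accounts inside a short window (the credential stuffing pattern), then lists any account that nonetheless logged in successfully from such a source. The record format, the five-minute window, the five-account threshold and the sample log lines are all constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample of login audit records: timestamp, source IP, username,
# outcome. Real formats vary; parse_line() below assumes this one.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 198.51.100.7 alice FAIL
2024-05-01T09:00:02Z 198.51.100.7 bob FAIL
2024-05-01T09:00:02Z 198.51.100.7 carol FAIL
2024-05-01T09:00:03Z 198.51.100.7 dave FAIL
2024-05-01T09:00:03Z 198.51.100.7 erin FAIL
2024-05-01T09:00:04Z 198.51.100.7 frank SUCCESS
2024-05-01T09:00:05Z 203.0.113.9 alice FAIL
2024-05-01T09:00:40Z 203.0.113.9 alice FAIL
2024-05-01T09:01:10Z 203.0.113.9 alice SUCCESS
"""
WINDOW = timedelta(minutes=5)  # assumed thresholds for this example
MIN_DISTINCT_USERS = 5

def parse_line(line):
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome

def credential_stuffing_sources(log_text, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Map each flagged source IP to the sorted usernames it failed against.
    A source is flagged when it fails logins for at least min_users distinct
    accounts inside one window; one user retrying their own password is not."""
    failures = defaultdict(list)  # ip -> [(time, user)] for FAIL records only
    for line in log_text.strip().splitlines():
        ts, ip, user, outcome = parse_line(line)
        if outcome == "FAIL":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

def accounts_to_review(log_text, flagged_sources):
    """Accounts that logged in successfully from a flagged source: treat them
    as probable takeovers (reset password, revoke sessions, notify owner)."""
    hits = set()
    for line in log_text.strip().splitlines():
        _, ip, user, outcome = parse_line(line)
        if outcome == "SUCCESS" and ip in flagged_sources:
            hits.add(user)
    return sorted(hits)
```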
 
HOW TO PROTECT YOURSELF AND YOUR BUSINESS

Beware of Fraud Trends on the rise.
  • Zelle Refund Imposters- Grandview Bank will never reach out to you asking you to send money to refund yourself for a fraudulent transaction. Even if it appears the calls are coming from Grandview Bank, if it doesn't make sense, hang up and call us at 817-641-3100.
  • Business Email Compromise- There continues to be an increase in email fraud where a scammer sends an email to your business from what appears to be a known source. When you receive a transaction request via email, verbally validate the request with the sender before acting on it.
  • Cybercriminals and Your Personal Information- Identity theft is on the rise as merchants you do business with fall victim to data compromises. As a result, scammers can gain access to your personal information, such as your Social Security number, date of birth, debit card or account number.
HOW TO PROTECT YOUR BUSINESS FINANCES
Protect against check and electronic fraud
  • Verify checks and return fraudulent checks before they post to your account with Positive Pay.
  • Speak to your Account Representative for more information regarding Treasury Management Services.
SECURE YOUR SIDE OF THE TRANSACTION
  • Use a dedicated computer for online banking that's not used for any other purpose.
  • Update antivirus software and operating systems on all devices.
  • Do not log in to online banking using public Wi-Fi hotspots.
  • Always log out of online banking when you have completed your transactions.
STAY ALERT FOR SUSPICIOUS ACTIVITY
  • Monitor accounts frequently and reconcile them daily.
  • If you suspect fraud, contact your banker immediately.
UNDERSTAND THE POTENTIAL FOR FRAUD
  • Do not use the same login ID and password across multiple systems.
  • Do not store or save login IDs and passwords on your browser, on a computer or on paper.
  • Do not share account information, login credentials, passwords or other sensitive data with anyone requesting it by phone. Grandview Bank will never call or email you or your employees to request this information.
  • Do not open suspicious email attachments that you have not requested or click on any links in emails you receive from unknown sources.
  • Do not visit websites you think may be suspicious.
TAKE ADVANTAGE OF GRANDVIEW'S SECURITY TOOLS FOR YOUR BUSINESS
  • Sign up for Positive Pay
  • Sign up for Account Alerts to help protect against unauthorized transactions
  • Monitor transactions with Grandview Bank's online banking and App.
WATCH FOR SIGNS YOUR SYSTEM MAY BE COMPROMISED
  • Inability to log in to online banking
  • Unusual timing of transactions
  • Changes in web pages or appearance of graphics, text or icons
  • Unusual pop-up messages, such as "try back later"
  • Dramatic loss of computer speed, or unexpected restarting of computer
  • Unexpected request for a one-time password or token during an online session.
 
Helpful fraud prevention tips to safeguard your business
 
Do Not Share Business Login Information
Grandview Bank will never reach out to customers to request information related to their business account login. This includes asking for details such as your User ID, passwords, usernames, security PINs or token numbers. To keep your data safe and out of the hands of fraudsters, please do not share sensitive information with anyone.
 
Verbally Confirm New Payment Instructions
If you receive a request to change payment instructions, call to confirm using a known number. Never use the email addresses or phone numbers provided in the email request to confirm new payment instructions.
 
Be Cautious of Email Scams
Emails- even those from a known sender- can sometimes be opportunities for fraudsters to gain access to your sensitive financial information. Phishing is an online scam that targets its victims using email and can lead to malware or email compromise. Be cautious before clicking on links and stay alert for emails that raise red flags including those with excessive typos or grammatical errors.
 
Verify Correct URL addresses
Avoid using search engines to find the login for Grandview Bank. Fraudsters can imitate the web address with minor changes to appear legitimate.
 
Monitor Your Accounts
 
Make it a consistent practice to carefully review your monthly bank statements and reconcile your accounts daily to monitor for unauthorized activity. If you find or suspect unusual activity on your account(s), contact us immediately.
 
Safeguard Your Business Checks
 
Keep business checks in a secure location. Avoid leaving payments in unguarded drop boxes or outgoing mail slots. When mailing check payments, it is best to drop them at a secure location.


Proudly serving North Texas for over 130 years.