

Business Technology Topic of the Month
Technology Frauds for your Business to Avoid
Businesses of all sizes are increasingly targeted by fraudsters using sophisticated technology to execute their schemes. Here are some of the latest technology frauds businesses should be aware of and actively work to avoid:
AI-Powered Scams:
- Deepfakes: AI is used to create highly realistic fake audio and video to impersonate individuals like executives or vendors, leading to scams like CEO fraud where employees are tricked into transferring funds based on fake instructions.
- Enhanced Phishing & Smishing: AI helps generate convincing phishing emails and text messages, making them more personalized, grammatically correct, and harder to detect.
Business Email Compromise (BEC):
- Impersonation: Fraudsters impersonate trusted individuals like CEOs, vendors, or suppliers through email to manipulate employees into making payments or providing sensitive information.
- Sophisticated Tactics: Scammers use AI to mimic writing styles and exploit real-time data for more convincing and timely requests, making them harder to identify.
Ransomware Attacks:
- Data Encryption: Attackers encrypt valuable business data and demand a ransom payment (often in cryptocurrency) to restore access.
- Vulnerability: Small businesses are particularly vulnerable due to potentially less robust cybersecurity measures.
Digital Payment Fraud:
- Fake Invoices: Fraudsters create realistic-looking fake invoices for goods or services that were never ordered or delivered, often containing subtle discrepancies in payment details to trick businesses into making payments.
- Account Compromise: Scammers gain unauthorized access to digital wallets or payment platforms through phishing attacks, manipulating payment logins or setting up recurring fraudulent payments.
Tech Support Scams:
- Impersonation: Scammers pose as representatives of well-known tech companies (e.g., Microsoft) to trick employees into granting remote access to company computers or paying for fake support services.
- Remote Access: Gaining remote access allows scammers to steal sensitive information, install malware, or compromise business systems.
Other Notable Frauds:
- Online Marketplace Scams: Fake profiles and listings on platforms like Facebook Marketplace can lead to scams where businesses pay for goods or services they never receive.
- Fake Job Offers: Scammers create fraudulent job postings, especially for work-from-home positions, to recruit individuals as money mules, where they unknowingly participate in laundering illegal funds.
- Cryptocurrency Scams: With the rise of cryptocurrencies, scams like fake investment schemes and "rug pulls" are targeting businesses and individuals alike.
Key Prevention Strategies:
- Employee Education: Train employees to recognize signs of phishing, BEC, deepfakes, and other social engineering tactics.
- Robust Cybersecurity: Implement and regularly update security measures like firewalls, antivirus software, intrusion detection systems, and multi-factor authentication (MFA).
- Verification Protocols: Establish strict procedures for verifying financial requests, invoices, and any communication that seems suspicious.
- Secure Payment Processes: Enforce secure payment processes and educate staff on safe digital payment practices.
- Continuous Monitoring: Monitor for fraudulent payments, unusual account activity, and potential data breaches.
- Incident Response Plan: Develop a plan for responding to cyberattacks and data breaches.
By implementing these practices and staying vigilant against emerging threats, businesses can significantly reduce their risk of falling victim to technology-enabled fraud.
ANATOMY OF A FAKE CHECK SCAM
Fake checks drive many types of scams, like those involving phony prize wins, fake jobs, mystery shoppers, online classified ad sales, and others. In a fake check scam, a person you don't know asks you to deposit a check, sometimes for several thousand dollars and usually for more than what you are owed, and wire some of the money back to that person. The scammers always have a good story to explain the overpayment: they're stuck out of the country, they need you to cover taxes or fees, you need to buy supplies, or something else. But by the time your bank discovers you've deposited a bad check, the scammer already has the money you sent, and you're stuck paying the rest of the check back to the bank.
The Federal Trade Commission receives tens of thousands of reports each year about fake checks. Over the last three years, the number of complaints has steadily increased, and so have the dollars lost.
The FTC's new infographic, developed with the American Bankers Association Foundation, offers some tip-offs to rip-offs and what to do if you get a check from someone you don't know.
Please share this information with others. Victims may be embarrassed to talk about their experiences, but you can help. A simple phone call, email or text, saying "Look what I just found" and sharing this information may make a difference in someone else's life.
Avoiding Cryptocurrency Scams
How to Avoid Cryptocurrency Scams!
Scammers are always finding new ways to steal your money using cryptocurrency. To steer clear of a crypto con, here are some things to know.
- ONLY SCAMMERS DEMAND PAYMENT IN CRYPTOCURRENCY. No legitimate business is going to demand you send cryptocurrency in advance, not to buy something, and not to protect your money. That's always a scam.
- ONLY SCAMMERS WILL GUARANTEE PROFITS OR BIG RETURNS. Don't trust people who promise you can quickly and easily make money in the crypto markets.
- NEVER MIX ONLINE DATING AND INVESTMENT ADVICE. If you meet someone on a dating site or app, and they want to show you how to invest in crypto, or ask you to send them crypto, that's a scam.
Spot Crypto-Related Scams
Here are some common investment scams, and how to spot them.
- A so-called "investment manager" contacts you out of the blue. They promise to grow your money, but only if you buy cryptocurrency and transfer it into their online account. The investment website they steer you to looks real, but it's a fake, and so are their promises. If you log in to your "investment account", you won't be able to withdraw your money at all, or only if you pay high fees.
- An online "love interest" wants you to send money or cryptocurrency to help you invest. That's a scam. As soon as someone you meet on a dating app asks you for money, or offers you investment advice, know this: that's a scammer. The advice and offers to help you invest in cryptocurrency are nothing but scams. If you send them crypto, or money of any kind, it'll be gone, and you typically won't get it back.
- Scammers guarantee that you'll make money or promise big payouts with guaranteed returns. Nobody can make those guarantees. Much less in a short time. And there's nothing "low risk" about cryptocurrency investments. So: if a company or person promises you'll make a profit, that's a scam. Even if there's a celebrity endorsement or testimonials from happy investors. Those are easily faked.
- Scammers promise free money. They'll promise free cash or cryptocurrency, but free money promises are always fake.
- Scammers make big claims without details or explanations. No matter what the investment, find out how it works and ask questions about where your money is going. Honest investment managers or advisors want to share that information and will back it up with details.
- IF YOU SEE A TWEET (OR A TEXT, OR OTHER MESSAGE ON SOCIAL MEDIA) THAT TELLS YOU TO PAY WITH CRYPTOCURRENCY, THAT'S A SCAM!
August 2025 Security Tip
How to prevent account takeover for a business
To prevent account takeover (ATO) for a business, you need to implement a multi-layered security strategy that focuses on protecting access points and detecting suspicious activity.
Here are some key steps you can take:
1. Implement Strong Authentication Measures:
- Multi-Factor Authentication (MFA): This is one of the most effective ways to prevent ATO. MFA requires users to provide multiple forms of identification before granting access, making it much harder for attackers to gain entry even if they have stolen a password. Use more secure MFA methods like app-based authenticators or hardware security keys, which are less vulnerable than SMS-based MFA.
- Strong Password Policies: Enforce policies that require complex passwords (combining letters, numbers, and special characters) and encourage or mandate regular password changes. Recommend the use of password managers to help employees generate and store strong, unique passwords for every account.
2. Enhance Website and Application Security:
- Web Application Firewall (WAF): WAFs can detect and block malicious traffic, including bots used in ATO attacks.
- Bot Detection and Mitigation: Implement bot management solutions to prevent credential stuffing attacks and other malicious bot activities.
- Data Encryption: Encrypt sensitive data, including passwords, both in transit (using HTTPS/TLS/SSL) and at rest to prevent attackers from easily stealing information.
- Regular Security Audits: Conduct periodic security audits and vulnerability assessments to identify and address potential weaknesses in your systems.
- Limit User Access: Implement access controls based on the principle of least privilege, ensuring employees only have access to the accounts and data they need. Regularly review and update access controls.
- Keep Systems Updated: Regularly apply security patches and updates to all software, including operating systems and applications, to close potential vulnerabilities.
3. Monitor for Suspicious Activity:
- Behavioral Analytics: Utilize solutions that analyze user behavior and detect deviations from normal patterns, which could indicate an ATO attempt.
- Monitor for Compromised Credentials: Regularly check databases for compromised credentials that can be used in ATO attacks.
- Track and Block Suspicious Accounts: Monitor account activity for unusual behavior like logins from new locations or devices and temporarily block or subject suspicious accounts to additional verification.
- Limit Login Attempts: Implement rate limiting to deter brute-force attacks by limiting the number of login attempts allowed within a certain time period.
- Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor endpoints and detect suspicious activity that could lead to ATO.
- Implement Fraud Prevention Tools: Work with your bank to implement fraud prevention tools and alerts for unusual account activities.
- Set Up Account Alerts: Configure alerts to be notified about unusual conditions on your account, such as large transactions or changes to account details.
- Initiate Payments Under Dual Control: Implement a process where different individuals are responsible for initiating and authorizing transactions.
4. Prepare for Incidents
- Develop an Incident Response Plan: Have a detailed plan in place for responding to ATO attacks, including steps for containment, eradication, recovery, and communication.
- Practice Incident Response: Conduct regular drills to ensure everyone understands their roles and responsibilities in the event of an attack.
July 2025 Security Tip
AI Scams that Your Business Needs to Know About
Businesses face an evolving landscape of AI-powered scams that leverage sophisticated technology to deceive and defraud. Understanding these threats is crucial for effective protection.
Here are some of the most prominent AI scams businesses need to be aware of:
1. AI-Powered Phishing and Spear Phishing
- How it works: AI algorithms can craft highly personalized and convincing emails or messages that mimic legitimate communications, making it harder to detect them as fraudulent. AI can analyze public information and online behavior to tailor messages, increasing the likelihood of recipients falling for the scam. AI also helps scammers create fake websites and landing pages that look identical to legitimate ones, further enhancing the deception.
- Why it's dangerous: AI-driven phishing attacks can bypass traditional spam filters and trick employees into revealing sensitive information like login credentials, potentially leading to a significant financial loss or reputational damage.
- Protection: Businesses should educate employees on recognizing the red flags of AI-powered phishing, including scrutinizing sender email addresses, being wary of unusual requests, and verifying information through official channels. Implementing multi-factor authentication (MFA) on all platforms is also essential.
2. Deepfake and Voice Cloning Scams
- How it works: AI can create realistic audio or video deepfakes that impersonate executives, employees, or trusted individuals, which scammers then use to deceive victims into transferring funds or divulging confidential data.
- Why it's dangerous: Deepfakes can make fraudulent requests seem legitimate, especially when paired with urgent instructions or claims of emergencies.
- Protection: Businesses should establish clear verification procedures for high-value transactions, especially those initiated via phone or video calls. Training employees on deepfake technology and the risks of impersonation is critical. Consider establishing "safe words" with key employees or stakeholders for verification.
3. AI-Powered Business Email Compromise (BEC)
- How it works: AI is increasingly used to make BEC attacks more sophisticated and scalable. AI can analyze company data to craft highly personalized and urgent requests, making it harder for employees to distinguish them from legitimate business communications.
- Why it's dangerous: BEC attacks, especially those leveraging AI and deepfakes, can lead to substantial financial losses, as seen in cases where millions of dollars were transferred to fraudsters impersonating executives.
- Protection: Implement dual approvals for high-value transfers and educate employees to question the urgency of financial emails. Use AI-based email security tools that can detect unusual sender behavior.
4. Other AI-Enabled Threats:
- AI Chatbots: Fraudsters can use AI chatbots to impersonate customer service representatives or company officials to gather sensitive information or convince victims to make payments.
- AI-Generated Fake Reviews and Content: AI tools can create convincing fake reviews or content to deceive consumers about products or services, potentially damaging a business's reputation.
- Job Offer Scams: AI is used to target job seekers with fake offers, requesting upfront fees for training or equipment.
Key Takeaways for Businesses:
- Educate Employees: Regular training is crucial to help employees recognize AI scams and how to protect themselves and the company.
- Implement Strong Security Measures: Utilize multi-factor authentication, email security tools, and robust fraud prevention systems.
- Verify Information Carefully: Always verify requests and communications through official channels, especially those involving financial transactions or sensitive information.
June 2025 Security Tip
What Is a Compromised Email Account? The Meaning & Telltale Signs to Look Out For
What is a Compromised Account?
A compromised email account occurs when an attacker or unauthorized individual accesses a legitimate user's email. Once attackers gain access to an email account, they can look at and copy all emails sent or received from that account, and any personal information attached to those messages.
Email accounts can be compromised by attackers' tactics, such as phishing and password spraying. Phishing involves the attacker tricking a user into revealing login credentials through fraudulent emails or websites, while password spraying involves trying common passwords across multiple accounts. Malware can also be used to hack into email accounts.
If you suspect your email account has been compromised, you should immediately change the password to a new one that's hard for others to guess and enable two-factor authentication. You should also notify your service provider about the breach so they can help recover any lost mail or files as needed. Let your contacts know that you've had a security breach so they don't unknowingly engage in fraudulent activity stemming from your account.
It is essential to practice good cybersecurity to protect yourself from compromised email accounts. This includes using strong, unique passwords, being cautious of suspicious emails or links, regularly updating your devices and software, and using reliable antivirus and anti-malware software.
How Are Accounts Compromised?
- Phishing: Attackers create fraudulent emails that appear to be from a legitimate source, such as a well-known company or service. The emails may contain links that lead users, who are most likely expecting this kind of communication and don't check the URL before entering their login credentials, into believing they need to log back into something important. Once attackers have compromised these accounts, they can then use them for malicious purposes.
- Password Attacks: Attackers may use techniques like password spraying to try a small number of commonly used passwords across multiple accounts. They exploit weak or reused passwords to gain access to email accounts.
- Malware: Malware, including keyloggers and spyware, can be installed on a device without the owner's knowledge. This malicious software records login credentials (such as passwords) and sends them to an attacker.
- Credential Stuffing: Attackers exploit the practice of password reuse by using login credentials leaked in previous data breaches to gain unauthorized access to other online accounts, including email accounts.
- Social Engineering: Attackers may use manipulative tactics to trick individuals into revealing their email account login information. This may involve impersonating a trusted source, like a friend or coworker, or eliciting personal information through deceptive means.
To protect against email account compromise, staying vigilant and practicing good cybersecurity hygiene is crucial. This includes using strong, unique passwords, enabling two-factor authentication, being cautious of suspicious emails or links, and regularly updating devices and software.
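The password spraying described above stays under a per-account login limit of the kind recommended in "Limit Login Attempts", because each account sees only one or two failures. The following is an added example, not part of the original tip, that counts failures both per account and per source address; the log format, thresholds, user names and documentation-range IP addresses are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs), in chronological order.
# Source addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-08-01T09:00:00Z login_failed user=alice src=198.51.100.20
2025-08-01T09:00:05Z login_failed user=alice src=198.51.100.20
2025-08-01T09:00:10Z login_failed user=alice src=198.51.100.20
2025-08-01T09:00:15Z login_failed user=alice src=198.51.100.20
2025-08-01T09:00:20Z login_failed user=alice src=198.51.100.20
2025-08-01T09:00:25Z login_failed user=alice src=198.51.100.20
2025-08-01T09:01:00Z login_failed user=grace src=192.0.2.10
2025-08-01T09:01:20Z login_failed user=grace src=192.0.2.10
2025-08-01T09:01:40Z login_ok user=grace src=192.0.2.10
2025-08-01T09:02:00Z login_failed user=bob src=203.0.113.7
2025-08-01T09:02:30Z login_failed user=carol src=203.0.113.7
2025-08-01T09:03:00Z login_failed user=dave src=203.0.113.7
2025-08-01T09:03:30Z login_failed user=erin src=203.0.113.7
2025-08-01T09:04:00Z login_failed user=frank src=203.0.113.7
"""

# Illustrative thresholds (assumptions; tune to your own traffic).
WINDOW = timedelta(minutes=10)
MAX_FAILS_PER_ACCOUNT = 5      # brute force against one account
MAX_ACCOUNTS_PER_SOURCE = 4    # one source failing against many accounts


def parse_line(line):
    """Split '<timestamp> <event> user=<u> src=<ip>' into its parts."""
    ts, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, event, kv["user"], kv["src"]


def analyze(log_text, window=WINDOW,
            max_fails=MAX_FAILS_PER_ACCOUNT,
            max_accounts=MAX_ACCOUNTS_PER_SOURCE):
    """Return (accounts to throttle, sources that look like spraying)."""
    fails_by_user = defaultdict(deque)  # user -> failure timestamps in window
    fails_by_src = defaultdict(deque)   # src  -> (timestamp, user) in window
    throttled, spraying = set(), set()

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src = parse_line(line)
        if event != "login_failed":
            continue

        # Per-account limit: catches repeated guesses at one account.
        per_user = fails_by_user[user]
        per_user.append(ts)
        while ts - per_user[0] > window:
            per_user.popleft()
        if len(per_user) >= max_fails:
            throttled.add(user)

        # Per-source view: catches one guess each at many accounts,
        # which never trips the per-account limit above.
        per_src = fails_by_src[src]
        per_src.append((ts, user))
        while ts - per_src[0][0] > window:
            per_src.popleft()
        if len({u for _, u in per_src}) >= max_accounts:
            spraying.add(src)

    return throttled, spraying


if __name__ == "__main__":
    accounts, sources = analyze(SAMPLE_LOG)
    print("Throttle accounts:", sorted(accounts))
    print("Review sources:   ", sorted(sources))
```

In the sample, the user who mistypes a password twice and then logs in is not flagged by either check.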
What Are The Different Types of Account Compromise?
Business and personal accounts can be compromised in various ways, such as malicious phishing emails sent to employees or a data breach allowing unauthorized users to gain access. Weak passwords, malware, and social engineering attacks can all compromise personal accounts.
- Email Account Compromise (EAC): Hackers most commonly gain access to people's email accounts by planting malware on their computers, usually after the victim has fallen for an initial email phishing scam. This can lead to various fraudulent activities like sending spam emails and stealing sensitive information, or sending official-looking messages to other contacts from the victim's email, trying to trick users into giving up personal or financial data.
- Account Takeover (ATO): ATO occurs when a cybercriminal takes control of an individual's online identity and impersonates that person. Attackers can exploit these compromised accounts for financial gain and other malicious activities.
- Business Email Compromise (BEC): BEC refers to an attack where cyber criminals target employees responsible for financial transactions or sensitive information. Attackers often impersonate high-ranking executives, tricking employees into making unauthorized wire transfers or sharing sensitive data.
- Credential Stuffing: In this attack, attackers use username and password combinations obtained from previous data breaches to gain unauthorized access to various online accounts, including email accounts. They rely on the fact that many individuals reuse passwords across multiple platforms.
It is important to remember that this is just a small sample. New email hacking techniques are being developed all the time. So staying on top of solid security measures like using unique and strong passwords and enabling multi-factor authentication is your first line of defense. Being cautious with suspicious emails or links also helps mitigate the risk of account compromise.
What Are The Telltale Indicators of a Compromised Account?
It is important to act fast if you think your email account has been compromised. Start by changing the password to something secure, then take the necessary steps to ensure no further damage can be done. Some signs of a breach to look out for include:
Unfamiliar messages sent from your account
If you notice emails sent from your account that you did not write, this is a clear sign that someone else has gained access to the account, especially if the emails are sending messages and links to others. If other people are also complaining to you about receiving spam emails from your email address, then your account has likely been hacked.
Unexpected password reset notifications
Getting messages about changing passwords when you haven't changed anything may signal that someone else has tried to gain access.
Missing emails
Sometimes, hackers delete emails to cover their tracks, which can signify that someone else has accessed your account.
Other unusual activity
You may also watch for unusual activity from privileged accounts, increased access to services, or increased network activity. Also, watch for logins from unusual locations or strange emails being sent out, unauthorized settings, or registry changes. Finally, contact your IT department or security provider for additional help securing your account.
Steps to Take if Your Account Has Been Compromised
Change your password
Immediately change your password for the compromised account. Choose a strong and unique password not used for other accounts. This will help prevent further unauthorized access.
Check for and remove suspicious activity
Review your account activity and look for any unfamiliar or suspicious actions. If you notice any unauthorized activity, such as emails sent from your account without your knowledge, delete them and notify your contacts to avoid any potential scams.
Enable multi-factor authentication (MFA)
If available, enable MFA for your account. This adds an extra layer of security by requiring a second form of verification such as a code sent to your phone, in addition to your password.
Update your security settings
Review and update your account security settings. Ensure your recovery options, such as alternate email addresses or phone numbers, are current. Consider changing security questions and answers as well.
Scan your device for malware
Run a complete computer or mobile device scan with up-to-date security software. This can help to detect and remove any malware or keyloggers that may have compromised your account.
Be cautious of phishing attempts
Remain vigilant for phishing emails or messages that trick you into providing personal information or login credentials. Avoid clicking on suspicious links or downloading attachments from unknown sources.
Monitor your accounts
Check your financial accounts, credit reports, and other online accounts regularly for signs of unauthorized activity. If you notice any suspicious transactions or activity, report it immediately!
Report the compromise
Depending on the type of account, report the compromise to the appropriate service provider or organization. They can assist in recovering your account and take steps to prevent further compromises.
Remember, prevention is vital to account security. Changing your passwords regularly, using strong and different passwords for each account, and avoiding sharing personal information online is wise.
Tips & Best Practices to Prevent Accounts from Being Compromised
The best way to approach cybersecurity is preemptive. Taking proactive steps to secure your accounts can go a long way in preventing unauthorized access and safeguarding your data:
- Use strong passwords with uppercase and lowercase letters, numbers, and special characters.
- Enable two-factor authentication if available for additional protection.
- Check your inbox regularly for any suspicious emails or activities.
- Set up email filters to automatically delete or block known malicious emails.
- Use a secure email provider with built-in security measures to help protect your accounts from unauthorized access.
- Keep up with security updates and patch any vulnerabilities immediately.
- Monitor your accounts for any suspicious activity or changes in settings, and contact your IT department immediately if anything is out of the ordinary.
May 2025 Security Tip
Data Breach Response: A Guide for Business
You just learned your business experienced a data breach. Whether hackers took personal information from your corporate server, an insider stole customer information, or information was inadvertently exposed on your company's website, you are probably wondering what to do next.
What steps should you take and whom should you contact if personal information may have been exposed? Although the answers vary from case to case, the following guidance from the FTC can help you make smart, sound decisions.
Secure Your Operations
Move quickly to secure your systems and fix vulnerabilities that may have caused the breach. The only thing worse than a data breach is multiple data breaches. Take steps so it doesn't happen again.
- Secure physical areas potentially related to the breach. Lock them and change access codes, if needed. Ask your forensics experts and law enforcement when it is reasonable to resume regular operations.
Mobilize your breach response team right away to prevent additional data loss. The exact steps to take depend on the nature of the breach and the structure of your business.
Assemble a team of experts to conduct a comprehensive breach response. Depending on the size and nature of your company, they may include forensics, legal, information security, information technology, operations, human resources, communications, investor relations, and management.
- Identify a data forensics team. Consider hiring independent forensic investigators to help you determine the source and scope of the breach. They will capture forensic images of affected systems, collect and analyze evidence, and outline remediation steps.
- Consult with legal counsel. Talk to your legal counsel. Then, you may consider hiring outside legal counsel with privacy and data security expertise. They can advise you on federal and state laws that may be implicated by a breach.
Stop additional data loss. Take all affected equipment offline immediately, but don't turn any machines off until the forensic experts arrive. Closely monitor all entry and exit points, especially those involved in the breach. If possible, put clean machines online in place of affected ones. In addition, update credentials and passwords of authorized users. If a hacker stole credentials, your system will remain vulnerable until you change those credentials, even if you've removed the hacker's tools.
Remove improperly posted information from the web.
- Your website: If the data breach involved personal information improperly posted on your website, immediately remove it. Be aware that internet search engines store, or "cache", information for a period of time. You can contact the search engines to ensure that they don't archive personal information posted in error.
- Other websites: Search for your company's exposed data to make sure that no other websites have saved a copy. If you find any, contact those sites and ask them to remove it.
Interview people who discovered the breach. Also, talk with anyone else who may know about it. If you have a customer service center, make sure the staff knows where to forward information that may aid your investigation of the breach. Document your investigation.
Do not destroy evidence. Don't destroy forensic evidence in the course of your investigation and remediation.
Fix Vulnerabilities
Think about service providers. If service providers were involved, examine what personal information they can access and decide if you need to change their access privileges. Also, ensure your service providers are taking the necessary steps to make sure another breach does not occur. If your service providers say they have remedied vulnerabilities, verify that they really fixed things.
Work with forensics experts. Find out if measures such as encryption were enabled when the breach happened. Analyze backup or preserved data. Review logs to determine who had access to the data at the time of the breach. Also, analyze who currently has access, determine whether that access is needed, and restrict access if it is not. Verify the types of information compromised, the number of people affected, and whether you have contact information for those people. When you get the forensic reports, take the recommended remedial measures as soon as possible.
Check your network segmentation. When you set up your network, you likely segmented it so that a breach on one server or in one site could not lead to a breach on another server or site. Work with your forensics experts to analyze whether your segmentation plan was effective in containing the breach. If you need to make any changes, do so now.
Have a communications plan. Create a comprehensive plan that reaches all affected audiences: employees, customers, investors, business partners, and other stakeholders. Don't make misleading statements about the breach. And don't withhold key details that might help consumers protect themselves and their information. Also, don't publicly share information that might put consumers at further risk.
Anticipate questions that people will ask. Then, put top tier questions and clear, plain-language answers on your website where they are easy to find. Good communication up front can limit customers' concerns and frustration, saving your company time and money later.
Notify Appropriate Parties
When your business experiences a data breach, notify law enforcement, other affected businesses, and affected individuals.
Determine your legal requirements. All states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. In addition, depending on the types of information involved in the breach, there may be other laws or regulations that apply to your situation. Check state and federal laws or regulations for any specific requirements for your business.
Notify law enforcement. Call your local police department immediately. Report your situation and the potential risk for identity theft. The sooner law enforcement learns about the theft, the more effective they can be. If your local police aren't familiar with investigating information compromises, contact the local office of the FBI or the U.S. Secret Service. For incidents involving mail theft, contact the U.S. Postal Inspection Service.
Did the breach involve electronic personal health records? Then check if you're covered by the Health Breach Notification Rule. If so, you must still notify the FTC and, in some cases, the media. Also, check if you're covered by the HIPAA Breach Notification Rule. If so, you must notify the Secretary of the U.S. Department of Health and Human Services and, in some cases, the media.
Notify affected businesses. If account access information (say, credit card or bank account numbers) has been stolen from you, but you don't maintain the accounts, notify the institution that does so it can monitor the accounts for fraudulent activity. If you collect or store personal information on behalf of other businesses, notify them of the data breach.
If Social Security numbers have been stolen, contact the major credit bureaus for additional information or advice. If the compromise may involve a large group of people, advise the credit bureaus if you are recommending that people request fraud alerts and credit freezes for their files.
Notify individuals. If you quickly notify people that their personal information has been compromised, they can take steps to reduce the chance that their information will be misused. In deciding who to notify and how, consider:
- state laws
- the nature of the compromise
- the type of information taken
- the likelihood of misuse
- the potential for damage if the information is misused
For example, thieves who have stolen names and Social Security numbers can use that information not only to sign up for new accounts in the victim's name, but also to commit tax identity theft. People who are notified early can take steps to limit the damage.
When notifying individuals:
- Consult with your law enforcement contact about the timing of the notification so it doesn't impede the investigation.
- Designate a point person within your organization for releasing information about the breach, your response, and how individuals should respond.
- Consider using letters, websites, and toll-free numbers to communicate with people whose information may have been compromised. If you don't have contact information for all of the affected individuals, you can build an extensive public relations campaign into your communication plan, including press releases or other news media notification.
- Consider offering at least a year of free credit monitoring or other support such as identity theft protection or identity restoration services, particularly if financial information or Social Security numbers were exposed. When such information is exposed, thieves may use it to open new accounts.
April 2025 Security Tip
Account Takeover Fraud (ATO)
What is ATO?
In Account Takeover Fraud (ATO), cyber criminals deliberately gain unauthorized access to a victim's online bank, payroll, health savings or social media account, with the goal of stealing money or information for personal gain. Cyber criminals may gain access to a victim's online account through a variety of methods:
- Brute forcing username/password: A cybercriminal exploits a weak password and the lack of multi-factor authentication.
- Phishing email: A cybercriminal sends a deceptive email to trick the victim into giving away their login credentials.
- Phishing domains/websites: A cybercriminal uses a phishing website that appears to be a legitimate online banking or payroll website to trick the victim into giving away their login credentials.
- Social engineering: A cybercriminal manipulates the victim into giving away their login credentials by impersonating a bank employee, customer support or technical support personnel.
- Data breaches: A cybercriminal obtains the victim's login credentials from a past data breach or from criminal forums that sell breach data on dark web marketplaces.
- Malware: A cybercriminal obtains a victim's login credentials via malware on the victim's device.
The goal of the cybercriminal is to steal funds, redirect paychecks, or otherwise affect funds of the targeted victim.
SEARCH ENGINE OPTIMIZATION (SEO) POISONING ATO
In one specific type of scam, cyber criminals buy ads that masquerade as legitimate companies to misdirect victims searching for a specific website through popular search engines such as Google, Yahoo, or Bing. The search engine may return a fraudulent website URL that is very similar to the legitimate website's, is slightly misspelled, or redirects to another website with a URL that appears legitimate.
When victims click on the fraudulent search engine ad, they are directed to a sophisticated phishing site that mimics the real website, tricking victims into providing their login information. Cyber criminals then capture victims' credentials as they access the fraudulent site.
If the account requires multi-factor authentication, cyber criminals may use social engineering to obtain the One-Time Passcode (OTP). For example, a cybercriminal pretends to be a bank employee or technical support personnel and asks the victim to provide their phone number via the fraudulent website's chat box. The cybercriminal then contacts the victim while pretending to be the bank employee or technical support and asks for the OTP.
If the account is a corporate account that requires two individuals to authorize a transaction (dual control), cyber criminals may use social engineering in a similar manner and insist that the second individual go to the same website and/or use the first individual's open browser to complete the transaction. Cybercriminals then use the captured credentials to gain full access to the victim's financial account. If a bank account is compromised, cyber criminals can transfer money from the accounts. If an employer payroll account, health savings account, or retirement account is accessed, the cybercriminal can change the direct deposit information in the real site and redirect funds. If cyber criminals gain access to full personally identifiable information (PII) for victims, they can also create new account relationships, including loans or accounts that defraud victims.
STAY PROTECTED
To remain on guard against ATO, follow the tips below:
- Be careful about the information you share online or on social media. By openly sharing things like a pet's name, schools you've attended, your date of birth, or information about your family members, you can give scammers all the information they need to guess your password or answer your security questions.
- Monitor your financial accounts on a regular basis for irregularities, such as missing deposits.
- Always use unique complex passwords, enable two-factor authentication on any account that allows it, and never disable it.
- Use Bookmarks or Favorites for navigating to login websites rather than clicking on Internet search results or advertisements. Multi-factor authentication will not protect you if you land on a fraudulent login page. Carefully examine the email address, URL, and spelling in any correspondence.
- Stay vigilant against phishing attempts. Be suspicious of unknown "banking" or "company" employees who call you; don't trust caller ID. Offer to call them back after you look up the phone number yourself. Remember that companies generally do not contact you to ask for your username, password, or OTP.
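The advice above to rely on bookmarks and to examine URLs for slight misspellings can also be applied mechanically, for example when reviewing links in email or web-filter logs. The following Python is an added example, not part of the original tip; the trusted host names and sample URLs are constructed placeholders, and the edit-distance threshold of 2 is an assumption.

```python
from urllib.parse import urlsplit

# Constructed placeholder hosts standing in for your bookmarked login sites.
TRUSTED_HOSTS = ("login.bank.example", "payroll.employer.example")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_url(url, trusted=TRUSTED_HOSTS, max_distance=2):
    """Return (verdict, trusted host it matches or resembles, or None)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ("unknown", None)   # no scheme/host to judge, treat as untrusted
    if host in trusted:
        return ("trusted", host)   # exact match with a bookmarked host
    for good in trusted:
        # A trusted name used as the start of a longer, different hostname
        # only "appears legitimate"; the real site is whatever follows it.
        if host.startswith(good + "."):
            return ("lookalike", good)
        # Slight misspelling: within a few character edits of a trusted host.
        if edit_distance(host, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    samples = [  # constructed sample URLs
        "https://login.bank.example/signin",
        "https://login.bamk.example/signin",
        "https://login.bank.example.account-verify.example/",
        "https://www.weather.example/",
    ]
    for u in samples:
        print(classify_url(u), u)
```

Only a "trusted" verdict means the host is one you bookmarked; both "lookalike" and "unknown" should be treated as not safe to log in to.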
March 2025 Security Tip
Cybersecurity Tips for Tax Season
Every February through April, there is a rise in tax fraud by cyber criminals keen on stealing your personal and business financial data. Learn how to prevent these types of attacks by being aware of the scams they use and having a solid cybersecurity program in place.
Common Tax Fraud Issues
- IRS Impersonation Phone Scams: Callers claim to be IRS employees and say that you owe money that must be paid as soon as possible via gift cards or a wire service. The real IRS will not call and demand immediate payment. In general, they will send a notice or bill via the mail.
- Phishing, Email and Malware Scams: Cybercriminals will attempt to get valuable data via unsolicited emails, text messages, or fake websites that prompt users to click a link and open attachments to share personal or financial information or to release malware or spyware into a computer system.
- Dishonest Tax Firms: Tax preparation companies with little or no credibility open and close quickly during peak tax season. These businesses might not have secure systems, allowing cybercriminals to easily access your information.
Cybersecurity Tips for Tax Season and Beyond
You can protect your business from tax fraud scams and cyber attacks by implementing employee cybersecurity training and data privacy verification procedures, such as:
- Do not share Social Security numbers or any tax documentation with unknown parties.
- Keep an eye on your credit report to see if any bank accounts are being opened in your name.
- Look for any business loans being taken out under your company EIN.
- Triple check information prior to sending any wire or ACH transfers. Call a known number directly (not using the email signature), and ensure that multiple parties review before pushing through any payment.
- Stop, think, and double-check rush demands with other team members or management. Threat actors tend to use urgency in an attempt to rush people to make a mistake.
- Do not open an attachment unless it is one you expected. If in doubt, have IT look at the email out of an abundance of caution.
- Do not give someone who requests it access to your computer unless you can confirm with your IT department that they are legitimate. Always gather their contact information, confirm and call back if necessary. It is not common practice for someone unknown to call and ask for remote access.
- Use secure passwords and don't share or reuse them.
- Ensure you are communicating with an authentic individual and not an imposter trying to steal personal and financial information. If you are not familiar with the person's name, verify their relationship with your company before sharing any data.
- Utilize multi-factor authentication (MFA) when filing taxes online. Use a tax preparing service that requires a username, complex password and MFA.
- Update software on all devices and operating systems that connect to the internet. Having current software that is fully patched is a strong defense against viruses and malware.