Since 2020 and the rapid pivot of businesses to remote and hybrid working models, hackers have aggressively continued to exploit vulnerabilities and gaps in business security systems for malicious purpose.
Unfortunately, in today’s business world cyberattacks are no longer a matter of if, but when. Attacks are becoming more frequent, more sophisticated and more costly.
Malicious actors deliberately look to exploit human vulnerabilities and leverage an increased dependency on digital infrastructures in today’s ever-expanding digital ecosystem. According to Verizon’s annual Data Breach Investigations Report 2021 [1]:
- 85% of breaches involved the human element
- 36% of breaches involved phishing, up 11% year over year
- Instances of Misrepresentation increased by 15 times year over year
The cost to businesses keeps rising. IBM and the Ponemon Institute’s Cost of a Data Breach Report 2021 [2] now benchmarks the average cost of a data breach to a company at $4.24 million – the highest in the history of the annual study – with average breach costs $1.07 million higher where remote working models are a factor.
With malicious actors adopting increasingly sophisticated tactics and the human element a key contributing factor in most breaches, we all have a role to play in fraud prevention.
We share 4 of the most common fraud practices and what you can do to protect your business against them.
Phishing
Phishing is an attempt to acquire sensitive, personal information such as usernames, passwords, bank account information, and credit card numbers by posing as a trustworthy source through email, text or other communication. Attackers issue phishing emails to millions, hoping that a handful of recipients act on their ill-intended requests.
To obtain sensitive information, cyber criminals use fake emails or text messages indicating a problem with a bank account, credit card, or even a payroll question that must be answered immediately. Other tactics include attempting to obtain login credentials by telling recipients their password is about to expire.
How do I protect myself against phishing?
Take proactive measures to protect yourself against phishing. Always be suspicious of messages that:
- Seem urgent and require your immediate response
- Request personal information such as user ID, password, PIN, email address, or PhilID even if it appears to be coming from a legitimate source
- Are addressed generically, such as “Dear Customer”
If an email seems suspicious, do not click on any of the links or open any attachments in the email. If you do, your computer can become infected with malware. Even if it sounds legitimate, do not call the number given in the message or respond to the message.
Legitimate companies that have your information will not call you or send a request to ask for that same information.
Social Scams
Social scams (or social engineering) are designed to trick someone into releasing sensitive information. Social scammers look for access to company information like financial data, intellectual property, personnel records, customer databases and personal or financial information that can be used to steal people’s identities.
Unlike phishing, these scams can be highly personalized, and often involve a telephone call, contact through social media platforms, and even in-person interactions. They often rely on the natural tendency of people to want to help solve a problem.
How do I protect myself against social scams?
Be wary of anyone who requests any sort of personal information in any unsolicited form of communication. Verify the legitimacy of the person with the company directly before providing any information.
Identity Theft
Identity theft is a crime in which an imposter obtains key pieces of personal information, such as a PhilID or driver's license number, to impersonate someone else. The information can be used to obtain credit, merchandise, and services in the name of the victim, or to provide the thief with false credentials.
Tips to help prevent identity theft:
- Only carry necessary personal information with you
- Memorize your PhilID or other government identification numbers
- Never give out personal information to anyone unless you know who is requesting the information and they have a valid reason to receive it
- Check your bank and credit card statements regularly
- Keep all your personal documents and financial statements in a secure place
- Shred all documents with personal information before disposing of them
- Promptly report any theft of your wallet, credit cards, debit cards, checkbook, or financial statements to law enforcement
- Be aware of social scams and how to avoid them
Passwords
Passwords are like keys to your house―they protect what’s most important to you, including your identity. Choosing a strong password―and remembering it―can be challenging, but it’s your first line of defense against cyber-attacks and identity theft.
If you’re guilty of reusing, rotating, or using notoriously easy passwords, you are leaving yourself open to an account breach. Get familiar with what makes a strong password so that you can ensure the maximum security for your sensitive information.
10 Steps to a Stronger Password
1. One and Done
Never reuse your password across multiple sites. If your account is compromised and you use this email address and password combination across multiple sites, your information can be easily used to get into any of your other accounts. Use unique passwords for everything.
2. Complexity is Key
- Use a long password that contains lowercase and uppercase letters, numbers, and symbols.
- Avoid “password walking,” which is when you use consecutive keyboard combinations, such as qwerty or asdfg.
- Don’t use dictionary words, slang terms, common misspellings, or words spelled backward.
- Don’t use personal information such as your name, age, birth date, child’s name, pet’s name, or favorite color or song―even if you put a number after it.
- Strong passwords are easy to remember but hard to guess, like this one: Iam:)2bTr>N935! It has fifteen characters and translates to: I am happy to be turning 35!
- Use nonsense phrases that are easy for you to remember, but hard for someone else to guess. For example: M0ckC@ncP1zTo13 translates to Mockingbird, Cancun, Pizza, Toledo (your favorite book, vacation, food and city).
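Added example (not from the article or ADP): a small Python checker that applies the rules in step 2 to candidate passwords, including the two sample passwords above. The 12-character minimum, the word list and the personal details it is given are assumptions made for illustration.

```python
# Added example (not ADP's code): a checker for the "Complexity is Key" rules.
# The 12-character minimum, the word list and personal details are assumptions.
import string
from typing import Iterable

# Constructed mini word list; a real check would load a full dictionary.
DICTIONARY_WORDS = {"password", "mockingbird", "cancun", "pizza", "toledo", "welcome"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
MIN_LENGTH = 12  # assumed policy value; the article only says "long"


def has_keyboard_walk(pw: str, run: int = 4) -> bool:
    """True if pw holds `run` adjacent keys from one row, e.g. 'qwer' or 'asdf'."""
    low = pw.lower()
    rows = KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]  # both directions
    return any(row[i:i + run] in low
               for row in rows for i in range(len(row) - run + 1))


def contains_dictionary_word(pw: str, words: Iterable[str] = DICTIONARY_WORDS) -> bool:
    """True if a word (spelled forward or backward) appears inside pw."""
    low = pw.lower()
    return any(w in low or w[::-1] in low for w in words)


def contains_personal_info(pw: str, personal: Iterable[str]) -> bool:
    """True if a name, pet, birth year, etc. appears in pw, even with digits appended."""
    low = pw.lower()
    return any(p.lower() in low for p in personal if p)


def check_password(pw: str, personal: Iterable[str] = ()) -> list[str]:
    """Return the rules pw violates; an empty list means it passes every check."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short (use at least {MIN_LENGTH} characters)")
    has_classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)]
    if not all(has_classes):
        problems.append("missing a character class (lower, upper, digit, symbol)")
    if has_keyboard_walk(pw):
        problems.append("keyboard walk (e.g. qwerty, asdfg)")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word (forward or reversed)")
    if contains_personal_info(pw, personal):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    for candidate in ["Iam:)2bTr>N935!", "M0ckC@ncP1zTo13", "qwerty123", "drowssaP2021!"]:
        print(candidate, "->", check_password(candidate, ["Rex"]) or "OK")
```

A production checker would also undo common substitutions (0 for o, @ for a) before the dictionary test and compare candidates against known breached-password lists.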
3. Implement 2FA / MFA
On social media, bank accounts and any other services that offer it, enable two-factor authentication (2FA) and multi-factor authentication (MFA) to add an extra layer of protection (which becomes your first layer of protection should your account details get compromised). These protocols require something you know, like a password, and something you have, such as a code sent to your phone, biometrics (fingerprint, eye scan, etc.), or a physical token. This way, as simple or complex as your password is, it’s only half of the puzzle.
4. Password Managers are Your Friend
A dedicated password manager will store your passwords in an encrypted form, help you generate secure random passwords, offer a more powerful interface, and allow you to easily access your passwords across all the different computers, smartphones, and tablets you use.
5. Spying Eyes
Be sure no one watches when you enter your password. Pay extra attention when you’re on a plane, bus, or other place where you’re in very close proximity to a stranger. Consider using a privacy screen on your frequently used devices.
6. Avoid the Unknown
Avoid entering passwords on computers you don’t control (like at an Internet café or library)—they may contain malware that steals your passwords.
7. Wi-Fi
Avoid entering passwords when using unsecured Wi-Fi connections (like at the airport or coffee shop)—hackers can intercept your passwords and data over this unsecured connection.
8. Keep it to Yourself
Don’t tell anyone your password. Your trusted friend now might not be your friend in the future or might share your password unintentionally.
9. Follow the Underwear Rule
Like your underwear, change your passwords regularly.
10. Fool the Questions
Some sites ask personal questions like how you met your spouse, the color of your first car or your favorite pizza topping to validate your password. These answers are often found on social media or have very common answers that are easily guessed. The best way to use these questions is to choose a random selection (if multiple choice) or enter a wacky response if open text (you can say that your favorite pizza topping is basketballs!).
At ADP, security is integral to our products, our business processes, and infrastructure. We deliver advanced services and technology for data security, privacy, fraud, and crisis management—all so you can stay focused on your business. For more information, visit our Data Security Client Resources.
[1] Verizon Business, 2021 Data Breach Investigations Report.
[2] IBM and Ponemon Institute, Cost of a Data Breach Report 2021.