Cybercrime has been a hot topic in the news recently with ransomware attacks such as WannaCry and Petya. It is important to protect ourselves from these types of threats by educating employees to recognize the differences between phishing attacks and legitimate email. This isn't always easy.
Possibly even more dangerous are frauds that come in the form of spear-phishing attacks. Spear-phishing is the practice of sending emails that appear to come from a known or trusted sender in order to induce targeted individuals to reveal confidential information. Spear-phishing attacks tend to target C-Suite individuals or others whose role gives them access to banking information or the authority to approve payments. Since 2016, and even more frequently in 2017, there has been a rise in these C-Suite targeted attacks. CEO fraud uses social engineering and email spoofed to look as though it comes from an executive to influence other senior executives and/or accounting and human resource staff to provide sensitive information or, worse, transfer money to the attacker's bank accounts.
Why are these attacks successful? Many individuals don't take the extra time to pick up the phone and confirm the transaction with the senior officer who supposedly requested it. Sometimes that person is not available or can't be bothered, but a simple phone call would identify the fraud before it happens. Make the call to a number you already have on file, not to a number given in the email itself, because a fraudulent request will often include the attacker's own "callback" number.
Businesses need security awareness training for their employees so they are informed about fraudulent attacks. It all starts with awareness. Here at Weiss & Company LLP we hold periodic training with our staff and have an involved and visible IT department. When we identify suspicious emails, they are shared throughout the office, because many scams target multiple individuals in an organization. Our cybersecurity is of utmost importance because it's not just our firm's information at stake; more importantly, it's our clients' information.
Often overlooked in the education and prevention of cyberattacks is the importance of creating strong, secure passwords. Here are some tips that I like to follow when creating passwords.
1. Use a phrase as your password. This accomplishes two things. It creates a longer password, which makes it harder to guess or to crack by brute force, and because it is a phrase it should be easier for you to remember.
2. Use special characters such as !@#$%^&*+= when the software allows them.
3. Use combinations of upper and lowercase letters, but don't make the uppercase letter the first or last letter of the phrase; capitalizing the first letter is the first variation password-cracking tools try.
4. Create the phrase yourself, or choose something that isn't common, then alter it to make it more difficult to crack. For example: "What'sForBreakfast." Using the @ symbol as a simple character substitution, you can change it to Wh@t'sForBre@kf@st. Although that is already a strong, easy-to-remember password, I would make it more secure by changing it to "what's4or8reaKf@st", which also keeps the uppercase letter away from the first position. Keep in mind that the standard substitutions (@ for a, 4 for A, 0 for o) are built into cracking tools' rule sets, so they add less strength than they appear to; the length and unpredictability of the phrase itself matter more.
5. Don't write it on a Post-it note by your workspace.
6. If you don't use a phrase, still avoid passwords built from dates, your name or your birth date; those are the first guesses an attacker who knows anything about you will try.
7. Don't use character patterns in your password such as 12341234, or keyboard walks such as qwerty.
8. Don't reuse a password across accounts, and don't "change" it by incrementing a number (Summer2017 to Summer2018); a breach at one site then exposes every other account that shares the password.
9. Do mix upper and lowercase letters throughout your password, not just at the start (see tip 3).
10. Do use a second factor of authentication when available, such as having a code sent to your phone or email address. An authenticator app or a hardware security key is stronger still, because codes sent by text message or email can be intercepted or redirected if the phone number or mailbox is taken over.
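The tips above are easier to apply consistently when they are written down as checks. The following is an added example, not code from the column or from Weiss & Company: a small password-policy checker that encodes the rules listed above (phrase length, mixed case away from the first and last position, special characters, no repeated or sequential patterns, no dates, no personal information, and no reuse or numeric increment of the previous password). The 14-character minimum and the 3- and 4-character pattern thresholds are assumptions; the column gives no numbers. The passwords it is run against are the column's own examples plus a few constructed ones.

```python
import re
from typing import Iterable, List, Optional

# Characters the column lists as examples of "special characters".
SPECIALS = "!@#$%^&*+="
# Assumed length floor for a passphrase; the column does not give a number.
MIN_LENGTH = 14


def has_repeated_block(pw: str) -> bool:
    """True when a run of 3+ characters is immediately repeated, e.g. '12341234'."""
    return re.search(r"(.{3,}?)\1", pw) is not None


def has_sequential_run(pw: str, length: int = 4) -> bool:
    """True when `length` consecutive characters step by exactly +1 or -1
    in code-point order, e.g. '1234', 'abcd', 'dcba' (keyboard walks such
    as 'qwerty' are not caught by this check)."""
    for i in range(len(pw) - length + 1):
        window = pw[i:i + length]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def looks_like_date(pw: str) -> bool:
    """True when the password embeds a stand-alone year (19xx/20xx) or a
    6- to 8-digit run such as 041277 or 12251990."""
    return re.search(r"(?<!\d)(19|20)\d{2}(?!\d)|\d{6,8}", pw) is not None


def _letters_only(s: str) -> str:
    return re.sub(r"\d", "", s).lower()


def is_numeric_increment_of(new: str, old: str) -> bool:
    """True when `new` is `old` with only its digits changed, e.g.
    'Summer2017' -> 'Summer2018', the rotation pattern tip 8 warns about."""
    return (new != old
            and any(c.isdigit() for c in new)
            and _letters_only(new) == _letters_only(old))


def check_password(pw: str, previous: Optional[str] = None,
                   personal: Iterable[str] = ()) -> List[str]:
    """Return a list of findings; an empty list means the password passes.
    `previous` is the user's last password (for the reuse/increment check);
    `personal` is a list of tokens such as the user's name or birth year."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"too short ({len(pw)} chars); use a phrase of {MIN_LENGTH}+")
    if not any(c.islower() for c in pw) or not any(c.isupper() for c in pw):
        findings.append("mix upper- and lowercase letters")
    if not any(c in SPECIALS for c in pw):
        findings.append("add a special character such as " + SPECIALS)
    caps = [i for i, c in enumerate(pw) if c.isupper()]
    if caps and all(i in (0, len(pw) - 1) for i in caps):
        findings.append("uppercase letters only at the first/last position")
    if has_repeated_block(pw):
        findings.append("repeated character block (e.g. 12341234)")
    if has_sequential_run(pw):
        findings.append("sequential run (e.g. 1234, abcd)")
    if looks_like_date(pw):
        findings.append("contains what looks like a date or year")
    lowered = pw.lower()
    for token in personal:
        if token and token.lower() in lowered:
            findings.append(f"contains personal information ({token})")
    if previous is not None:
        if pw == previous:
            findings.append("reuses the previous password")
        elif is_numeric_increment_of(pw, previous):
            findings.append("previous password with only the number changed")
    return findings


if __name__ == "__main__":
    # The column's examples, plus constructed cases for the "don't" rules.
    samples = [
        ("Wh@t'sForBre@kf@st", None, ()),
        ("what's4or8reaKf@st", None, ()),
        ("12341234", None, ()),
        ("Summer2018", "Summer2017", ()),          # constructed: rotated by increment
        ("jane1975rocks", None, ("jane", "1975")),  # constructed: name + birth year
    ]
    for pw, prev, info in samples:
        problems = check_password(pw, previous=prev, personal=info)
        print(f"{pw!r}: {'OK' if not problems else '; '.join(problems)}")
```

Note that this checker only enforces structure; it says nothing about whether a phrase is a famous quotation or song lyric that sits in a cracking wordlist, which is why the column's advice to make up the phrase yourself still applies.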
If you have trouble remembering passwords, use a secure password manager. A manager can also generate a long, random password for each site, so the only one you have to remember is the master password; protect that one with a second factor. There are a number of managers recommended by industry experts, including LastPass, Dashlane and 1Password.
By some estimates, cybercrime costs the global economy over $400 billion annually. In our increasingly networked world, take the time to secure your personal and business information. When your information is strongly protected, attackers will go elsewhere to prey on easier targets who have not implemented basic cybersecurity.
• Keith White, CPA, is with Weiss & Company of Glenview.