Online Security


Cybersecurity and Small Business

More than ever, cyberattacks are aimed at small businesses, but not all small businesses are prepared to face this type of attack.

The cost of a cybersecurity breach can be devastating as businesses lose revenue, clients, reputation and growth opportunity. Attackers use many different vectors to gain access to confidential information, but there are ways to protect your business, employees, and clients.

Five Star Bank’s Five Tips for Information Security

  • Use complex and strong passwords or passphrases that are difficult to crack
  • Enable Multi-Factor Authentication (MFA) whenever possible
  • Keep your devices up to date with the latest patches and antivirus software
  • Create regular and secure backups of your data
  • Monitor your accounts for irregular or suspicious activity

Malware

Cybersecurity breaches and attacks can take many forms. Most individuals are familiar with the term “computer virus,” but this is simply a catch-all for the many threats in the cybersecurity landscape. These threats include Malware, Trojans, Ransomware, Spyware, Denial of Service, and more.

The best way to combat such threats is to keep all computers and devices up to date with the latest software patches and utilize reputable Anti-Virus/Anti-Malware software for added protection.

While there may be costs associated with maintaining computer systems and purchasing software to protect networks and devices, those costs pale in comparison to the cost of an actual cybersecurity breach. For small businesses with limited resources, the US Cybersecurity & Infrastructure Security Agency (CISA) provides free services, resources, and tools to secure networks and computers against cyber threats.


Social Engineering

One of the primary attack methods of cybercriminals is social engineering. Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data. Social Engineers will try to gain confidential and privileged information from their victims using some of the methods below:

  • Posing as a trusted brand, such as Microsoft, Amazon, or Google
  • Impersonating a government agency, such as the IRS or the Social Security Administration
  • Attempting to convey a sense of urgency
  • Appealing to greed, as in the “Nigerian prince scam”
  • Digging through your trash for confidential documents such as bank statements

Social engineering attacks can come from various sources, including e-mail, text messages, or phone calls. It is important to take a moment to consider the request and verify the legitimacy of the communication before taking any action. Think before you click!

When encountering a possible Social Engineering attack, consider the following best practices:

  • Be wary of emails and calls requesting sensitive and confidential information
  • Question the legitimacy of calls and emails
  • Never provide usernames, passwords, Social Security Numbers, or One-Time Passwords (OTPs) to callers. OTPs are the codes sent by text message to verify your identity when logging into a secure system such as your bank account
  • If you are unable to verify the identity of a caller, respectfully decline the request and offer to contact them at a verified number
  • Securely shred or destroy documents with sensitive information

Social Engineering attacks are constantly adapting, and it is up to every individual to remain aware and vigilant to combat the threat.


Phishing

In the world of email, text and instant messaging, phishing is a particularly favored tactic of Social Engineers and cybercriminals to obtain sensitive information or gain access to computer networks. In a typical phishing attempt, an attacker will send an email or a message that appears to be from a legitimate source. They will spoof email addresses and names, and even design their emails to look nearly identical to those of a reputable brand or vendor.

Once delivered, the email will typically ask the victim to do one of two things: open a malicious attachment that will infect their device, or click a link and provide sensitive information such as login credentials.

If you encounter an email asking you to take some sort of action, follow the steps below:

  • STOP – take a moment to review the email and ask yourself if you were expecting the email.
    • Does the name and domain of the sender look real? Is there a typo in the name? e.g. Micosoft.com (missing the letter ‘R’)
    • Does the email attempt to create a sense of urgency or use other social engineering tactics to coerce you into clicking the link or attachment?
    • Is there a generic salutation? “Hello customer” or “dear friend”
  • Verify the type of attachment – if someone is sending you a photo, the file extension will be .jpg, .png or .heif. If the attachment has a .exe extension, it is very likely a virus.
  • Hover over the links in the email: do they lead to the intended destination? If on a mobile device, pressing and holding the link may provide a preview of the destination.
  • If in doubt, call the person who sent you the email and confirm it really came from them.
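The checklist above can be turned into an automated first pass for a mail administrator. The script below is an added example, not part of the bank’s page: it applies the same checks (lookalike sender domain, urgency wording, generic salutation, link text that does not match the link target, executable attachment) to a constructed sample message. The brand list, phrase lists and the message itself are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Brands the business actually corresponds with; near-misses of these are flagged.
KNOWN_DOMAINS = {"microsoft.com", "amazon.com", "google.com"}
GENERIC_SALUTATIONS = ("hello customer", "dear customer", "dear friend")
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "24 hours")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def lookalike_domain(domain):
    """Return the known domain this sender domain imitates (micosoft.com -> microsoft.com), or None."""
    domain = domain.lower()
    if domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if SequenceMatcher(None, domain, known).ratio() >= 0.85:
            return known
    return None


def triage(msg):
    """Run the STOP checks over a message dict and return a list of human-readable findings."""
    findings = []
    sender_domain = msg["from_addr"].rsplit("@", 1)[-1]
    imitated = lookalike_domain(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} resembles {imitated}")
    text = (msg["subject"] + " " + msg["body"]).lower()
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgency language in subject or body")
    if any(s in text for s in GENERIC_SALUTATIONS):
        findings.append("generic salutation")
    for href, shown in LINK_RE.findall(msg["body"]):
        shown_host = urlparse(shown.strip()).hostname  # only set when the link text itself is a URL
        real_host = urlparse(href).hostname
        if shown_host and shown_host != real_host:
            findings.append(f"link text shows {shown_host} but points to {real_host}")
    for name in msg["attachments"]:
        if name.lower().endswith(RISKY_EXTENSIONS):  # also catches invoice.pdf.exe
            findings.append(f"executable attachment {name}")
    return findings


# Constructed sample message; not a real email.
SAMPLE = {
    "from_addr": "billing@micosoft.com",
    "subject": "URGENT: your account will be suspended in 24 hours",
    "body": 'Hello customer, verify now: <a href="http://login-verify.example">https://microsoft.com/account</a>',
    "attachments": ["invoice.pdf.exe"],
}

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print("-", finding)
```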

Fraud

As a business grows, it becomes more likely to be targeted by fraudsters. Scams targeting businesses come in many forms, and they are often perpetrated using the Social Engineering methods described above.

  • Account Takeovers: If fraudsters manage to get hold of your banking credentials, checks, or personal information, they may be able to withdraw funds from your accounts or make your account inaccessible.
    • To combat this threat, regularly monitor your accounts and reconcile your statements against business records and invoices. Keep passwords safe and limit account access to a minimum, such as yourself and one trusted employee. Create a strong password for the account and enable Multi-Factor Authentication for added protection.
  • Fake Invoices: Fraudsters may create invoices to appear as if your business ordered their products or services, hoping that the person paying the bills will assume they are valid.
    • Maintaining a list of approved vendors, account numbers, and contact information can keep your business safe from this threat.
  • Check Fraud: Fraudsters may make an overpayment to you for services that may or may not have been provided. They will then ask that the difference be refunded, often through a wire transfer, hoping that you will send the funds back before their fake check is returned.
    • To protect yourself from check fraud, accept only guaranteed forms of payment when dealing with new clients or where recourse is not available. If a client requests a refund on a payment, advise them that you must wait for the payment to clear first.
  • Advertising Fraud: Fraudsters contact business owners to sell them nonexistent advertising space online. This advertising space may seem like a great deal, and the fraudsters may use high-pressure sales tactics and social engineering to have the business owner provide payment information. Once the payment is collected, the fraudsters disappear, and no advertising is provided.
    • If a deal sounds too good to be true, it probably is. This type of fraud relies on Social Engineering, and if you cannot verify the legitimacy of a call, hang up and call back at a verified number.

For additional protection, the Five Star Bank Treasury Solutions Team is dedicated to understanding your business and supporting your success. Our services are designed to help you streamline cash flow and gain a competitive advantage with management of receivables and payables, liquidity, and fraud prevention.


Additional Resources for Keeping Your Business Safe & Secure

Five Star Bank is committed to the security of our customers' information and cyber awareness. As threats continue to evolve, it is imperative that you and your staff understand the risks to help minimize risk of a breach within your company or at home. We have outlined some key terms below with some recommendations on how to help minimize risk around these threats.

Training: As valuable as our employees are, they can also pose the greatest risk. Companies should implement monthly training and testing to keep employees updated on current cyber risks and trends. Testing can help identify employees that need additional training on how to recognize Phishing attempts.

Email Security: Threats around email continue to be the main avenue for breaches. Most BEC, Ransomware, and other breaches can be tied back to malicious links or attachments received through email, which an employee clicked on or opened. Companies should understand these risks and implement security measures, such as Multi-Factor Authentication, SPF/DMARC/DKIM, Advanced Threat Protection, and Suspicious Event Alerting to minimize risk to the company, infrastructure, and the employee.
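SPF and DMARC are published as DNS TXT records, and a record that exists but is set permissively gives little protection. The checker below is an added example, not from the bank or the page: it audits already-fetched SPF and DMARC record strings (no DNS queries are made) and flags the settings that leave a domain spoofable, shown against hardened versions. The records and the domain names in them are constructed for illustration.

```python
def parse_tags(record):
    """Split a 'k=v; k=v' style record (DMARC) into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(record):
    """Flag SPF settings that let unlisted senders pass or break the record entirely."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    final = terms[-1].lower()
    if final in ("+all", "all", "?all"):
        findings.append(f"'{final}' lets any server send as the domain; use -all (or ~all while testing)")
    elif final not in ("-all", "~all"):
        findings.append("no 'all' mechanism; unlisted senders are not rejected")
    # SPF allows at most 10 DNS-querying terms; exceeding it yields permerror and no protection.
    querying = ("include", "a", "mx", "ptr", "exists", "redirect")
    lookups = sum(1 for t in terms if t.lower().lstrip("+-~?").split(":")[0].split("=")[0] in querying)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    return findings


def audit_dmarc(record):
    """Flag DMARC settings that only monitor instead of enforcing."""
    findings = []
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: receivers do not reject failing mail (quarantine is an interim step, reject is the goal)")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports showing who sends as your domain")
    return findings


# Constructed records (documentation domains and IP range), weak beside hardened.
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 ip4:203.0.113.10 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
```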

Multi-Factor Authentication (MFA): This should be turned on for any and all services that are accessible outside of your infrastructure. Office 365, Salesforce, Online Banking, VPN, and other websites that contain financial, healthcare, or other personally identifiable information (PII) should have MFA enabled to minimize your risk.

Business Email Compromise (BEC): In 2019, BEC scams cost US businesses $3.5 Billion. A majority of these scams are initiated by email. A procedural change as it relates to email requests can help minimize this risk. Companies should consider implementing a “call back” procedure to a known good phone number for any request around wires, ACH, payroll, vendor account number and address changes requested through email.

Patch Management: It is important to keep systems updated with the most current patches. A centralized application will help administer deployment of key patches to endpoints. However, if a centralized application is not available, make sure to set your computers to auto-update when critical patches are released.

Anti-Malware: A good endpoint security solution should include anti-malware, intrusion prevention, and a firewall to minimize exposure to malware.

Firewall: A firewall should be turned on for the endpoints as well as the perimeter of the network. Key components, like Geo-IP Filtering, Content Filtering, and other controls on a network perimeter firewall will help minimize risk to malicious traffic entering your network.

Vulnerability Scanner: A vulnerability scanner is useful in verifying that patch levels have been updated and applications are secure, and it helps to identify additional security holes. Microsoft occasionally issues patches which also require a manual registry update to apply the patch, and periodically this step is missed. A vulnerability scanner should be able to identify any missing registry keys associated with a patch.

Incident Response: No one ever thinks they are going to be the next victim. However, having a good incident response plan that outlines key personnel and their responsibilities will greatly streamline recovery in the event of an incident.

Disaster Recovery: Clean backups are required to ensure a successful recovery after a breach. Make sure key data, applications, and resources are backed up.

Cyber Insurance: Cyber insurance can help minimize financial risk to the company in case of an incident.