VIEWPOINT: Businesses & employees must stay alert to changing fraud tactics

October is cybersecurity month, and like the masks people wear at Halloween, perpetrators of online fraud frequently change how they look. It’s important to remain vigilant and make sure your employees are familiar with new fraud tactics.

One increasingly common tactic is known as “remote access scamming.” With remote-access scams, fraudsters are hoping to trick you or your employees into providing them with the information they need to gain access to your systems, especially your online-banking credentials. One example of a common remote-access scam starts with a phone call from someone who claims to have identified a computer problem with your system.

Sometimes they’ll claim to be from the IT department, or from a large well-known technology or software company, stating that they need your help to fix a problem. What they are really trying to do is gain control of your system, using your access and passwords. 

A recent — and diabolical — twist is that some fraudsters are saying that they have detected an issue with your business banking account and they’re transferring you to the Fraud Department to “help fix” the issue. Nothing could be further from the truth; they are using your fear of fraud to gain access.

Here are some red flags that you should be aware of, and make sure your employees are familiar with as well:

• Unsolicited tech support calls — an incoming call from “tech support” should be treated with suspicion, especially if all of your devices are working properly. If you haven’t called for tech help and someone calls you, put your guard up immediately.

• Pop-ups directing you to call a number to address a detected virus — this is a method to have you initiate the call, and have you provide them with the details that provide remote access to your computer. 

• Gift-card requests — this should be a dead giveaway that something is wrong or not above-board. No legitimate company will ever ask for you to purchase a gift card and then provide the information to someone over the phone.

• High-urgency requests — any demands that there is no time to waste, or other indicators that an issue is urgent, should be treated with high levels of suspicion. What criminals are hoping for here is that you — or your employees — will react without thinking about the request or asking any questions about its legitimacy.

• Requests for one-time PINs — one-time PINs (OTP) are a key fraud-prevention measure and should never be circumvented. Never provide an OTP to anyone who calls and requests one.

• Requests to download software — any request to download software onto your computer, especially to “fix” a virus or other issue, from someone who has called you should be treated as potential fraud.

• Requests for any other sensitive information — if a request seems weird or suspicious, pay attention to your instincts. Providing funds for a lawyer or legal fees over the phone is strange. A sudden family emergency that requires over-the-phone payment, but the caller isn’t someone you know, is also strange. Requests to mail cash — strange. Someone saying they are from your bank but asking you to provide them with digital banking credentials — very suspicious. Treat any of these scenarios as having a high potential for fraud. 

It’s critically important that your employees are aware of these types of scams, because fraudsters will frequently target people who are expected to respond quickly to requests from company officials. It’s called “spear-phishing” and it’s designed to prey upon rank-and-file employees. In other words, criminals are hoping that your employees will be too scared or too intimidated by a request from “the boss” to say no. 

If you ever have a reason to suspect that you’ve fallen victim to a remote-access scam, immediately call your financial institution’s customer-service team. Have your systems professionally cleaned and change all of your passwords and login credentials. 

One of the most important things you can do as a leader in your organization is to make employees feel comfortable saying “no,” and stopping, thinking, and questioning requests. You would rather have them say “no” to the CEO than “yes” to an online criminal.


Terra Carnrike-Granata is senior VP and senior director of information security at NBT Bank, where she designs and implements sophisticated controls to prevent loss and mitigate risk, while also developing innovative ways to educate consumers and businesses on cyberthreats.
