You've Been Hacked: What Cybercriminals Are Really After 12/13/2017


By Chris Mouton, Risk Management Specialist

Recently, one of our clients experienced a frighteningly close call related to a cyberattack on their business. The corporate secretary received an email from the CEO requesting that she send him a copy of every employee’s Form W-2. She dutifully pulled together all of the information, but instead of hitting “Reply” on the original email, she sent the attachments in a new message. The CEO responded, confused, “What are you doing?”

It turned out that the executive had not written the original missive at all. Rather, it was a cleverly disguised phishing attack aimed at gathering employees’ personal information—including social security numbers—which could be sold on the black market or used to open credit cards and other financial accounts.

The Harsh Reality
Most people have received the dreaded phone call from their bank’s fraud alert department notifying them that their credit or debit card has been charged in a dozen different states, despite never leaving their possession. The tedious and time-intensive process of verifying purchases, waiting for a new card to arrive, updating auto-draft accounts and monitoring for additional fraudulent activity is nothing short of maddening. Equally frustrating is the fact that if this type of hack can happen to you, it can happen to your business.

Whether yours is a multinational enterprise or a small business with a handful of employees, no organization is immune to cybercrime. In fact, a 2016 report from the Ponemon Institute noted that half of all SMBs experienced a data breach in the preceding 12 months. So, what type of information are these bad actors after, how do they get it, and how do they use the personal data they steal? More importantly, what can you do to stop them?

Names and Numbers
Just like the hackers that swipe your credit card number, cybercriminals target any type of data in your company files that can be monetized, whether through fraud, identity theft, or even blackmail. Not only are the names of your employees and customers at risk, but also related data that can be used to create a fake identity or access additional information. The most common types of data that are stolen include:

  • Member name or username
  • Member ID number
  • Date of birth
  • Social security number
  • Physical mailing address
  • Email address
  • Telephone numbers
  • Bank account numbers
  • Claims information

Social security numbers are especially valuable, since they can be used to open credit cards and bank accounts, or to verify a person’s identity for access to additional private information, like medical records. Child care centers, schools and medical facilities also face the unique risk of having children’s social security numbers stolen—a particularly nefarious act, since the crime often is not detected until after the child turns 18.

Sneak Attack
Cybercriminals use numerous strategies to access private personal information stored on servers, computers, and local networks. Newer social engineering techniques pose a growing threat to businesses because they target human fallibility instead of firewalls and other technical controls. Often, the bad actors will already have infiltrated the company’s email system and will be lurking in the shadows, reading correspondence and waiting for the right opportunity to strike.

Imagine that an executive sends a note to her staff with the dates of her upcoming vacation. The cybercriminal then creates an email address that looks nearly identical. For example, leslie.smith@xyzcorp.com becomes les1ie.smith@xyzcorp.com, where the second letter “l” has been replaced with the digit 1. The day after the executive leaves town, a staffer receives an urgent email from her noting that an outstanding invoice was overlooked, and asking the employee to wire a large sum to a specific bank account to keep the vendor from taking legal action. The email looks legitimate, and without close scrutiny, the ruse can easily result in funds being transferred directly into the cybercriminal’s coffers.

Other forms of social engineering use attachments or fake Dropbox links to install malicious code into a company’s computer network that can be used to access confidential data or trigger a ransomware attack. Similarly, quid pro quo attacks trick employees into revealing their login credentials, providing direct access into their company’s network. Often, this is accomplished by the cybercriminal impersonating an IT service representative, either on the phone or in person, and claiming they need to update certain software on the employee’s system.

Safety Measures
The best way to guard against these crafty schemes is to raise awareness company-wide, and put appropriate security protocols in place that can nip an attempted data breach in the bud. Larger organizations as well as small and mid-size firms should develop clear processes and procedures to safeguard sensitive data, and train all employees on how information can be shared via phone, email or in person. Here are several best practices to consider:

  • Verify credentials – If an employee is asked to provide documents or account numbers, transfer funds, or allow access to their computer, they should always verify the credentials of the person making the request. For example, an employee can call their IT department to authenticate a technician’s credentials prior to letting the person log into their PC or laptop. Similarly, if someone calls claiming to be with the company’s bank, the employee can call the main bank number on another line to confirm that the person works there.
  • Create a dual-approval process – Every organization should have safeguards in place for how financial transactions are managed. If an employee receives instructions via email to send money to a vendor or bank account, for example, the employee should first speak with their manager to validate the request before taking action.
  • Double-check email addresses – Employees should be trained to carefully scrutinize the sender’s address for all incoming messages, even if the email appears to be from a trusted colleague. Cybercriminals are crafty, and they rely on people being in a hurry so they don’t catch the subtle spelling change in an email account used for phishing.
  • Mistrust links and attachments – If an email that appears to be from a bank or vendor includes a link to access the company’s account, employees should be instructed to go to the sender’s website directly and log into the account that way. Similarly, if an employee receives an email with an attachment or link to a Dropbox folder, they should first call the sender to confirm the message was from them before clicking to download any files.
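The look-alike address trick described earlier (les1ie standing in for leslie) and the “double-check email addresses” practice above can be backed by a mechanical check rather than left entirely to a hurried reader. The following is an added example, not code from this article or from Marsh & McLennan Agency: it folds visually confusable characters (digits that mimic letters, accented and Cyrillic look-alikes, “rn” read as “m”) and compares an incoming sender against a list of trusted addresses. The trusted list, the homoglyph table and the similarity threshold are constructed assumptions chosen for illustration, and the example goes a little beyond the article’s single digit-for-letter case by also catching accent and Cyrillic substitutions.

```python
"""
Flag sender addresses that impersonate known, trusted addresses.

Added example. The trusted addresses, the homoglyph table and the
threshold below are constructed for illustration (assumptions).
"""
import unicodedata
from difflib import SequenceMatcher

# Single characters routinely swapped for visually similar ones.
# Constructed, deliberately small table; extend it for your environment.
HOMOGLYPHS = {
    "1": "l", "|": "l", "!": "l", "\u0131": "i",   # digit/bar for l, dotless i
    "0": "o", "\u043e": "o",                       # zero and Cyrillic о for o
    "3": "e", "\u0435": "e",                       # three and Cyrillic е for e
    "5": "s",
    "\u0430": "a", "\u0441": "c", "\u0440": "p",   # Cyrillic а, с, р
}
# Two-letter sequences that read as one letter in many fonts.
DIGRAPHS = {"rn": "m", "vv": "w"}


def normalize(address: str) -> str:
    """Reduce an address to a canonical form so look-alikes collide."""
    text = unicodedata.normalize("NFKD", address.strip())
    # Drop combining marks so "lésl?e" becomes "leslie"-style plain ASCII.
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.lower()
    for seq, single in DIGRAPHS.items():
        text = text.replace(seq, single)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in text)


def classify_sender(sender: str, trusted, threshold: float = 0.85):
    """Return (verdict, matched_trusted_address_or_None).

    verdict is one of:
      'trusted'    - exact (case-insensitive) match with a known address
      'lookalike'  - identical to a known address once homoglyphs are folded
      'suspicious' - very close to a known address by edit similarity
      'unknown'    - no resemblance to any known address
    """
    raw = sender.strip().lower()
    for t in trusted:
        if raw == t.strip().lower():
            return "trusted", t

    folded = normalize(sender)
    best, best_ratio = None, 0.0
    for t in trusted:
        folded_t = normalize(t)
        if folded == folded_t:
            return "lookalike", t
        ratio = SequenceMatcher(None, folded, folded_t).ratio()
        if ratio > best_ratio:
            best, best_ratio = t, ratio

    if best_ratio >= threshold:
        return "suspicious", best
    return "unknown", None


if __name__ == "__main__":
    # Constructed trusted list and sample senders, including the
    # article's les1ie example and a Cyrillic "о" in the domain.
    TRUSTED = ["leslie.smith@xyzcorp.com", "accounts.payable@xyzcorp.com"]
    samples = [
        "leslie.smith@xyzcorp.com",
        "les1ie.smith@xyzcorp.com",
        "leslie.smith@xyzc\u043erp.com",
        "leslie.smith@xyzcorp.co",
        "newsletter@unrelated-vendor.net",
    ]
    for s in samples:
        print(f"{s:36} -> {classify_sender(s, TRUSTED)}")
```

A check like this belongs in the mail gateway or a mail-client add-in that tags or quarantines messages whose sender folds onto an executive’s or vendor’s address; it complements the call-back verification described above rather than replacing it, since a correctly spelled but compromised mailbox will still pass.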

Through its partnerships with insurance carriers and cyber-security firms, Marsh & McLennan Agency can help your team establish sound data security protocols, as well as a response strategy in the event that a breach does occur. We can also recommend resources for identity theft and credit monitoring, cyber coverage, and other types of insurance to minimize your exposures. If we can be of any service, please call our office, and a member of our team will be happy to assist you.