It’s Monday morning, and you are checking your emails to start your week off on the right foot. You see that you have an “Urgent” email from a trusted financial institution requesting immediate action on your part. The email tells you that they are updating all client files, and that in order to comply with this important undertaking, you have to open the attachment, complete a form with updated personal information and send it back as soon as possible. You notice that the address the email came from is different from the one usually associated with your bank, but because of the alarmist tone of the email, you do exactly what has been requested, no questions asked.
What is wrong with this picture? If you say “Nothing”, then you will run into some major problems. By not being able to identify the security risks in the above scenario, you are putting yourself and your business at great risk for security breaches, and other cybercrimes.
Let’s take a closer look at the scenario, and unpack the red flags:
Red flag #1: First and foremost, a financial institution would never solicit you in this way. They know better than to ask customers to provide highly sensitive information via email or even phone. Normally, they would ask you to go to the website yourself to make any necessary updates; some institutions will not even provide a link due to the potential security risks, such as being directed to a counterfeit website.
Red flag #2: The email address looks suspicious. If your financial institution’s email address is usually “noreply@YFI.org”, then anything other than this should be viewed warily. If you get an email that appears to be from them but has an address like “noreply@YFI-banking.org”, there is a very good chance it is a fraudulent email. Pay attention to the domain name (what appears after the ‘@’ symbol) and to how it usually appears in a legitimate email. If in doubt, contact your financial institution to ask whether they sent the email.
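The domain comparison in Red flag #2 is easy to get wrong by eye, because a look-alike domain is built to contain the familiar name. The script below is an added example (it is not part of the original post and not DalPay’s code) that pulls the domain out of a From header and only accepts an exact match against a list of domains you have confirmed with the institution; the trusted domain “yfi.org” and the sample headers are constructed to mirror the scenario above.

```python
"""Check an email's sender domain against the domain you expect from your bank.

Added example, not part of the original post. The trusted domain and the
sample From headers are constructed to match the post's scenario.
"""
from email.utils import parseaddr

# Domains you have verified out of band (e.g. by phoning the institution).
# Constructed for this example; replace with the domains your own bank uses.
TRUSTED_DOMAINS = {"yfi.org"}


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From header.

    parseaddr strips display names, so 'Your Bank <noreply@YFI-banking.org>'
    yields 'yfi-banking.org'. A header with no '@' yields an empty string.
    """
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip().lower()


def check_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a From header as 'trusted', 'lookalike' or 'unknown'.

    Only an exact domain match counts as trusted. A domain that merely
    contains the trusted name (YFI-banking.org, yfi.org.example.net) is
    flagged as a look-alike, which is the pattern Red flag #2 describes.
    """
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        name = good.split(".")[0]  # the recognisable part, e.g. 'yfi'
        if name in domain:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers: the legitimate address and the scenario's fake.
    for header in ("noreply@YFI.org",
                   "Your Bank <noreply@YFI-banking.org>",
                   "support@example.net"):
        print(f"{header!r:45} -> {check_sender(header)}")
```

Two caveats a practitioner would want: an exact-match list is deliberately strict, so if your bank legitimately mails from a subdomain, add that subdomain to the set rather than loosening the comparison; and this check only catches addresses that differ from the real one. A message whose From header is forged to show the real domain is caught by your mail provider’s SPF/DKIM/DMARC checks, not by this script.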
Red flag #3: The email is asking you to open an attachment. Again, a financial institution would not send you an attachment. Rather, they might give you the steps to locate the important documentation on their trusted and secure website, not through email. Email attachments from people and organizations that you don’t know are especially risky, as they can contain malware.
Red flag #4: The email is requesting highly sensitive personal information. It cannot be reiterated enough that a trusted financial institution would never ask you to provide personal information through email. Providing personal information puts you at risk for identity theft which can seriously harm your finances, credit rating, personal and professional relationships and other aspects of your life.
Don’t feel bad if you did not recognize any of these red flags – now you do, and you will be better off because of it. To further protect yourself and your business, take heed of the following tips:
- Educate yourself and your team about cyber security risks. Learn what the latest risks are and how you can avoid them by participating in free webinars and reading online articles and insights from trusted sources. IT security organizations like McAfee and AVG have loads of useful tips and tricks.
- Protect yourself against hackers, viruses and other potential security breaches. Get good antivirus software, create complex passwords (and change them regularly!), and use data encryption technology to further protect sensitive data from being compromised.
- Create and maintain internal and customer-facing risk management policies and procedures. This will protect you from the inside out, and the outside in. For internal policies that concern employees and business partners, keep access to sensitive data limited, and do background checks if you feel this is necessary.
- Make all of your customer-related policies and procedures accessible in writing. Include refund, billing and shipping policies, privacy and security policies, etc.
- Familiarize yourself with the contracts you have with your financial institutions and other business partners. Know your liability in case of losses through fraud and other security breaches.
- Remove and destroy the hard drives of old computers and devices (don’t merely dispose of them). Also, it’s good practice to shred and properly dispose of paperwork containing sensitive data.
Just because you have a small or medium-sized business does not mean that you are immune to the countless cyber security risks out there. In fact, online predators specifically target smaller businesses because of their lack of knowledge and training on security. By learning everything you can, you are preventing yourself, your assets and your customers from falling prey to the potential threats lurking in your emails. For more tips on securing your e-commerce business, visit the Security Centre of the DalPay Blog and follow us on Facebook and Twitter.