Let’s get this out of the way: More companies need to do a better job of protecting themselves – not to mention their customers – from the theft of sensitive personal and account information by hackers.
The good news is that companies are becoming more sophisticated all the time as they learn how to better protect their systems. They are cooperating with law enforcement, and sometimes each other, to keep out criminals.
The bad news is that criminals do not need to hack the professionally deployed, sophisticated, and multi-layered defenses of your favorite big box store or bank to get what they want. They can just attack a system run by the inexperienced information security manager who oversees your home computer and mobile phone. In most cases, unfortunately, that is you.
But you can help protect yourself. During my many years with the FBI, I saw every kind of attack on business and individual computer systems. By far, the most widely used and effective was the e-mail compromise.
In an e-mail compromise, hackers pretend to be someone or some organization that you trust, insulating themselves from detection by security and antivirus protections. They get you to download a virus or give up your log in credentials so they can seize control of your computer. In some cases they then pretend to be you to order products online or trick friends or colleagues to give up something of value.
The best way to beat the e-mail compromise is to recognize the signs of this all too common attack. Here is what you might see:
- The e-mail claims to be from a friend, colleague or trusted company, but it seems slightly off. Maybe there are misspellings or the color of the logo is not quite right.
- When you attempt to view the address of the sender, you cannot. Instead of “firstname.lastname@example.org,” all you can get is “Sally Doe,” in the sender line.
- The sender wants you to do something now. It is, “URGENT!” If you don’t, “ACT RIGHT AWAY,” the offer will expire.
- It mentions a tragedy or horrific event in the media with a link to a picture or a video and says, “You have to see this!”
- Sometimes there is a threat associated with the e-mail. The sender may say that if you fail to respond, you will be referred to collections, or even fired from your job.
- You are asked to open a file, click on a link, or enter your log in credentials directly from the e-mail.
- You may not have applied for the benefit the e-mail is offering, or entered the contest the e-mail says you won.
- The sender does not want you to call with questions. Instead, he reminds you that he is, “having cell trouble,” or, “out of pocket today,” or, traveling to attend a funeral so “if you need me, the best way to get me is by e-mail.” If the e-mail purports to be from a business, it might suggest that you will get a response more quickly if you e-mail your question rather than call the customer service center.
The bottom line: e-mails that seem out of the ordinary should be confirmed with the purported sender via a telephone number already on file, or that is available through a trusted public source.
Businesses have a responsibility to invest in the proper resources to prevent fraud and theft. You, however, are the first line of defense when it comes to protecting your personal and account information.