October 2017 eNewsletter

Passwords are like underpants – Change them often, keep them private and never share them with anyone.

Joe Berardi, Client Account Representative, Full Service Networking

Here are a few simple tips and techniques to help keep your accounts safer by protecting your passwords. Hackers often utilize password cracking programs that cycle through millions of combinations per second in an attempt to guess your password. Some hackers utilize dictionaries as the source to guess passwords while others simply use brute force measures and run through all combinations of upper and lowercase letters, numbers and special characters.

  1. The longer the better. Use long passwords or password phrases of at least 12 characters or more.  Using long password phrases will offer you protection from dictionary attacks as well as brute force attacks. Every additional character you use for a password increases the number of possible combinations exponentially. To create a password phrase do not use a well-known quote, song lyric or line from your favorite movie. Password phrases will be easier to remember if they have a significant meaning to you.
  2. When creating your password phrases utilize upper and lowercase letters, numbers and special characters. Do not put the uppercase letters at the beginning and special characters at the end as hackers are well aware of this habit.
  3. Do not use the same password for all of your accounts. Although it is easy to remember just one password it could be a disaster if your password was compromised and used for multiple logins. If you fall victim to a phishing attack where you were tricked into revealing your credentials this could be a catastrophe.
  4. Do not store your passwords in a spreadsheet, a text document or email them to yourself. If a hacker gains access to your computer or email account they will scour your files looking for password lists. It is also not a good practice to write your passwords on a sheet of paper.
  5. Never share your passwords with others. You may have a very secure and complex password but if you share it with someone else and they store it in a file, an email or write it down, then it will make little difference.
  6. Substituting numbers and special characters for letters used to be an effective technique to protect your account, but password cracking software is on to that method. So using Spr1ngst33n for Springsteen, or B@n@n@$ for Bananas, is no longer effective.
  7. Do not use recognizable keystroke patterns for your password. 4rfv5tgb6yhn might look like a tough password to guess but if you look closely at your keyboard you will notice that there is a pattern and your password is not random.

Business Email Compromise: A Deceptive Threat to your Business

Eric J. Nabozny, Commercial Market Manager, First Financial Bank

With the recent Equifax Data Breach, our minds instantly turn to how we can better protect our personal information and the information of our business.  As important as these data breach threats are, as seen in the rampant media coverage to expose these threats, there is another equally pervasive threat to our businesses that often goes unnoticed and unreported.  This threat is known as “Business Email Compromise.”

Business Email Compromise (BEC), as defined by the FBI, is a sophisticated scam targeting businesses that work with foreign suppliers and/or businesses that send wire transfers regularly.  These attacks can take the form of an internal business email account that has been compromised via malware or more often by using a technique called “spoofing.”  Spoofing is an attack that leverages social engineering and deception to trick the recipient of a spoofed email into believing the sender is legitimate.  A spoofed email address is created to look like the legitimate email address, however, only a letter is omitted or deliberately transposed to confuse the recipient.

BEC has recently become one of the fastest growing crimes in the world of business payment fraud and one of the most profitable modes of fraud leveraged by organized crime today.  Cumulatively from October 2013 to December 2016, the FBI has recorded more than 40,000 incidents and more than $5.3 billion in losses!

Deception is the primary tool of BEC.  This deception, typically orchestrated by foreign crime rings, is a highly sophisticated operation that involves weeks and months “researching” the business to target.  These fraudsters learn who your vendors are, what billing systems you use, and your CEO’s work habits and even travel schedule through compromised legitimate business email accounts, malware-infected computers, or social engineering.  When the timing is right, usually when a Senior Executive is traveling, a spoofed email will be sent to accounting requesting an urgent payment be made to “vendor,” “investor,” or other similar legitimate sounding transaction on the executive’s behalf.  Oftentimes, the recipient only wants to be helpful and assist in what appears to be a very important request.  They have been provided just enough valid information to believe the request is real.  Cyber criminals count on their target not taking the time to verify the e-mail. 

No business is immune to such attacks, so a business process plan and response plan is critical to preventing and responding to a BEC attack.  Here are just a few steps your business can take now to address this rapidly expanding threat:

  • Dual Control for Payments:  Any transaction created by your business should always require at least two individuals’ approval to send.  Between internally implemented procedures and online banking controls available to your business, this simple process can be the main line of defense to prevent you from falling victim.
  • Communication and Education:  Establish policies that communicate how any and all payments are to be processed and no payment instructions can ever be accepted via email.  Also, communicate the importance of awareness regarding any communication with outside parties to your business. Whether via phone or email, educate your staff to scrutinize and ask questions regarding the origin of a request.  Making this part of everyone’s daily routine lets the criminal know that this target might be difficult to penetrate and they’ll move on to the next target.
  • Incident Response Plan:  Work with your Executive Teams, Communications, and Legal Counsel to formulate a business plan to respond swiftly and appropriately to an attack.  Oftentimes, a documented and rehearsed game plan can help your business stop a funds transfer or possibly recover funds before it’s too late!
  • Verify billing changes:  Require secondary approval directly from vendors and suppliers for any billing changes.
  • Email Authentication:  Work with your technology partners to implement intrusion detection systems within your email system.
  • Scrutinize Emails:  Proceed cautiously with emails you receive from Senior Executives requesting unusual information.

You can stop BEC attacks.  One of the best controls you can implement is simply to contact senders directly to confirm the authenticity of suspicious emails you receive, either face-to-face or over the phone.  Though more time consuming, a well-planned and communicated strategy for handling suspicious email will greatly reduce the likelihood of your company being compromised and strengthen your BEC defenses.

Business Email Compromise won’t be the theme of the next big-budget action movie, but make no mistake; criminals have realized the “big-budget” potential for BEC attacks.  As these criminals work to continually improve their technology and techniques, your business needs to keep pace with improved security procedures and develop plans to heighten your organization’s awareness to these threats.   Making simple changes today to protect your business will pay dividends tomorrow, next month, and two years from now when your business is their next target.