If yours is a business that takes online payments, you have a new nightmare to haunt you: e-skimming, a fraud scheme brought to us by the benefits, and dangers, of technology.
The FBI has issued a warning on e-skimming, which works like this: someone hacks your business or personal computer, inserts malicious code that enables them to see and record credit card numbers or other personal or business information, and then robs you, your company, or your customers, or sells the information.
The thief receives the credit card data at the same time as the company.
This can happen without either the company or consumer being aware the code is infecting the system. Anti-virus protections may not spot it, either. The attackers get access through various means, among them through a successful phishing trip into a company computer, or even through a third-party vendor.
The FBI’s Cybersecurity and Infrastructure Security Agency (CISA) suggests several steps to safeguard against e-skimming, among them:
- Update and patch all systems with the latest security software. Anti-virus and anti-malware need to be up-to-date and firewalls strong.
- Educate employees about safe cyber practices. Most importantly, do not click on links or unexpected attachments in messages.
- Segregate and segment network systems to limit how easily cyber criminals can move from one to another.
- Change default credentials and create strong, unique passwords on all systems.
See the FBI news release here.
As that list is examined it’s noticed that these safeguards include things that in the 21st century are exceedingly hard to avoid, such as e-mail attachments, which are transmitted constantly for innumerable reasons. Stopping, checking, and verifying each one ranges from impractical to impossible.
However, that’s what gives cyber-thieves their opportunities.
Additionally, segmenting and segregating networks and functions means more time, planning, expense, and execution. To not throw up such barriers increases the probability that the nightmare of e-skimming will become real.
Until better defenses are erected, if malicious code is undetected, the FBI suggests checking personal records and billing statements to see if unauthorized purchases or transactions have occurred.
Another increasingly popular scam during the holidays or any time of year: gift card fraud. The Internet Crime Complaint Center (IC3) explains the attacks: “In a typical example, a victim receives a request from their management to purchase gift cards for a work-related function or as a present for a special personal occasion. The gift cards are then used to facilitate the purchase of goods and services which may or may not be legitimate.
“Some of these incidents are combined with additional requests for wire transfer payments as described in classic BEC (Business E-mail Compromise) scenarios.”
Between Jan. 1, 2017 and August 2018, there was a more than 1,200 percent increase in fraudulent gift card complaints, the IC3 said. Its suggestions for protecting yourself are:
- “Be mindful of any email, phone call or text messages requesting multiple gift cards even if the request is ordinary.
- “Beware of sudden changes in business or personal practices and carefully scrutinize all requests for multiple gift card purchases even if requests are ordinary.
- “Since many of the fraudulent e-mails reported in this new trend are spoofed, confirm requests for the purchase of gift cards using two-factor authentication. If using phone verification, use previously known numbers, not the numbers provided in the e-mail request.”
In other words, don’t take the e-mail at face value. Confirm the request.
Of course, always present are the traditional types of accounting and business fraud that have been bedeviling companies as long as companies have existed.
investigative agencies of many types make their living overturning business accounting rocks and finding something bad underneath. Imagine yourself or an employee in a news story or news release being cited as committing any one of the following acts:
- “…defrauding investors by misstating the company’s revenue and attempting to cover up their misconduct.” (Securities and Exchange Commission).
- “…admitted to using his position as controller to embezzle over $1 million from his former employer…” (U.S. Attorney’s Office, Eastern District of Tennessee).
- …” learned that the company's former chief financial officer ("CFO") had made allegations that the company's president and board chairman (the "President") had colluded to engage in improper revenue recognition, channel stuffing, intentional revenue manipulation, and inappropriate stock issuances, among other things.” (Public Company Accounting Oversight Board).
Among the outcomes of appearing in these or similar notices are damage to a business, embarrassment, personal or financial ruin, or imprisonment. The list above doesn’t include the IRS or the daunting list of other enforcement agencies.
New or old, technologically sophisticated or simply executed, fraud has, and always will, be among us. The best defense is awareness of the threat and effective defenses to counter them, recognizing that the threat is like a constantly-mutating virus, requiring new and more formidable defenses.
Therefore, include in your arsenal accounting professionals and technical support experts whose job it is to defend against the latest threats while being able to recognize the more traditional fraud varieties. Otherwise, you could be skimmed, gift-carded, suffer embezzlement, or worse.
There are a lot of rocks out there, and a lot of bad people lurking under them.
