Business Fraud and Cybersecurity Best Practices in the Office or While Working Remotely
Presented by BARR Credit Services with Wanda Borges, Esq. – Borges & Associates, LLC
About the Webinar
As the nation and the world adapted to the coronavirus pandemic, businesses became accustomed to employees working from home. Even as the states reopened from the mandated “lockdown”, many companies and employees alike found advantages to working remotely. Today, we live in a world where the hybrid of in-office work and remote work from home is the “new” normal. Home computers or other remote locations are more vulnerable than ever to cyber-attacks. Organizations need to build people-centric cybersecurity strategies to protect against business email compromises or email account compromises. Increasingly risky websites are being transmitted through corporate emails. The speaker will discuss some of the newest trends in cyberattacks which are continually evolving and growing. Ransomware can hit in seconds. Credit card use is higher than ever, and some cyber-crime groups live to target payment card information. This program has been designed to offer real-life examples and practical steps which may be taken to thwart business-fraud and cyber-crime.
About the Presenter: Wanda Borges
Wanda Borges, Esq is the principal member of Borges & Associates, LLC, a law firm based in Syosset, New York. For more than forty years, Ms. Borges has concentrated her practice on commercial litigation and creditors’ rights in bankruptcy matters, representing corporate clients and creditors’ committees throughout the United States in Chapter 11 proceedings, out of court settlements, commercial transactions and preference litigation.
She is a member and Past President of the Commercial Law League of America and has been an Attorney Member of its National Board of Governors, a Chair of the Bankruptcy Section and Creditors’ Rights Section. She is the President of the Commercial Law League Fund for Public Education. She is a member of several bar associations, including the American Bar Association and the American Bankruptcy Institute. Ms. Borges serves on the Board of Directors of the International Association of Commercial Collectors, of which her firm is an associate member.
She is an internationally recognized lecturer and author on various legal topics including Bankruptcy Issues such as 503(b)(9) claims and preferences, the Uniform Commercial Code, ECOA, FCRA, antitrust law, and current legal issues such as Credit Card Surcharge issues, Social Media, Cybersecurity and Ethics for the Trade Credit Grantor and current proposed legislation that may impact trade credit grantors.
Webinar Transcript
(00:02:29):
All right. Welcome everyone. I am super excited for, uh, those of you that do not know me. My name is Angela Olson. I work for bar credit services. Um, welcome to our webinar. This is gonna be business fraud and cyber security best practices in the office or while working with remotely, which we all know is very important since we’ve all been pretty working remotely with us here today, we have the mu wonderful Wanda Borgess. She’s a principal member of Borges and associates, a law firm based in New York and been going on for more than 40 years. So I’m super excited for Wanda. She’s done a few for us and she’s always done a phenomenal job up. So we’re excited to get started, but quickly LA few housekeeping items. If you have any questions during the webinar, please, uh, go ahead and put them in the QA box. I will be watching over that and managing some of that as we go on. And if you have anything that you, uh, want to be sent to you again, please just put it in the QA box. We’re happy to, um, will a follow up after the webinar if we can’t get it answered during the webinar. So with that, Wanda, thank you. Welcome and take, go ahead.
(00:13:59):
Thank you. It’s my pleasure to be here. And um, I believe all of you will receive a copy of the PowerPoint presentation after the, uh, webinar itself. So yeah, we are going to start out by talking about fraud in today’s cyber world and you can’t have cyber fraud without having fraud to begin with. So I’m going to give a very basic preview of the five elements to the legal definition of fraud. And this may sound pretty simple and they are a false state of a material fact. They’re lying to you and they know they’re lying to you and they intend to deceive you by lying to you. You are fooled and you rely on these lies and you’re injured as a result. Well, that sounds very simple. 1, 2, 3, 4, 5, when we are in a court of law, however, we actually have about 14 additional points, all subsets of these points that we have to prove to the court that fraud takes place.
(00:15:02):
So then we look at certain things like identity theft and identity fraud, and these are not new identity theft identity fraud has probably been around forever, but it’s become more focal to all of us in the last 20, 25 years or so. And the us department of Homeland security defines this identity theft and identity fraud as a term where it’s a type of crime. If someone wrongfully obtains and uses another person’s personal data or in frankly in today, business data in some way that involves fraud or deception, typically for economic gain, many of you will remember the movie catch me if you can. Well, that will, and back to a frankly, a very beginning of an identity theft and identity fraud, where the man was stealing the identity, pretending to be an airline captain and, uh, passing fraudulent checks, paying for things falsely. And ultimately he ended, ended up going to work for the FBI to help them uncover fraud among other people.
(00:16:15):
But this does happen today. So we have the identity theft and assumption deterrence act. It was passed as long ago as 1998 and it created a specific identity theft crime. And it says it prohibits knowing, transferring or using without lawful authority, any means of identification of another person. Now, remember when we use the word person, we mean person to be an individual or a corporation or an LLC or a partnership. So a person is very broad in the legal definitions with the intent to commit or aid or Abbet any unlawful activity that constitutes a violation of federal law or a felony under applicable state or local law. Well, I will give you an example of this. Uh, several years ago I received a alleged check in my office to pay for a debt owed to a client of mine. The check was about $120,000. The check was a regular check with a legitimate company name on the check, but somehow it just didn’t smell.
(00:17:34):
Right. I contacted the bank and it happened to be the, the, um, bank of CA of, uh, I think it was the bank of Nova Scotia, but it’s headquarters or the office was in Toronto. And I contacted them. I said, is this a client, a legitimate client? And is this a legitimate check? And they said, well, that is definitely a client of ours. Please send me a copy of the check. And I, at that time, faxed them a copy of the check and they came back and they said, that is a client of ours. That number was already used. Um, the check you have in your hand is a fraudulent check. Please do not cash it. I said, oh, trust me. I won’t. Well, they actually then reported it to the department of Homeland security. And I received a letter within a couple of days from the department of Homeland security telling me that I was in possession of a fraudulent check, do not attempt to pass to cash.
(00:18:35):
It. I felt like I was playing monopoly, do not pass, go do not collect $200. So this, um, identity theft and assumption deterrence act has been a while. And it does carry a maximum term of 15 years, imprisonment fine, and a criminal forfeiture of any property used to commit the, the crime. There are several other statutes governing fraud, and you’ll see, they hit on every aspect of our everyday lives, identification, credit card, computer mail wire, or file financial institution fraud. And they are all part of our title, 11 of the us statutes, which are all the federal criminal statutes.
(00:19:23):
So now we take fraud and we apply it to cyber fraud. So we are looking at a false statement of a material fact, and we are very familiar with the words fishing or hacking. And it’s, it’s an attempt to get our sensitive information, uh, such as user names, passwords, credit card details, and frankly, indirectly money often for malicious reasons, by may making you think you are dealing with a trustworthy entity in an electronic communication, fishing is the most common and successful method of gaining access to any organization. And then we also hear the common expression malware and all of this. There is a knowledge on the part of the wrong doer, the defendant that the statement is untrue and this defendant this wrong doer is conducting these activities intending to get access connections or information where it can then conduct a transaction and make money or get goods or some other unauthorized or illegal activity.
(00:20:40):
We have something called an a P T an advanced persistent threat. Well, what happens here is these are like little tiny pings hitting your computer. They are always pinging trying to find a loophole and opening through your back door, through your system where they hope to get in and ultimately steal your password, your name, your information. These are all activities on the part of the attacker to deceive you the alleged victim when tending to get your information and then use it to gain advantage over you. And what we see is there a whole malware families now, and these are malicious software or with of malicious intent, and it might be a program or multiple programs where there is sufficient code overlap that they can alter your system by using their malware adjusting to anything that you do thus broaden their ability to attack. And in the mean back, meantime, you sit back justifiably, relying on your computer system and the people with whom you have contact, never knowing that there’s somebody in there, not who they pretend to be looking for the opportunity to cause you harm and you are harmed as there is result.
(00:22:10):
So when we get to cyber fraud, we now take all those definitions from fraud and apply them to the cyber world. It’s an attempt to get information, to create fraudulent transactions everywhere. And again, these phrases that we hear all the time, Phish hack malware, we almost become immune to them until we get hit. And these are all activities where they are trying to get your connection, access, or information to create a transaction where they can profit from that illegal activity. So when we talk about cyber, we are referring to the whole body of technologies, processes, and practices designed to protect our networks, our devices, our programs, and our data from attack damage or unauthorized access. You’ll often also hear cyber to as tech information technology security. So in October of 2021, the deputy attorney general of the United States announced that the department of justice has a new SI civil cyber fraud initiative to combat new and emerging cyber threats to the security of sensitive information.
(00:23:36):
And it’s called the false claims act. And it’s now the government civil tour tool to redress false claims for federal, federal FA funds. Where did this arise from? Well, we all know we’re still coming out, hopefully coming out of a pandemic. And during the pandemic, people and companies were applying for stimulus funds and applying for PPP loans. Well, what the government has found is that many of the entities that applied for and received either PPP loans or stimulus stimulus funds were not who they said they were, and they were getting false money from the government on a false pretense. So this cyber fraud initiative is hopefully going to get some federal funds back from the wrongdoers. And it contains a very unique whistleblower provision. Um, you may, and probably not, I don’t know anybody that has, but somebody like us could maybe know a company that was in fact obtaining a PPP loan fraudulently, and perhaps they bragged about it.
(00:24:58):
Oh yeah. You know, I got a PPP loan from my company that doesn’t exist. And if you choose to be a whistle loan, you can be a whistleblower and without harm and without anybody having any ability to come after you for that. So what are the benefits of this initiative? They’re trying to build resiliency against these attacks against the government, the public sector and key industry partners, which in this case were the, they are holding contractors and grantees to their commitments to protect the government information. And in infrastructure, they’re making sure that companies follow the rules so that those applying for PPP loans are legitimate companies and not just fees, then real embracing the government and taxpayers for losses that they may have incurred when the companies fail to satisfy their cybersecurity obligations and improving overall cybersecurity practices that will protect everyone, the government, public users, private users, and the American public.
(00:26:10):
So why is cybersecurity a concern for credit and collection professionals? Well, here are the five most common cyber crimes today, malware, which includes all of these. And we’re going to talk particularly about ransomware debit credit card, or why transfer fraud, data breaches, compromised passwords and business email compromise business email compromise in 2020 was the most rampant cyber crime throughout the world, unauthorized email and social media access. And we will talk about this in the later slides, but just a couple of, of simple things to think about why are transfer fraud? Um, just as yesterday I was sending, I was sending out a wire and as I was in my bank, they now have, and I never saw it before yesterday. A statement at the top when you’re starting to go into the wire transfer information, saying a, confirm your information by 10 ting, your customer.
(00:27:26):
And that’s what you’re gonna see on a future slide that we’re recommending that you no longer rely on wire transfer information only by email and the business email compromise. I bet every one of you at one time or another has received an email from somebody that you may have thought was a good friend, a good colleague, a good client, a good customer, and you turn, it turns out not to be from them at all. And that is what is a business email compromise. And we’ll talk more about that. So fraudulent wire transfer is just a tactic of manipulate, influencing, or deceiving a victim in order to gain control over a computer system or steal personal and in financial information. So they are using social engineering to get you to send a wire transfer. So it might be bar is collecting accounts on your behalf. And they tell a debtor to send them a wire.
(00:28:33):
Or the debtor says, may we send a wire and BARR gives them all the proper electronic wire transfer information or ACH information. And as that debtor and will presume for a moment, we’re talking about an honest debtor, but as that debtor is getting ready to send that wire or that ACH, it gets another email supposedly from bar that says, um, this is a correction to the email, which was sent to you yesterday. Please make sure your ACH or your wire transfer is directed to this account and gives a whole new account number, maybe even a new ABA number, which means it’s a different bank. And what does the debtor do? Well if the debtor has a brain in today’s world, it will up the phone and call someone at bar and say, did you just send me a second email, changing your wire transfer or banking information? And that’s the best way to prevent that, because imagine if you would, that, that debtor sends a payment to bar because it got this second fraudulent email and is now sending a false or fraudulent wire transfer, or it could be that an entity such as a debtor is pretending to send a wire transfer. And that doesn’t happen at all.
(00:30:18):
Yeah, Juan, I was just commenting that we’ve actually seen this, the example that you just gave as actually, um, we have seen this and our process us is to call, uh, via the phone now because we’ve started to see things from some of our clients that seem odd or just not nothing they would ever do before. Why would they tell us they want us to change their, um, their account? So it’s, we have seen this. So it’s definitely happening.
(00:30:44):
It’s Def it is definitely happening. And, um, here are some suggestions to you, uh, check to make sure it’s really coming from your customer. And Angie said it best. So I said it earlier, pick up the phone, don’t rely on the emails, pick up the phone and make sure that it is from the person you think it’s coming from. Uh, and that, that they know you didn’t send two sets of instructions.
(00:31:15):
So cyber crime. Um, so I’m gonna go through a couple of different industries to, um, industries where cyber crime has taken place over the last year. A boof state of fashion is a, uh, apparel industry magazine. And it said, it tells us that retail, including fashion retail was the fourth, most cyber attacked industry in 2020. And here was one of them Brazil’s largest clothing store chain. Lojas Rena based on ransomware attack on its e-commerce system in August, 2021, which resulted in the shutdown of its systems and operations. Um, it has never been proven or, or confirmed, but allegedly they paid something like 14 million in Bitcoin in, um, ransom. Cyber risk is an upper, a long term upward trend that has accelerated during the COVID pandemic, particularly because of the work from home patterns and technologies and soaring demand for eCommerce. Most of us probably used zoom once or twice a year in, in 2019.
(00:32:36):
And now my entire calendar has zoom for where the, the meeting is going to take place all over it. So breach of intellectual property, proprietary designs are often kept on computer systems. Now that could be any one of you, and it may be a, a bicycle design. It may be a, a shoe design. It may in the construction industry, a blueprint for a new building, these are often kept right on your computer system and they are all at particular risk digitals data, online transactions, supply chains, personal information, and all of these computer systems breaches is, can result not just in the loss of your design, but you could be, you could lose your reputation because they may say, well, that company can’t be trusted because if systems are no good and they allow their systems to be breached and it could even lead you to a lawsuit.
(00:33:39):
So what happened, of course, in 20, we all migrated to remote work. Some, some companies are back in the office, a hundred percent of the time. Some companies say they’ll never go back to the office a hundred percent of the time. So most firms migrated their workers to remote protocols, just test a COVID pandemic was beginning into unfold. And what happened was in the haste to get everybody to working at home security gaps were left in the systems. So we found a proliferation of mobile devices contributed to security oversights. Well, we all probably thought about our laptops or a, our desktop at home, but how many of you thought about that iPad that you used to browse movies or Facebook? Did you protect your iPad? Did you all make sure your iPhones were protected? And sometimes even laptops were overlooked in 2021, we had four top active threats, crypto mining, well, crypto mining absolutely is the ability to send financial information or mining is the ability to send financial information electronically.
(00:35:02):
Crypto mining is when they go into their mining, your data, they go into your data electronically in order to steal your financial information in 2021, crypto mining generated the most internet traffic out of any other category, Phish business, email compromise, seemingly legitimate emails from colleagues, coworkers, or customers I have received from even fellow attorneys from clients. Um, hi, Wanda. I just thought you’d be very interested in this article and there’s a link for me to check, click on the article. I won’t click on that article. I’ll pick up that phone or I’ll send a separate, completely separate email saying, Hey mark, did you really just send me a link with an article? And the answer is nine times outta 10. I didn’t send you any such link because the minute I would’ve opened that link, I would’ve opened my computer and given access to the criminal to get into my system.
(00:36:20):
Ransomware is the type of malicious software or malware that blocks access to your computer until the ransom is paid. What I have found very interesting. Uh, some of the shows that I particularly enjoy watching are, um, lone star 9 1 1, or, or regular 9 1 1, and, um, Amsterdam new Amsterdam. I have noticed on those three shows and on other shows over the last, I’d say three or four months, every single show contained at least one episode on how the hospital was hacked. The, the fire department was hacked. The police department was hacked and I’m like, wow. And all, every one of them with not just, you know, a caution ransomware as I put up here, but with some kind of crazy face across the screen of the computer with a ha ha ha. You’ve been hacked, which kind of reminds me all the way back to ju park.
(00:37:22):
When that guy who was in fact, a criminal had his face up on the software going, ah, ah, ah, so we’re seeing more and more ransomware. Has it hit any of you? You don’t have to answer me. Has it hit me? Yes, it has. Yes it has. When shortly at the beginning of, of, uh COVID and I was working at home and I made the mistake of responding to it until I realized within about five or 10 minutes that, oh God, this is not for real. Cuz it came across my screen as a Microsoft message that my computer had been corrupted and I needed to contact Microsoft immediately. And when I phoned the number using a separate item, my iPhone, it answered Microsoft technology. And I said, oh yes, your system has, let me walk you through, may I have access to your laptop? And that’s when I said, oh, this is not good. And I just cut the, the call disconnected my laptop called my it guy. And he said, Wanda, how could you be so dumb? But I fell for it for a few minutes anyway. And he was able to, it took about two hours cuz they had already crept in, but he was able to clean my computer without me having to pay ransom a Trojan horse. I hope you all remember your Greek mythology.
(00:38:47):
Of course in the Greek mythology, the Trojan horse was all, um, contained hundreds of soldiers inside this, a horse that was supposed to be given as a gift to the king of Troy. Well what’s happening now. They call Trojan horses because it’s disguised as legitimate software. And it’s usually employed by cyber thieves or hackers trying to get inside your systems where you’re looking at thing that looks perfectly innocent, perfectly friendly, and you let them in once that Trojan horse is in your system warning, it can sit there for months. Um, our office computers were hacked about six years ago and what my it fellow told me was you, you probably did not pick up that in that virus. Now that Trojan horse was, looks like it was sitting in your computer for several months and it would just kind of sit there, gathering information, spying on you, stealing your sensitive data, getting backdoor, access to your system, then waiting until you just clicked on something.
(00:40:00):
And no one knows what it is except them. And once you click on that, that is when that Trojan horse activates and your computer becomes completely corrupt. So here’s a sample of crypto mining. And um, this actually hit my email box, which is very interesting because my office does not bank with bank of America, but it came into us exactly like this action required online banking system update. If you’ve already responded, you can ignore this notice and telling me that they have to update my system. Please follow here to get started. Well if I had made the mistake of clicking onto that follow here, link it would’ve corrupted my entire system, knowing that we don’t deal with bank of America. I just deleted the well before I deleted the email. I made a copy of it to use as a sample on this program, but then deleted the email.
(00:41:05):
So Phish and business, email compromises. This is a social engineering attack where they’re going to use a message as bait the same way you would use bait to catch Phish. The cyber attacker will send millions of emails in hope that somebody’s going to take the debate. And they’ll fool you into taking action such as clicking on a link or opening an attachment. Recently I actually received from Citibank, which is my bank, a notice that they had to update my, um, information. It was a federal requirement that the bank update their information on my account and this was the time to do it. I ever even got back to her. I deleted that email and I called my local branch officer and I asked him and he said, I don’t know anything about that. Well, as it happened, it was legitimate and he checked on it.
(00:42:08):
He says, oh no, apparently the bank is going through their periodic every five or 10 years or so. And they need you to update all your information. I’ll get the, do the documents and I will email them to you please download them, fill them out and send them back. And I did. So sometimes we’ll see a more sophisticated method called spear fishing, which targets individuals you in the credit department may receive an email, a fake email from your finance department saying, Hey, um, here is an invoice for the, um, transcript you ordered recently, please take care of it. Well, it may not happen to the credit department, but certainly to us, if attorneys, we are offer ordering transcripts periodically from the court or from a court reporter. So for somebody to send me a, an email saying, Hey, here’s the, the invoice for the transcript you ordered or wouldn’t be a surprise.
(00:43:11):
What would be a surprise would be to make sure that it is in fact coming from the, the correct person or it could be a shipping department with a fake purchase order. And it happened to one of my clients. They received a purchase order and it was a purchase order for $80,000 worth of product. And they were quite excited about it because while the purchase order came from a legitimate client had never sold to that client, that particular product before. And therefore they said, wow, they’re finally ordering it from us. Cause we know they always order it from a competitor and they grabbed that $80,000 purchase order and they shipped the product to a new location. Well, the $80,000 was gone. The location didn’t exist. It turned out to be nothing other than a vacant block. And um, that was outright theft that came in through an email purchase order and the purchase order looked perfect.
(00:44:14):
And when they got to their actual customer and said, well, we got, because they were demanding payment and the customer said, we never ordered that from you. And they said, but this, this purchase order is perfect of yours. And they said, yes, including that purchase order number, which is the exact purchase order number that we used to order that $80,000 worth of product from your competitor. So who had the thief, the competitor, the customer had a thief within their company somewhere very hard to detect. And in this case, fortunately, the creditor had, uh, insurance and was able to recoup the loss. Here is another example of business mail, email compromise. And in this you’ll notice four different places where they wanted us to click on the word release and then, or I could have clicked on the bottom where it said deliver messages. Well, you know, that would be similar to, I have clients that will send me a dozen documents at one time.
(00:45:23):
And if I download, they download all of them and they go into a zip file. And then when I click on extract, I can extract them one of the time or extract all of them to a folder all at once. So to see something like this, it, the, the content made sense, except this came from somebody I didn’t know. So I just deleted it. I didn’t do anything with it other than got rid of it. So fear for is even worse. And it will often come from a bank, a colleague or a friend. And again, hoping you will reveal confidential information. So here is one example of spear fishing. Now this is an actual email text that I received on in September. I’ve changed the name of the law firm, but this email supposedly came to me from a law firm that I know and a law firm with whom I do work.
(00:46:27):
And it says, I, you have received, you have an encrypted message from Walnut Figman and Justin click here to open the message. Well, Walnut Figman and Justin never sent me that message. And if I had clicked on that thinking, oh, I know them, they send, they are sending me an encrypted message. I would’ve ended up opening my system to fraud. Now, recently I did have, um, someone that I did know, send me an encrypted message and I just assumed it was fraudulent. So I deleted it. And then about a week later, I got a phone call. Wanda, I’ve sent you two encrypted messages and you have, and, and I, I have no indication that you received them. And I said, next time, you’re going to send me an encrypted message, kindly text me, or phone me beforehand and tell me to look for an encrypted message. I receive encrypted messages and I delete them because I am not going to be hacked. He says, gee, I never thought about that. All right, I’m going to send it to you in the next five minutes. Fine. And he did send it to me and it was perfectly fine. And I opened it.
(00:47:45):
Whaling is a kind of a specific malicious hacking with a, within the more general category of fishing. And what they’re doing is they’re hunting for data that they can use. So they’re looking for bank account information or wire information or personnel information. Usually the targets are high ranking bankers or executives. So it could be director of credit, treasury controller. And the message may sound urgent, um, requesting a transfer of funds. It could sound like it’s coming from your vice president. Please approve the email or pre please approve the wire to X, Y, Z company. Um, if has to come out of your department and you may say, wow, okay, fine. I can approve that because my vice president just told me to do approve it, pick up the phone and call and say, did you really just send me this request and this way, you know, whether it’s legitimate or not.
(00:48:49):
So again, message is addressed to dear customer. Other generic reading. I get messages frequently from dear respected counselor. Well, we all know in the United States, nobody’s going to call us dear respected counselor. So I know automatically it’s from a foreign country and it’s probably false a messages requesting immediate action or urgency such as threatening to your account unless we get payment from you immediately, but closing your account and you’re sitting there scratching your head, saying payment payment for what or messages. And we’ve seen these too from ups or FedEx saying, um, you know, there’s, I’ve had, we’ve had difficulty delivering something to you. Please click on this link to very your delivery information. Don’t click on that link. It’s usually not from ups or from FedEx or messages requiring or asking for sensitive information such as your credit card number or your password. Never, never, never, never give your credit card number across an email. If I must give my credit card information to somebody legitimately, I will often put half of it in an email and half of it in the text message. So that only the person that I am dealing with can put it together and get my correct credit card number.
(00:50:18):
Before you click on a link, hover your mouse cursor over the link. It will tell you the true destination. And even though you might think it’s from a company called, um, south work, Southwest molding and millwork. When you click on it, it may say T Jones at Gmail. So, you know, somebody is just using a name to try to fool you and the same thing on mobile devices sometimes by pressing and holding the link without clicking on it. And there’s a difference between clicking on it and pressing and holding it. You can see truly where it came from, or just go into a separate browser window and type in the website and see if it’s legitimate. And you know what? You’re gonna find something like one or two letters don’t match. Uh, and again, when messages have attachments, don’t open them unless you’re expecting it.
(00:51:17):
And it’s from a legitimate source. So now we’ll talk about ransomware. Ransomware is this type of malicious software where it’s gonna block access to your computer. And generally you downloaded completely inadvertently. And it may say something like your computer is infected with a virus, click here to resolve the issue. Don’t click your computer is used to visit a website with illegal content to unlock your computer. You must pay a hundred, a all fine or any of these others. Now these three examples were given to us by the department of Homeland security. So the minute you click on that ransomware link, you are going to infect your computer. Don’t pay the ransom most so often. It doesn’t work and will like, cause more damage. The next couple of slides, I’m not going to take the time to go through them, but I offer them to you as research or resource material.
(00:52:20):
This is the cybersecurity and infrastructure security agency, which is a standalone us federal agency. And these several slides are going to contain, uh, bullet points for what you should do to protect your computers. And you’ll see there are three, um, or four slides. So please that your own leisure look at these bullet points and get an idea of what you can do to make sure your computers are safeguarded. So cap perky, which is a well known virus protector, um, they provide a, they provide a software that will help to block Trojan horses or any other kind of cyber thief or hacker, uh, because they know that one’s activated. And again, it could be sitting there for months until you activate it. It’s gonna get in and seal everything. So it, you could do it just by clicking on an email attachment or a link. Um, or you may download a program that you think is a legitimate program and it comes from a trustworthy site and you may find out it really is a lie, or it could be a software that you purchased from someone else.
(00:53:39):
And that there’s a Trojan horse sitting in the, in the software. So are possible signs of a soft of a Trojan horse. Is your computer frequently crashing since we have a file server in our office, and most of you work with a file server in your office. And since Friday, um, we are several of us work remotely every day. And since Friday, we have had to reboot our file server Friday, Monday, Tuesday, well, three days in a row to have to reboot the file. Server tells me something’s going wrong either there’s a hardware problem, or we’re trying to, somebody’s trying hack us. So yesterday I said, or Tuesday evening, I said to my staff, uh, tomorrow, before anybody gets online at all, I’m going to contact our it guy and have him come in. Well, when he found it’s an older file server, and we’re now going to upgrade our file server.
(00:54:48):
He said it was showing that it was only at a 70% performance. So that’s what was causing us to have to remove the file server periodically. And what was happening to one, uh, of my employees in particular was she’d be in the middle of working and she’d get kicked out of the server. So it could be a legitimate prop. That’s not a hack, but if it’s continually crashing or kicking you out, it could be, somebody’s trying to hack you desktop desktop changing. It might be to, somebody’s trying to get in or your task bar changing or all of a sudden, you look at your desktop and you see program who didn’t download, how did they get there? Or a lot of popups more than usual, or you click on what you think is a website that you wanted to go to. And all of a sudden, you’re in an unknown website. These are signs that’s, there’s a possible trillion who sitting in your computer.
(00:55:51):
So be very cautious about downloads, never download or install software from a source. You don’t trust completely be aware of phishing threats, never open an attachment, a link, or run a program unless, you know, it update your operating system software. As soon as the updates are available. Yes, it annoying when we get those notices that windows wants to do another update because now you, you can’t shut down your computer or you have to get out of what you were doing, but those are essential for keeping your computer safe. When you go on to a URL, make sure it has a padlock, because if it doesn’t have a padlock, it could be UN unsafe. Don’t click on unfamiliar, UNT, trusted, popups telling you that your device is infected or offering you this wonderfully magical program to fix it, protect your accounts with complex unique passwords. And don’t use the same password across the board and keep your personal information safe with firewalls.
(00:56:57):
And back up regularly, it occurred to me this week, while we were real, that we were having an issue with our file server that, um, I do have employees working at home and I had never asked them, um, if they were backing up every night and one was able to tell me, yes, I back up all the time. The other one was able to tell me, um, whatever I do at home during the day I throw to the file server. So it it’s in the office. And the other one said, oh, no, I haven’t been doing that, but I’ll, I’ll be doing that from now on. So here we are, you know, two years into COVID thank God nothing’s happened to us, but I had not. It not had not occurred to me to double check to make sure that my associates, my staff working remotely were making sure they were backing up every night. So you are particularly vulnerable to cyber fraud by all of these fishing, Trojan horses, ransomware when working remotely and here I, I get this probably once or twice a week. Your password has a expired. Ignore it, delete it. Or, uh, thank you for choosing Intuit payment solutions. I happen to use an Intuit pro uh, program in my office, but I don’t pay through Intuit. So it’s telling me that my last deposit could not be click on.
(00:58:47):
In Intuit payment is a legitimate program and I actually use, um, an Intuit payment program, an Intuit, um, timekeeping program in my office, but I don’t make deposits into it. So I got this email saying, thank you for choosing us. Your last deposit could not be completed. You’re gonna have to verify your transaction in order it to complete click here below log below to verify. Well, I knew it was a lie because I never make deposits into it. Even though I did know that into it is a program I use. So I just deleted this and I would recommend that you would delete it as well. Cause they were trying to get into my accounting system.
(00:59:33):
So, and so here you may receive instructions to send payments to a new bank account. We talked about that at the very beginning of this program. Um, and you may get instructions that come to you. Your customer may remit accordingly and then you never get paid or your company never gets paid. And the customer insists, I made the payment. Here’s my proof that I made the payment, but it didn’t come to you. So this may be a letter, a false letter saying, please be advised. We have recently changed. Thanks. Please make all future payments on your account too, with this information. Well, clearly this is a lie. And if you get anything like this and you, if you should tell your customers bar and every one of you on this call on the zoom meeting should tell, tell all of your customers, uh, you will never receive an email from me telling, uh, telling you that we have changed banks.
(01:00:33):
If we are going to do that, I will pick up the phone and let you know, before I send you an email or I will send you a letter in the mail, but it, you will not get this kind of email telling you to send money to a new bank. Sometimes small and midsize businesses are the most vulnerable, but not always dark side crippled dark side is a, is a malware crippled colonial pipeline, the largest fuel supplier in the Northeast United States. And they paid 4.4 billion, uh, I’m sorry, million dollars in Bitcoin, gr tag, a chemical distribution company also targeted by Darkside lost their data and paid $4.4 million in ransom reveal or Reval group attacked JBS a global meat supplier and caused a similar shutdown and JBS paid 11 million to get their system clean and restored ASER computer manufacturing manufacturer also as attacked by revive and they paid 50 million in ransom attacks.
(01:01:53):
So we think it, it happens to the small and mid-sized businesses, but it happens to everybody. So here are some other industries where it happened. Eland suffered a ransomware attack, pausing half of its stores to close guests in the, our industry ha lost their personal data, passport numbers, social security numbers, uh, from employees and contractors, apple supplier Quanta was hit with a 50 million ransom demand. Um, there’s no confirmation that they ever paid. The demand, SJ Lewis, a national construction contract company based in Rockville, Minnesota was held high for over a hundred thousand dollars after being infected with ransomware. So you can see large and small or medium. It happens 61% of small mediums or medium size businesses experienced a cyber attack in the last 12 months. One in five businesses experienced 25 or more hours in downtown downtime because of ransomware attacks in 19, in 2019 54% resulted from suspicious emails and websites.
(01:03:15):
And we don’t have final numbers yet, but in 2021, the estimate was that there would be $6 trillion worldwide in losses resulting from cyber attacks. So when you’re working from home, remember it presents challenges to you, to your it systems and to your staff. You need to be very self aware. You need to know what you have, how it is supported. Um, how, for example, I log in to my office file server from my home computer and my it guy set it up. So I never questioned it. But yesterday, while we were talking about upgrading the et cetera, I said, by the way, would you please, I know it’s protected because you did it, but how am I protected when I log in from home and I log into my file server and he explained the technology to me and how I was, how my laptop and my office computer were protected.
(01:04:22):
I was like, okay, I knew you handled it. I just now never knew what was there that was handled. Make sure all employees have very clear and concise instructions regarding laptops computers that they have to have a strong password. They should all have encryption installed when 10, uh, bit locker is available on all windows 10 and more and higher, but it’s not automatic. So when I, when I was first asked this question about a year and a half ago from a client, um, well, if you’re working from home, do you have bit locker on your home computer? And I hesitated answering him because the answer was, I have no idea, but I went into it and I found that I did have it, but I never, I had not enabled it. So of course I enabled it. And then I went back to him and said, absolutely, I have bit locker on my computer.
(01:05:24):
So we, we need to learn these things. I’ve learned a lot. Um, frankly, I’ve learned a lot as a result of presenting these kinds of programs to all of you, because the more I learned, the more I pass on to you and the more questions you have, the more I have to go look up something new. So don’t let outsiders work on your computers. And I’ve seen this happen at business conferences where somebody may have a laptop and somebody else didn’t bring their laptop down with them and say, Hey, can I just go on my emails for a minute on your laptop? You, well, it better be somebody you really trust very, very well. Otherwise don’t let them do that. And um, some companies have a way to monitor their employees when they log in. And when they’re on the computer only use organization approved devices.
(01:06:14):
Don’t let anyone else use it. Lock your device with a pin code, make sure there is encryption. If your device supports VPN capabilities, you may be required to use them and do use them, protect your device, get your updates all the time and don’t let anyone else connect their devices to your laptop. Even something as simple as a flash drive, I don’t have one handy, but we all know what a flash drive is. I had, um, theater tickets on my flash drive once and I went to a hotel out of town. I was taking a client to a show that night. Um, it was a Christmas show and she was a friend as well as a client. And I said, I need to print these tickets. And your business office is closed. Can you please print the tickets off my flash drive at? And I asked this at the front desk and she says, I can print those for you, but not here.
(01:07:13):
Please give me your flash drive. Uh, tell me what I’m looking for and I’ll go print them because her desk up at the front desk was networked throughout the, throughout the system. If my flash drive had been corrupted, I could have corrupted that entire hotel system. What they had was in their back office. They had a standalone computer. So if anything, if my flash drive was corrupted, it would corrupt their hand alone, but wouldn’t harm anything else. So if somebody says, Hey, do me a favor, can I just plug my flash drive into your computer so I can print it again? You’d better trust that person very well to allow anybody to attach their flash, drive to your computer, protect your personal computer again, with the latest patches, always updated. If you’re no longer using a program, get rid of it. Don’t let it just sit there.
(01:08:09):
If you log into your file server remotely, as I do, when you’re not using it disconnected, I tend to log into my file server to obtain documents or to do something in particular on a, on a particular software. And when I’m done, I close it out. One of my other staff is working on our, uh, litigation software. Well, she has to be by the new nature of her business has to be in that file server probably five or six hours a day. So she never shuts it down. Probably even when she takes the lunch break, she probably doesn’t shut it down. She probably walks away from it. Um, but when you walk away from your computer, you should shut it down. You should not be logged into your file. Server enable firewall. Uh, I have a colleague who said, oh, I took firewall off. It was locking me from being able to get into websites.
(01:09:07):
Well, it was protecting you dummy. So always keep your firewall up, uh, new what malware is constantly being developed. And again, back up daily, you are the shield. Your actions will protect you and your organization. So security awareness training skills that you are now learning are gonna be used at home. Cyber attacks can attack happen anywhere anytime. Um, don’t leave your computer on overnight. That would be a best time for a cyber attacker to attack your computer. We have our computer file server on at night in the office, cuz it’s never shut down. And at night is when it is backing up to the cloud, but everything is backed up to the cloud and we have that technology as tight as can be. But you at home, don’t leave your computer running because somebody could get in and hack it while you’re fast asleep, identify the data you need to protect and make sure that you implement those methods to encrypt that data.
(01:10:13):
Make sure you know, who’s on your, who has access and how many and get of any unauthorized and unsupported hardware or software from your systems. It’s everyone’s responsibility, how you store it, how you access it, how you process it, make sure you are always in compliance with your company policies, regulations, and standards. So again, if somebody calls and asks for sensor of information, first, find out who that person is. That’s calling you. Even if I get a call from my bank, I know my bank manager. If I get a call from somebody saying, hi, Wanda, this is uh, Sheila McKenzie. Um, and I need to get some information from you. Well, what happened to Joe? Oh, Joe is out today. He’s sick and you’re calling me why. Well, I need some information from you. Okay, let me call you back. And then I’ll call back.
(01:11:13):
And what I’ll usually do is call Joe and he will always leave something on his voicemail saying I’m out today. But for any further information, please contact Sheila McKenzie. Well then I know the person I was talking to was legitimate. And then I’ll call her back and say, okay, Sheila, what is it you need from me? Like also as well as locking down your computer, um, take your flash drives with you. Don’t leave them sitting there. If you are at a con conference and you’re using your laptop while you’re sitting at the conference and you’re using a flash drive, I don’t suggest you walk away and leave your laptop there. But if you’re going to way and leave your laptop and maybe John Smith is sitting there and John, are you gonna be here for a few minutes because I’m gonna run and use the, you know, restrooms, fine, leave your laptop, but just grab that flash drive and put it in your pocket.
(01:12:10):
Recognize the sensitivity of information you may be working with know and respect the boundary boundaries only use authorized information, authorized systems for sensitive information, don’t copy or store anything on your personal laptop or email account. Um, only use license software, cloud services and a screen lock, leaving your computer. My screen will automatically lock when I walk away from my computer, even here at home, I think I have it set for three minutes and then it will automatically lock down. Same thing on my iPhone. My iPhone will automatically will lock after three minutes, data storage, um, USB or external hop, uh, hard. They should be password protected and encrypted. And if you, if you don’t want to use an external hard drive or USB, then make sure your laptop is being backed up to a cloud service. So let’s talk about these cloud services. They are an outside service provider where they’re gonna store manage or process data.
(01:13:17):
And it’s called the cloud because we really don’t know where it is, but you may have Google docs or you may be sharing files by Dropbox or OneDrive or I, uh, apples, iCloud. These are all various I various cloud services that are available to you. And uh, they’re probably all very, very well protected when I suggested to my it fellow that, um, am I safe using Google? He laughed. He says, do you think a company like Google, isn’t gonna have the tightest possible security system there. Uh, they have a VPN network and you’re using that VPN network and yes, you are safe. Okay, fine. But make sure your cloud service encrypts your data. We back up to a cloud every night. And I, when I was first asked that question, I had to go to them and ask them do is my data encrypted. And yes, when my data leaves my file server in the office, it gets encrypted and it gets sent to my cloud service and is stored there.
(01:14:22):
And when, if, and when I need to restore something from my cloud service, it comes down back to my server in an encrypted for. So when you’re using cloud services always get permission before you use it only approve cloud vendors should be used, follow your office policies, make sure you know, what kind of data you’re storing. Some data is protected by legal or regulatory or contractual information obligations. If it’s work related, don’t store it on your personal cloud account. Be extremely conservative as to who can access business cloud accounts. We have a cloud account for boards and associates, LLC.
(01:15:09):
We all, everyone in my office knows we have it. Um, but I only one that accesses to cloud account. Would I trust somebody else in my office to do it? Yes. If I had to, if I were not around, if I were on a business trip or on vacation, yes, I would probably trust my senior litigator or my bank as the associate to go in and, and go to the, to the cloud. But I’d probably would more, more than that. I would probably go to my it guy and let him go into the cloud. So make sure, you know, who’s accessing it again with a unique password. Always run up to date, antivirus software and make sure, you know, what’s allowed. If you are keeping paper fine, keep it in a locked file cabinet or secure paper of places. Um, electronic, make sure again, it’s encrypted.
(01:16:06):
It’s passworded, nobody can access it. Um, if you’re discarding it at your remote location, go and spend a hundred bucks and get yourself across shredder. They’re not that expensive. And um, I actually bring some files home for the purpose of shredding them. After they’ve been closed down, this is just easier for me to do it while my husband’s lodging TV and I’m sitting there and I can go through documents and shred them, uh, email by the way is legally binding just as a paper letter. So if you engage in a contract with a client or a customer by email, it is binding. So use email as a tool for documenting your activity, make sure you know, and understand that anything you do is discoverable in litigation and it could also be leaked to the public. So before you send an email, next message, pause and ask yourself, do I really want this to be there forever?
(01:17:05):
And maybe be in court or maybe printed in a newspaper? If not, don’t put it in an email. Never assume that by deleting something that’s gone, it’s not, it can be found through backups and a forensic scientist can. In fact find what you thought was purged on your desk, desktop, if you don’t need anything anymore, get rid of it. It, but if you are in litigation or you think you might be in litigation, do not destroy anything. If you destroy something because you think it’s gonna be embarrassing. Well, guess what, if you are guilty of foliation of evidence, you can lose your entire a case and you can be fined when you do dispose of sensitive information, such as, um, social security numbers, cell phone numbers, home addresses emails, make sure you dispose them and authorize shred bins only use secure communications networks. Don’t go to your local, um, Panera or Starbucks and use the public wifi for company business.
(01:18:20):
You wanna browse, you wanna go on Facebook, knock yourself out, but don’t use it for company business. And I know a lot of people have done that when Northeastern storms take out our electronic, our electrical systems, a lot of people found little coffee shops or, or Panera or the local library, and they, that had electricity and they used it. Don’t use it for company business and make sure encryption tools are used video conferencing, such as what we’re doing. Now, keep your staff engaged in it so that they’re not multitasking, but something else conduct these calls weekly so that your staff doesn’t feel abandoned when they’re working at home. Make sure there’s a secure site. Um, even hackers can get into a video conference. Don’t again, don’t use that public wifi for a zoom meeting and encrypt any documents that are may be being sent, create a very long secure password and maybe use a password manager.
(01:19:24):
If you have multiple, multiple passwords, use a two factor authentication or multifactor authentication where any critical financial services. So here’s a tip for strong passwords. Well remember, of course, when the coronavirus began in 2020, so we, I created this password, uh, kind of to have fun with it, but also to show how you can take a crazy phrase and create a strong password Corona, not the beer 2020 act. So you see it’s got all caps, it’s got numbers and it’s got the ampersand use a different unique password with each account. Don’t use the same password, for example, for all of your bank accounts or for all of your emails or for all of your websites, use a password manager, make sure the it team okays it, um, keep the password secret. Don’t share it with anyone else. And if there are security questions, make sure there’s something only, you know, the answer to. Of course I laugh when I, when I say that because, um, my sister and I shared a password, uh, for something that had to do with our mother when my mother was getting old and we were, you know, taking care of her and the security question was our mother’s made name and being Hispanic.
(01:20:48):
The, we, I don’t, but most of the older generation used two names for their surname. And my sister called me and she said, I can and get into mom’s account. And I said, what was the problem? She says, they said that her maiden name was wrong. I said, and what did you say? What did you put? And she told me what she, and I said, Cindy, that’s not mom’s maiden name. So we laughed over it, of course. Um, but make sure it’s a security question, a that you only, you know, and B that you’re gonna remember and again, use the two step verification process when possible, so that not only do you type in a password, but you get that text code to your cell phone, plugin safety, these plugins, or add-ons, there’s small pieces of software that might be used for you to play a video game or watch movie or, or text editing.
(01:21:43):
Uh, they add additional vulnerabilities. So make sure you have approval to use them at only use the latest protected version. When you’re finished with a website, get off it, say, browsing, strengthens your shield. If you’re clicking on a quiz or other link, by the way, the way I got hacked was I do love quizzes. I love clicking on those. I haven’t done it again since I got hacked with, with ransomware. Um, but I enjoyed these quizzes that popped up and said, how well do you know your north American geography? Or how well do you remember your, you know, history? I used to enjoy doing that. I don’t do it anymore because well, it took was to one time that there was a ransomware or a Trojan horse buried in there. It, if your browser is taking you to unwanted or random websites, you can’t get out of them, get a hold of your it guy immediately. If your password doesn’t work, get a hold of your, of somebody who will fix it. Not, not the person telling you you’ve been hacked. Your friends are coworkers are sending you strange messages. You’re getting unauthorized charges or extremely high battery usage. All of this could be a sign that something is happening to your system. Mobile devices are great. They’re fabulous, but make sure you know where it is at all times.
(01:23:09):
I’m sure every one of us I’m guilty of it as well, who has gone have gone. My office at home is on my third floor, the kitchen, uh, living room, et cetera, is on the first floor. And sometimes I will remember to bring my phone. Sometimes I won’t. And many times I turn to and my husband and say, do you have any idea where I put my phone? I’m, we’re all guilty of that. Fine in our home. Don’t do that. When you’re at work, certainly not in a hotel or at a conference, always protect your device with a lock or a pattern or fingerprint enable remote wiring, a, a wiping. So the, you can erase that information once, if your device is lost or stolen, always keep it updated. Don’t break into your own device. Teenagers know how to do that. I don’t because once you do it, you’ve destroyed all the protections and disable wifi and Bluetooth when you’re not using it, it a improves your view from automatically be being connected to a dangerous network, and it improves your battery life. Choose mobile devices only, um, trusted sources before downloading an app, make sure you know, how many people are using it. And if it’s safe, if it’s make sure it’s authorized for work and that it doesn’t ask for excessive permissions always keep an updated. If you lose it, let your it guy know immediately. And we are at, uh, an hour and 15 now. Uh, but I will still say if there are any questions I see. Yes, I see that you did try to tell me that and that 15 minutes ago, that’s
(01:24:48):
The way I was literally just gonna pop in and say, if, if anybody needed to jump to that, they could, because we will be, we are recording and we will be se, um, sending out copies, um, as well of the webinar. Um, I will definitely make sure all questions are answered. If you have any at all, please feel free to jump in now. Um, we’ll leave it open for about another five minutes. Um, but please, if you, if you have anywhere to be, and I’m happy to send you, uh, the recording and any of the answers with the questions that you missed.
(01:25:17):
And also, if any of you have a question, um, after you hang up or whatever tomorrow, next month, uh, and you wanna, uh, drop me, uh, an email. You have my email at, at the first slide of your screens and please feel free, uh, to go and, and call me or email me. I do actually prefer emails. It’s easier for me to answer them sometimes at midnight. Um, and I will certainly be happy to answer them at absolutely no charge to you whatsoever. It’s my courtesy to bar, um, as your bar’s clients, and I’m looking at your names, and I know many of you either bar or through NACM Homeland, uh, NA cm, Heartland.
(01:25:58):
Thank you so much, Wanda. This was really wonderful. I learned quite a bit. Thank you. It’ll be very interesting to see cuz I’ve everything you said. We’ve kind of started to see kind of slowly start to pick up on it, but they’re getting more and more creative as time goes on. And it’s incredible to see some of the things that these people have, um, have thought of. And I don’t know if anybody’s heard of this, but we actually had someone warn us about a, um, a interviewing scam that’s happening right now, where they’re having people that are ho doing interviews via zoom. And they’re actually not the people that are, that you’re going to hire.
(01:26:39):
There’s people selling their, the ability for them to do the web, to, to, for them to do their interviews. And I think it’s fascinating, terrifying. Um, but it’s getting creative. It’s very interesting. Hmm. Yeah. And the themes will come up with something new every day.