The Risks of Allowing Employees to Use Tablets

Tablets and other such devices have become increasingly common in the average workplace. And, while these devices can be important for your employees’ daily work, they also represent a cyber risk if they are not properly managed.

The following are just a few of the major risks associated with having tablets in the workplace:

  • Mobile malware. Tablets are typically infected by malware via malicious apps and phishing scams. When this happens, a cyber criminal can gain unauthorized access to the device and associated network systems. In general, iOS tablets like iPads are safer from malware than Android tablets. However, mitigating the risk of malware typically comes down to the user. Workers should avoid downloading unfamiliar apps.
  • Loss of data. Following a security breach, data loss is inevitable. For tablets, this could mean that users are locked out of their devices altogether. To protect your business, employees should always back up their data and ensure that no sensitive or proprietary information is stored on their devices.
  • Unsecured networks. Unsecured networks are a particular concern for tablets because they are easy to take on the go into areas with free and public Wi-Fi connections, like cafés and airports. These connections are not always secure and can be easily hacked by cyber criminals. To prevent this, employees should be reminded that no public Wi-Fi is safe. For further protection, offer a virtual private network (VPN) that your employees can utilize to safely use the internet off-site.
  • Theft. In addition to virtual threats from hacking and phishing scams, cyber criminals could just as easily steal the tablet itself. This could give them unlimited access to proprietary or personal information. To combat this, employees should never leave their devices unattended. Using a secure password can also help prevent theft of information.

Above all, employers should have a personal device policy in place that accounts for security threats. Employees should know what they can and cannot do with their devices and how to protect the sensitive information contained within. These policies should be extended to other personal devices with internet access, such as smartphones.

©  Zywave, Inc. All rights reserved.

The Fake President Cyber Fraud

The “fake president fraud” is a type of scam in which a criminal posing as a company executive convinces an employee to voluntarily transfer a large sum of money directly to the criminal’s account. It may be hard to imagine that any of your employees would authorize a wire transfer to an unknown account, but law enforcement officials have seen a marked rise in the occurrence of this scam over the past several years.

What’s especially dangerous about this particular type of fraud is that many companies—even those with both crime and cyber policies—might not be covered unless they have a social engineering fraud endorsement on their crime policy. Read on to better understand how the scam works and what you and your employees can do to mitigate the risks.

Understanding Social Engineering

The scam’s success relies on criminals using something called “social engineering.” Social engineering refers to tactics that exploit common psychological weaknesses and preconceived notions about authority and social relationships to make people engage in certain behaviours. Often, that means exploiting patterns of behaviour that are automatic and subconscious, so that victims might not even realize what they’ve done until after the fact.

Because social engineering relies on exploiting your employees’ assumptions and subconscious thought patterns, it can be hard to recognize unless someone points it out. That’s why the best way to defend your organization is to learn how a scam works and educate your employees about it.

How Does the Fake President Fraud Work?

The fake president fraud may vary in some of its details, but it always contains four major elements.

  1. The “president” makes contact. Someone posing as a high-level executive in the company—often the president, CEO or CFO—will reach out to the target employee. This contact often occurs via email, either from a domain that is deceptively similar to the company’s actual domain, or via a “personal account.”
  2. The “president” asks for a wire transfer. The “president” asks the employee to wire a large sum of money to a foreign bank account. The employee might be told that the money is for a host of seemingly legitimate purposes (recent acquisitions, paying off debts, paying vendors, etc.).
  3. The “president” pressures compliance. At this point, many employees may question the unusual request or the break in typical company protocol. That’s when the “president” deploys psychological pressure on the employee to accept the scenario as genuine and comply with the request. Those pressures can rely on a number of different factors, including the following:
    • Authority: The criminal will emphasize his or her rank to convince the employee. This offers the criminal many options, such as using that authority to intimidate the employee or preying upon the employee’s desires to impress a superior.
    • Time pressure: Criminals will often claim that the transfer is an urgent matter, forcing the employee to ignore typical protocol and eliminate the chance that he or she might disclose the transfer to another party or verify the information before making the transfer.
    • Secrecy: Often deployed in conjunction with time pressure, the “president” may emphasize that this deal must remain secret for strategic or legal reasons. Having the employee “in” on the secret can make him or her feel special and thereby increase the chance that the transfer will go through.
  4. The employee makes the transfer. The employee contacts the bank, and the bank then makes the transfer. Even if it is unusual, the bank will transfer the funds to the account if the employee making the request is authorized to do so.
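The elements above can be turned into a simple screening check for inbound mail. The following is an added example, not part of the original article: it flags a sender domain that is a near-miss of the company domain, an executive's display name on an outside address, and wire-request, urgency and secrecy wording. The domain, executive names, keyword patterns and sample messages are all constructed assumptions, and the messages are assumed to be single-part plain text.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"   # assumption: the organization's real domain
EXECUTIVES = {"jane doe", "sam lee"}  # assumption: executives likely to be impersonated
PRESSURE = {                          # assumption: illustrative keyword patterns
    "wire_request": r"\bwire (transfer|the funds)\b|\bbank account\b",
    "urgency": r"\burgent(ly)?\b|\bimmediately\b|\btoday\b|\bright away\b",
    "secrecy": r"\bconfidential\b|\bsecret\b|\bdo not (tell|discuss|share)\b",
}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings of the domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_message(raw):
    """Return the fake-president indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain != COMPANY_DOMAIN:
        if 0 < edit_distance(domain, COMPANY_DOMAIN) <= 2:
            flags.append("lookalike_domain")
        if name.lower() in EXECUTIVES:
            flags.append("executive_name_external_address")
    for label, pattern in PRESSURE.items():
        if re.search(pattern, msg.get_payload(), re.IGNORECASE):
            flags.append(label)
    return flags

# Constructed sample messages for illustration only.
SAMPLE_FRAUD = """From: Jane Doe <jane.doe@examp1e-corp.com>
Subject: Acquisition payment

I need you to wire transfer 250,000 to the bank account below today.
This deal is confidential, do not discuss it with anyone.
"""
SAMPLE_BENIGN = """From: Sam Lee <sam.lee@example-corp.com>

Are we still on for lunch on Thursday?
"""
```

A message that raises several of these flags together is a candidate for the independent identity verification described under Mitigating Risks, rather than proof of fraud on its own.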

Why This Scam is NOT Covered by a Cyber Policy

This scam bears similarities to certain cyber scams, like spear phishing. Insofar as both kinds of scams involve sending emails targeted to specific employees, the tactics are similar. However, there are some crucial differences.

Spear phishing targets an employee in order to convince him or her to open an email or click a link, which downloads malicious code onto the employee’s computer and allows the criminal to access the company’s network. With phishing scams, the crime is an unauthorized data breach, and, as such, the exposure would be addressed by a cyber policy.

By contrast, in the fake president fraud, the employee willingly authorizes a wire transfer to the criminal’s bank account. Even though the crime was initiated via email, the fundamental criminal act is fraud, not data breach, and will not be covered by a cyber policy.

Mitigating Risks

There are a number of things companies can do to reduce the risk of falling victim to such a scam. These include the following.

  • Educate Employees. It’s essential that all employees—especially those who are authorized to make wire transfers—are aware of the scam and how it works. Ultimately, this scam works by preying on a number of psychological blind spots, including ignorance. Combat that by making your employees aware of the risk and diligent about company procedure.
  • Demand Adherence to Protocols. Your company should have protocols for authorizing the transfer of funds. Reinforce the importance of adhering to these protocols.
  • Verify Identities. This can be especially important if employees have infrequent contact with C-suite executives or if requests are frequently made remotely. Establish guidelines for independent means of verification if requests fall outside of established protocols or if timelines must be accelerated.

Make Sure You’re Covered

Insurance solutions for the fake president fraud are available, but they often come in the form of a specific endorsement on a crime policy.
