What does it mean to get hacked? And how might we mitigate cybercrime?
Hacking is unfortunately far from uncommon. By some counts, more than 2,200 cyberattacks occur per day, which means that one cyberattack occurs every 39 seconds.[i] These hacks carry a tremendous financial cost, with some estimates putting them as high as $6 trillion per year or $500 billion per month, $115.4 billion per week, $16.4 billion per day, $684.9 million per hour, $11.4 million per minute and $190,000 every, single, second.[ii]
The figures are mind-boggling and scary, which is why it is more important than ever to understand what can occur when a business network is hacked. Without grasping the basics, it becomes more difficult to assess your risk and start proactively protecting your company.
What is the origin of the term “hacking”?
The use of the term “hacking” in a computer science context began all the way back in the 1950s at MIT. In those days, hacking simply meant dealing “with a technical problem in a creative way.”[iii] It wasn’t until the late 1970s that hacking started to refer to illicit activity, a definition it retains to this day.
These days, hacking primarily revolves around the compromising of digital devices and networks. While there is “ethical hacking,” which focuses on improving security systems and keeping data safe, most is “black hat,” which means that it is often motivated by money, such as:
Wanting to sell private network information on the black market.
Obtaining access to sensitive information and then attempting to coerce victims into paying money.
Desiring to obtain confidential data and use it for financial benefit.
Holding data hostage until a payment is made.
How do hacks occur?
Typically, business networks are targeted through the multiple endpoints that are vulnerable to criminal activity. Just think about it. Every day, employees access business networks with numerous devices that may or may not be secure. But that’s not all businesses need to be concerned about. Similarly vulnerable areas include:
Any cloud-related services
Passwords
Unsecured WiFi
Malicious websites
Email accounts
Hacks come in every shape and style
There is no “one way” that hacking occurs, which makes it important to cover the different variations of hacking to gain a more complete understanding of the threat landscape. Here are seven distressingly common strategies that cybercriminals routinely employ:
Phishing: By far, phishing is one of the most popular forms of hacking today – in part because it is so effective. To better understand the prevalence of phishing, look no further than to recent data that shows 1 in 99 emails is a phishing email.[iv] There are several different types of phishing emails, such as:
Malware delivery emails, where malware is unleashed if the email recipient clicks on a malicious link.
There are also credential harvesting emails, where the sender will impersonate someone the recipient knows to get them to hand over sensitive information.
Denial of Service (DoS): DoScyberattacks occur when cybercriminals make an online property or service unavailable by inundating it with requests. This attack will frequently result in your website crashing or becoming unusable.
Spyware: Spyware involves malicious code being embedded to monitor email correspondence or worse. Keying (key-logging) to obtain passwords is just one example.
Malware: You’ve likely heard of malware before – and for good reason. Referring to any computer virus, worm, trojan horse, spyware, ransomware, adware or other malicious software, malware has been sneaking into user devices and business networks since the beginning of the computer age.
Brute Force Password Decoding: In this type of hack, finesse or secrecy go out the window. The cybercriminal simply attempts to force his or her way inside your devices or network through automated tools that seek to decode your network passwords.
DNS Attacks: With Domain Name Server (DNS) attacks, cybercriminals utilize an elaborate strategy where they take domain names and transform them into IP addresses, which often results in the domain name server redirecting web traffic to fake websites controlled by the criminal.
Social Engineering: Social engineering cyberattacks are exceptionally difficult to guard against because they focus on manipulating human attributes like empathy, fear and urgency to gain access to personal information or a corporate network. Phishing is one example of such an attack, but there are many others that fall into this bucket.
Are we powerless against hacking?
With such a wide range of illicit cyber activity, it can feel almost impossible to keep up. However, there are numerous things business owners and employees can do to protect themselves and reduce the possibility of harm or financial loss. From following password best practices, to keeping your systems updated, to deploying new techniques like security awareness training (SAT), even the smallest firm can dramatically increase its security posture. The situation is not hopeless. In fact, by following expert advice and remaining vigilant, we all have the power to reduce our risk profile and stay safe online in both our personal and professional lives.
You just received an unusual email from your boss. Better answer it, right? Not so fast.
As an internet user, you likely have some awareness of cyberattacks, and chances are, you may have already been impacted by a cyberattack in one form or another. This is particularly likely considering some of the massive data breaches that have affected large companies over the past few years.
One cyberattack you may be less familiar with, however, is called CEO fraud. CEO fraud is a targeted type of email attack where the scammer poses as the boss and tricks an employee into taking a detrimental action. CEO fraud can affect any type of business, from a large corporation to a small agency. Essentially, if you have a job or work for a company that is larger than just yourself, you are vulnerable to this type of malicious behavior. Here’s how you can be prepared to stop CEO fraud and avoid jeopardizing your company.
The Internet Weaponized
Let’s say you work for a small title agency. There are only a few employees in addition to you and the CEO. A cyber attacker will use the internet to research who your boss is and then create an email pretending to be them. What makes these types of emails especially dangerous is that they don’t contain any malicious links or infected attachments that your average email filtering software will catch. Instead, they appear like your average, ordinary email.
A Fraudulent Sense of Urgency
One of the most defining features of a fraudulent email is urgency. They will urge you to take a specific action right away. These requests are often fiduciary, like handling an invoice, changing payment information, or instructing you to send documents that contain sensitive information.
Two Different Scams
It’s important to take a more granular look into how these scams often work. The first way is wire fraud, a particularly pertinent subject for anyone working in the field of real estate or title insurance. When a cybercriminal is attempting to pull off a scam like this, they will usually spend time identifying those who handle accounts payable and then send them an email pretending to be their boss. The email will direct them to change something about an upcoming money transfer, typically the account where the money will eventually go.
The second way this scam occurs is in the form of tax fraud. In this instance, a similar process will play out, where the criminal will again send someone within your business or organization a fraudulent email pretending to be a superior. The difference this time, however, is that the email will urgently instruct its recipient to send employee tax documents, sensitive information that could be extremely damaging if it fell into the wrong hands.
Stay Vigilant and Stay Safe
Faced with the possibility of such threats, what can an average worker do to practice due diligence and protect themselves or their company from becoming victimized? Most of the time, exercising common sense will be sufficient. But there are also some common signs that can alert you to an email not being on the up-and-up.
Fraudulent emails will almost always be short, with the message consisting of only a few lines of text. They will also mention that the email was sent from a mobile device. They will include instructions that run contrary to your business’s policies, basically conveying that you should ignore standard procedure for the sake of urgency. The actual email address that the message was sent from will also be a dead giveaway. Be on the lookout for any email ending with a common domain name like “@gmail.com” or “@yahoo.com” instead of your company’s email domain name. If you’re in charge at your organization, encourage your employees to give you a call to double check any emailed request from you that may seem out of the ordinary. Practicing these easy steps will go a long way toward helping avoid any potentially dicey situations. Even better, they will alleviate unnecessary stress and let you focus on far more important professional priorities.
What exactly is malware, and how can you safeguard against it?
You’ve heard the term. You’ve seen the warnings. You may have even been unlucky enough to experience an attack. But what exactly is malware, and what can you do to safeguard against it?
Malware: A Catch-All Term
Malware is an umbrella term for any type of malicious software. This can include anything from computer viruses, worms and Trojan horses (a malicious piece of software disguised as a legitimate program) to ransomware, spyware, adware or scareware.
Typically, anything that secretly works against the interests of a computer user can be classified as malware. Malware can infect almost any type of computer or digital device. Some but not all machines that are vulnerable to malware include: Windows computers, Macs, iPhones, iPads, Android devices and network servers. Viruses and worms are the most common types of malware, and both are spread by becoming embedded in executable software.
Why it Matters
Malware is used by hackers to gain access and pilfer the personal, financial, business or governmental data of unsuspecting individuals or organizations. Once this information is acquired, cybercriminals frequently seek to exhort money from their victims – either directly through ransoms (where the criminal blocks access to files or programs until the victim pays them money) or by engaging in identity theft.
Recent studies indicate that cybercrime is on the rise. A 2019 report revealed a 67 percent increase in security breaches over the past five years.[i] The cost of these attacks is truly staggering. According to the White House, “malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.”[ii] The average cost of a data breach is $3.9 million according to IBM.[iii] While it may be tempting to think that only large multinationals are the targets of these attacks, 43 percent of breach victims were small or medium-sized businesses.[iv]
What Can be Done?
As with other industries, identity theft, fraud and other crimes are increasing throughout the insurance and financial services sectors. Still, there are numerous actions you can take to better safeguard your data.
A great first step is to purchase high-quality anti-virus software and install it across your devices. It is essential to purchase one from a well-known and trusted provider, and to have it consistently run scans on any machine that may be vulnerable.
You should diligently update both your operating systems (Mac/IOS, Windows, Android, etc.) and internet browsers (Internet Explorer, Google Chrome, Firefox, Safari and Microsoft Edge). Not only do these updates patch security holes, but they also better protect your data and offer enhanced features that can make your work life easier and more enjoyable.
When safeguarding your devices through the previous steps, it is always a good idea to back up your data and store it on an external hard drive where it will be retrievable in the future. By taking this precaution, you will ensure that you do not lose access to your most valuable data even if you are unlucky enough to experience a malware attack and have to consult a professional to repair your device.
Avoiding Phishing Scams and Ensuring Safe Title Transactions
One of the most common threats that occur during real estate transactions is a phishing scam, where criminals seek to gain access to nonpublic personal information (NPI), place malicious code on your device or convince you to change wiring instructions. To protect yourself from these scams, agents should be mindful of the following warning signs within a suspicious email:
Poor spelling, grammar and generic greetings
Requests for personal information
An unusual sense of urgency
Instructions to change wiring information
Questionable-looking attachments or links that encourage a click.
Additionally, agents can reduce risk by transmitting data through encryption, using two-factor email authentications, maintaining a contact log for all transaction participants, eliminating the need for urgency and performing a risk assessment to identify security gaps.
Commit to Safety
Considering the fiduciary responsibilities that title agents possess, data security is of the utmost importance. Of course, no system is foolproof, but by knowing the risks and taking necessary precautions, agents can make significant progress toward protecting the integrity of their clients’ transactions.
Wire fraud attempts are very common in the title industry. A typical wire fraud scheme, encountered by some of our agents, is known as a business email compromise (“BEC”). In this scheme, the fraudster has hacked into a party’s email account.
The fraudster then lies in wait, they read the outgoing and incoming emails waiting for a sales transaction to occur.