Cybersecurity Social Engineering: Email Security Recommendations

Date: April 2, 2020

Cybersecurity attacks are occurring at such a rapid pace during the COVID-19 crisis that it has become difficult to keep up with all the fraud attempts.

Fundamentally, everyone should:

  • Have up-to-date antivirus software
  • Use a spam filter
  • Use VPN (Virtual Private Network) software
  • NEVER trust public Wi-Fi
  • Use encrypted file sharing, if necessary

Beyond those basic directives, there is an additional offline layer of controls, built on the “Defense in Depth” concept, that every company can easily incorporate to help prevent bank fraud. Now that we are working remotely, business is being conducted with almost no face-to-face interaction among team members, clients and vendors. We rely more on email conversations than on phone calls. Hackers see this situation as an opportunity and are developing schemes to take advantage of it.

Our recommendations for email payment security include the following (your business may already have some or all of these in place):

1. Assemble a directory of pre-arranged telephone numbers (mobile or landline)
  • Include your company leadership or C-suite
  • Include your finance and/or accounts payable teams
  • Include vendors that you have a history of paying electronically
  • Include your bank(s) and regular contacts at your bank(s)

2. Require any team member who receives an email requesting a new or altered electronic payment to reach out to the “requestor” by phone, using the number listed in your directory of “pre-arranged” phone numbers, to verify that the request is genuine and to confirm the account numbers.

Never rely on the contact information or account numbers provided in the email!

3. Require a secondary authentication from a pre-designated member of your company who is included in your directory of pre-arranged telephone numbers, such as your CFO or Director of Finance. You can add another layer of security by agreeing on a pre-designated “code word” with the members of that directory.

4. To protect your pre-arranged telephone directory, store it inside your password vault (most password managers can store secure notes).

HBK Risk Advisory Services can help develop and implement a cybersecurity program that fits your organization’s risk appetite and budget. Our assessment will offer a road map for continual improvement through cost-effective solutions. Call me at 330.758.8613, or email me at wheaven@hbkcpa.com for more information or to schedule an assessment. As always, we’re happy to answer your questions and discuss your concerns.

Also, if you were unable to join us in February for our Risk Advisory Service Webinar on Banking Controls, you can access a recording of the session at: https://attendee.gotowebinar.com/recording/8846183878460240903
