BEC Attacks Are on the Rise. Here’s What You Can Do.

Date July 30, 2020

In April 2019, Saint Ambrose Catholic Parish in Brunswick, Ohio, near Cleveland, was scammed out of $1.75 million in a Business Email Compromise (BEC) attack. According to the investigation by the FBI and the Brunswick police, the attackers gained access to the church’s email system and, posing as the construction firm doing a major renovation at the parish, tricked the administrative staff into changing the firm’s banking information on file. The parish wired the $1.75 million payment to the attackers’ account and discovered the fraud only when the real construction company called to ask about the late payment.

Business Email Compromise (BEC) attacks target commercial, government and non-profit organizations as well as individuals. According to the 2020 Verizon Data Breach Investigations Report, BEC frequency increased nearly 225 percent over the prior year. Median losses were $1,240 for individuals and $44,000 for organizations.

If you learn that you or your company has been the victim of a BEC attack, you should immediately do the following:

  1. Contact the bank the funds were drawn from and ask it to recall the transfer. Speed matters: a wire can sometimes be reversed if the receiving bank is reached before the money is moved on.
  2. Ask your bank to contact the corresponding bank where the fraudulent transfer was sent.
  3. Contact your local FBI office as well as the U.S. Secret Service.
  4. File a complaint, regardless of the dollar loss, with the Internet Crime Complaint Center (www.IC3.gov). Note that it was a BEC attack.
  5. Inform your cybersecurity liability insurer.

The best approach to preventing BEC attacks combines two things: a security awareness and training program that includes simulated phishing emails, and preventative controls designed into your payment process. The control that would have stopped the Saint Ambrose fraud is simple: any change to a vendor’s banking details must be confirmed out of band, by calling the vendor at a phone number already on file (never one supplied in the email requesting the change), and approved by a second person before the first payment goes out.

HBK Risk Advisory Services can help implement a cybersecurity awareness training featuring phishing simulations, IT security policy development and payment controls assessments to evaluate the security of your payment processes. As always, we’re happy to answer your questions and discuss your concerns.

Note: For more information on BEC attacks, listen to the HBK Risk Advisory Services BEC webinar at: http://hbkcpa.com/ras-bec-attacks/

Speak to one of our professionals about your organizational needs

"*" indicates required fields

HBK uses the contact information you provide to send you information about our products and services. You may unsubscribe from these communications any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.



Protect Your Identity: SBA Website Bug Exposes Personal Information of Loan Applicants

Date April 27, 2020

On March 25, the Small Business Administration (SBA) discovered a programming error on its website that exposed the personal information, including Social Security numbers and addresses, of businesses applying for Economic Injury Disaster Loans (EIDL) to other EIDL applicants. The agency said it has corrected the website and notified the businesses that were impacted. The agency also said it will provide a year of credit monitoring to the affected organizations.

Cyber-criminals are likely to try to take advantage of the SBA EIDL website error. They habitually use such situations to target businesses and individuals through social engineering attacks such as phishing. Recently, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the U.K.’s National Cyber Security Centre (NCSC) issued a joint alert regarding the growing use of COVID-19 related themes by malicious actors.

A few suggestions to help you protect your identity:

1. Scrutinize emails pertaining to COVID-19, the CARES Act, EIDL and PPP:

  • Would the entity the email is “supposedly from” typically request personal information or account information via email? Government agencies such as the SBA do not ask for Social Security numbers by email.
  • Hover over (do not click) each hyperlink in the email to reveal the actual destination URL.
  • Carefully examine that URL. The domain that matters is the one immediately before the first single slash; “sba.gov.something-else.com” is not sba.gov, and a link whose visible text shows one address but whose destination is another is a red flag.
  • Verify the request via a different channel (i.e., a phone number or website you already know, not one supplied in the email).

2. Consider freezing your credit files:

  • A provision of the Economic Growth, Regulatory Relief and Consumer Protection Act eliminates the fees associated with freezing and un-freezing your credit files.
  • Consider how often your information is public and vulnerable and what purchases might impact your credit or warrant a credit check.
  • Learn more about freezing your credit files at the Annual Credit Report website. Follow these prompts:
    • Choose the “Protect Your Identity” tab.
    • Then choose “Security freeze basics” on the left-hand side of the screen.

3. Review your annual free credit report via the Annual Credit Report website:

  • It is authorized by federal law.
  • You are entitled to one free report from each of the following credit bureaus every 12 months.
    • Equifax
    • Experian
    • TransUnion

4. If your bank offers it, enable Multi-Factor Authentication (MFA) for all your online financial accounts. Where you have a choice, prefer an authenticator app or hardware security key over codes sent by text message, which can be intercepted through SIM-swap fraud.
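The link checks in item 1 above can be automated, for example in a mail-triage script or a gateway rule. The following Python example is added here and is not code from the original article; the trusted-domain list, the sample message and the simplified “last two labels” domain logic are assumptions made for the example. It extracts every link from an HTML message body and reports the same red flags a careful “hover over” check looks for: a visible address that differs from the real destination, a raw IP address, a punycode host, and a trusted name buried inside someone else’s domain.

```python
"""Automated version of the "hover over the link" check.

Added example, not code from the original article. The trusted-domain
list, the sample message and the crude domain-suffix logic are
assumptions for illustration only.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Domains a reader would legitimately expect EIDL/PPP mail to point at.
# Assumption for the example; tailor to your own organization.
TRUSTED_DOMAINS = {"sba.gov", "irs.gov", "annualcreditreport.com"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Adequate for .com/.gov; a
    production check would consult the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_link(href, text):
    """Return the list of reasons this link deserves suspicion (empty = none)."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme {parsed.scheme!r}")
        return reasons
    if _is_ip(host):
        reasons.append("link points at a raw IP address")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (IDN) host; possible look-alike domain")
    # Visible text that looks like an address but resolves somewhere else.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registrable_domain(m.group(1)) != registrable_domain(host):
        reasons.append(f"visible text says {m.group(1)} but href goes to {host}")
    # A trusted name used as a subdomain or prefix of an untrusted domain.
    for trusted in TRUSTED_DOMAINS:
        if trusted in host and registrable_domain(host) != trusted:
            reasons.append(f"{trusted!r} embedded in untrusted host {host}")
    return reasons


def suspicious_links(html_body):
    """Map each href in the message body to its list of red flags."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    return {href: analyze_link(href, text) for href, text in parser.links}


# Constructed sample message for the example; not a real phishing email.
SAMPLE = """
<p>Your EIDL application needs verification.</p>
<a href="http://sba.gov.verify-loans.example/login">https://www.sba.gov/eidl</a>
<a href="http://198.51.100.7/form">Click here</a>
<a href="https://www.sba.gov/funding-programs">SBA funding programs</a>
"""

if __name__ == "__main__":
    for href, flags in suspicious_links(SAMPLE).items():
        print(href, "->", flags or "ok")
```

Run against the constructed sample, the first link is flagged twice (mismatched visible text, and “sba.gov” used as a subdomain of another domain), the second for pointing at a bare IP address, and the real sba.gov link is reported clean.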

While these are easy steps to take to provide some protection, our list is hardly all-inclusive. As well, there is no comprehensive list of COVID-19-related malicious cyber activity. Individuals and organizations should remain alert to increased activity relating to COVID-19 and take proactive steps to protect themselves.

The HBK Risk Advisory group can answer your questions about identity theft and other cyber security matters. For more information, contact me at WHeaven@hbkcpa.com.




Cybersecurity: Expense or Investment?

Date November 11, 2019
Article Authors
HBK CPAs & Consultants

As a business owner or chief executive you focus on increasing the value of your business. Costs that don’t produce a return, if sometimes necessary, are unwanted expenses.

As the practice of cybersecurity has emerged, many organizations have looked at implementing a cybersecurity program as an expense. But even beyond protecting your organization from potentially catastrophic data thievery, a cybersecurity program is an investment that adds real, quantifiable value to your business—added value clearly evident as owners look to merge or sell their businesses.

Consider the many businesses spanning myriad industries that have suffered, or first discovered, a cyber attack or data breach after being acquired. FitMetrix, a Mindbody acquisition; Starwood Hotels, a Marriott acquisition; MyFitnessPal, an Under Armour acquisition; and Bongo International, a FedEx acquisition, are glaring examples. In the Starwood case the intrusion predated the acquisition and went undetected through due diligence.

All markets and industries have been affected. As a result, a company’s cybersecurity program –or lack thereof– is a central consideration in current M&A due diligence.

In a recent survey conducted by the International Information System Security Certification Consortium, or (ISC)², 96 percent of respondents say they take the maturity of cybersecurity programs into consideration when determining the value of a company. (ISC)² is a non-profit organization offering training and various certifications to cybersecurity professionals.

Moreover, 53 percent of respondents said values can vary widely depending on the maturity and effectiveness of the cyber program; 45 percent agreed that a cybersecurity program adds value but said that they assign value via a plus-or-minus or pass-or-fail indicator.

Perhaps most interesting, the study revealed cybersecurity infrastructure—including “soft” assets such as a risk management policy, security awareness training programs and other governance initiatives that might not traditionally be considered infrastructure—actually has a greater impact on value than IT.

Conversely, the lack of cybersecurity infrastructure indicates a liability potentially devaluing the company.

To illustrate the value of your cybersecurity initiative, we recommend you develop a formalized and documented cybersecurity program. The program should be continually improved and reviewed at least annually by an appropriate third party firm.

Simply put: Invest in cybersecurity. Secure the future of your business and its value.

HBK can help develop and implement a cybersecurity program that fits your organization’s risk appetite and budget. Our assessment will offer a road map for continual improvement through cost-effective solutions. Contact Matthew Schiavone, CPA, CISSP, CISA for questions or to schedule an assessment.




Welcome to Cyber Security Awareness Month

Date October 1, 2019

October is Cyber Security Awareness Month, the 16th consecutive year of the Department of Homeland Security’s (DHS) annual campaign. The goal of the initiative is to raise awareness about the importance of cyber security.

Did You Know? (From the 2019 Verizon Data Breach Investigations Report)

  • C-level executives are 12 times more likely to be targeted by social engineering campaigns.
  • Ransomware attacks are still going strong and remain a valid threat to all industries.
  • Mobile users are more susceptible to phishing attacks, likely due to their user interfaces, among other factors.
  • In 2019, 43% of cyber breaches involved small businesses.

Action Item Reminders:

  • Implement cyber security awareness training, with phishing simulations or similar measures to gauge its effectiveness.
  • Run network vulnerability scans to identify security holes a hacker could exploit, and track the findings to closure.
  • Back up your data, keep at least one copy offline or otherwise out of reach of ransomware, and verify backups by actually restoring from them.
  • Apply vendor-supplied updates to both your hardware and software on a timely basis.

As always, HBK Risk Advisory Services is glad to offer recommendations on your cyber security program and practices. Contact Bill Heaven at 330-758-8613; or via email at wheaven@hbkcpa.com. HBK is here to answer your questions and discuss your concerns.




Cyber Security: It’s Everyone’s Job

Date August 13, 2019
Article Authors
HBK CPAs & Consultants

HBK is in the cyber security business. Our Risk Advisory Services group exists to serve our clients and help ensure they remain healthy, active and viable. That is our business, ethical and moral purpose. We also realize that we alone cannot entirely handle your cyber security needs, because so much of cyber security is a function of business culture and self-awareness.

Here are five reasons cyber security starts and ends in the business setting:

1. Laws put the burden on your business to protect cyber data. If you peruse the California Consumer Privacy Act, the New York Department of Financial Services Cyber Security Regulations, the Ohio Cyber Security Safe Harbor Law, the Florida Information Protection Act, and the mother of all data regulations, the General Data Protection Regulation of the European Union, you will find two common denominators: none of them make it illegal to steal data and all of them make it incumbent on the business to protect data.

Each regulation sets forth actions businesses must take to protect data. This type of law used to be reserved for national security matters—power plants, national emergencies, disaster recovery—but state governments in the U.S. and foreign sovereigns are delivering a clear message that these laws apply generally. You are responsible for protecting data, and if you do not you will be punished.

2. The burden to protect cyber data is being pushed by big businesses to small and medium businesses (SMBs) under contractual mandates. Large multinational businesses are being attacked through their vendors. Target took a data breach hit because of an HVAC vendor. Capital One just announced a data breach allegedly caused by an employee of one of its vendors.

Large businesses are now insisting that their vendors adopt sound cyber hygiene practices or risk losing the business. The role of “vendor risk manager” has risen to the top of the charts as supply chains expand and state laws mandate cyber security measures. SMBs risk losing their best customers if they do not toe the line on cyber security.

3. Blind faith in outsourced IT and cyber security measures does not work. Pay close attention. Pushing problems to a third party does not solve them; it merely hides them. Many SMBs outsource IT and presume that their vendor has cyber security covered. This is flawed for two major reasons. First, IT vendors are only one part of the cyber security solution. Second, IT companies are particularly attractive targets because their remote-access tools are an entry point into every client’s systems. SMBs must be assured that the people they pay are addressing cybersecurity. As one CFO recently told me, he is afraid of what he doesn’t know. That type of self-realization is healthy. Have your vendors demonstrate their cyber security.

4. Cyber Insurance underwriting guidelines will not accept cyber security indifference from management. Financing a cyber data breach or a ransomware heist is a big financial deal. CEOs, COOs, CFOs and BODs are tasked with managing the business vessel. Running afoul of cyber insurance guidelines can deprive a business of the requisite financial resources provided by insurance during a cyber data calamity. Good business management practices as well as operating agreements, by-laws and partnership agreements entrust these levels of decision to management. If C-level management and boards do not fulfill their obligations, they place the financial status of the business in peril. Study the cyber security laws and regulations listed in item 1 of this article. They are aimed directly at management.

5. Fiduciary Duty of Company Officers. Talk to your business lawyers about the respective duties owed to companies by their officers. Most state laws place this high level of responsibility upon the company officers. Fiduciary duties are non-delegable.

We do not have the luxury of cyber police patrolling the data streets of homes and businesses. Security always begins with the individual. Never confuse law enforcement with security. It is incumbent upon each person to do their part in cyber and data security because each person is a link in the cyber data chain. HBK understands this reality and bases its cyber security services on understanding the human, technical and management elements as being inextricably intertwined. In the end, you are only as secure as your weakest link.

For more information or to review your cyber security responsibilities and readiness, contact Steve Franckhauser at 614.228.4000 or sfranckhauser@hbkcpa.com.




Don’t Be a Boeing: Strengthen Your Cybersecurity

Date June 24, 2019
Article Authors
HBK CPAs & Consultants

There are no more excuses to bury your business’s head in the sand. The data and cyber theft threats are real. And imminent. And not just for big corporations or large government organizations. Attackers are at your front door … or worse.

There are three areas that need your consideration when it comes to protecting your data from cyber attack.

FIRST: To Err is Human: Have your processes and controls assessed and take stock of your level of cyber preparation. Pay special attention to your “human” vulnerabilities, as most cyber thefts are the result of someone either unwittingly or purposely allowing a breach to happen. The best software in the world cannot stop someone inside the organization from handing an attacker access to your systems and processes.

Do it now. If you are defenseless you could have to pay a ransom to stay in business. Or worse, you might not be able to afford to stay in business.

SECOND: Assess your vendors and third-party providers. It’s much like going to a doctor’s office in the morning for a checkup, then having your immune system attacked by a virus you picked up from someone sitting next to you in the waiting room. It’s the same with vendors and those who service them. They can infect your systems in spite of your best efforts. A compromised HVAC vendor was the root cause of the Target data breach in 2013 that extended to as many as 70 million customers. Boeing continues to struggle as its fleet of 737 Max passenger jets, and its stock price, remain grounded due to problems with flight-control software, portions of which were reportedly developed by outsourced engineers, that critics have described as “fatally flawed” and that has been at the root of two major airline catastrophes.

THIRD: Assess the data you transmit, process and store. Make a pecking order of data to determine which are more critical to your operation, and start at the top. Then proceed through it all.

Cybersecurity is no longer a check-the-box process; it is a way of doing business, a part of your business that must be addressed continually and methodically. We can help. Contact HBK Risk Advisory Services at 614-228-4000 or email us at SFranckhauser@hbkcpa.com with your cybersecurity questions and concerns. We can meet with you to discuss precisely when, how, where and why you need to protect your data. You can take baby steps. The one thing you shouldn’t do is nothing.
