Cybersecurity Social Engineering: Email Security Recommendations

Date April 2, 2020

Cybersecurity attacks are occurring at such a rapid pace during the COVID-19 crisis that it has become difficult to keep up with all the fraud attempts.

Fundamentally, everyone should:

  • Have up-to-date antivirus software
  • Use a Spam Filter
  • Use VPN (Virtual Private Network) software
  • NEVER trust public Wi-Fi
  • Use Encrypted Filesharing, if necessary


Beyond those basic directives, there is an additional offline layer of controls, building on the “Defense in Depth” concept, that every company can easily incorporate to help prevent bank fraud. Now that we are working remotely, business is being conducted with almost no face-to-face interaction among team members, clients, and vendors. We rely more on email conversations than on phone calls. Hackers see this situation as an opportunity and are developing schemes to take advantage of it.

Our recommendations for email payment security include the following (your business may already have some or all of these in place):

1. Assemble a directory—mobile or landline—with pre-arranged telephone numbers
  • Include your company leadership or C-suite
  • Include your finance and/or accounts payable teams
  • Include vendors that you have a history of paying electronically
  • Include your bank(s) and regular contacts at your bank(s)

2. Require any team member receiving an email requesting a new or altered electronic payment to reach out to the “requestor” as listed in your new directory of “pre-arranged” phone numbers to verify that the request is real and to verify the account numbers.

Never rely on the contact information or account numbers provided in the email!

3. Require a secondary authentication from a pre-designated member of your company who is included in your directory of pre-arranged telephone numbers, such as your CFO or Director of finance. Additionally, you can add another layer of security by using a pre-designated “code word” with the members of the pre-designated directory.

4. To protect your pre-arranged telephone directory, store it inside your password vault. (Most password vaults can store secure notes.)

HBK Risk Advisory Services can help develop and implement a cybersecurity program that fits your organization’s risk appetite and budget. Our assessment will offer a road map for continual improvement through cost-effective solutions. Call me at 330.758.8613, or email me at wheaven@hbkcpa.com for more information or to schedule an assessment. As always, we’re happy to answer your questions and discuss your concerns.

Also, if you were unable to join us in February for our Risk Advisory Service Webinar on Banking Controls, you can access a recording of the session at: https://attendee.gotowebinar.com/recording/8846183878460240903




Encryption: A VPN Building Block

Date October 21, 2019

When working remotely to improve “cyber posture,” we typically recommend a Virtual Private Network (VPN) as an encrypted “tunnel” between sending and receiving networks to protect the confidentiality of data in the communication. A VPN would not be viable without encryption.

Encryption is a mathematical function. It is part of the broad science of secret languages, called cryptography, and covers the process of converting plaintext into ciphertext, or “encryption,” and back again, known as “decryption.” Encryption has been around for centuries; one of the earliest examples, the Caesar cipher, dates back to ancient Rome and protects the secrecy of a message by substituting each letter with another one further along in the alphabet.

Central to understanding how encryption works—and, indirectly, how VPNs increase security through encryption—is the number of encryption “keys” used during the process of converting plaintext to ciphertext and back. At the highest level, there are two types of encryption:

  1. Symmetric, where the same key is used to both encrypt and decrypt the data
  2. Asymmetric, where the “public key” is used to encrypt and the “private key” is used to decrypt. (The public and private keys of a pair are “related” mathematically.)

Neither type of encryption is better than the other. In fact, both of these technologies are critical in achieving cybersecurity when utilized properly.
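As an added illustration (not code from the HBK article), the Python below puts the two key models side by side: a Caesar cipher, where the one shift value both encrypts and decrypts, and a toy RSA key pair, where the public key encrypts and a mathematically related private key decrypts. The primes 61 and 53 and the exponent 17 are small teaching values assumed here for readability, not realistic key sizes.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar(text: str, shift: int, decrypt: bool = False) -> str:
    """Caesar cipher (symmetric): the same shift value is the key for both
    directions; decryption just applies it in reverse."""
    if decrypt:
        shift = -shift
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def toy_rsa_keypair(p: int = 61, q: int = 53, e: int = 17):
    """Toy RSA key pair (asymmetric). p, q, e are small teaching values
    (assumed here, not from the article); real keys use huge primes.
    Returns (public_key, private_key); only d must stay secret."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse: e * d == 1 (mod phi), Python 3.8+
    return (e, n), (d, n)


def rsa_apply(key, m: int) -> int:
    """m ** k mod n: the public key encrypts, the related private key decrypts."""
    k, n = key
    return pow(m, k, n)


def demo() -> dict:
    """Round-trip a message through both models and return the values seen."""
    msg = "PAY VENDOR"
    sym_ct = caesar(msg, 3)
    sym_pt = caesar(sym_ct, 3, decrypt=True)  # same key, reversed
    pub, priv = toy_rsa_keypair()
    asym_ct = rsa_apply(pub, 65)              # 65 stands in for a short message
    asym_pt = rsa_apply(priv, asym_ct)        # different (but related) key
    return {"sym_ct": sym_ct, "sym_pt": sym_pt,
            "asym_ct": asym_ct, "asym_pt": asym_pt,
            "same_key_symmetric": True, "same_key_asymmetric": pub == priv}
```

Decrypting with the wrong Caesar shift, or applying the public key a second time instead of the private one, does not recover the message, which is the practical meaning of "the keys are related but not interchangeable".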

As always, HBK Risk Advisory Services (RAS) is glad to offer recommendations on your cyber security program and practices. Contact Bill Heaven at 330-758-8613 or via email at wheaven@hbkcpa.com. HBK RAS is here to answer your questions and discuss your concerns.
