How Does Business Identity Theft Happen?

   Back to Business Identity Theft: Part 1

• How do my business computers get infected?

  Infection of your business computers is frequently the result of non-business activities such as casual Internet surfing, gaming, checking personal email, etc. Employees may be using business computers, or their own mobile devices connected to company networks, to visit popular social networking sites such as Facebook, LinkedIn, or Twitter.

  Many employees also check their personal email at work and open forwarded humorous emails or videos. All of these activities put your business computers and networks, and ultimately your business, at significant risk. A single errant or careless click can compromise critical business systems, cause the loss or theft of sensitive customer and employee information, or result in cybercriminals cleaning out your business bank accounts.

  In other cases, an untrained or unsuspecting employee may open and respond to a phishing email designed to trick them into divulging log-in credentials or other sensitive information or to connect them to a bogus web page designed to trick them into attempting to log in (or update their log-in credentials) so as to capture their user name and password. Such emails may even appear to originate from within the business, such as from accounting, HR, or I.T. Phishing emails may be received by low-level employees, or may be specifically targeted at a manager or high-level executive (known as "spear phishing") because higher-level employees often have greater systems access and/or may have full computer administrator rights that will allow malware to install and execute.

  Another commonly used tactic is a malware attachment disguised as a Word, Excel, or PDF file. The email subject and message are designed to prompt the recipient to open the attachment, and may appear to be providing an invoice, shipping notification, travel itinerary, or any number of other common business documents. The attachment, however, is an executable program that launches and installs itself when opened.

  In other cases, malicious programs can easily take advantage of unsecured or un-patched Internet browsers and operating systems, as well as unsecured/un-patched versions of popular software such as Flash and Acrobat.

• Questions every business owner should be able to answer:

1. What security measures or controls does your business have in place with your financial institution to protect against fraudulent ACH and wire transfers?
2. What hardware and software security measures are in place to protect business computers and networks?
3. Are all business computer Internet browser, operating system, and software security patches up to date?
4. If your business utilizes a Wi-Fi network, is it secure?
5. Do you provide appropriate, documented computer and Internet security awareness training to all applicable employees at least annually?
6. Do you allow employees to use company computers for non-business-related activities?
7. Do you have properly enforced policies and procedures in place regarding Internet and computer/mobile device usage at work?
8. Do employees have limited or full computer administrator rights? (i.e. Does their user account allow them to install programs or make system changes?)
9. Do you allow employees to bring their own computers or mobile devices to work and connect to your business network? Do your employees connect to business networks or systems from home or on the road? If you answered yes to either, what hardware and software protective measures are required or in place?

The ITPA offers FREE employer training accounts that make providing your required employee information security and compliance training simple, painless, and affordable. Businesses of every size can easily manage and deliver world-class interactive training with no upfront costs, no I.T. requirements, and no minimum purchase requirements. Your online training center can be ready to use in just minutes. Learn more and get started today!

More information and resources

The national business identity theft resource website, BusinessIDtheft.org, offers a wealth of free information, resources, and tips to help you protect your business from thieves and cybercrime.

Back to Business Identity Theft: Part 1