40% of manufacturers fall prey to hackers - make sure you’re not next
John Allen is a Manager with Boyer & Ritter LLC, where he provides audit, accounting and tax services in the Manufacturing, Small Business, and Construction practice groups. For questions, reach out to your Boyer & Ritter representative or reach John at 717-761-7210 or jallen@cpabr.com.
From the ransomware attack on the Colonial Pipeline that caused a brief gas price spike to meat processor JBS Foods that caused similar consumer pain in groceries, hackers are increasingly hitting vital targets large and small.
Hospitals, municipalities, utilities, manufacturers and even police departments have all been compromised – and all too often, the hackers are long gone before their victims realize what happened.
Four out of 10 manufacturers said their operations were impacted by a cyber incident in the past 12 months, according to a recent study by Deloitte and Manufacturers Alliance for Productivity and Innovation (MAPI). The average financial impact from a data breach in 2018 was $7.5 million, the study said.
For small businesses and manufacturers doing business internationally, the exposure has expanded to frightening levels.
An encrypted VPN with a firewall provides a good starting line of defense to prevent basic intrusion attempts.
But many business attacks start through your company’s email – and staying safe requires robust staff training as well as security software.
During my time as an in-house CFO in the manufacturing industry, I found hackers employed strategies from the obvious to the highly sophisticated. Many times, a hacker’s success came down to the alertness and training of employees, who either recognized the phishing attempt outright or double-checked with someone in-house before doing anything.
The following is a closer look at ways hackers try to leverage the human side. Training, combined with strong passwords and two-factor email authentication, can keep your company safe from ever-increasing digital banditry.
Common phishing ploys
Hackers try to make phishing emails look like they come from someone within your company or a trusted vendor. Typically, they say they either urgently need funds or ask you to click on an emailed link or attachment – something the bad guys hope your employee will do without much thought.
The hackers often choose to impersonate someone in a position of authority, such as a CEO or CFO, to add a sense of legitimacy and urgency.
Hackers comb social media and the staff listings on your company website to determine who oversees paying bills or managing the bank accounts. Controllers, assistant controllers, accounts payable staff, and business managers are the number one targets.
Internal controls to avoid your staff getting hoodwinked
The best line of defense is a set of strong internal controls:
- Documentation required: Always require documentation for payment – no exceptions.
- Verify internally: Always call or make some other non-email contact with the person who supposedly asked for the payment to confirm it is legitimate. Assure your employees that no matter who the email is ostensibly from, they should not be afraid to question the request. Better to be safe than give money to a fraudster.
- Authenticate vendor requests: If a vendor asks to change their bank information, call them directly to confirm – and do not use a phone number given in the email requesting the change. Requesting payment and giving instructions for the money to go to a new account is a common ploy. Almost every “vendor” phishing attempt involves a request to make a payment to a bank account the vendor has not previously used.
Additional precautions
As part of your employee training to combat hacking attempts, go over the following warning signs and actions to avoid:
- Look for email mistakes: Small signs, like a 1 in place of an I or a zero in place of an O, are indications that the email is not legitimate.
- Funky grammar: Many hackers are from foreign countries, and English is not their native tongue. It is not uncommon for these fraudsters to have misspellings or weird sentence structures.
- Email greetings and signatures: Signs of an outsider posing as an insider are commonly in the email signature or salutation. For example, if your CEO goes by Bob, but he is suddenly referring to himself as Robert, you have reason to be suspicious. Remember, hackers are getting names from official listings they find online that do not reflect nicknames or other deviations a coworker may commonly use.
- Beware of email links: It takes just one person in your company making a mistake to allow a data breach. Hackers typically aim for clerical workers or secretaries and try to make the email seem like a routine message from a superior. Train your employees to carefully examine an email before clicking on a link, and then:
- Have them ask themselves, “Is this something that I expected to receive?”
- Even if it seems legitimate, call the sending party before taking any requested action – and use a phone number you know is good, not one in the email in question.
Warning signs that a vendor is compromised
Sometimes the hacker infiltrates a system owned by a customer or vendor, then registers a look-alike domain, intercepts emails, and sends out messages that appear legitimate.
Usually, hackers try to get money through payment-request emails, often striking an urgent tone. Once you send funds, it may be difficult to tell which end the breach came from and, as in most hacking cases, there is little chance of recovering the money.
Having impersonation protection software can help immensely. It prevents emails that are either newer domains or are close impersonations of either your email address or an approved recipient from even getting to your employees’ inboxes.
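The screening an impersonation filter performs can be sketched in code. This is an added example, not the article’s own or any vendor’s product: it flags sender domains that match an approved domain after folding look-alike characters (1 for i, 0 for o), that are near matches by edit similarity, or that bury an approved name inside a longer domain. The approved domains, sample senders and threshold are constructed assumptions; checking domain registration age would need a WHOIS lookup and is left out.

```python
import re
from difflib import SequenceMatcher

# Constructed assumption: the company's own domain plus an approved vendor.
APPROVED_DOMAINS = {"acme-manufacturing.com", "steelsupplyco.com"}

# Characters commonly swapped in look-alike domains, folded to one canonical form.
CONFUSABLES = str.maketrans({"0": "o", "1": "i", "l": "i", "3": "e", "5": "s"})


def normalize(domain):
    """Lowercase, drop a leading 'www.', fold 'rn' to 'm' and digit/letter confusables."""
    d = domain.lower().strip()
    if d.startswith("www."):
        d = d[4:]
    return d.replace("rn", "m").translate(CONFUSABLES)


def similarity(a, b):
    """Ratio in [0, 1]; 1.0 means identical strings."""
    return SequenceMatcher(None, a, b).ratio()


def classify_sender(address, approved=APPROVED_DOMAINS, threshold=0.85):
    """Return (verdict, matched_approved_domain) for one From: address.

    verdict is 'approved', 'lookalike', 'unknown' or 'invalid'.
    """
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return ("invalid", None)
    domain = m.group(1).lower()
    if domain in approved:
        return ("approved", domain)
    norm = normalize(domain)
    for good in approved:
        good_norm = normalize(good)
        # Same name after folding, a near miss (e.g. .co for .com), or the
        # approved name used as a subdomain of an attacker-controlled domain.
        if norm == good_norm or similarity(norm, good_norm) >= threshold or good in domain:
            return ("lookalike", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample senders for a quick demonstration.
    for sender in ["ap@acme-manufacturing.com", "cfo@acme-manufactur1ng.com",
                   "billing@stee1supplyco.com", "ar@steelsupplyco.co",
                   "ap@acme-manufacturing.com.invoice-review.net", "news@example.org"]:
        print(sender, "->", classify_sender(sender))
```

A filter like this quarantines "lookalike" results for review rather than delivering them; "unknown" senders still need the call-to-confirm control before any payment is made.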
Additionally, implementing the internal controls mentioned above – especially calling to confirm vendor requests – guards against costly mistakes.
Bottom line
Safeguarding your company – and employees – against hackers is an ongoing process. After establishing internal controls, it is vital to continue educating and reminding employees about potential digital threats. There are also various types of software available that let you test your workers’ ability to spot a suspicious email.
The best line of defense between you and a significant cyberattack is well-trained employees.