In a May 2019 article, we warned contractors to beware of the dangers of hackers looking to snag online payments.
Today, the danger is greater than ever, and it isn't limited to contractors.
Any business (and any person anywhere) using e-mail, remote access, or online programs to conduct their business or finances is vulnerable to hacking. Those vulnerabilities are magnified by the measures governments around the world and in the U.S. are taking to slow the spread of the novel coronavirus and the accompanying COVID-19 disease.
In an effort to protect their workers and customers, businesses are moving their operations online - at a level and to an extent that has never been done before. Employees are working remotely on an unprecedented scale, relying on e-mails, text messages, instant messages, and remote access to communicate within and outside of their business.
These online systems are only as strong as the weakest link in the digital chain of communications. And the greatest cyber security in the world can be defeated by one employee failing to realize they are communicating with a scammer. A hacker gaining access to an employee's email account - or worse, obtaining the credentials to remotely log in to a business's network - could devastate a business very quickly.
The reality of the current international crisis creates new targets of opportunity for hackers looking to make a quick, tax-free buck by stealing money from unsuspecting businesses and employees. Beyond the risks that hackers pose from intercepting large payments (the scheme addressed last year), a clever hacker could, as examples, direct a company's payroll staff to send an employee's paycheck to the criminal's bank account; impersonate a company's owner to direct business funds to a "new" business account (the hacker's bank); or use a company's assets to buy gift cards.
Under the current circumstances (but really at all times), it is imperative for businesses to take precautions. Best practices to minimize your risk of being hacked are to:
Use long, strong passwords.
Never use the same password for more than one website or e-mail account. Many web browsers, computers, and cell phones can generate and save strong, randomized passwords for you, so you do not have to remember them.
If any employee's e-mail (personal or business) is hacked, change everyone's passwords, and do not re-use any password that was used anywhere.
Use an identity monitoring service (free ones exist) that scans the internet and dark web to locate compromised passwords. Make sure your passwords are not out there; if they are, change them immediately.
Change your password regularly and any time you suspect a password has been exposed or stolen.
Require your employees to use two-factor authentication for their e-mails, remote log-ins, or any online system that your business uses.
Be on the lookout for suspicious e-mails, and always call to verify changed payment instructions. But remember to call a phone number saved to your phone or from the signature block of an old e-mail that you know was legitimate. Hackers can and will change the signature block of a compromised e-mail to trick victims into calling the hacker.
Always verify, by phone call to a known number, any wire instructions that ask you to send money to a different bank account.
Protect yourself with carefully drafted contracts and subcontracts to minimize your risks from these kinds of hacks.
If you suspect an e-mail is fake, assume it is until you can verify it by something other than an e-mail to the sender.
A Note to Attorneys. Attorneys should be aware that an intercepted payment or hacked e-mail could have profound ethical implications and trigger obligations to inform other parties and persons of the hack. If an attorney's email is compromised, there could also be profound implications for attorney-client privilege.
Lang & Klain can help if you are the victim of hacking or are looking to protect yourself or your business from liabilities arising from these threats.