We are under attack. And by this I don’t mean by the usual suspects. Zika virus seems to be relatively under control. And I’m not referring to Russia, either, although that is probably being debated by people at a much higher pay grade than mine. No, what I am saying is that our industry is officially under cyberattack. Criminals have figured out that we handle very large sums of money, and they have seized the opportunity that our increasingly technology-dependent ways of doing business have created. And it is getting worse every day.
In the past month, I’ve had at least five members of IYBA relay that they have been spoofed to the tune of several hundred thousand dollars. Even though they thought they had checks and balances in place to prevent this from happening, the thieves got through. And our industry seems to be evolving into an even bigger target.
Rarely do I glance at my inbox and not find some nefarious-looking note telling me to click here to confirm, or to open this attachment to verify its contents. The IYBA office gets no fewer than 15-20 solicitations per day that are quite obviously phishing. As a result, we have adopted a no-click-through policy for any email that is not specifically from a member or vendor we know well, verified by the return email address.
But the problem has grown even bigger. Recently I received a pop-up from Windows that it was time to do a system update on my computer. Without thinking, I clicked on it because it looked authentic. The install took much longer than normal, which led to a lot of second-guessing on my part. I was literally holding my breath, waiting for a ransom demand to pop up on my screen in exchange for my precious hard drive contents. Fortunately, all seems to be in order, but the insidious practices I was afraid of are here and they are not going away. Beyond the spyware and ransomware fears, hackers are now able to intercept outgoing email communications, alter the bank account numbers and other details in them, and at the same time delete the original correspondence to and from the sender. It is completely invisible to the parties involved, and when it happens, no one is any the wiser.
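The "verified by the return email address" rule from the previous paragraph is a useful screen, but the From, Reply-To and Return-Path headers are all written by whoever sends the message, so the rule needs to look at all three and at near-miss domains, not just the visible sender. The following is an added example, not code from the column or from IYBA, showing such a screen over three constructed messages: a genuine one, one whose Reply-To quietly redirects the answer to a different domain (the altered-wire-instructions scenario above), and one from a lookalike domain. The allowlist domains, addresses and message text are all made up for illustration. A message that comes back anything other than "verified" gets the phone call, not a click.

```python
"""Screen a message's sender headers against a known-contact allowlist.

Added example, not code from the original column. The allowlist, the
addresses and the sample messages are constructed for illustration.
"""
import difflib
import email
from email import policy
from email.utils import parseaddr

# Assumed allowlist: domains of members and vendors you already know.
KNOWN_DOMAINS = {"iyba.org", "bluewater-yachts.com"}


def sender_domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _name, addr = parseaddr(str(header_value))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender(raw, known=KNOWN_DOMAINS):
    """Return (verdict, findings) for one raw RFC 5322 message.

    The verdict is 'verified' only when the From domain is on the allowlist
    and no other sender header points somewhere else; anything else is
    'verify-by-phone'. Headers are attacker-controlled, so this is a screen,
    not proof of origin.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = sender_domain(msg.get("From", ""))
    reply_dom = sender_domain(msg.get("Reply-To", ""))
    bounce_dom = sender_domain(msg.get("Return-Path", ""))
    findings = []

    if from_dom not in known:
        findings.append(f"unknown-domain:{from_dom}")
        # A near miss against a known domain is the classic lookalike trick
        # (a dropped letter, a swapped TLD, an extra hyphenated word).
        close = difflib.get_close_matches(from_dom, known, n=1, cutoff=0.8)
        if close:
            findings.append(f"lookalike-of:{close[0]}")

    # A Reply-To on a different domain silently redirects your answer.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{reply_dom}")

    # Return-Path is the envelope sender the relay actually saw; a mismatch
    # with the visible From is not always malicious, but it earns a call.
    if bounce_dom and bounce_dom != from_dom:
        findings.append(f"return-path-mismatch:{bounce_dom}")

    verdict = "verified" if not findings else "verify-by-phone"
    return verdict, findings


# Constructed sample messages (not real mail).
LEGIT = b"""Return-Path: <broker@bluewater-yachts.com>
From: Broker <broker@bluewater-yachts.com>
To: office@iyba.org
Subject: Closing statement

Attached.
"""

REPLY_TO_HIJACK = b"""Return-Path: <bounce@mail-relay.example>
From: Broker <broker@bluewater-yachts.com>
Reply-To: Broker <broker@bluewater-yachts-mail.com>
To: office@iyba.org
Subject: Updated wire instructions

Please use the new account for the closing.
"""

LOOKALIKE = b"""Return-Path: <broker@bluewater-yacht.com>
From: Broker <broker@bluewater-yacht.com>
To: office@iyba.org
Subject: Updated wire instructions

Please use the new account for the closing.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT),
                       ("reply-to", REPLY_TO_HIJACK),
                       ("lookalike", LOOKALIKE)):
        print(label, check_sender(raw))
```

The first sample passes; the second is flagged because the Reply-To and Return-Path both point away from the visible sender; the third is flagged as an unknown domain that closely resembles a known one. None of these checks replaces gateway authentication (SPF, DKIM, DMARC) or the phone call the column recommends; they only decide which messages earn that call.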
The main culprit is of our own making. Personally, I hate to memorize multiple passwords. Try as I might, no matter how disciplined I try to make myself, I can never manage multiple unique passwords for every application. My attitude was always, nothing to hide here, so hack away! Now, 10-plus years later, I am still using some lazy derivative of that original password, and that is stupid.
My plea to everyone is to take a step back and consider going a little lower-tech in your financial transactions. We have an article on page 6 that reviews some basic best practices to consider integrating into your business if you’ve not done so already. It’s worth a look, and a review of your own internal procedures.
It also brings me back to why this association was formed to begin with: for professional cooperation. Ours is a small enough industry that we typically know one another. When I first started attending FYBA’s seminars back in the day, the banking protocol was moving away from sending paper checks. If you weren’t using wire transfers, you were old-school and out of touch. Now the hackers have figured out a way around that too. We all need to add a commonsense layer: pick up the phone, call the other party at a number you already have on file rather than one taken from the email, and verbally verify those banking details. I’m not suggesting we go back to paper checks, God forbid. But too often, in our rush to get to the paycheck, we overlook basic protocols and open ourselves to being exploited. No, it’s not high-tech, but as stewards of such large sums of money, perhaps an ounce of prevention is worth a pound of cure.
P.S. If you do get hacked, immediately contact your bank, the Broward County Economic Crime Division and the FBI at IC3.GOV. In a few cases they have been successful in recovering some if not all of the money.
Executive Director, IYBA