Andrea Shaw Discusses How to Address Cybercrimes for Businesses
Learn what cybercrimes businesses face and what to do if you are a victim.
This video dives into prevention tactics small and medium-sized businesses (SMBs) can use to stay protected and secure. Andrea also covers some helpful resources that most banks offer for SMBs.
Andrea is a well-versed consumer finance, bank regulatory and privacy lawyer with over 15 years of experience as a regulator and counsel to both state and federally chartered banks. Andrea has a deep understanding of the unique challenges SMBs face, and guides them through the process with clear communication and focus.
To learn more about Andrea’s legal expertise and background, click here to view Andrea Shaw’s bio page.
Featured Topics on Preventing Cybercrimes
- Overview of the most common cybercrimes and cyber threats
- What a corporate account takeover is and what to do
- How SMBs can keep from becoming victims of cybercrime
- What companies can do if they become victims of cybercrime
Read the Video Transcription of Part 2
Jill Malandrino: Welcome to NASDAQ Trade Talks. I’m Jill Malandrino, Global Markets Reporter at NASDAQ.
Criminals are the original entrepreneurs. They are always looking for a new way to make a lot of money and, as our world becomes more and more digital, criminals are digitizing too. They are finding ways to access business banking accounts and help themselves to your money.
Fall has had a lot of national cybersecurity awareness so you’re probably hearing about this from various places right now.
Joining me to discuss is Andrea Shaw, partner at the law firm, Practus, LLP, who has extensive experience on the regulatory and legal side of cybersecurity enforcement.
Andrea, it’s great to have you with us. Welcome to #TradeTalks.
Andrea Shaw: Thank you so much for having me.
Jill Malandrino: Let’s start with an overview of cybercrimes impacting businesses and what to do if you find yourself in this unfavorable position.
Andrea Shaw: Sure, we’re only going to touch upon a couple of cybercrimes today because if we wanted to go through the whole litany, we’d be here all week. So, things that are common that businesses see a lot.
The low-hanging fruit, if you will, are the things that are common that businesses see a lot. This includes phishing with the “P-H”, not an “F”. Phishing is when somebody is trying to contact you, usually via email or a link through text. Email is the most common.
They’re trying to learn more about you and get enough information about you so they can access other data and things that you possess because you use that information as your passwords or in your security questions.
Another common cybercrime is when the bad guys put malware on your computers. They usually need phishing first so they can get access. The malware gives them access to more information on your computer. It can have a keystroke logger to track your passwords. It also gives them a backdoor to get in to add things like ransomware which is another thing we’re seeing right now a lot of.
Ransomware is just like it sounds. Criminals get in there and encrypt all your data to then ransom it back to you.
Last but certainly not least, is corporate account takeover. This one makes me particularly nervous because I think this has a big impact from the financial standpoint. Especially for a small business where the bad guys get the credentials to your online banking account. Once they get in there, they can transfer that money anywhere they want. They can wire transfer it if your system has that capacity or they can do an ACH. They can basically clean out your online accounts. As a business, you’d feel incredibly vulnerable and helpless.
Jill Malandrino: Can you provide some context and give us a recent example of a corporate account takeover? How it was discovered and resolved?
Andrea Shaw: Interestingly enough, you don’t hear about corporate account takeovers a lot in the news. That’s because when they happen, and they have those sorts of losses, no one wants to publicize it because it could mean loans getting called. They worry now that you’re going to file for bankruptcy. So, unless something eventually gets litigated, because oftentimes businesses and the banking institutions end up in lawsuits over it, you aren’t going to really hear about it.
These aren’t the sexy ones like ransomware. Those are the ones you hear about all the time. The way this is discovered is when you, the business owner, go to log into your account and there’s no money there. Or you get an overdraft notice from your bank and think, “Golly, that’s not quite right.” It’s really usually discovered by the business owner once the money’s already gone.
Jill Malandrino: How do you keep from becoming a victim of corporate account takeover?
Andrea Shaw: Of course, it’s all practicing good online security, which starts with virus protection. And strong passwords, which everybody hears about all the time. But the other important thing is to have strong internal policies.
If you have employees that have access to your online banking credentials, make sure that those machines also can’t access high-risk online sites. Like social networking sites: block those. There’s no reason most employees need access to that while they’re working, unless of course you’re a journalist because you probably need to have access to those types of things. But these are some unique exceptions.
Be mindful that wherever you’re banking, or even accessing your computer systems, you’re using what’s called multi-factor authentication. That’s when you have different levels of security just to get in. So, it’s always something you know and something you have. Your login name and password is something you know. And, something you have could be a text message that says, “Please type this code in order to get full access.” Multi-factor authentication is really important.
Another important thing is banks actually offer products, especially in the small business area to help prevent these types of things from happening. I feel like this is something a lot of small businesses have never heard of.
For example, a great product (and you have to pay for it, but I really believe an ounce of prevention is worth a pound of a cure) is called “positive pay”. If you’re making payments from your online bank account, it will say, “I know I only make payments to these five vendors, so if you see a payment being asked to go out to anybody but these five vendors, put that on a special list and send it to me so I can say ‘Yes, I really want to send this.’”
Banks have it for checks, ACH, and they have it for different types of transactions. Your bank may have a cute product name for it, but talk to your banking specialist about what they have available to help prevent this. Your bank doesn’t want this to happen to the small businesses, their consumers, or anybody either. Because even if you can stop it or get the money back, it costs everybody a lot of time and money in that process.
Jill Malandrino: What should companies do if they fall victim?
Andrea Shaw: The first thing they need to do is notify their bank immediately as fast as they can. Pick up the phone. Don’t send an email because [the hacker] can block the transfers. Depending on how it was done, they may be able to recall the transfers. Wire transfers are the most difficult but there are ways to try to claw money back that goes out from a wire transfer.
Of course, you always want to file a police report. Even if it’s unlikely that they’re going to be able to strongly assist with recovery of any funds. You never know what types of large schemes they are investigating and what will be the key to unlocking it.
You need to change all your passwords to something strong and you want to make sure your virus protection is always updated.
Jill Malandrino: Andrea, that’s valuable advice. Thanks for joining us on #TradeTalks.
Andrea Shaw: Thanks for having me.
Jill Malandrino: Thanks for joining me. I’m Jill Malandrino, Global Markets Reporter at NASDAQ.
Practus, LLP provides this information as a service to clients and others for educational purposes only. It should not be construed or relied on as legal advice or to create an attorney-client relationship. Readers should not act upon this information without seeking advice from professional advisers.