What are the warning signs of a phishing attack?

BST & Co. CPAs, LLP, one of the Capital Region’s leading accounting and management consulting firms, through its alliance with cybersecurity consultant West Point Security, LLC, is sharing tips and strategies with businesses and individuals to arm themselves against online attacks focused on capturing sensitive information and personal data.   

Norm Massry, CEO and founder of Albany-based West Point Security, is a seasoned compliance attorney and engineer with more than 14 years of experience in information security governance, operational risk management, audit of information systems and networks, incident response and business continuity and disaster recovery.

“Cybercrime has many faces and often uses fear tactics to elicit responses from unsuspecting victims,” Massry said. “Current scam headliners include fake E-ZPass violation warnings, fake DMV warnings, and countless others. But there are simple ways to avoid becoming a victim.”

Massry recommended becoming familiar with the terminology and characteristics of Social Engineering, or “Phishing,” which refers to when a hacker/scammer impersonates someone a victim knows or trusts, such as a coworker or governmental agency, to access account information or sensitive systems. Pretexting (setting up a future attack) and Phishing (which can be an attack in itself) are the most common forms of social engineering.

Massry offered the following tips for recognizing potentially fraudulent online activity and communication:

 

1. Beware of suspicious or unfamiliar senders. Phishing emails and texts may appear to originate from governmental agencies, well-known companies such as UPS and FedEx, banks and even friends; however, upon closer inspection they may reveal something inaccurate about the sender's email address or phone number. 

  • Emails - Pay attention to the sender's domain. Legitimate companies will use their official domain (support@yourbank.com), whereas phishing emails may originate from a random, albeit closely matching, address (support@yourbank123.com).
  • SMS Texts - Phishing text messages may come from phone numbers that don't look quite right. Phishing messages generally come from long numbers that resemble international phone numbers.
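The sender-domain check described above can be automated. The following is an added example, not part of the original article: it compares the domain in a From header against a list of official domains and flags near matches. The trusted-domain list, the function names, the similarity threshold and the sample headers are assumptions made for illustration.

```python
import difflib
from email.utils import parseaddr

# Assumption: the organization's official sending domains (the article's example domain).
TRUSTED_DOMAINS = {"yourbank.com"}

def sender_domain(from_header):
    """Return the lower-cased domain of a From header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")

def classify_sender(from_header, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """Return (verdict, related trusted domain or None)."""
    domain = sender_domain(from_header)
    if not domain:
        return ("unparseable", None)
    # Exact match, or a subdomain of an official domain.
    for good in sorted(trusted):
        if domain == good or domain.endswith("." + good):
            return ("trusted", good)
    # Lookalike: the brand label is embedded in another domain, or the
    # whole domain is only a character or two away from an official one.
    for good in sorted(trusted):
        brand = good.split(".")[0]  # simplification: first label is the brand
        similarity = difflib.SequenceMatcher(None, domain, good).ratio()
        if brand in domain or similarity >= threshold:
            return ("lookalike", good)
    return ("unknown", None)

# Constructed sample headers, not taken from real messages.
SAMPLES = [
    "support@yourbank.com",
    '"YourBank Support" <support@yourbank123.com>',
    "alerts@y0urbank.com",
    "notice@yourbank.com.evil.example",
    "billing@example.org",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r:50} -> {classify_sender(header)}")
```

A "trusted" verdict only means the address is spelled correctly; the From header itself can be forged, which is what a mail system's SPF, DKIM and DMARC checks are for.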

 

2. Be on the lookout for spelling and grammar mistakes. Phishing emails and texts often contain poor spelling, grammatical errors, or awkward wording. A legitimate business will typically proofread its messages carefully before sending them to customers.

  • Emails - Watch for sentences such as "Your account has been lock!" or "Click here to verify your detail." Such errors are red flags.
  • SMS Texts - Similar to poorly written emails, phishing text messages may use odd phrasing, such as "Urgent action required to protect your account!!"

 

3. Examine the tone of the message. Phishing and pretexting messages often create a false sense of urgency or fear, pressuring the recipient to act quickly, presenting a limited time to respond, and claiming that failure to act will result in a severe, negative action. Always take your time to read and understand the message.

  • Emails - A typical phishing email might say "Your account has been compromised! Please click the link below to verify your identity immediately!"
  • SMS Texts - A phishing text may claim "Your E-ZPass account is past due and will be locked if you don't pay fines within 24 hours! You will be sued"

A reputable organization will not threaten you via email if you do not comply with the message. Call the sender's business directly to discuss the email message using a verifiable phone number. Never reply to these emails or use the phone numbers within the message.

 

Massry offered additional topics to raise awareness of ways cyber criminals gain personal and sensitive information, which include:

  • Suspicious links that lead to fake websites with spoofed logos. Do not click the link. Instead, simply hover the mouse above it to see where it leads. If an email looks suspicious, do not click on any links in it.
  • Beware of phishing emails that ask the recipient to confirm their password or provide account details.
  • A salutation that does not address the recipient by name and simply says “Dear customer” or “Dear user”.
  • Beware of unexpected attachments, as these may infect your computer with malware, ransomware or viruses. Avoid downloading any files from unsolicited messages.
  • Always verify suspicious messages through official channels. For example, if an email or text message appears to have been sent from your bank, online service or a familiar business, do not click any links, but rather call the bank or business directly to verify the legitimacy of the message.
  • Beware of attractive, “Too-Good-To-Be-True” offers. Unsolicited offers or rewards are other ways cyber criminals lure unsuspecting victims. If it seems too good to be true, it probably is.

 

Phishing attacks are becoming increasingly sophisticated, but by remaining vigilant and knowing what to look for, it’s possible to avoid becoming a victim of these scams, Massry said.

Another way to protect your computer is with up-to-date spam filters, anti-virus/anti-spyware software, and a firewall. A spam filter can help reduce the number of phishing emails you get. Anti-virus software will scan incoming messages for malicious files, and anti-spyware software looks for malicious programs that may have been installed on your computer.

West Point Security has provided cybersecurity consulting services to a variety of government agencies and entities, including the Metropolitan Transit Authority, Port Authority of New York and New Jersey, Empire State Development, dozens of colleges and universities, engineering firms, businesses and healthcare organizations.  For more information about West Point Security visit https://westpointsecurity.solutions/.

BST offers a broad portfolio of accounting and auditing, tax, consulting, valuation, forensic accounting and litigation support. The firm’s expansive outsourcing division includes accounting, talent strategies, marketing, philanthropy, and cybersecurity services, available either a la carte or in combination with one another, to deliver tailor-made strategies for businesses and nonprofit organizations at all phases of development.