If it seems like you’re hearing about cybercrime more frequently, that’s because you are. According to the FBI’s Internet Crime Complaint Center (IC3), cybercrime complaints have doubled since 2015, with over $10 billion in associated losses.[1] In March 2020 alone, the IC3 complaints added up to $2 billion in losses from business email compromise scams targeting cloud-based email services.[2]
Closer to home, New Jersey residents and businesses filed 18,220 identity theft reports in 2019, pushing the state to 10th place on the Federal Trade Commission (FTC) rankings list.[3]
Business identity theft comes in many forms, including stolen credit card information, phishing scams, and fake documents filed with the state. With the ever-increasing practice of working remotely and the vulnerability of IT environments, it’s more critical than ever to protect your business against identity theft and take steps to educate your employees. Here are three ways to get started:
1. Build a data security plan
Pablo Zylberglait, a senior attorney with the FTC, believes safeguarding sensitive data stored in files and computers is “just plain good business.” Featured in the FTC’s ID Theft for Business video, he recommends following five key principles to build a sound data security plan:
- Take stock. Identify the personal information stored in files and computers.
- Scale down. Keep only what you need for your business.
- Lock it. Protect the information in your care.
- Pitch it. Properly dispose of what you no longer need.
- Plan ahead. Create a plan to respond to security incidents.
2. Set up business protocols
If you haven’t already done so, now is the time to establish business protocols for these three areas:
- Require a photo ID for payments with credit cards or checks
- Request debit and credit card verification codes for phone or online orders
- Do not collect birth dates or other unnecessary information from customers
- Use encryption to transmit and store sensitive customer information like credit card, bank account, and Social Security numbers
- Use firewalls and install operating system updates immediately to help fix potential security risks
- Store business records in locked file cabinets or closets and limit access to them
- Shred old records to keep them from ending up in the wrong hands
- Develop security policies to determine who gets access to what information and who is responsible for regulating the security of business-related information
- Create secure account numbers and avoid using birth dates or Social Security or driver's license numbers, which make things easy for identity thieves
- Establish file retention policies to define how long customer information such as credit card and account numbers will be retained, and make arrangements for proper disposal
3. Teach employees the cybersecurity basics
Once you set up data security policies, you’ll want to train and empower your employees to recognize cyber threats. Focus on these three areas:
Procedures. Ensure employees understand your document management system and notification procedures – they should know what to do if a business computer gets a virus or operates improperly. A quick training session on how to identify warning messages can go a long way.
Passwords. Insist on strong, secure passwords. Reinforce the importance of using a mix of uppercase and lowercase letters, numbers, and special characters. Discourage including personal information or writing down passwords. The general rule of thumb: Keep passwords simple but memorable.
Internet and Email. Train employees to avoid clicking on suspicious links or opening attachments, which could launch malicious software designed to infect computers and steal company data. Your staff should learn how to recognize and respond to scam emails. Follow these simple guidelines:
- Make sure the email comes from someone you know or a familiar address.
- Check to see if it’s an email you were expecting.
- Scan the email to ensure it looks legitimate (e.g., no misspellings or poor grammar).
4. Reporting a Cybercrime
If you become a victim of cybercrime, immediately notify authorities to file a complaint and contact your bank to ensure the proper steps are taken to protect your finances. Keep and record all evidence of the incident and its suspected source. Here is a list of the government organizations you can file a complaint with or use as a trusted resource for information related to cybercrimes:
- FTC.gov: use the free resources at https://www.identitytheft.gov/ for help to report and recover from identity theft. Report fraud at ftc.gov/OnGuardOnline or https://www.ftccomplaintassistant.gov.
- US-CERT.gov: report computer or network vulnerabilities to US-CERT at 1-888-282-0870 or us-cert.gov. Forward phishing emails or websites to US-CERT at phishing-report at us-cert dot gov.
- IC3.gov: file a complaint with the Internet Crime Complaint Center at http://www.IC3.gov.
- SSA.gov: contact the Social Security Administration’s fraud hotline at 1-800-269-0271 if you believe someone is using your SSN.
As 2020 winds down, make plans now to protect the identity of your business and your customers. Check out our other blogs on Privacy & Cybersecurity and visit the Lakeland Bank identity theft information center for more great resources on this topic.
[1] Federal Bureau of Investigation, “2019 Internet Crime Report,” on the internet at: https://pdf.ic3.gov/2019_IC3Report.pdf (viewed August 11, 2020)
[2] Federal Bureau of Investigation, “Cyber Criminals Conduct Business Email Compromise through Exploitation of Cloud-Based Email Services, Costing US Businesses Over Two Billion Dollars,” on the internet at: https://www.ic3.gov/media/news/2020/200707-4.pdf (viewed August 11, 2020)
[3] Federal Trade Commission, “Consumer Sentinel Network Data Book 2019,” on the internet at: https://www.ftc.gov/system/files/documents/reports/consumer-sentinel-network-data-book-2019/consumer_sentinel_network_data_book_2019.pdf (viewed August 11, 2020)