Tips to prevent your business from being scammed
It is recommended that businesses consider undertaking:
- Establishing enforceable and workable (with accepted penalties for noncompliance) Standard Operating Procedures (SOPs) detailing the use of computing devices, network connectivity, password management and other IT related security issues.
- Obtaining independent IT network and system penetration testing and security assessments on an annual basis, or whenever there is a major system or hardware change or update.
- Reviewing system and application logs on at least a weekly basis, particularly those related to user logins, remote access and anti-virus scans.
- Performing a daily review of SENT emails for any unusual addressees.
- Performing regular (six-monthly) staff scam email awareness training sessions.
Scammers can use a compromised employee email account to send a bogus message, such as advice of a change in payee details that diverts payments to the perpetrator's account, so tighter access security is vital. In some of these real-life bogus message examples, it is disturbing to see the amount of money defrauded, the implications for the exploited parties, and the hurt caused to the unsuspecting person authorising the fund transfers.
In the real estate industry, these attacks are often directed against those in the legal fraternity involved in the legal aspects of conveyancing. Greater awareness of these scams is required from all businesses to safeguard against them.
To achieve this, it is recommended that:
- Businesses, no matter how small, should invest in robust email services that offer stronger user access security and secure storage of critical information.
- Ensure computer networks are maintained within a sound security management regime.
- Recommission old network systems and computers where a compromise has occurred or is highly likely to have occurred.
- Have a regular review of system security by IT security professionals with a reputation for providing a sound service.
- The real estate industry should undertake regular security awareness training to strengthen its security initiative. Formal security awareness competency should also be an integral and ongoing part of IT technicians' professional qualifications.
- Tread carefully with requests for remote desktop access to computers, even legitimate ones, and ensure that applications such as TeamViewer are deactivated and uninstalled promptly once they are no longer required.
- Ensure the network and connected mobile and offsite devices are dedicated to business use and not used for private activities.
- Companies and organisations need to be aware of these scam transactions and develop a security culture that encourages their personnel, and the staff of their financial institutions, to verify all information before finalising any transaction.
- Responsible personnel should, as a priority, reconcile bank statements, particularly payment-related activity, as promptly as possible and report anything suspicious without delay.
- Ensure all account password security is maintained at a high level and reviewed regularly. Mandatory logging of failed and successful logins, including remote access, is recommended so that events can be monitored for security audit purposes.
- In terms of sound email practice, users should avoid using the 'Reply' button; instead, use the 'Forward' option and either type in the correct email address or select it from the address book, to ensure the real email address is used.
- Ensure antivirus protection is installed and appropriately configured.
- Delete generic spam immediately and never click on any link, attachment or image in unexpected emails.
- Emails that are deliberately directed against an agency should be saved as a message file for future investigation by WA ScamNet, if it is safe to do so.
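The 'Reply' advice and the daily review of SENT emails above both come down to checking which addresses are actually in play. The following Python script is an added example, not part of the WA ScamNet page: it shows that a plain 'Reply' goes to the sender-controlled Reply-To header rather than the visible From address, checks that reply target against a verified address book, and lists recipients of a sent message who are not in that book. The messages, the address book and every name and domain in them are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Constructed address book of verified contacts (all names/domains are made up).
ADDRESS_BOOK = {
    "accounts@example-settlements.com.au",
    "buyer@example.net",
}

# Constructed incoming message: the visible From matches a verified contact,
# but a plain 'Reply' goes to the Reply-To header, a lookalike domain (rn vs m).
INCOMING = """\
From: Accounts <accounts@example-settlements.com.au>
Reply-To: Accounts <accounts@example-settlernents.com.au>
To: buyer@example.net
Subject: Updated payee details for settlement

Our bank details have changed, please use the attached account.
"""

def reply_target(raw: str) -> str:
    """Address a plain 'Reply' would send to: Reply-To if present, else From."""
    msg = message_from_string(raw, policy=policy.default)
    header = msg.get("Reply-To") or msg.get("From", "")
    return parseaddr(str(header))[1].lower()

def check_reply(raw: str, address_book: set[str]) -> list[str]:
    """Findings to show the user before a reply to an incoming message is sent."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    target = reply_target(raw)
    findings = []
    if target != sender:
        findings.append(f"Reply-To {target} differs from From {sender}")
    if target not in address_book:
        findings.append(f"reply target {target} is not in the address book")
    return findings

def unusual_addressees(raw: str, address_book: set[str]) -> list[str]:
    """Daily SENT-items review: recipients that are not verified contacts."""
    msg = message_from_string(raw, policy=policy.default)
    fields = [str(v) for k in ("To", "Cc", "Bcc") for v in msg.get_all(k, [])]
    return sorted({addr.lower() for _, addr in getaddresses(fields)
                   if addr and addr.lower() not in address_book})

if __name__ == "__main__":
    for finding in check_reply(INCOMING, ADDRESS_BOOK):
        print("WARNING:", finding)
```

Run against a mailbox export, the same two checks give a daily list of replies that would leave the verified address book and of sent messages with addressees nobody has vetted.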