Digitization has left loopholes for cybercriminals to attack all of us. With companies already losing millions of dollars to cybercriminals, we see an urgent need to keep you informed with cybersecurity measures and the best tips for you to keep your business safe.

Cyber attackers are working around the clock to try to attack systems, computers, emails, bank accounts and every other element that could be compromised. The CBC Information Security and Risk Teams are dedicated to maintaining processes that keep our organization – and our client’s money – safe.

Staggering Cyber Attack Statistics

In 2021, there was a 238% rise in cyber-attacks and fraud attempts, and a recent Intuit Quickbooks survey proved that 40% of small businesses have been hit with a cybersecurity breach. These attacks include a 105% rise in ransomware attacks according to Sonicwall, a cybersecurity company, and a 60% rise in phishing attempts. In a recent report by the FBI, Americans lost $4.2 billion to cybercrime in 2020.

Top Cyber Attack Threats

There are many different and creative threats today. As we’ve all gotten more accustomed to a virtual world, it requires a much larger effort to validate identities and requests–and protect ourselves and our clients’ businesses.

Targeted Digital & Phone Phishing Attempts

Targeted phishing (or spear phishing) is becoming increasingly popular. Unlike phishing, which casts a wide net, spear-phishing emails are highly targeted. Voice phishing or vishing is telephone-based version of this. Cybercriminals use social media and other public information to create personalized emails for specific individuals and adopt the guise of a trusted sender.

Spear phishing and vishing examples:

• Attacker sends a spear phishing e-mail related to a bank transaction, etc.

• Once the person clicks on the link, they receive a phone call where the attacker claims to be the bank’s fraud department

• The attacker claims that someone is trying to withdraw money from the target’s account, and that the target needs go to the branch to withdraw the money immediately

• The attacker states that once they withdraw the money, instructions will be provided to send the money to a “secured” account

• The attacker asks the target to stay on the phone for the entire transaction process

Business E-mail Compromise Attacks

The FBI publishes an annual report on cybercrime in the U.S. While most complaints were for phishing, non-payment scams and extortion, about half of the losses are from business-email compromise (BEC), romance and confidence scams, and investment fraud. According to the report, BEC scams recorded 19,369 complaints in 2020, as 19% drop from 2019, however it generated a $100 million increase in losses.

BEC scams are carried out by compromising business email accounts to modify transaction details so that funds are transferred to a bank account controlled by the attacker.

Business E-Mail Compromise Example:

• A customer or vendor had their e-mail account compromised and was asked to change the payment instructions

• They didn’t inform the bank customer (e.g., your business) of the security breach

• The bank customer also didn’t confirm the validity of the payment instruction change request

• Payment information was provided to an attacker, and multiple bank accounts were affected

What Can You Do to Protect Yourself and Your Business?

Simply stated: be politely paranoid. You may have heard these before, but it warrants a friendly reminder. Don’t open attachments or click on links from senders that you do not recognize. When in doubt, verify the email or phone call’s authenticity through a return phone call or text using previously known numbers, not any numbers provided in the email or the caller.

General Reminders

• Consider upgrading your antivirus solution to an Endpoint Detection and Response or Managed Detection and Response for advanced threat protection

• Apply Extended Detection and Response to your email spam filter if available

• Use multifactor authentication (MFA) for your email and other systems

• Schedule a time often to apply security updates to your computer and applications

• Back up your data daily and store it off site

• Use a DNS service, such as Quad9 or Cloudflare, or URL filtering software/appliance to block known malicious sites

• Stay alert to any abnormal signs within your bank account or business systems

Keeping Passwords Safe

Keeping your passwords private and complex is the best way to keep them secure. Keep in mind that support services will never ask you for your password by phone or email. Consider using a password management system and create a unique password for every website, system and application that you use.

Check The Source Prior to Clicking

For Services and People: If you receive an unexpected email or request, do not click the link and make sure it’s really them. Instead, visit the online store or service the way you normally would to check for a notification, or contact the person via previously known numbers–not the email as it may be compromised.

For News or Entertainment: If someone sends you a link to the latest viral video or interesting news article, you can skip the link and use a search engine to find the content is a safer way.

At CBC, our focus is on client confidentiality, availability of financial systems and the integrity of the bank to ensure we continue to operate in a safe and sound manner. This includes following industry best practices on cybersecurity, data protection, system security hardening, security training and supporting our clients in every way we can.

Kevin Tsuei, CISSP, CISA, CEH Kevin is the Information Security Officer at Commercial Bank of California. Prior to joining CBC, he worked for a boutique audit firm for 12 years, catering specifically to financial institutions. During his tenure, he led and oversaw hundreds of IT audit and network penetration tests. Kevin is a graduate of UC Irvine, and earned his master’s degree from Harvard University.