Cybercrime comes in so many variations that it’s hard to keep up: phishing, spear phishing, smishing, whaling, pharming … it’s enough to make your head spin. All have one thing in common, though: an attempt by a cyber thief to separate your business from its money by pretending to be someone else. The end result may vary from a ransomware lockdown to cleaning out a bank account, but most attacks begin with some sort of business email compromise (BEC), the exception being smishing, which uses texting to accomplish the same thing.
A common scenario is an employee receiving a legitimate-looking email that appears to be from a client, or a vendor, or even the boss. The email requests some type of electronic payment, or the routing of a payment to a different financial institution. If the ruse works, that money is most likely gone, as most of these bad actors are offshore, making tracking or recovery of funds difficult or impossible.
This is why many businesses use a callback verification process to avoid such attacks. Callback verification is simple and low-tech: a phone call confirms that an invoice or other request for payment is authentic. The procedure and the telephone number to be used are pre-established and are not communicated electronically, keeping the arrangements out of view of thieves.
The two things to know about callback verification are that it’s probably your best defense against such attacks, and that you may not have a choice. Just as with Multi-Factor Authentication (MFA), virtually every cyber liability carrier is now insisting that businesses have callback verification in place, and most existing policies have language stating that coverage will not apply in the absence of such a process. Even if you have the rare policy that does not mandate callback verification, it’s certain to come up as part of your renewal application.
There are tools available to help you establish and document your own process. For now, know that callback verification belongs on your ‘must-do’ list.
Questions about establishing a callback verification process? Contact Consolidated Insurance.