APRIL 2021 – Social Engineering Crime – Business Compromise Scams Growing Fast


BUSINESS COMPROMISE scams that use both technology and a human touch to steal funds from businesses are growing as criminals engage in social engineering tactics to dupe unsuspecting employees.

Businesses have lost millions of dollars to social engineering scams, where attackers impersonate a company president or executive who is authorized to approve wire transfers to trick employees into transferring funds into a fake client or vendor account.

According to the FBI’s Internet Crime Complaint Center, in 2019 U.S. businesses were hit with an estimated 23,775 e-mail compromise scams that resulted in aggregate losses of $1.7 billion. Figures for 2020 are not yet available.

Vishing – or voice phishing – attacks have been growing. The FBI in January warned of an increase in vishing attacks targeting employees working remotely in the COVID-19 pandemic, and of the heightened risks companies face when network access and broadening of online privileges may not be fully monitored.


How to train employees

Providing practical employee phishing training is key to keeping your company safe. The following are activities and tips to help you train employees to stay vigilant.

Remote workers should be vigilant in checking internet addresses, more suspicious of unsolicited phone calls, and more assertive in verifying the caller’s identity with the company, the FBI recommends.

When training staff, you should:

  • Explain what vishing and phishing are, how they happen, and what risks they pose on a personal and company level.
  • Explain the different types of phishing attacks.
  • Train your workers in identifying signs of phishing attacks, like e-mails with poor spelling and grammar, incorrect e-mail addresses (for example BobS@ Startbucks.com), and fraudulent URLs.
  • Train your staff in recognizing phishing links, phishing attachments, and spoofed e-mails. Additionally, your employees should know what steps to take after they identify a threat.
  • Conduct simulations that send employees fake phishing e-mails. The results should be shared with them to show how they fell for the scam and the damage that being duped into clicking on a malicious link can cause.


Insurance

As vishing and business e-mail compromise scams increase, more employers are seeking to add coverage in their commercial crime policies.
Typically, these policies have been used to cover losses from internal theft, but lately about 50% of claims are for losses related to phishing and vishing scams.
The price of social engineering coverage varies by risk and limit, but it can often be added to a crime policy as a rider.
One thing though: social engineering coverage will often have lower limits than a typical commercial crime policy. This is because of the risk of much larger financial losses than a company could expect from internal theft or white-collar crime perpetrated by an employee.


ADVICE FROM THE FBI

  • Consider instituting a formal process for validating the identity of employees who call each other.
  • Restrict VPN connections to managed devices only (meaning not on employees’ personal devices).
  • Restrict VPN access hours.
  • Employ domain monitoring to track the creation of or changes to corporate brand-name domains.
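The “BobS@ Startbucks.com” example in the training tips above and the FBI’s domain-monitoring advice both come down to the same check: is a sender’s domain a near-miss of your own brand domain? The following Python is an added illustration, not code from the newsletter or the FBI; it assumes starbucks.com is the legitimate domain (following the page’s example) and runs over a constructed set of sender addresses.

```python
import re

# Assumed legitimate corporate domain, following the newsletter's
# "BobS@ Startbucks.com" example; substitute your own brand domain.
CORPORATE_DOMAIN = "starbucks.com"
# Digits commonly swapped for look-alike letters in spoofed domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Lower-case the address, drop stray whitespace, return the part after '@'."""
    cleaned = re.sub(r"\s+", "", address).lower()
    if cleaned.count("@") != 1:
        raise ValueError(f"not a single e-mail address: {address!r}")
    return cleaned.split("@")[1]

def classify_sender(address: str, corporate: str = CORPORATE_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for one sender address."""
    domain = sender_domain(address)
    if domain == corporate or domain.endswith("." + corporate):
        return "internal"
    brand = corporate.split(".")[0]
    label = domain.split(".")[0].translate(CONFUSABLES)
    # Near-misses of the brand (startbucks), the brand under another TLD or
    # with digits swapped in (starbucks.co, 5tarbucks.com), and the brand
    # embedded in a longer label (starbucks-payroll) are all lookalikes.
    if edit_distance(label, brand) <= 2 or brand in label:
        return "lookalike"
    return "external"

def triage(addresses):
    """Group a batch of sender addresses by verdict."""
    out = {"internal": [], "lookalike": [], "external": []}
    for address in addresses:
        out[classify_sender(address)].append(address)
    return out

if __name__ == "__main__":
    # Constructed sample senders, including the newsletter's own example.
    sample = ["ceo@starbucks.com", "BobS@ Startbucks.com", "ap@starbucks-payroll.com",
              "cfo@starbucks.co", "it@5tarbucks.com", "vendor@acme-supplies.com"]
    for verdict, addrs in triage(sample).items():
        print(f"{verdict:9} {addrs}")
```

The edit-distance threshold of 2 suits a nine-letter brand; a short brand name needs a tighter threshold or it will flag unrelated domains.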

Pandemic Transition – How to Reopen, Bring Staff Back to Work Safely – July 2020


IF YOUR business is reopening after a relaxation of shelter-in-place orders, you should proceed with caution and make sure you have safeguards in place to protect your workers, as well as customers if they are entering your premises.
Here are some recommendations from the Los Angeles Department of Public Health and other sources that can apply to any municipality anywhere in the country.

Measures to protect employees
• If someone can continue working from home, let them do so.
• Tell employees not to come to work if sick.
• If any employee tests positive for, or has symptoms consistent with, COVID-19, you should:
– Ask that they isolate at home, and
– Ask all employees who may have come in contact with that colleague to immediately self-quarantine at home.
• Check employees for symptoms or a fever before they enter. This must include a check-in concerning cough, shortness of breath or fever, and any other symptoms the employee may be experiencing.
• These checks can be done remotely or in-person upon the employee’s arrival. A temperature check should be done at the worksite, if feasible.
• Offer employees cloth face coverings at no cost if they will have contact with the public during their shift. Disposable masks should be thrown away at the end of every shift; reusable masks should be washed in hot water after every shift.
• Instruct employees not to touch their masks.
• Disinfect break rooms, restrooms, and common areas frequently.
• Place hand sanitizer in strategic locations.
• Allow employees to take frequent breaks to wash their hands.

Signage
Place signs at each public entrance of your facility to inform all employees and customers that they should:
• Avoid entering if they have a cough or fever.
• Maintain a minimum 6-foot distance from one another.
• Wear a mask for their own protection, as well as for the safety of others.

Controlling crowds, lines
Limit the number of customers on the premises at any one time, to allow customers and employees to easily maintain at least 6-foot distance from one another at all practicable times. Post an employee at the door to ensure the maximum number of customers in the facility is not exceeded. If people are queueing up, mark the ground outside to ensure proper social distancing.

Spacing between employees
• Require employees to work at least 6 feet apart. You may need to reorganize workspaces to ensure proper spacing.
• In jobs where workers are on their feet, mark spots on the floor where they should stand to ensure social distancing.
• Space out tables, chairs, and microwaves in break rooms.
• Another option is to use partitions made of plexiglass so workers can communicate and make eye contact.
• In addition, you may want to abandon the popular open workspace concept and revert to using cubicles, which gained popularity in the 1980s and 1990s as a way to increase productivity by putting barriers between office workers. Having that divider will make your staff feel safer and can offer some protection.
• Reconfigure furniture placement in offices, public seating areas, and other work areas to support physical distancing.

Cleaning and circulation
Take steps to minimize air from fans blowing from one worker directly at another. Also, consider opening windows for circulation.
Also important are:
• Disinfecting surfaces in workspaces, as well as doorknobs, buttons, and controls. Pay special attention to areas that are frequented and touched more often.
• Providing workers and customers with tissues and trash receptacles.
• Ensuring that employees who clean and disinfect wear disposable gloves.
• Cleaning surfaces with soap and water, then applying a disinfectant.
• Sanitizing any other personal protective equipment, such as hardhats, after every shift.


Human Resources – Don’t Forget Anti-Harassment Training for Your Staff


If you have not yet started on your efforts to provide anti-sexual harassment training to your California employees, you need to get working on it now. A law passed last year puts the onus on most employers in the state to provide anti-sexual harassment training to their staff every two years.
Starting this year, employers with five or more workers must provide:
• At least two hours of sexual harassment prevention training to all supervisory employees, and
• At least one hour of sexual harassment prevention training to all non-supervisory staff.

To be compliant by Jan. 1, 2020, as per the law, these trainings need to take place in 2019. They must then be provided every two years thereafter. This new law builds on legislation that has been in place since 2005 requiring employers with 50 or more employees to provide two hours of training to managers and supervisors every two years.

Timing of training

All employees – Under the new law, ushered in by SB 1343, most California employees must undergo anti-harassment training this year and every two years thereafter.
Supervisory employees – Supervisors and managers who are already covered by the aforementioned training requirements must continue to receive at least two hours of anti-harassment training within six months of becoming a supervisor, and at least every two years thereafter.
New employees – New employees must receive at least one hour of anti-harassment training within six months of being hired, and at least every two years thereafter.
Seasonal and temporary workers – This includes any employee that is hired to work for less than six months. These workers are required to receive training within 30 calendar days after the date they were hired, or within 100 hours worked, whichever comes first. Temp workers provided by an outside employment agency must receive anti-harassment training by the temp agency.

Training guidelines

Guidelines for what training should cover for employees have yet to be released.
The Department of Fair Employment and Housing is required to make available to employers on its website interactive training courses that satisfy the two-hour supervisory and one-hour nonsupervisory employee training requirements. Those materials are not scheduled to be available until “late 2019,” according to the department’s website.
The agency has on its website some materials to help employers, including a sample training kit, which you can find here.

Trainers

Under the regulations for supervisory training, the training must be conducted by either:
• An employment law attorney, or
• A human resources or harassment prevention consultant with a minimum of two years of practical experience in sexual harassment prevention training, or
• A professor or instructor in a law school, college or university, and who teaches about employment law.

What training must cover

The training requirements for one hour of training have yet to be released. But you should use as a guide the following, which are in the California Code of Regulations:
• Definition of unlawful sexual harassment under the law.
• The types of conduct that constitute sexual harassment.
• Remedies available for sexual harassment victims in civil actions; potential employer/individual exposure/liability.
• Strategies to prevent sexual harassment in the workplace.
• Supervisors’ obligation to report sexual harassment, discrimination, and retaliation of which they become aware.
• Examples that illustrate harassment and discrimination.
• Confidentiality of the complaint process.
• How to report harassment to management.
• The employer’s obligation to conduct an effective workplace investigation of a harassment complaint, and to take remedial action.
• Training on what to do if the supervisor is accused of harassment.
• The essential elements of an anti-harassment policy, and how to utilize it if a harassment complaint is filed.