Category Archives: General Business Best Practices

Cyber Security Article from the FBI

October is National Cyber Security Awareness Month. When our staff spotted this article, we knew it was something we wanted to share with our clients and readers. We contacted the FBI for their permission to reprint it on our blog, and they were kind enough to agree. You can find this article, as well as many other articles you may find valuable to keep your business and staff secure against cyber crime, at this web address: https://www.fbi.gov/news/stories/2015/august/business-e-mail-compromise/business-e-mail-compromise

For more information about fraud protection tools and product features provided by Regents Bank, please visit our website.


Business E-Mail Compromise
An Emerging Global Threat

08/28/15

The accountant for a U.S. company recently received an e-mail from her chief executive, who was on vacation out of the country, requesting a transfer of funds on a time-sensitive acquisition that required completion by the end of the day. The CEO said a lawyer would contact the accountant to provide further details.

“It was not unusual for me to receive e-mails requesting a transfer of funds,” the accountant later wrote, and when she was contacted by the lawyer via e-mail, she noted the appropriate letter of authorization—including her CEO’s signature over the company’s seal—and followed the instructions to wire more than $737,000 to a bank in China.

The next day, when the CEO happened to call regarding another matter, the accountant mentioned that she had completed the wire transfer the day before. The CEO said he had never sent the e-mail and knew nothing about the alleged acquisition.

The company was the victim of a business e-mail compromise (BEC), a growing financial fraud that is more sophisticated than any similar scam the FBI has seen before and one—in its various forms—that has resulted in actual and attempted losses of more than a billion dollars to businesses worldwide.


“BEC is a serious threat on a global scale,” said FBI Special Agent Maxwell Marker, who oversees the Bureau’s Transnational Organized Crime–Eastern Hemisphere Section in the Criminal Investigative Division. “It’s a prime example of organized crime groups engaging in large-scale, computer-enabled fraud, and the losses are staggering.”

Since the FBI’s Internet Crime Complaint Center (IC3) began tracking BEC scams in late 2013, it has compiled statistics on more than 7,000 U.S. companies that have been victimized—with total dollar losses exceeding $740 million. That doesn’t include victims outside the U.S. and unreported losses.

The scammers, believed to be members of organized crime groups from Africa, Eastern Europe, and the Middle East, primarily target businesses that work with foreign suppliers or regularly perform wire transfer payments. The scam succeeds by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques. Businesses of all sizes are targeted, and the fraud is proliferating.

According to IC3, since the beginning of 2015 there has been a 270 percent increase in identified BEC victims. Victim companies have come from all 50 U.S. states and nearly 80 countries abroad. The majority of the fraudulent transfers end up in Chinese banks.

Not long ago, e-mail scams were fairly easy to spot. The Nigerian lottery and other fraud attempts that arrived in personal and business e-mail inboxes were transparent in their amateurism. Now, the scammers’ methods are extremely sophisticated.

“They know how to perpetuate the scam without raising suspicions,” Marker said. “They have excellent tradecraft, and they do their homework. They use language specific to the company they are targeting, along with dollar amounts that lend legitimacy to the fraud. The days of these e-mails having horrible grammar and being easily identified are largely behind us.”

To make matters worse, the criminals often employ malware to infiltrate company networks, gaining access to legitimate e-mail threads about billing and invoices they can use to ensure the suspicions of an accountant or financial officer aren’t raised when a fraudulent wire transfer is requested.

Instead of making a payment to a trusted supplier, the scammers direct payment to their own accounts. Sometimes they succeed at this by switching a trusted bank account number by a single digit. “The criminals have become experts at imitating invoices and accounts,” Marker said. “And when a wire transfer happens,” he added, “the window of time to identify the fraud and recover the funds before they are moved out of reach is extremely short.”

In the case mentioned above—reported to the IC3 in June—after the accountant spoke to her CEO on the phone, she immediately reviewed the e-mail thread. “I noticed the first e-mail I received from the CEO was missing one letter; instead of .com, it read .co.” On closer inspection, the attachment provided by the “lawyer” revealed that the CEO’s signature was forged and the company seal appeared to be cut and pasted from the company’s public website. Further assisting the perpetrators, the website also listed the company’s executive officers and their e-mail addresses and identified specific global media events the CEO would attend during the calendar year.
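The two tells the accountant found only after the money had moved, a sender domain one letter off from the real one and (as described earlier) a payee account changed by a single digit, can be checked before a wire is released. The following is an added example, not part of the FBI article; the domain, vendor name, account numbers and function names are constructed for illustration.

```python
"""Pre-payment checks for two BEC tells described in the article (illustrative)."""

# Constructed sample data: the company's real mail domain and its vendor master file.
TRUSTED_DOMAINS = {"example-corp.com"}
VENDOR_ACCOUNTS = {"Acme Supplies": "4417093325"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop a character of a
                           cur[j - 1] + 1,             # add a character of b
                           prev[j - 1] + (ca != cb)))  # substitute (free if equal)
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'external' for the address's domain."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in trusted:
        return "trusted"
    # A domain that is almost, but not exactly, a trusted one is the worst case:
    # it is built to survive a quick glance (".co" for ".com").
    if any(edit_distance(domain, good) <= max_distance for good in trusted):
        return "lookalike"
    return "external"


def check_payee_account(vendor: str, account: str, master=VENDOR_ACCOUNTS) -> str:
    """Compare the requested account with the one on file for the vendor."""
    on_file = master.get(vendor)
    if on_file is None:
        return "unknown-vendor"
    digits = "".join(ch for ch in account if ch.isdigit())  # ignore dashes/spaces
    if digits == on_file:
        return "match"
    # One or two digits off looks like the stored number at a glance.
    if edit_distance(digits, on_file) <= 2:
        return "near-miss"
    return "changed"


def review_wire_request(sender: str, vendor: str, account: str) -> list:
    """Return the reasons to hold the wire for call-back verification (empty = none)."""
    findings = []
    sender_class = classify_sender(sender)
    if sender_class == "lookalike":
        findings.append("sender domain imitates a trusted domain")
    elif sender_class == "external":
        findings.append("sender is outside the company domain")
    account_class = check_payee_account(vendor, account)
    if account_class != "match":
        findings.append("payee account: " + account_class)
    return findings


if __name__ == "__main__":
    # Constructed request modelled on the case above: ".co" sender, one digit changed.
    for reason in review_wire_request("ceo@example-corp.co", "Acme Supplies", "4417093825"):
        print("HOLD:", reason)
```

A "trusted" result only means the domain string matches; it does not show that the message was authenticated or that the mailbox itself has not been taken over, so any finding here is a reason to confirm by phone using a number already on file.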

The FBI’s Criminal, Cyber, and International Operations Divisions are coordinating efforts to identify and dismantle BEC criminal groups. “We are applying all our investigative techniques to the threat,” Marker said, “including forensic accounting, human source and undercover operations, and cyber aspects such as tracking IP addresses and analyzing the malware used to carry out network intrusions. We are working with our foreign partners as well, who are seeing the same issues.” He stressed that companies should make themselves aware of the BEC threat and take measures to avoid becoming victims (see sidebar).

If your company has been victimized by a BEC scam, it is important to act quickly. Contact your financial institution immediately and request that they contact the financial institution where the fraudulent transfer was sent. Next, call the FBI, and also file a complaint—regardless of dollar loss—with the IC3.

“The FBI takes the BEC threat very seriously,” Marker said, “and we are working with our law enforcement partners around the world to identify these criminals and bring them to justice.”


Linking to Non-Regents Bank Websites

This icon appears next to every link that directs to a third party website not affiliated with Regents Bank. Please be advised that if you click this link you will be taken to a website hosted by another party, where you will no longer be subject to, or under the protection of, the privacy and security policies of Regents Bank. We recommend that you review and evaluate the privacy and security policies of the site that you are entering. Regents Bank assumes no liability for the content, information, security, policies or transactions provided by these other sites.


Nine Tips for Better Cyber Security


Our increasing dependence on information technology and networks has brought tremendous efficiency to our work and personal lives, but with these efficiencies come risks, particularly risks from cybercrime. According to an October 2014 independent study conducted by Ponemon Institute, the percentage of businesses impacted by malware and other kinds of cyber fraud is up 144 percent, and a survey by Experian found that 60 percent of small businesses that suffer a cyber attack are out of business within one year due to the costs of customer notification, lawsuits, etc. Small and medium-sized businesses can be especially vulnerable since they often do not have the same level of resources as larger companies to defend their information technology systems and track their financial transactions on a frequent or daily basis. While protecting your business against cyber criminals may require a combination of special resources and a change in workplace procedures, here are a few basic steps that you can take at work and at home to reduce your risk of being hacked, spoofed, falling victim to computer viruses and Trojan horses or having your identity stolen.

  1. Keep your computer secure. Install and run anti-virus and anti-spyware and make sure you keep these up to date to protect against new threats. Use the latest versions of Internet browsers, such as Firefox, Google Chrome and Internet Explorer, and make sure your operating system and applications are updated regularly.
  2. Use a separate, dedicated computer for online banking – this decreases your chance of infection with malware because you are unlikely to encounter these programs on trusted banking sites. Do not use this computer for general web browsing and email.
  3. Never share usernames and passwords – use strong passwords with a combination of lower and upper case letters, numbers and symbols, and change your passwords if you suspect they could have been compromised. Use different passwords for the main applications you use. For example, your online banking password should be different than your email password.
  4. Use email safely. Don’t click on links within your email – instead, open your browser and search for the company that supposedly sent the link. Be cautious about opening attachments or downloading files from unfamiliar sources. These files can contain viruses or other software that can jeopardize your computer’s security.
  5. Don’t give out personal information over the phone or via email unless you have initiated the contact. Even if the email looks like it’s coming from someone you know, the person’s email may have been hacked.
  6. Never use unprotected Internet connections – In addition to using only secure connections, make sure websites asking for sensitive information are secure. These websites will show up in your browser with a lock icon in its toolbar that, when clicked, should display an info sheet, including the company’s name. Also, the URL should start with “https” instead of “http.”
  7. Educate your employees, family, housemates or anyone else who has access to your computer network and/or your financial information about cyber security best practices. You should also discuss monitoring account information and billing statements regularly for unauthorized charges and withdrawals.
  8. Do not keep your passwords on your computer in a Word document. While this practice is convenient for cutting and pasting and may protect against key logging software that can grab your keystrokes, this technique leaves the user vulnerable to clipboard loggers that capture the contents of the clipboard. Documents on your computer, even when password protected, are also vulnerable to skilled hackers. A better idea is to use a password manager program – some of which are free. PCMag.com offers an overview of these programs here.
  9. Ask your bank what they are doing to assist you in cyber fraud prevention. At Regents Bank, our online banking platform offers tools, such as Trusteer Rapport, which works alongside your current security software to add protection and decrease your susceptibility to criminal behavior, protecting you and your business from threats your antivirus cannot. We also offer features like Security and Transaction Alerts that can help clients protect themselves from fraud. Businesses using online banking also have access to security features such as dual control and user limits, along with Treasury Management products like ACH Fraud Protection, Positive Pay, and out-of-band authentication and secure access codes to protect ACH and wire transactions. And, we continually invest in back office resources to help detect potentially fraudulent transactions.


Tips for Employers to Prepare for Major Health Care Reforms

We cannot thank our Affordable Care Act seminar panelists enough for the valuable information they imparted to our 100-person audience on Tuesday, June 11 at Morgan Run Club & Resort. In case you missed it, check out the highlights below.


(left to right) Gary Levine, Steven Sefton, Ross Afsahi, Kristin Kahle and David Cartano

Many San Diego employers are looking for help in preparing for the potentially massive changes to insurance benefits under the Affordable Care Act reforms, parts of which will take effect in less than six months. Recently, Regents Bank, in association with GS Levine Insurance Services, assembled a panel of experts on the Affordable Care Act to address the questions and concerns of local business owners.

The symposium, attended by nearly 100 business owners and professionals, featured panelists Ross Afsahi, president of GS Levine Insurance Services, Inc.; David J. Cartano, a partner in the law firm of Barton, Klugman & Oetting, LLP; and Kristin L. Kahle, senior vice president of Benefit Exchange Alliance. Gary Levine, CEO of GS Levine Insurance Services, Inc., served as moderator.

During the discussion, Cartano noted that the law applies differently to companies of varying sizes.  He explained how different parts of the Affordable Care Act will apply to companies with one or two employees; companies with at least $500,000 of gross revenue; companies with more than 20 employees; companies with less than 25 employees; companies with less than 50 employees; companies with less than 100 employees; and companies with more than 250 employees.  He commented that companies with fewer than 50 employees are generally not required to provide health insurance for their employees.  Employees who are not covered by an employer plan will be responsible for obtaining their own health insurance with after-tax dollars or paying a penalty to the IRS.

Cartano noted that beginning in 2014, small employers with less than 50 employees and uninsured employees may purchase standardized insurance policies at standardized prices through the exchanges that are now being established.  The exchange in California is entitled Covered California.

The panelists agreed that for small businesses, the cost of health care benefits will likely increase. Kahle advised that one way to keep costs down is to opt for early renewal with one’s current benefits provider.  By renewing in the fourth quarter of 2013, instead of in 2014, a company can delay implementation of the effects of the law until the next renewal date in the fourth quarter of 2014.

The panelists noted that all employers with at least $500,000 of revenue must provide a notice to employees by October 1, 2013.  The notice is called “Notice of Health Care Exchange.”  It is a boilerplate notice advising employees of certain benefit options and requirements under the new Affordable Care Act.   The notice must be given to all existing employees and to all new employees on the date of hire.  The government provides the form of notice online.

Employers that have more than 50 employees are required to provide health insurance for their employees or pay a penalty.  The Obama administration announced after the date of this presentation that this category of employer will now have until 2015 before they will incur penalties for not providing health insurance. This extension was based upon the government wanting to readdress the complexities in the reporting guidelines employers must follow.

Determining whether the employer has 50 or more employees is, in some cases, complicated.  Part-time employees may be treated as full-time equivalent employees.  There are special rules for seasonal employees and affiliated groups of employers.  Afsahi suggested that companies work with their payroll vendors.  The vendors can help determine eligibility much more effectively than a business can on its own.

Much attention has and will continue to be given to whether a company with more than 50 employees should “pay or play” – i.e., should a company provide benefits coverage to its employees or not provide health insurance coverage and pay the resulting penalties.  Afsahi suggested a financial analysis for each company considering pay or play as an option.  He advised that for most large companies in Southern California, it will usually make financial sense to keep providing coverage since the penalty for not providing coverage is nondeductible, and uninsured employees will be required to obtain individual policies with after-tax dollars.  He also advised that it is important to start reviewing and analyzing payroll and employee data sooner rather than later.  He cautioned that health care benefits should be considered from a recruiting, incentive and morale perspective.

According to Afsahi, health care reform is likely here to stay. The goal of the law is to address access to and affordability of health care benefits.  He believes that access to health care was addressed in the new law, but that the cost of providing health care has not yet been fully addressed.


Who or What Symbolizes Your Business?

Today’s consumers are bombarded with choices because they can be marketed to with so many different approaches, both online and offline. It’s very easy for a business to get lost in the crowd. There are many success stories of companies that either have a person, a logo or a product with which consumers instantly identify: the Apple Computer logo, a Coca-Cola bottle, the name “Kleenex”, Warren Buffett representing his investment firm Berkshire Hathaway…and the list goes on.

Your local company is probably not in the same size category as those mentioned above, but the strategy is still the same. Let’s take Warren Buffett for example. Fresh out of college, a very shy Buffett started working out of a bedroom in his tiny home in Omaha, Nebraska calling neighbors and family friends and telling them about an investment company that he was starting. He eventually, after many attempts, convinced enough people that he had an idea, and the talent, to increase the funds provided him by these people who mustered enough trust in him to write him a check. The rest is history. He eventually named his company “Berkshire Hathaway” and he and his company have become synonymous with creating multimillionaires for those initial investors, as well as many other people along the way.

A good example in the San Diego area of an ordinary person building a business by becoming the voice and symbol for the business is a very unassuming individual named Jerome Navarra, owner of Jerome’s, a local home furnishings company which has grown from a single location 40 years ago to seven locations today (soon to be eight). Today’s San Diego Union Tribune contains a very interesting profile on Jerome and his company.

The article details how Jerome, never intending to work in the business his father started, volunteered to help out part-time to give his father some rest and is still at the helm after all of these years. He has filmed over 4,000 thirty second television commercials and one of his sons in the article marvels at how much of a local celebrity Jerome is, saying, “It’s totally surreal, people wanting your dad’s autograph when he’s just the spokesman for a furniture chain.” With Jerome’s selling one out of every four mattresses in San Diego, the argument can be made that he’s much more than a television commercial celebrity.

The point: no matter how mundane your product (mattresses are not exciting), or that you’re a shy person (i.e. Buffett and Jerome), personally becoming the symbol of your company (a “brand ambassador” in today’s jargon), having a unique logo or a great story to tell about how and why your company has grown and is successful provides you with much needed leverage in today’s world of information overload. Gaining this public recognition which separates you from the pack is what can take a small or medium-sized business to that top 5% of its industry.

Don’t despair if your business hasn’t arrived at the level you aspire to yet. Think of the austere beginnings of Buffett and Jerome. You’re already further along the road than when they started working their way to the top of their industries. What can you do to stand out from the crowd? What unique story do you have to tell and how can you get it told to the masses? A few suggestions: consider hiring a reputable public relations firm to help. Use the Internet and social media for all they’re worth. Don’t stop using offline media (print, radio, television) just because you’re marketing online; budget for both. Be visible in the public through executive and community forums.

Stories like these of Buffett and Jerome serve as motivating messages that ordinary businesses and owners can go on to become industry icons. It happens every year. You won’t become an overnight success; it will take consistent marketing day in and day out. But it can be done. And to an entrepreneur, those are the only words needed to get the adrenaline pumping once again.

Regents Bank can help you with your financial needs as you grow your business. Visit with a local Regents business banker today. You also can learn more about us at the Regents Bank website.
