How Contractors Can Defend Themselves From Cyberattacks
Construction contractors and sub-contractors are being increasingly targeted by online hackers. For instance, a security breach at a heating, ventilation, and air conditioning (HVAC) contractor initiated events that ultimately led to the now infamous Target breach.
In another example, an employee at an electrical contractor clicked a link that appeared to come from a legitimate source. The web page that appeared contained malicious software — the Zeus online banking Trojan that gave the hacker unfettered access to the contractor’s bank accounts. The contractor ultimately lost $250,000 when the hacker used this access to send a fraudulent wire transfer.
These examples are far from unique; construction companies of all sizes are being targeted by malicious cyberattacks.
“Contractors that never considered themselves targets are becoming victims of credit card fraud, automatic clearing house fraud, and wire fraud,” says Mark Eich, information security principal with CliftonLarsonAllen. “These crimes are often perpetrated from outside the country by attacking the online cash management features that banks provide their customers.”
There are steps you can take to protect your entity, but you must also understand how the fraud occurs and why this is a growing threat to contractors.
Online banking malware
By far the most common method of attack is a phishing message that delivers malicious software (malware) and hits online cash management systems. Once the malware has been delivered, it monitors and records system activity, stealing personal information, login credentials, and codes for the internet banking services.
Attackers then use this login information to pose as the victim — they simply log in and create fraudulent automated clearing house (ACH) entries or wire transfers. More sophisticated malware, like the Zeus Trojan horse, can even be used to bypass more robust defensive measures, such as multi-factor authentication tokens like RSA SecurID tokens. This type of attack is often called corporate account takeover.
Email spear phishing
Malware code is often delivered via email, either by a file attached directly to the message, or by a website link directing the user to a rogue website. In the latter case, the malware returns with the web page and attempts to install itself on the victim’s computer. This type of phishing attack has been dubbed “spear phishing” since often only a single email is sent to the victim’s organization.
Spear phishing emails have improved significantly in their sophistication and effectiveness and can be very difficult for users to identify as fraudulent. They often use carefully crafted messages to entice the user to click the link. In some cases, the emails are even “spoofed,” that is, crafted to appear to come from someone inside the victim’s organization (e.g., the company president).
In other cases the emails are spoofed to appear to come from a legitimate business or organization, such as UPS, American Express, PayPal, or the IRS. These tactics are designed to increase the likelihood that the recipient will act quickly, clicking on the link without much thought.
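As an added illustration, not part of the original article, the following Python check flags the spoofing patterns described above (an insider’s display name on an outside address, a named brand on the wrong domain, a mismatched Reply-To, or a failed SPF/DKIM result); the company domain, executive names and sample messages are constructed.

```python
import email
from email.utils import parseaddr, getaddresses

# Constructed company details for this example (not from the article).
COMPANY_DOMAIN = "example-contractor.com"
EXECUTIVE_NAMES = {"jane president", "pat cfo"}      # names a spoof is likely to borrow
# Brands the article names as commonly impersonated, with their real domains.
BRAND_DOMAINS = {"ups": "ups.com", "paypal": "paypal.com",
                 "american express": "americanexpress.com", "irs": "irs.gov"}

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def spoof_indicators(raw_message):
    """Return the reasons a message looks spoofed; an empty list means none found."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    name_l, from_dom = name.strip().lower(), domain_of(addr)
    reasons = []
    # 1. Display name claims an insider, but the address is not on the company domain.
    if name_l in EXECUTIVE_NAMES and from_dom != COMPANY_DOMAIN:
        reasons.append(f"internal name '{name}' but sender domain {from_dom}")
    # 2. Display name invokes a known brand, but the address is not on that brand's domain.
    for brand, real_dom in BRAND_DOMAINS.items():
        if f" {brand} " in f" {name_l} " and from_dom != real_dom \
                and not from_dom.endswith("." + real_dom):
            reasons.append(f"brand '{brand}' claimed but sender domain {from_dom}")
    # 3. Reply-To points elsewhere than the From domain, so replies go to the attacker.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if domain_of(reply_addr) and domain_of(reply_addr) != from_dom:
            reasons.append(f"Reply-To domain {domain_of(reply_addr)} differs from {from_dom}")
    # 4. The receiving server recorded an SPF or DKIM failure.
    auth = (msg.get("Authentication-Results") or "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        reasons.append("SPF or DKIM failure in Authentication-Results")
    return reasons

# Constructed samples: one posing as the company president, one genuinely internal.
SPOOFED = """\
From: Jane President <jane.president@freemail-example.net>
Reply-To: payments@other-mail-example.org
Authentication-Results: mx.example-contractor.com; spf=fail
Subject: Urgent wire transfer
"""
LEGITIMATE = """\
From: Jane President <jane.president@example-contractor.com>
Authentication-Results: mx.example-contractor.com; spf=pass dkim=pass
Subject: Weekly update
"""
```

Such checks belong in a mail gateway rule or a user-facing banner; the brand-name match is a heuristic and will need tuning per organization.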
Protecting your business
Preventing these attacks is no small task — it requires a multi-layered approach. Construction companies should consider each of these tactics.
- Keep current on technical defensive measures such as firewalls, intrusion detection systems, and spam filters.
- Keep the anti-virus software on each device up to date, and run regular scans to keep them clean.
- Keep all network servers and PC workstations current with the latest security updates and patches.
- Limit the number of PCs used to conduct online cash management. If possible, isolate them from the rest of the company network.
- Encrypt sensitive data, such as intellectual property and personal financial information.
- Utilize all key bank security tools for online cash management, including:
  - Multi-factor authentication
  - ACH blocks and filters
  - Daily and individual transaction limits
  - Wire call-back features
  - Positive pay systems to reduce check fraud
- Make regular backups of key data and systems and store them in a secure off-site location.
- Monitor account activity and reconcile online account balances daily.
- Perform periodic vulnerability or penetration assessments to validate that controls believed to be in place are functioning as intended.
Relationships, communication, and training
- Educate users to spot potentially fake emails and to be wary of website links and file attachments.
- Read and thoroughly understand agreements with your bank related to online activity.
- Identify the primary contact at your bank who will be your first call for help in the event of a breach.
- Have an incident response plan so staff know who to contact immediately if they suspect malicious activity on their computer.
- Establish a relationship with local law enforcement agencies that are familiar with online crimes.
How we can help
Reliance on technology is a reality for even the smallest organization — pulling the plug is not an option. Conducting business securely in an environment of ever-increasing threat is possible with the right strategy and implementation. Contractors must embrace security as part of their technology strategy. View our recent webinar on Payment Fraud Trends to help prepare your company against online attacks.