Access to the internet is now second nature for those of us working online every day. It has fast become a business imperative to connect to customers, transact business and network across geographies and industries. Likewise, a concern for individuals and companies operating online is keeping sensitive data and information secure from cybercriminals and hackers. These cybercriminals are targeting businesses, big and small, across many industries, including the finance sector.
Supporting customers with security
As Head of Security at Xero, I lead a team that works around the clock to monitor and detect suspicious activity, and we’ve seen an increase in email and invoice fraud and account takeovers. These have been targeting small businesses and the accounting industry over the past few years, as more and more businesses manage their operations and do business online.
The day-to-day impact of cybercrime has become a fact of life and a permanent reality for businesses. We continually remind our customers – small businesses, accountants and bookkeepers – to take precautions to keep their data safe from hackers. Just as a hospital is charged with protecting patient security, businesses operating online need to take measures to ensure that they and their client data are safe online, and that they understand how they can become a target.
Ways to be aware of scammers
There are a number of ways small businesses and their advisors may be targeted, so it is important to be aware of how scammers look for a way in. It might be:
- Via hacked email accounts, which are then used to send out fraudulent invoices that look just like the real thing, but with a fraudulent payment bank account number
- With a phishing email, to gain access to information like usernames and passwords, credit card details, and bank account numbers
- Or through a bogus invoice email containing links and/or attachments that deliver malicious software to your PC, such as ransomware, password stealers, or remote access tools (RATs) to take control of your PC
Another scam to be aware of is the account takeover, where businesses have sensitive client information stolen because their system is accessed following the theft of their login credentials (username and password). These credentials are sometimes obtained by hackers using phishing or malware, or by taking login credentials stolen from one website and testing them against other websites to see if they work there too. This is called credential stuffing.
Advice for staying safe online
The Xero Security Team monitors around the clock and across every timezone for patterns of malicious activity using the latest account takeover detection technology. We investigate and respond to suspicious activity by notifying users with steps to take to protect their account. In some cases, we disable the account as a precautionary measure and notify the user to change their password and scan for malware.
But it is critical for everyone to take measures to ensure they are safe online. So I want to remind everyone of some simple, easy-to-implement steps to better protect their information and that of their clients online.
- Always use strong, unique passwords for each site or service you log in to, and never share passwords. Having a unique password helps prevent a compromise of one login becoming a compromise of many. Password-safe software can help you manage your multiple logins
- Use two-factor or multi-factor authentication (2FA/MFA) wherever this is available. This is particularly important for your email account, which is usually the means to resetting your passwords for other sites
- Update anti-malware (anti-virus, anti-spyware) software. It is one of the easiest and most effective things you can do to protect yourself
- Keep all of your software up to date with security patches
- Make sure your data is backed up regularly, and backup copies are kept separate to the source systems
Security is a priority at Xero, and like any online business, we are no strangers to the potential for phishing attacks and account takeovers. We all need to take responsibility to protect our data with strong security controls, investing the time and resources to strengthen online security every day.