Data Destruction St Louis | Secure Document Destruction of St. Louis


Does Your Business Need Cyber Liability Insurance?

Cyber Security Insurance

As businesses have migrated to electronic and online platforms, our interconnected world has made us more efficient than ever.

We process more data than ever before, faster than ever before, to remain more competitive than ever before.

But those benefits are not without risks.

Business infrastructures, networks, customers, and end-users are all subject to an unprecedented level of sophisticated intruders who understand the value of accessing data. We live in a world where the terms hacking, phishing, worms, viruses, ransomware, eavesdropping, denial of service attacks, and other similar illicit actions are commonplace.

Big breaches get the headlines.

For example, in 2017, Equifax was hacked, and nearly 148 million consumers’ names, Social Security numbers, birth dates, addresses, and driver’s license information were stolen.

But every business, big or small, is at risk.

Although firewalls, intrusion-detection systems, cryptographic enhancements, antivirus and anti-spam software, and other countermeasures solve many of these problems, there is still a real and credible threat to the cyber frameworks of businesses.

In short, the target keeps moving, making it impossible to create a perfect cyber-security environment.

Still, as a business owner, you need to do everything you can to protect your critical information and minimize your financial vulnerabilities if you become the victim of a cyber incident.

That’s why you should consider cyber liability insurance.

What is Cyber Liability Insurance?

Cyber liability insurance covers financial losses resulting from cyber events that negatively impact your business.

These impacts may include intentional cyberattacks or other tech-related risks. Coverage can protect business owners from lawsuits following an attack or costs associated with privacy and security investigations that can disrupt a business’s normal course of activities.

Cyber liability insurance can also cover legal services to help meet state and federal regulations, including notification expenses to affected customers following a cyber compromise event. State and federal agency regulatory fines are also generally covered as well as lost income from network outages.

It is recommended for most larger businesses, but small businesses, depending on the nature of their goods and services, can benefit from this type of coverage as well.

Policies vary from insurer to insurer, and most policies are flexible and can be customized depending on your needs.

Also, most policies include first-party and third-party coverage.

Here’s what that means.

First-Party vs. Third-Party Coverage

First-party coverage insures against loss to your data or income or loss of any other aspect of your business as a direct result of a cyber-attack. This may include:

  • Loss of funds from theft or fraud.
  • Loss of income and costs if your business activities are interrupted.
  • Legal, technical and forensic services. Business owners may retain these services to determine if a breach has taken place, the extent of the breach, and how to fix the problem.
  • Cyber extortion costs such as when a hacker enters your computer system and threatens to damage your data, introduce a virus, or initiate a denial of service attack unless you pay a ransom.
  • Replacement costs for the physical damage to business computer hardware and software.
  • Investigation costs related to threats toward your business for future data breaches.

Third-party coverage insures your business against losses that third parties associated with your business have incurred due to a directed cyber event. This may include:

  • Coverage for lawsuits or settlements resulting from a data breach.
  • Coverage against claims for negligent acts, errors, or omissions.
  • Cost to respond to government queries into cyber attacks. This can be especially important if there is a need to retain legal, technical, or forensic professional support.
  • External communications costs (notifying customers, clients, employees, etc.)
  • Public relations, advertising, or crisis management responses from the data breach.
  • Liability costs associated with a breach of employee or customer privacy.
  • Ongoing costs for credit or fraud monitoring.

The Difference Between Cyber Liability and Data Breach Insurance

If you’re considering cyber liability insurance, you probably should be aware that there is a difference between that kind of a policy and a data breach insurance policy.

They’re similar, and both offer some of the same benefits, but they have certain limitations as well.

Data breach insurance helps your business respond if there is a loss of PII (Personal Identifying Information) or PHI (Personal Health Information). This may happen if a hacker breaks into your network or an employee accidentally loses their laptop containing sensitive information.

Data breach insurance will help pay for notifying customers, employees, and other impacted parties. This can extend to hiring a public relations firm to manage crisis communications and messaging. It also provides coverage so that you can offer credit monitoring services to potential data breach victims.

Policies can be enhanced by adding riders such as business income and extra expense coverage, prior acts coverage, and extortion coverage for times when your data may be held for ransom.

As you can see, there’s overlap, but you should at least be aware that both types of policies exist. Be sure to question your insurer if they carry both so that you fully understand the coverages and exclusions.

How Much Does Cyber Liability Insurance Cost?

The short answer is…it depends.

There are several variables to consider when putting together a policy. These include:

  • Coverage limits. The more complex your coverage needs are, the more you’ll have to pay. If you store a lot of data, or you’re a larger, more established business with multiple servers or other data points of contact, you’ll pay more.
  • Your industry. If you run your business primarily online and face more threats, you’ll be deemed a more significant risk and pay a higher premium. Healthcare and accounting businesses tend to store the most sensitive and private information, so they are also considered at more risk and will also pay more for coverage. Companies that also engage in many credit and debit transactions or store personal information such as Social Security numbers or birth information are considered to be at more risk.
  • Who has data access? If you limit who has access to your electronic records, perhaps only to senior employees or other restricted classes of employees, you’ll be considered less open to breaches, and your premium should be less.
  • Existing data security measures. Just like a good driver policy, if you already have things like antivirus software or network firewalls in place, you might be able to negotiate a lower premium.
  • Claims history. If you have a bad track record of data security, and that’s reflected by claims you’ve made in the past, you might be subject to a higher premium.

According to insurance industry statistics, in 2019, the average cost of cyber liability insurance in the United States was estimated to be $1,501 per year for $1 million in liability coverage, with a $10,000 deductible.

The average annual premium for a cyber liability limit of $500,000 with a $5,000 deductible was $1,146. The average annual premium for a cyber liability limit of $250,000 with a $2,500 deductible was $739.

You’ll need to check with your carrier to define your needs so that you can get an accurate quote for your unique situation.

Final Thoughts

If you want to do some research, start by talking with your insurance agent who will provide valuable advice and answer questions you’re sure to have regarding coverage and costs.

You can also do some digging online on your own. Take a look at some of the industry leaders who offer cyber security insurance such as AIG, Travelers, The Hartford, Liberty Mutual, and others.

As cyber security insurance becomes more of a mainstream business issue, there are several general insurance industry articles that are excellent sources of information as well.

Filed Under: Security


Maintaining Cybersecurity in a New Work-at-Home World


You can’t deny that 2020 has upended every part of our lives, including how we work.

Working at home was already a trend before the pandemic hit. Companies are now treating this trend as a new way of doing business, and with that come many new issues.

An area that cannot be overlooked is making sure workers have the appropriate security tools and safeguards in place to protect themselves and their companies while working remotely. And while most companies work electronically, they must remain vigilant about securing assets on paper.

A reshuffled working world has created new kinds of cyber challenges and vulnerabilities that must be addressed. Cyber threats are real, and there are a lot of bad actors who are always looking for weaknesses they can exploit.

Fortunately, every business owner and work-at-home employee can take steps to become a harder target for criminal activity.

20 Tips You Can Take to Safeguard Your Cyber Assets

  1. Educate yourself. Personal computers not controlled by a company may lack the necessary safeguards to protect against cyber threats. Also, employees may not understand that certain actions, such as opening a suspicious file, could create a security breach. Employees may also not have adequate antivirus software or may not erase sensitive company information from personal devices. It’s up to both the employer and the employee to learn and engage in best practices in these areas. New policies governing work-at-home cyber protection may need to be created.
  2. Create a secure technical infrastructure. To create a work environment that protects a company’s assets and employees’ actions, it may be necessary to upgrade or install a new cyber-secure system that allows staff to safely work remotely.
  3. Understand that employees may be “patching” workarounds to maintain productivity. There’s a lot of pressure on employees to perform during the pandemic, and some enterprising employees may create their own ways of maximizing productivity. For example, this may involve transferring company data onto personal devices, which could create security breaches. Policies and protections must be put in place to ensure the level of security is not compromised.
  4. Implement safeguards that prevent employees from transferring company data while they are connected to the company’s network. Double down on these efforts by also investing in data leak monitoring software.
  5. Create a detailed policy that clarifies how employees should handle company information loaded onto their personal computer. As an alternative, a company may provide employees with work computers or laptops with cyber safeguards already installed.
  6. Review and/or update all anti-virus protection for work-related computers. Many times, these updates are pre-programmed and automatic when new updates are created. Don’t be cheap when it comes to cybersecurity, either. You’ll want software that is equipped to offer automated remote working security against several kinds of threats, including:
    • Zero-day attacks
    • Malware, spyware, and viruses
    • Trojans and worms
    • Phishing scams, including those sent via email
  7. Filter out unauthorized or unnecessary access to the company’s network. Limit user privileges and restrict administrative access to a small group of employees.
  8. Discourage employees from using public Wi-Fi networks, which could provide easy access entry points for hackers.
  9. Work-at-home employees need to keep all family members away from their work-related computers. There is a greater chance that children will hop on the computer in cramped quarters and could create havoc for the worker.
  10. When participating in teleconferences, consider investing in a sliding webcam cover. Hackers have learned how to access webcams without permission, compromising security and privacy. Webcam attacks are a real threat, and hackers may view sensitive documents in the home workspace. Covers prevent this from happening. Also, some videoconferencing software has a “blur background” feature to prevent others from spying on objects in a home workspace.
  11. Create a strong company Virtual Private Network (VPN). When more remote computers than ever are connected to company resources, a strong VPN is a crucial safeguard against back door hackers. Be sure to use the strongest possible authentication method, perhaps by using smart cards. Enhance the encryption method for VPN access. Make sure employees update and change passwords regularly. Also, make sure employees are logged on via secure networks.
  12. Use a cloud or server storage as a centralized storage solution. It’s a lot safer than storing files locally and creates a safer backup solution to protect against compromised, lost, or destroyed files. These storage solutions also have firewall protections built-in for an added layer of security.
  13. Confirm the security of third parties. Most organizations use contractors or vendors to keep their operations running. Often that involves sharing and integrating information and data. At the very least, government agencies and tax authorities must be accessed at some point or another. When organizations assess which controls must be extended to employees to secure new work-from-home protocols, they should do the same for third-party users and connections. If third parties cannot demonstrate adequate cybersecurity measures, consider limiting or suspending interaction until they can.
  14. Home networks must be secured. Creating a strong and unique password, changing the SSID, and limiting access to specific MAC addresses are steps you can take to ensure the wireless network is protected.
  15. Strengthen potentially weak passwords. The Federal Trade Commission recommends: “Use passwords on all your devices and apps. Make sure the passwords are long, strong, and unique. Use at least 12 characters that are a mix of numbers, symbols, and capital and lowercase letters.”
  16. For work-at-home employees who have customer account or banking responsibilities, extra care should be given to maximizing the security of online banking activities. Use only accredited software and services to handle funds. Only use platforms and software you are familiar with. If you’re unsure about a particular type of transaction, ask questions first until your concerns have been addressed. When accessing a banking website, make sure you are connected via Hypertext Transfer Protocol Secure (HTTPS). This means the URL should include https:// rather than just http:// at the beginning. You should also see a lock on the left of the URL bar of most internet browsers, indicating that the website has an authenticated security certificate. Fraudsters may trick at-home employees through email, social media, or over the phone. Be stingy with giving out any banking information whatsoever.
  17. To protect your company, ensure work-at-home employees have the best tools possible. This may involve providing stipends or allowances to purchase approved hardware and software to upgrade as needed.
  18. Make sure incident-response protocols are in place. When cyber breaches occur, employees must know how to report them and what immediate steps to take. Speed is the key to minimizing potential damage inflicted on an enterprise. Redundant systems should also be in place and ready to act to minimize disruptions to normal business operations.
  19. Do not be penny wise and pound foolish. It may cost a bit more to make sure at-home workers have a secure system, but consider the alternative if they are breached.
  20. Be sure email security is protected. Email is still a primary form of communication, but this form can also be easily hacked and compromised. Phishing scams are as prevalent as ever. To protect against email attacks, do the following:
    • Make sure emails can only be securely accessed via a company’s VPN. This creates an encrypted network connection that authenticates the user and/or device. It also encrypts data in transit between the user and your services.
    • If you already use a VPN, make sure it is fully patched.
    • Staff is more likely to have their devices stolen (or lose them) when they are away from the office or home. Make sure staff devices encrypt data while at rest. This protects email data on the device if it’s lost or stolen. Most devices have built-in encryption, but it still needs to be turned on and configured.
    • Instruct employees how to spot phishing attacks.

Extend Security Policies to Other Types of Records

Even with more robust technology controls and investments in security and infrastructure, employees working from home must still exercise good judgment to maintain information security. This also includes paper security.

Work-at-home employees need to make sure they have access to shredders at home or that they can access shredding bins in their offices onsite as needed. Depending on the nature of the business, other measures for hard file protection should be in place. Any secure document policy should go beyond the cyberworld and extend to paper and computer drive storage issues.

It’s incumbent on employers to set norms for the retention and destruction of physical copies, even if that means waiting until the organization resumes business as usual.


Guard Against These Consumer Scams


Scammers are everywhere, and they’re continually coming up with new and more sophisticated ways to separate you from your money.

Recognizing this growing threat to consumers, in 2019 the federal government earmarked $15 billion for cybersecurity issues spread out across more than 70 agencies. The funds are being used to stop government security breaches, ransomware attacks, and various types of fraud that can impact millions of Americans.

This doesn’t even come close to fully addressing the problem, but it does help to point out the magnitude of a rapidly growing problem.

Vigilance is the Key

Scammers can come at you a thousand different ways. Your identity can be stolen as part of a significant data breach. A con man could rip you off in a Craigslist transaction. A thief could insert a card skimmer in the pump at your local gas station. A phony online retail site could induce you with a “too good to be true” deal that you fall for.

That’s why you need to adopt an overall philosophy about how you protect your identity and your financial information. Develop a set of guidelines that you won’t violate under any circumstances. Don’t give out personal information over the phone. Do some digging before you buy online. Make sure the government agency or company you’re dealing with is who they say they are.

Also, check your credit report regularly and be on the lookout for bills you don’t recognize that come to you in the mail.

If you set your radar on high and let your intuition play a part in protecting you, you’ll be in far better shape against scammers who want to victimize you.

Be on Alert for These Consumer Scams

Let’s take a closer look at some of the consumer scams you could encounter.

Phishing. Phishing involves a scammer passing themselves off as a trusted entity such as a bank or mortgage company. Their goal is to mislead you into passing your personal information to them, which they’ll then use to commit crimes.

Malware. If you visit a lot of websites, sooner or later you may fall prey to malicious software loaded on your computer. The software will scan your entire hard drive for information that could end up costing you a lot of money.

The Prepayment Scam. You’re asked to pay upfront fees to process contest winnings, loans, grants, credit cards, or an investment.

The Charity Scam. You’re contacted by phone, online, by email, or regular mail, asking you to donate to a charity. This is particularly prevalent after a large natural disaster such as an earthquake or hurricane. Stick to mainstream charities such as the American Red Cross or those that have been thoroughly vetted. If you don’t recognize the organization, do your homework first.

The Employment Scam. You’re looking for a job, and you’re extended an offer, but you must first pay for job-related expenses. You could be tricked into buying products up front that you would sell once you begin the job.

Extortion. This is particularly heinous because it involves threatening your life or the lives of your family members. Vulnerable populations are often at risk, including seniors and undocumented immigrants, among others.

Identity Theft. Thieves pose as you using your personal information, such as your banking information, Social Security number, or credit card info. These types of identity theft are far-reaching and include opening new accounts, making purchases with your information, obtaining medical coverage, filing tax returns, and countless other ways.

The Military Scam. Fraudsters may pose as a member of the armed forces and solicit you for donations for their fake cause.

The Lonely Hearts Scam. With the rise of online dating, you could meet someone online, fall prey to their smooth-talking charms and end up having your bank account emptied before you know it.

The Social Media Scam. Hackers will access your personal information on Facebook, Twitter, Instagram, and other platforms and use what they find to rip you off. They may also be able to access personal information from the people in your network or make highly targeted pitches for money to friends and family.

Telemarketing Scam. If you don’t screen your calls, unscrupulous telemarketers could contact you with “free if you buy today” or “extremely limited time” offers. This high-pressure squeeze tactic can have the unsuspecting transferring money or giving up personal information.

The Children’s Social Security Card Scam. Thieves can obtain the Social Security numbers of children who don’t have any credit history. Their credit reports are seldom monitored, and a scammer can do a lot of damage before any irregularities are discovered as the child gets older.

The Mortgage Scam. Distressed homeowners are often targeted with foreclosure rescue scams, phony loan modifications, and equity skimming. And worse, actual real estate and mortgage professionals may take part due to their intimate knowledge of the home loan industry. It’s easy to get fooled.

Debt Collection Scam. A fraudster may call you posing as a collection agency to collect a debt that you may or may not owe. They may threaten you or pressure you with threats of legal action to get you to reveal your account information as a means of settling.

What to do if You’ve Been Scammed

Report it. Don’t feel embarrassed or assume that there’s no hope of recovering what you lost. Scammers hope you’ll think that getting your money back is futile. Don’t fall into this trap. Reporting a scam helps law enforcement officials establish accurate statistics. In turn, this provides direction on where to devote resources. Spotting trends also makes it easier to alert other agencies on what to look out for. Many criminal enterprises extend throughout the country and internationally. If you’re not sure where to start, call your local police department for direction.

Match the enforcement agency to the crime. Some scams are local in nature; others can have far-reaching geographic implications. For scams involving goods and services, start with your state attorney general’s office or state consumer protection agencies. If you’re the victim of a scam that violates federal law, then you can go to a national enforcement agency. Start with the Federal Trade Commission or the FBI’s Internet Crime Complaint Center. If you are a victim of identity theft, the FTC has a separate website to assist you. For financial crimes, go to the Financial Industry Regulatory Authority to file a complaint.

Accept that you are a crime victim. Do not beat yourself up for feeling gullible. Highly sophisticated thieves have scammed millions of Americans. Focus on taking productive steps going forward, including shoring up access to your personal information. Become a hard target, and it’s more likely bad guys will move on. Work with friends and family to make sure they don’t become victims as well.


Continuing to Guard Against Coronavirus Scams

Guarding Against Coronavirus Scams (Yes, There are Actually People Doing This)

Revised – November 19, 2021

The vast majority of Americans have pulled together during the coronavirus pandemic.

There have been a lot of disruptions and a ton of misery for many businesses. While some of the pain has been a tragic byproduct of the pandemic, some has been intentional by a few dishonest souls.

Since the pandemic began, several scams have popped up. Some are variations on old scams, while others are new. Whether you are a consumer or a small business, you have to protect yourself more than ever.

Here are several scams that have been occurring more and more frequently since the start of the pandemic.

Watch Out for These Coronavirus Scams

Here are some of the coronavirus scams currently making the rounds.

Fake contact tracers. Contact tracers work for state health departments and track people who may have been exposed to Covid-19. They provide a vital function in stemming the spread from one person to another. The scammers pretend to be contact tracers to steal your identity and empty your bank accounts.

A legitimate tracer will contact you to discuss Covid-19 test results, either for you or someone you know. Legitimate tracers will only ask you for limited information (name, address, health information, and names and places you have recently visited). As we’ve progressed further into the pandemic, tracers are not as prevalent, but the scam is nonetheless dangerous.

Scammers posing as tracers may ask you for money, your Social Security, bank account, or credit card numbers. Also, do not share your immigration status or download any links sent to you from someone asking for this type of information. If you think you are dealing with a fake contact tracer, contact your state health department to see what steps you can take.

Fake stimulus payments. Many Americans have enjoyed one or more rounds of stimulus payments. But taxpayers have also been flooded by false information, calls, text messages, and emails from scammers trying to steal personal information.

Be alert for people attempting to trade your personal information for the promise of a payment.

The following will help you protect yourself if you have a special situation:

  • If the IRS doesn’t have your direct deposit information, you can go to the “Get My Payment” feature at irs.gov/coronavirus and let them know where to send your direct deposit.
  • If you don’t usually file a tax return, go to irs.gov/coronavirus to access the “Non-filer” portal and to determine what, if anything, you have to do to claim your money.
  • To check on your payment status, you can now use the “Get My Payment” feature at irs.gov/coronavirus.

The IRS will not contact you by phone, email, text message, or social media with information about your stimulus payment, nor will they ask you for your Social Security number, bank account, or government benefits debit card account number.

You don’t have to pay a fee to get your stimulus money, and you will never be asked to send back your stimulus money after it has been sent to you because someone claims you were overpaid.

Fake charities. Now, more than ever, charities are desperate and need help. The pandemic continues to put many people in dire straits, and the demand for services continues to stretch a lot of nonprofits. Scammers know this and will reach out to you by phone or online to take advantage of your generosity. If you haven’t heard of a particular charity before, research the charity and ask lots of questions before committing to a donation.

Fake personal protective equipment. Masks, gloves, face shields, and hand sanitizers are still in relatively high demand for healthcare professionals, others providing essential services, and consumers. Websites may offer to sell you these items, but after paying for the products, you never get what you ordered. The scam is further legitimized by creating a shell company that sounds official or similar to a well-known provider to gain your trust. In other instances, when PPE arrives, it is either the wrong size or defective, in part because companies substitute products without a customer’s permission.

By law, sellers are supposed to ship your order within the time stated in their ads or within 30 days if the ads don’t give a shipping date. If a seller can’t ship within the promised time, it has to give you a revised shipping date, with the chance to either cancel your order for a full refund or accept the new shipping date.

Fake test kits. Ignore offers for home Covid-19 test kits. One thing that has improved during the pandemic is the infrastructure to support rapid and accurate testing. That doesn’t mean scammers won’t continue to try and sell you products to diagnose whether or not you have the virus without proof that they work. Early on, most of the test kits advertised had not been approved by the FDA, meaning that they were not accurate and could put you at even greater risk due to giving you a false sense of security with a false negative result. The best advice here is to steer completely clear of any at-home Covid-19 testing and either find a public testing facility or contact your healthcare provider.

Fake cures. Let’s be clear up front. Right now, there is no cure for Covid-19. Vaccines provide a high measure of protection, but they only lessen symptoms and DO NOT provide a cure. You have probably already seen a lot of different homeopathic, “secret,” or newly discovered ways to treat symptoms. Unless medical experts tasked with finding ways to address the cure tell you what is working, don’t believe what you read. Not only is it not smart, putting your faith in a remedy that does not work could be deadly.

In May 2020, the FTC announced that it had sent out more than 120 warning letters to marketers making false claims about cures for Covid-19.

In late July 2020, the Federal Trade Commission filed charges against two companies for making false remedy claims. The companies, Golden Sunrise Nutraceutical, Inc. and Golden Sunrise Pharmaceutical, Inc., advertised dietary supplements, claiming that these products were “uniquely qualified to treat and modify the course of the virus epidemic,” which was not the case, and that the FDA had approved the products for use, which was also not the case.

Do your homework on cures. It could save your life.

Nursing homes and stimulus payments. As stimulus payments have largely stopped, this scam is not currently relevant to any significant degree, but you should still be aware it is part of pandemic-related fraud and could pop up in other situations. In some cases, people living in nursing homes or assisted living facilities were forced to sign over their stimulus payments if they were on Medicaid. Homes were claiming that because the person is on Medicaid, the facility gets to keep the payment. Wrong! Those economic impact payments are a tax credit under the CARES Act. Tax law says that tax credits don’t count as “resources” for federal benefits programs such as Medicaid.

This part IS still relevant. If a loved one is at a facility that took it already, contact your state attorney general and ask them to help you get it back.

Phishing, fake emails, robocalls, and texts. Scams that were popular before the pandemic are still popular among thieves. Scammers will use fraudulent emails and texts to induce you into sharing valuable personal information. Be highly suspicious of any requests to share account numbers, Social Security numbers, passwords, and other information that makes you vulnerable to losses.

As economic conditions have worsened for many people, scammers are now pitching all sorts of remedies ranging from work-at-home schemes to low-priced health insurance.

Phishing emails may induce you to click on a link, often appearing to be from a legitimate organization (state or federal government agencies, the World Health Organization, etc.). When you click on the link, a scammer can install ransomware or other programs that lock you out of your computer or steal your personal information.

Scammers have also used personal computer access to install and infect computers with malware. Recently, malicious websites used the real Johns Hopkins University interactive dashboard of coronavirus infections and deaths to spread password-stealing malware.

Another recently uncovered phishing scam involved scammers impersonating the World Health Organization. The scammers offered a fake e-book to victims, and when they attempted to access the book, malicious code for a downloader called GuLoader was instead installed on their computers.

Student loan forgiveness. There have been a lot of discussions about helping students with relief from burdensome student loans during the crisis. At this point, the only thing that has happened is that student loan payments have been suspended as part of the stimulus package passed by Congress. Payments are slated to resume in early 2022.

Scammers will prey upon your fears about paying your student loans and may reach out with an offer that promises you student loan forgiveness if you pay an upfront fee.

The federal government can forgive or restructure student loans through public service loan forgiveness or income-driven repayment. But private companies cannot cancel student loan debt, so don’t fall for it.

How to Protect Yourself

New scams pop up every day, making it impossible to track every instance. So, you need to heed general precautions to continue to protect yourself from Covid-19 scams. Here are some things you can do:

  • Never give out personal information over the phone. If a charity contacts you to donate, check out the name of the charity before you even consider giving. Use a credit card instead of cash or a check to provide yourself with more protection.
  • Hang up on robocalls immediately. No exceptions, and don’t press any numbers for more information. That tells the robocaller you might be interested and will likely result in more robocalls.
  • Never pay in advance to get money or help from the government. Also, the government will never call and ask you for personal information (e.g., your Social Security number, birthday, or credit card numbers).
  • No private student loan company can help you with loan forgiveness. If you’re approached about this, you are being scammed.
  • If you’re buying in-demand products, know those from whom you are buying. Online sellers may claim they have cleaning, household items, medical and health supplies available when they do not.
  • The same rule applies to charities. Do your homework and verify that you are donating to a legitimate charity. Or donate to a well-known and established charity like the Red Cross. You can also keep your donations local and give them to a food bank, shelter, or other community-based nonprofit to keep your assistance close to home.

The Federal Trade Commission is in charge of consumer fraud in the United States. You can subscribe to alerts for consumers and businesses to keep up with the latest scams. You can also like the FTC Facebook page.

What to Do If You’ve Been Scammed

If you feel you have been the victim of a coronavirus scam, you can contact your state attorney general.

You should also report any scams or suspicious claims to the FTC at ftc.gov/complaint.

Also, file a criminal complaint with your local police department. It may not have the resources to help you directly, but it can provide valuable tracking information to state and federal law enforcement agencies who can more accurately direct resources to fight coronavirus scams.

Contact your banks and credit card companies to be on the lookout for fraudulent activities in your accounts. Also, change your password information and try to use different combinations for different sites. Closely monitor your credit as soon as you can if a scammer has gained access and used your information before you have had a chance to lock it down.

Consider contacting national credit bureaus (Experian, Equifax, and TransUnion) as part of a strategy to maintain and access your credit reports. You can also freeze your credit, which prohibits anyone from viewing your credit report unless you lift the freeze using a PIN that has been provided to you.

If you don’t want to freeze your credit, consider requesting a fraud alert instead. You only need to request an initial fraud alert with one of the three bureaus, and that agency will pass along your request to the other two. An initial fraud alert stays on your credit reports for 90 days. You can renew it as many times as you want. You can also place an extended alert that will last for seven years.

Coronavirus image provided by CDC/Alissa Eckert, MS; Dan Higgins, MAMS


What Type of Scams Should You Guard Against? Part 1: Business Case Studies

When you’re a small business owner, as if you don’t already have enough to worry about, crooks have become a lot more sophisticated in trying to scam you out of your hard-earned money.

Many scams fall into the same overall types. According to a recent Better Business Bureau survey, the six most common of these that small businesses need to protect against are:

  • Imposters posing as a bank or credit card company and pretending to verify account information but with the actual intent of gaining access to a business’s accounts.
  • Scammers pretending to represent various government agencies who threaten to impose fines or take similar enforcement actions if a business does not pay fees or taxes.
  • Fraudsters who offer businesses increased visibility through advertising, advanced search engine techniques, and business directories.
  • Scammers who send a business an invoice for services never rendered or try to induce a business to pay for products it never ordered or received.
  • Buyers who pay for goods and services with fraudulent checks from non-existent accounts.
  • Scams involving tech support or ransomware demands.

Spotting a scammer

Although every scam and every scammer is unique, almost all share the same general characteristics. Here are some red flags to look for:

  • They pretend to be someone you trust, either in the guise of a company, person, or government agency.
  • They create a sense of urgency by setting a short deadline to respond.
  • They use fear and intimidation, pressuring you to send a payment before you can check out their claims.
  • They use wire transfers, gift cards, or other untraceable payment methods.

Business Case Studies

It’s impossible to list even a small fraction of all the scams targeting businesses today. However, the following case studies will give you an idea of some of the tactics scammers use.

Business email compromise (BEC)

This is sometimes referred to as CEO fraud. Losses are estimated at more than $5 billion globally, and that figure continues to rise as scammers refine their already sophisticated tactics.

BEC involves a crook gaining access to a business owner’s corporate email account. The scammer then spoofs the owner’s identity to defraud the company. Favorite targets include companies that often conduct business with overseas suppliers or that routinely transfer money through wire transfers.

This form of transferring money is especially vulnerable because legitimate wire transfer requests are often urgent, and in most cases, the resulting wire transfer will be processed immediately. Companies that work using this model often don’t take the time to sign forms or wait for callbacks to confirm the transfers, creating further exposure.

It’s estimated that about 40% of all business victims of BEC are small or medium-sized businesses.

BEC remains an ongoing problem despite requirements that banks implement enhanced security measures to verify transfers.

An example of how BEC can happen

In 2018, an authorized wire transfer originator for a non-profit business client of First Business Bank made a wire transfer request of $28,626 to a person at Wells Fargo Bank. First Business Bank verified the documentation and initiated an authentication process to verify the legitimacy of the request. Later that day, the non-profit’s Executive Director contacted the bank to report the wire request was fraudulent and that it should not have been approved.

The Executive Director had approved the request, which he thought was from a colleague who was also an authorized account representative. But upon closer inspection, it was determined the request was fraudulent.

The non-profit filed an incident report with the Internet Crime Complaint Center, worked with law enforcement, and contacted the beneficiary bank, among other actions.

WannaCry ransomware attack

In 2017, the WannaCry ransomware cryptoworm hacked into computers running the Microsoft Windows operating system. It encrypted data and demanded Bitcoin ransom payments. Although the attack stopped when Microsoft issued an emergency patch in just a few days, it was estimated to have infected more than 200,000 computers in 150 countries.

Losses ranged from hundreds of millions of dollars into the billions of dollars. In late 2017, the United States, U.K., and Australia formally accused North Korea of being behind the attack.

Petya cyber-attack

Also in 2017, the Petya ransomware attack took place. The software took over computers and demanded $300 in bitcoin. It also exploited Microsoft operating systems, specifically something known as the EternalBlue vulnerability. It appears to have started through a software update mechanism for companies working with the Ukrainian government.

It affected banks and power utilities, and even the radiation monitoring system at Chernobyl had to be taken offline. Ultimately, Petya caused serious disruptions at companies throughout the United States and Europe.

The IRS W-2 phishing scam

In recent years, phishing scammers have sent out fake emails that look like they are being sent from various businesses and corporations. These emails request personal information of employees under the guise of obtaining important tax and compliance information.

This scam requires that bad guys know who has access to W-2s in your business and who has the authority to ask for this information.

In one year alone, this scam impacted more than 120,000 employees at 100 different businesses in the United States.

The phony Amazon attack

Under this scam, hackers send out what appear to be legitimate deals to businesses and consumers who are Amazon customers. When a recipient attempts to purchase the deal, the transaction is not completed. Instead, customers are redirected to a page to input data that can be stolen and used by hackers.

A variation of this is a scammer who will send out an email appearing to be from FedEx or USPS with the subject line “Shipping Information.” When a recipient opens a link in the email, they are directed to a page that downloads a virus onto the person’s computer, which can then be held for ransom.

Chipotle data breach

The vast majority of 2,000+ Chipotle employees were hit by a data breach that occurred when Eastern European hackers sent emails to staff that turned out to contain malware.

For three weeks, this malware allowed the hackers to gain access to each store’s POS system and access customers’ “track data,” which includes credit or debit card numbers, expiration dates, and verification codes that are stored on a card’s magnetic strip. The breach affected restaurants in 47 states.

Shell companies are often inside jobs

A shell company exists only on paper. It provides no goods or services. It is also one of the easiest ways for an employee to execute a fake invoicing scam.

The employee will set up a company in a friend’s or relative’s name, and then invoice their own company as a means of collecting payments. Most of the time, the employee will have some level of knowledge on how invoices are processed, or they may even be the employee doing the actual processing. That means they know what dollar amounts to stay under to avoid detection, making it easy to scam an employer for years.

Lawyers are not immune

Believe it or not, attorneys are often victims of business scammers. It happens in a couple of different ways.

A lawyer may be contacted by a “client” claiming a business owes them money and that if the lawyer collects this money, they’ll earn a fee. The lawyer reaches out to the “debtor” who sends a fake check to the law firm to pay the debt. The firm deposits the money, and the client directs the lawyer to deduct their fee and wire the balance to an account, which turns out to be untraceable or in another country.

Similarly, attorneys in divorce settlements may receive a supposed settlement, which is actually a fake check. They deposit the money, distribute the funds, and then find out from the bank that the check is a fake, leaving them on the hook if they’ve already sent out money to a client.

The overpayment scam

In this type of scam, a “vendor” or customer may contact a business, purchase a product or service, and then send in a payment for more than the amount they should have paid. Fraudsters then ask the business to send them a refund by wire transfer or other similar means.

This type of fraud is also prevalent on Craigslist for people who are selling big-ticket items like cars or boats.

A few more “inside job” hits…

From CFO Daily, here are some brief real-life examples of how employees scammed businesses:

  • An IKEA employee mastered the company’s phone and mail order system and issued himself $400,000 in refunds for purchases made by customers in a single year.
  • A Calgary Transit employee swiped almost $375,000 by pocketing about $200 a day in coins while he was a fare counter.
  • A U.S. postal worker in Washington, D.C. took the agency for $40,000 by claiming he was stuck in jury duty for a case that lasted 144 days.
  • A former embezzler turned theft prevention specialist put his talents to use by scamming Block Communications out of more than $1.1 million for a firm he was supposedly trying to protect.
  • The FBI caught a former Quest Diagnostics manager who stole more than $1.2 million through false expenses using fake companies and invoices. His reward was five years in prison.

By better educating yourself as a business owner, you can harden your business against scammers, hackers, and fraudsters. Your business’s very survival may depend on how well you proactively fend off attacks from criminals looking to take advantage of you.

Copyright © 2025 · Secure Document Destruction