Mainebiz

V O L . X X I I I N O. X I M AY 1 5 , 2 0 1 7 12 S ay you work in accounts payable at a widget maker in Wiscasset and get an urgent email from the company's CEO instructing you to wire money by the end of the day to a designated account. What do you do? While most people would probably check directly with management before transferring any funds, a small percentage would proceed without realizing that the email came not from the manager, but an imposter. at's the bet fraudsters make when they tweak email addresses and malware-infected web links to appear legitimate, save an extra letter that goes unnoticed. CEO email fraud "happens all the time," says Daniel Mitchell, a Portland-based partner with Bernstein Shur who co-chairs the law fi rm's litigation and dispute resolution practice group and data security team. He explains that hackers will do research on a company, dummy up an email address "very close" to the real thing, and request a money transfer. "Seven times out of 10 the person will say, 'I'm not sure,' but three times out of 10, they'll go ahead and do it." Another spoofi ng technique involves sending an email that looks like it's from a company executive to payroll or human resources requesting a list of employees and their W-2 forms. When the recipient replies, the information goes directly to the cybercriminal. Both scams fall into a common fraud category known as social engineering. "Hackers will use social engineering techniques to get information. ey don't have to get it from some sophisticated way into a computer system," Mitchell says. "Even at organizations that train people, employees still click on email links they shouldn't." 'Easy prey' for attacks About one out of four small businesses surveyed by the Better Business Bureau in 2016 said they had suff ered one or more cyberattacks that aff ected their business in the preceding 12 months. e report found that cybercrime is growing rapidly, costing the global economy more than $400 billion a year. Industries including manufacturing, real estate and construction reported the highest incidence of attacks, resulting in an average loss per company of $4,387 and up to $150,000. e authors concluded that while the risk was lowest for businesses with 10 employees or less, the danger is still present. Despite growing awareness of online threats, seven out of 10 businesses surveyed considered an attack unlikely in the next 24 months, leading to a "false sense of safety" the report attributed in part to a lack of expertise and information. It also pointed to common misconceptions like believing the bank would cover a substantial loss if credentials were stolen, when it fact the burden of proof lies with the business. Small businesses are "easy prey" for cybercriminals, says Bill P. Fanelli, chief security offi cer with the Council of Better Business Bureaus in Arlington, Va. He says this is partly because while large businesses spend more overall on cybersecurity, smaller fi rms have to spend more per employee. " e second hurdle is that a larger business has got the resources to fi gure out all the things they need to do, even if it didn't cost them more." Both these factors make small businesses more vulnerable to attacks, especially with increasing digitalization. "Ten years ago it was a manual process, so the bad actors wouldn't necessarily spend the time on a small business," Fanelli says. Now that everything is automated, "it doesn't matter anymore … Whether I get 100 million customer records in a huge data breach, or 100 over here and 200 over there, I can sell each one of those records for 10 to 50 bucks apiece." Phone phishing also remains a danger, with two Maine hospitals, MaineGeneral Medical Center in Augusta and Redington Fairview General Hospital in Skowhegan, both recent victims of scams. Although statewide statistics are hard to come by, Sgt. Kyle Willette of the Maine State Police Computer Crimes Unit said that credit card fraud and card 'skimming' scams are frequent. "We're not a primary investigative agency," he says, "but a lot of times businesses will call us." Defense strategies Some companies have responded to growing online threats by writing paper checks. at includes Patco Construction Co. Inc., a small property development and contractor business in Sanford, in the wake of a high-profi le case of a few years ago. e dispute centered on $588, 851.26 in fraudulent withdrawals from Patco's bank account after the perpetrators supplied Patco's customized answers to security questions. P H O T O / T I M G R E E N WAY Cybersecurity scams continue to snag businesses Hackers are finding new ways to pull old cons B y R e n e e C o r d e s Daniel Mitchell, a Portland-based partner with Bernstein Shur who co-chairs the law fi rm's litigation and dispute resolution practice group and data security team, warns businesses that email fraud "happens all the time." SMALL BUSINESSES TARGETED IN THE U.S. AND CANADA S O U R C E : Better Business Bureau, "The State of Cybersecurity Among Small Businesses in North America," September 2016 A survey of 1,500 businesses showed how many were affected by at least one cyber attack in the last 12 months. 0–10 employees 25+ employees 11–24 employees Overall average 24% 34% 31% 26%

• Cover