Cybersecurity Social Engineering: Email Security Recommendations

Cybersecurity attacks are occurring at such a rapid pace during the COVID-19 crisis that it has become difficult to keep up with all the fraud attempts.

Fundamentally, everyone should:

  • Have up-to-date antivirus software
  • Use a spam filter
  • Use VPN (Virtual Private Network) software
  • NEVER trust public Wi-Fi
  • Use encrypted file sharing, if necessary


Beyond those basic directives, there is an additional offline layer of controls, building on the “Defense in Depth” concept, that every company can easily incorporate to help prevent bank fraud. Now that we are working remotely, business is being conducted with almost no face-to-face interaction among team members, clients, and vendors. We rely more on email conversations than on phone calls. Hackers see this situation as an opportunity and are developing schemes to take advantage of it.

Our recommendations for email payment security include the following (your business may already have some or all of these in place):

1. Assemble a directory—mobile or landline—with pre-arranged telephone numbers
  • Include your company leadership or C-suite
  • Include your finance and/or accounts payable teams
  • Include vendors that you have a history of paying electronically
  • Include your bank(s) and regular contacts at your bank(s)

2. Require any team member receiving an email requesting a new or altered electronic payment to reach out to the “requestor” as listed in your new directory of “pre-arranged” phone numbers to verify that the request is real and to verify the account numbers.

Never rely on the contact information or account numbers provided in the email!

3. Require a secondary authentication from a pre-designated member of your company who is included in your directory of pre-arranged telephone numbers, such as your CFO or Director of Finance. Additionally, you can add another layer of security by using a pre-designated “code word” with the members of the pre-designated directory.

4. To protect your pre-arranged telephone directory, store it inside your password vault (most password vaults can store secure notes).
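To make the four recommendations above concrete, here is a small added example (not from the article or from HBK) that models the verification workflow as a policy check: the callback must use the number from the pre-arranged directory rather than the one in the email, the account number must be read back on that call, and a designated approver must supply the code word. The directory, phone numbers, account number and code word are constructed sample data.

```python
# Added example (not HBK's code): policy check for an emailed payment-change
# request, following the article's callback, dual-control and code-word rules.
# All names, phone numbers, account numbers and the code word are constructed.
from dataclasses import dataclass

# Pre-arranged directory, agreed before any request arrives (constructed data).
DIRECTORY = {
    "acme-supplies": {"phone": "+1-555-0100", "role": "vendor"},
    "cfo":           {"phone": "+1-555-0199", "role": "approver"},
}
CODE_WORD = "bluebird"  # pre-designated code word shared with directory members

@dataclass(frozen=True)
class PaymentChangeRequest:
    requester: str      # who the email claims to be from
    new_account: str    # account number stated in the email
    email_phone: str    # callback number stated in the email (never to be used)

@dataclass(frozen=True)
class Verification:
    callback_phone: str     # number the team member actually dialed
    account_confirmed: str  # account number read back by the requester on the call
    approver: str           # who gave the secondary authentication
    code_word: str          # code word spoken by the approver

def verify_payment_change(req, ver):
    """Return (approved, reason); each check maps to one recommendation above."""
    entry = DIRECTORY.get(req.requester)
    if entry is None or entry["role"] != "vendor":
        return False, "requester is not a vendor in the pre-arranged directory"
    # Recommendation 2: call the directory number, never the one in the email.
    if ver.callback_phone != entry["phone"]:
        return False, "callback did not use the directory phone number"
    if ver.account_confirmed != req.new_account:
        return False, "account number was not confirmed on the call"
    # Recommendation 3: secondary authentication by a designated approver.
    appr = DIRECTORY.get(ver.approver)
    if appr is None or appr["role"] != "approver":
        return False, "secondary approver is not pre-designated"
    if ver.code_word != CODE_WORD:
        return False, "code word mismatch"
    return True, "approved"

if __name__ == "__main__":
    req = PaymentChangeRequest("acme-supplies", "987654321", "+1-555-0666")
    # Calling the number from the email is exactly the mistake the rule prevents.
    print(verify_payment_change(req, Verification("+1-555-0666", "987654321", "cfo", "bluebird")))
    print(verify_payment_change(req, Verification("+1-555-0100", "987654321", "cfo", "bluebird")))
```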

HBK Risk Advisory Services can help develop and implement a cybersecurity program that fits your organization’s risk appetite and budget. Our assessment will offer a road map for continual improvement through cost-effective solutions. Call me at 330.758.8613, or email me at wheaven@hbkcpa.com for more information or to schedule an assessment. As always, we’re happy to answer your questions and discuss your concerns.

Also, if you were unable to join us in February for our Risk Advisory Service Webinar on Banking Controls, you can access a recording of the session at: https://attendee.gotowebinar.com/recording/8846183878460240903

About the Author(s)
Bill is a Senior Manager in HBK’s IT Department and works out of the firm’s corporate office in Youngstown, Ohio. He specializes in cyber security, IT security, external IT audit, internal IT audit, IT consulting, software development, IT governance, PCI-DSS, supply chain, system implementations and e-Commerce, and has worked for a wide range of industries, including the public accounting field. Bill is a certified public accountant, a certified information systems auditor, and a certified supply chain professional.
Hill, Barth & King LLC has prepared this material for informational purposes only. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or under any state or local tax law or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. Please do not hesitate to contact us if you have any questions regarding the matter.