By Stergios Saltas, MD at Striata South Africa
Phishing attacks continue to exploit the most vulnerable part of a system: people.
Every day, all around the world, hackers attempt to use deception to trick legitimate, authorised users into parting with their credentials, putting their own personal information, and potentially that of others, at risk. These fraudsters succeed more often than one would like to imagine.
Businesses have a financial, legal and ethical responsibility to empower and educate their customers, or face the costly consequences of a data breach that they could and should have prevented.
This responsibility is becoming increasingly important as more and more companies move to cloud-based ebilling systems. These systems make it easy and convenient to store, access and share billing documents such as invoices and statements.
But their online nature puts the highly sensitive information the documents often contain – physical addresses, bank details and even biometric information – at risk of unauthorised access, more often than not with nefarious goals.
If a business, for instance, makes billing documents available to customers through an online portal, the portal itself becomes a target. A hacker with customer portal log-ins and passwords has enough to do irreparable damage to a company’s reputation.
One way to avert this is to avoid online access altogether. The documents could be sent from the ebilling system to the customer’s email address in an encrypted format. Not only would a would-be hacker in this scenario need the customer’s email log-in, they’d also need the means to decrypt the document. The risk of a material data breach is also more diffuse here, as all the proverbial eggs would not be stored in one basket.
Another possibility is to combine the best of both worlds – encrypted email document delivery with a secure, trusted link to the cloud in the attachment, where a customer can view their billing history and transactions, and make a payment.
A secure site accessible only through a URL unique to each customer and that expires after a certain period adds much-needed layers of security to a cloud-based ebilling system.
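One way to implement the per-customer, expiring link just described, as an added example (not Striata's own code): each link carries the customer id, the document id and an expiry timestamp, bound together by an HMAC under a server-side key, so that neither the expiry nor the customer id can be altered without invalidating the link. The key, the base URL and the sample ids are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example; a real deployment loads the key from a secret store.
SECRET_KEY = b"example-server-side-secret-do-not-reuse"
BASE_URL = "https://billing.example.com/statement"
LINK_LIFETIME_SECONDS = 7 * 24 * 3600  # links expire one week after issue


def _signature(customer_id: str, document_id: str, expires: int) -> str:
    # Bind customer, document and expiry into one message so none can be swapped
    msg = f"{customer_id}|{document_id}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_link(customer_id: str, document_id: str, now: Optional[int] = None) -> str:
    """Issue a unique, time-limited link for one customer's document."""
    now = int(time.time()) if now is None else now
    expires = now + LINK_LIFETIME_SECONDS
    query = {"c": customer_id, "d": document_id, "e": expires,
             "sig": _signature(customer_id, document_id, expires)}
    return f"{BASE_URL}?{urlencode(query)}"


def verify_link(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, customer_id) for a valid link, or (False, reason) otherwise."""
    now = int(time.time()) if now is None else now
    params = parse_qs(urlparse(url).query)
    try:
        customer_id = params["c"][0]
        document_id = params["d"][0]
        expires = int(params["e"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    expected = _signature(customer_id, document_id, expires)
    # Check the signature before the expiry, in constant time, so a forged
    # expiry cannot be used to extend a link's life
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    return True, customer_id
```

A valid signature proves the server issued the link, not who is holding it, so the page it opens should still authenticate the customer before showing anything sensitive.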
Whatever the choice of access architecture, businesses need to be diligent in reminding customers of what their standard communications look like, and should alert them immediately of the latest phishing schemes targeting the business’s digital channels.
A single line in an online FAQ, or email marketing content, stating what email domain customers should expect communications from – or what information they will or will never request from customers – could make all the difference. As would well-publicised fraud-reporting hotline numbers.
Despite the risks, the move to ebilling is a good thing. It offers greater choice and flexibility to both businesses and customers, and potentially lowers costs. But these potential benefits only outweigh the risks if businesses take the steps to help their customers protect themselves from being unwitting accomplices to the schemes of hackers.