Karen Shinn – Director of IT Compliance, Cyber Security, and Risk Assessment
As social distancing policies and economic restrictions continue in response to the coronavirus pandemic, more individuals and businesses are relying on digital channels to stay connected.
With this surge in online sales, work-from-home requirements, and federal financial relief efforts, comes the increased risk of fraud and cyber threats.
In this episode, we’re joined by Karen Shinn, Director of IT Compliance, Cyber Security, and Risk Assessment for Penn Community Bank, to discuss this critical issue. In our conversation, we cover some of the most common types of fraud during this pandemic, how employees can keep their personal and professional data safe while working from home, and tips for small businesses moving sales and service online.
Host: Can you tell us about your role at Penn Community Bank and give us a little bit of your background?
Karen: I manage the Information Technology Compliance department at Penn Community Bank. Our division is responsible for cybersecurity, gathering daily cyber threat intelligence, performing security training and monitoring our vendors.
I have been in banking for over 40 years and have worked in almost every sector of banking, managing in-house operation centers for several large banks with an emphasis on updating IT technology platforms and deposit operations. Over my career, I have also performed a variety of conversions, from software and hardware to bank mergers and acquisitions. Maintaining regulatory compliance and security have always been at the forefront during my career.
Host: Security is crucial for any bank. Can you provide some details about Penn Community Bank’s focus on security and how that has positioned the institution to respond to this situation?
Karen: Penn Community Bank takes cybersecurity very seriously. Our department was created to stay abreast of the top threats that can face our banking industry along with our customers. Our team monitors daily threat intelligence through specific security channels and informs our staff members of the information they need to know to keep our customers and systems safe. We also work very closely with our vendors; we have regular security check-ins and work hand in hand with them to keep our data and systems safe.
We also spend quite a bit of time training our staff on how to detect phishing emails and other cyber threats. This includes individual department training, publishing cyber newsletters and ongoing cyber tips.
We will bring in cyber related guest speakers from time to time to keep everyone up to date with the latest security concerns. We have partnered with our local FBI agency and other government resources along with hosting cyber related events for these agencies and our business customers.
Host: More people than ever are working from home. Can you walk us through some of the security concerns in this situation and highlight some steps listeners can take to address them?
Karen: The threats we faced before the COVID-19 outbreak are the same threats we face in our new work-from-home environments. The difference is that we are working under new conditions: stressful news, rushing, not thinking as clearly as we did in our office locations. Fraudsters are preying on our instability.
They are taking advantage of the current event to fuel their malicious activities. Phishing emails and fake websites are still popular choices. Don’t forget, malicious activity can come through social media, text messages, phone messages and malicious websites.
Tips that we all can remind ourselves of are the basic “red-flags”:
- Slow Down – when we feel rushed, this is when we can forget the basic red flag warning signs.
- Look over your emails – do you recognize the sender? Were you expecting the email? What time of the day was the email sent? Why am I receiving this email? Is there a sense of urgency?
- Do not click on any links or attachments! That is where the malicious threats are lurking.
Host: What are some of the most common coronavirus-related cyber fraud cases you’re seeing and how can people avoid falling prey?
Karen:
- Stimulus Scams – spoofing government email addresses to get you to provide your personal identification, receiving text messages with instructions to review your identification, and clicking on links on fake websites.
- COVID-19 Fear Scams –
- Robocalls – hang up on them
- Buying online – know who you are buying from. Cleaning, household and medical supplies – fraudulent sites.
- Text and Emails – Do not respond to them.
- Centers for Disease Control and Prevention Experts – fake emails that contain malicious malware.
- Donations – do your homework before you donate, don’t let anyone rush you, and donations by way of cash, gift cards and wiring money – don’t do it!
- Fake tests and cures – individuals and businesses selling fake cures or test kits.
- Illegitimate health organizations – posing as the World Health Organization (WHO), the Centers for Disease Control and Prevention (CDC), or doctor’s offices to get you to click on a link or open an attachment.
Host: The CARES Act provided for economic impact payments to individuals and families. Can you highlight some of the security concerns surrounding these payments?
Karen: The IRS has come out with two new websites to assist our customers with how to safely apply for the Economic Impact Payments (EIP). The IRS will not allow users of these sites to change their current ACH direct deposit information, for fear of fraudsters gaining access. https://www.irs.gov/coronavirus/economic-impact-payments
Only go online to the IRS website to find out information concerning your Economic Impact Payment.
Host: What security advice do you have for small businesses that are maybe doing more business online than ever before?
Karen: Business Email Compromise is big business. Once the fraudster gains access to your computer, they usually will watch how you conduct your business online. Most times, they will send emails using your account and login to your unsuspecting vendors or your financial institution, looking to wire funds to their accounts. Always use multifactor authentication when available. By setting up a “second” confirmation step, you make it much more difficult for the fraudster to hack your account.
Additionally, utilize resources available to you, including the SBA’s Coronavirus Small Business Guidance & Loan Resources page. This site offers the latest information about the Paycheck Protection Program, Economic Injury Disaster Loans and Loan Advances, SBA Debt Relief, and SBA Express Bridge Loans. Yes, there are legitimate business groups and financial institutions sharing information, too. But given the number of fraudsters out to make a quick buck with bogus websites and phony email, your safest bet is to go straight to the SBA by carefully typing the URL sba.gov/coronavirus into the address bar at the top of your browser.
Here are some types of fraud to watch out for:
- Scammers often mimic the look and feel of legitimate email. You’ve heard warnings for years about email phishing attempts. Fraudsters have upped their game in response. They’ve been known to copy logos of financial institutions and government agencies, including the SBA, and use wording that sounds familiar. They also manipulate email addresses so that a message looks to be from a legitimate source – but isn’t. That’s why it’s dangerous to respond to those emails. Instead go directly to the SBA site.
- Don’t click on links. Say you get an email that says it’s from your bank or a government agency. Don’t click on any links. It could load malware onto your computer. If you think you may need to respond, pick up the phone and call the office directly, but don’t use a number listed in the email. That could be fake, too. Instead, search online for a genuine telephone number or call your banker using the number you’ve always used. Yes, now is a good time to keep in close contact with your financial institution, but employ the same established lines of communication you used before COVID-19 became a concern.
- Be suspicious of unsolicited phone calls. Some scammers may try the personal approach by calling you and impersonating someone from a financial institution or government agency. Don’t engage in conversation. If you think you may need to respond, call using a number you know is legit.
- Watch out for application scams. Some small businesses report they’ve received unsolicited calls or email from people claiming to have an inside track to expedite financial relief. The people contacting them may charge upfront fees or ask for sensitive financial information – account numbers, tax IDs, Social Security numbers, and the like. Don’t take the bait. It’s a scam. Applying for a loan was a step-by-step process before the Coronavirus crisis and it’s a step-by-step process now. That’s why the SBA’s sba.gov/coronavirus site is the safest place for you to start.
- Alert others to Coronavirus relief check scams. Most people have read the news about Coronavirus relief checks that many Americans may receive. The FTC Consumer Blog has advice about spotting relief check scams. Share the tips with your co-workers, family, and social networks.
Host: What do you see coming down the road in terms of cyber threats or security trends once we’re on the other side of this pandemic?
Karen: Once we are on the other side, the cyber threats will still be there, but we may realize that we had let in some threats during the pandemic that we did not know about. Usually, cyber threats do not take hold right away. They set up in your laptops and computers for a bit of time and then they strike.
It will be a good time to stop, take a break, and perform a look back on your IT systems. Make sure you are still updating your anti-virus and performing your critical patches. Have an IT professional assist you in keeping your hardware and software safe!
Cyber Security Resources
- Internal Revenue Service (IRS) – Assistance with Stimulus Funds
- Small Business Administration (SBA) – Business Resources
- US Food & Drug Administration (FDA) – Info on fraudulent actors
- Department of Justice (DOJ) – Listing of COVID-19 cyber threats
- Federal Emergency Management Agency (FEMA) – Review trusted sources
- Federal Trade Commission (FTC) – Verify a charity’s authenticity
- Federal Bureau of Investigation (FBI) – Listing of known COVID-19 schemes, complete with pictures of actual cyber threat schemes