In our first pillar of digital security, we tackled the framework of your security system – hardware. Now it’s time to address the other side – software.
Tom Cronkright
Jul 19, 2021
In this four-part series, we’re mastering all the strategies to stay ten steps ahead of cybercriminals by investing in the Four Pillars of Fraud Prevention: Hardware, Software, Procedure, People.
If you started with part one of the guide, you’ll know that hardware and software work hand in hand to protect businesses of all sizes from increasingly costly wire fraud, customer data compromise, and more. According to the FBI’s 2023 Internet Crimes Report, fraud that exploits business software and hardware resulted in potential losses exceeding $12.5 billion, and those were only the incidents reported to federal law enforcement that year. Software can be one of a business’s greatest liabilities, or its greatest lever for fraud detection and prevention. In this section, you’ll take practical steps to develop your software fraud prevention strategy.
Even if business leaders outsource IT to a third party company, they must be literate in fraud prevention so they can hold their provider accountable and effectively protect business operations. A business leader’s first oversight may be to take an overly narrow view of software, focusing only on the primary enterprise-level workspace or transaction application, like QuickBooks, Google Suite, or Microsoft Office 365. The Center for Internet Security cites a common conclusion from a range of cyber crime studies: many attacks succeeded because network owners did not know their full enterprise assets, and couldn’t protect what they didn’t know they had. Software includes any instructions or programs that tell your computers what to do.
Evidence shows that cybercriminals will target vulnerabilities and sensitive information in your full range of business software, from operating systems to virtual meeting tools and from internet browsers to customer databases. Their goal is most often to capture sensitive customer information hosted or communicated through software so they can impersonate your business and defraud your users. Learn how to secure these programs for your business so that scammers can’t hijack your software to work for them instead of for you.
When it comes to digital security, anti-virus scanners are standard across industries, from real estate to law and banking, but businesses too often underutilize their software for effective fraud risk mitigation. Anti-virus software should be fully integrated into a culture of digital security at your company. Learn more about developing your team’s aptitude for software security with our training guidance.
Your firewall, covered in the Hardware section of The Guide to Fraud Prevention, should detect the majority of viruses, ransomware, or malware that try to infiltrate your system, but your anti-virus scans offer a critical layer of additional protection. Viruses can come from physical breaches, like a USB drive inserted into one of your system computers. Firewalls won’t stop those physical infringements, but anti-virus software can.
Similarly, most software providers issue their own regular anti-virus updates, but it’s up to you and your team to accept the prompts to install the new patches and consistently restart programs and devices. The Center for Internet Security publishes a reliable log of advisories when new business software updates are available. Always verify that update instructions are coming from the official software, not an impersonator, before installing anything. For example, you might receive an email telling you to install an update to your Zoom meeting software, but the sender doesn’t have a Zoom company email address.
Software updates close the gaps that cybercriminals have learned to exploit. This applies to all software, not just security programs. For example, you might not think of your efax service as a software security risk, but what if a fraudster hacked it and began impersonating your business to fax costly wire instructions to your clients? Security updates to all business programs safeguard against business email compromise (BEC) and similar impersonation fraud.
According to the 2022 Data Breach Investigations Report, 70% of breaches involved a phishing email. That’s why it’s important to use industry-leading filters, like Mimecast, to protect against email spam, viruses, phishing, and malicious attachments.
In addition, if systems support it, enable email transport encryption. Although it’s likely that your email passwords are transmitted securely, even when signing in on a public wifi network, when your messages are sent, they can be intercepted. Using transport encryption ensures that, even if thieves try to intercept a message, they won’t be able to read it.
Your domain name–essentially your website address–is a critical component of software security. If a scammer can access your domain administration software, they can potentially post embarrassing or obscene content on your website, or worse, they can redirect your website to a sham site they’ve created and use it to collect sensitive customer information, redirect emails intended for your business to their own server, or send emails impersonating your business, also known as business email compromise (BEC).
Domain and website security has three main components:
Start by controlling access to your domain management portals. Set up two-factor authentication (a two-step procedure for access, like a password plus an email or a text message) for your domain registrar, DNS and other hosted services, like hosted email, conference calls, and phones.
Next, implement Domain Name System Security Extensions (DNSSEC) to make sure your DNS records cannot be taken over. The Domain Name System (DNS) is like the internet’s version of the phone book. It connects domain names (yourbusiness.com) to IP addresses (the unique ID numbers that tell your computer the exact destination of your webpage), the same way your home address tells the mailman exactly where you live. Enabling DNSSEC is almost like notarizing your DNS records. The security extensions are digital signatures on DNS records that can be matched with your domain name ownership record, verifying that a third party hasn’t tried to connect fraudulent records to your URL.
In addition to DNSSEC, configure a Sender Policy Framework (SPF) record to protect against malicious domain spoofing. An SPF record adds details to your DNS entry that specify which servers are authorized to send emails on your behalf. If an email comes from a server that doesn’t match your SPF record, it will be considered fraudulent and prevented from delivery. SPF ensures that emails sent by impersonators end up in the receiver’s spam folder, and makes it more likely that the legitimate emails your business sends end up in someone’s inbox.
If your business includes wire transfer transactions, adopt identity verification software like CertifID to take the risk out of high-stakes transactions for clients, banks, businesses, and other stakeholders. These transactions represent increased fraud risk, in part because there are so many parties involved. For example, the 2024 State of Wire Fraud Report confirms that up to 10 different parties are typically involved in the average real estate transaction. It only takes one weak link in the chain for fraud to succeed, and businesses that rely on wire transfer transactions are too often caught on the back foot. The FBI reports that fraudulent emails impersonating legitimate businesses with wire transfer instructions continued to be one of the top cyber threats in 2023, racking up $2.7B in losses.
That’s where CertifID software comes in. It works to verify sender and recipient identities and protect sensitive information like bank account numbers, routing numbers, social security numbers, and other personal identification information. It also offers the optimal customer experience and comes with benefits that many software products don’t, like fraud insurance and 24/7 recovery support. Security-conscious clients are increasingly demanding this kind of protection from companies.
Just one software security breach–even one that doesn’t directly trigger identity theft or wire fraud–can erode customer trust and retention. Using this guidance as a checklist, you can create an airtight software strategy and proactively prevent costly disruptions to business operations.
Yet software and hardware are only as good as the people who use them and the procedures that guide them. Build a fully secure business ecosystem with parts two and three of the Guide to Fraud Prevention: People and Procedures. These serve as pillars of a complete fraud prevention strategy, including:
Co-founder & Executive Chairman
Tom Cronkright is the Executive Chairman of CertifID, a technology platform designed to safeguard electronic payments from fraud. He co-founded the company in response to a wire fraud he experienced and the rising instances of real estate wire fraud. He also serves as the CEO of Sun Title, a leading title agency in Michigan. Tom is a licensed attorney, real estate broker, title insurance producer and nationally recognized expert on cybersecurity and wire fraud.