A First Foundation Blog

Keeping Your Business Safe from Cyber Attacks

Attention small- and medium-sized business owners! You are now officially target numero uno of cyber thieves. They view you as the perfect prey. After all, there is nothing valuable on most people’s home computers (as compared to the treasure trove on business servers), and businesses larger than yours likely have the necessary protections in place.

Think of it this way: the would-be cyber thieves are going down the virtual hallways of your office complex and are jiggling the door handles of every tenant. Those with locked doors and proper security in place get passed by, but those who don’t are a perfect target.

One virtual corridor these criminals use is your corporate email. They get in by exploiting common mistakes your employees make when sending and receiving emails. Just as you wouldn’t want them holding the door for criminals to walk into your office, you wouldn’t want them giving cyber thieves easy entry to every electronic file, client record, or digital trade secret.

Are you confident that your employees know what a fraudulent email looks like? Are they aware enough to identify those emails? If the answer is yes, then most likely you are training your employees and reminding them about the risks of email scams. You also understand that the most vulnerable part of your network is the end user – your employees.

Protecting your business and customers from cybersecurity threats doesn’t need to be complex and expensive. Training and awareness can go a long way to prevent a catastrophic loss. Knowing what the cyber bad guys are after could be your first line of defense. They are trying to get information about your business by:

  • Circumventing technical defenses to find the easiest point of entry (e.g. a Starbucks gift card offer)
  • Penetrating the network with a targeted email (e.g. “Dear Tom: Please log in to ADP”)
  • Emailing someone within the company under a false, but known, identity (e.g. an email from the CEO)

All it takes is one of these methods succeeding to allow the criminal into your network. ONE successful attack can cripple your business.

Keeping a keen eye out for fraudulent emails is also an important step. The majority contain the words URGENT, IMPORTANT, RUSH, and look like they were sent by the business owner, a key employee, or even family. If you are suspicious of an email, stop and think about the sender and the request. If it REALLY were that important, would they email me at work? Or would they instead try to call or text? Ask yourself, “Why is my boss asking for W2 information?” The following are five useful tips on avoiding email fraud:

  1. Beware of requests for payment, transfer, or updating bank information (alarms should sound in your head if you see any of these).
  2. Check the sending email address – is it really from the owner or your Aunt Sally?
  3. Call the sender, but not by using telephone numbers in the email.
  4. Do not click links – hover over any link to view the destination.
  5. Scan attachments with antivirus software.
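Tips 1, 2 and 4 can also be checked automatically before a message reaches an inbox. The sketch below is an added example, not part of the original post: the `triage` function, the flag names, the `known_senders` lookup and the constructed sample message (with placeholder `example.*` addresses) are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

WORDS = {"pressure-words": r"\b(urgent|important|rush)\b",          # words the post lists
         "money-or-data-request": r"\b(payment|transfer|bank|w-?2)\b"}  # tip 1
URLISH = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

SAMPLE = """\
From: "Tom Owner" <tom.owner@example.net>
Subject: URGENT: update bank information today
Content-Type: text/html

<p>Confirm the transfer: <a href="http://payroll.example.net/login">https://payroll.example.com/login</a></p>
"""  # constructed message; example.* names are placeholders

class Links(HTMLParser):  # collects [href, visible text] for each <a> tag
    def __init__(self):
        super().__init__()
        self.links, self.open = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.open = True
            self.links.append([dict(attrs).get("href") or "", ""])
    def handle_data(self, data):
        if self.open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self.open = self.open and tag != "a"

def host(url):
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()

def triage(raw, known_senders):
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    body = "".join(p.get_payload(decode=True).decode(errors="replace")
                   for p in msg.walk() if p.get_content_maintype() == "text")
    flags = [f for f, rx in WORDS.items() if re.search(rx, f"{msg['Subject']} {body}", re.I)]
    expected = known_senders.get(name.lower())  # tip 2: name vs. real address
    if expected and addr.lower() != expected:
        flags.append("display-name-spoof")
    parser = Links()
    parser.feed(body)
    for href, shown in parser.links:  # tip 4: shown link vs. real destination
        if URLISH.fullmatch(shown.strip()) and host(shown.strip()) != host(href):
            flags.append("link-text-mismatch")
    return flags
```

Calling `triage(SAMPLE, {"tom owner": "tom.owner@example.com"})` flags the sample on all four checks. A flagged message still deserves the phone call from tip 3 before anyone acts on it.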

One other thing to keep in mind is that the frantic pace of your business could very well lead to an environment where employees ignore some of the obvious signs of fraudulent email. This could lead to employees carelessly sending employee data, company bank account details, or sensitive client information. The simple task of reviewing an email a second and third time could save your business thousands of dollars in loss.

So, we will end this where we began: a few simple steps of training are the start to defrauding the fraudster. We offered some ideas here, but there are many more resources available online. A search for keywords such as “email scams” and “social engineering” returns many quality articles and videos.

In the meantime, please stay safe out there!



Adrian S. Darmawan, Executive Vice President, Chief Technology Officer