Don't look now, but your company could be under attack. Con artists are using the oldest tricks in the book, along with some new ones, to steal your money and maybe even your good name. Actually, do look now. Install a firewall, patch up your browser, clean out your e-mail filter, sweep for viruses and spyware, create new passwords, and monitor your bank account...

Theft Via E-mail

These are clogging everyone's inbox these days. Official-looking messages seem like they are from reputable companies and institutions. "If your staff is unaware of how to identify those, those can put you at risk," says Leslie Kish, director of operations for the Better Business Bureau.

Risky e-mails can take many forms, from an unlikely invite for free money from a Nigerian dignitary to a message forged to look like it's from a bank or sites such as PayPal. Whatever the facade, such messages can trick employees into to unwittingly downloading Trojan horses, viruses and other malware into your business system. Many of these e-mails mention a security breach in your account, and say you must double-check your info via a web site or e-mail. "It will look very official. If you click on the link it will look like the [company's] Web site," warns Kish. These sites "phish" for your company's info. (FYI: the switched "f" and "ph" come from computer hackers' tendency to switch the two sounds. It harkens back to phone "phreakers" of the late '60s and '70s who used hacking devices to make long distance calls for free.)

Forward suspicious e-mails to managers or other parties responsible for your company's finances and security. Don't click links in the e-mail. If you're using a web site that requires you to enter sensitive information, type the known web address into the browser yourself, making sure that there's a padlock icon somewhere on your browser (The location varies. It's in the lower right corner of Internet Explorer, and the upper right corner of Safari).

Sounds easy to avoid? In September 2006, the Northern Kentucky Chamber of Commerce was scammed out of $163,000 through a phishing e-mail.

The phony message, asking the Chamber to update its Fifth Third Bank account information to provide faster service, "Looked very authentic," says Chamber President Steve Stevens. It's by abusing the trust customers have put in their banks that scammers are able to collection information, he says. "It's the brands that are being stolen."

The Northern Kentucky Chamber received the e-mail on the Friday before Labor Day, meaning the thieves were able to siphon money over an extended weekend. The Chamber soon noticed strange withdrawals made from its payroll account. Fifth Third looked into the matter and, once they realized the crime, froze the account. The Chamber recovered some of the funds, but will still lose about $50,000.

"We are the lucky ones," Stevens notes, urging people to keep tabs on their accounts to stop these scams before large sums of cash are stolen. Instead of hiding the mistake, the Chamber went public to educate its members. "I continue to run into people who have said to me that once we went public and talked about it, they went to their internal operations to see if they needed to watch for it," Stevens says. He notes that the move to go public "had the desired effect, which was 'Don't be like us'."

While most spam messages are easy to spot, they're still a headache for everyone"”especially for network managers who fight daily to keep the problem at bay. Unfortunately, it looks like the unwelcome inundation is getting worse. In December, The New York Times reported that while the spam nuisance had died down significantly at the start of 2006, the second half of the year saw a rapid rise in not just the volume of spam, but also in the type of spam being mailed.

Many junk e-mails now use words embedded in images instead of text that can be easily scanned. Every time anti-spam companies come up with fixes (programs that can scan for words in the images), spammers devise ways to bypass them, such as by adding colored backgrounds or polka dots to render messages unreadable to scanners.

Over the Phone

Now that the public is wising up to phishing e-mails and web sites, scammers have begun including phone numbers in their phony e-mails (called "vishing" for voice-phishing). These phone lines can be manned either by an actual person or an automated message, and ask you to either speak your info into the phone, or type it in with the number pad. The BBB's Kish says that technology has made it easier for con artists to put up these fronts. "If it's really your bank, call the phone number on the back of your card," she advises. "Since many of those institutions use a lot of numbers, it's easy for someone to mistake them (phone numbers in the e-mail) for something real."

Office Supply Scams

Someone contacts your office, posing either as your current office supply vendor or a new vendor, offering printer toner or other supplies. Instead, they send a shipment of supplies you didn't order, but bill you regardless. Or someone can  call and pose as the company that services your printers. They ask for your printer's model number and use that information to send you unordered toner cartridges, along with a bill. Many businesses pay the bill because they think they are obligated.

Kish offers some key advice: "If you didn't order it, you do not have to pay for it." That applies even if an invoice is sent. In fact, you can even consider such deliveries gifts and keep them.

It's illegal, Kish says, for companies to demand that you pay for unordered merchandise, or to demand you return it. She suggests you send the company a letter explaining that you received unordered merchandise, and why you won't be paying for it.

Make sure employees don't give away information over the phone, even if it's something as harmless as a printer's model number. Most of the time, Kish notes, scammers are getting this info from an employee "whose is just trying to be helpful."

It's best to go with your regular office supplier. Always asks for informational materials so you can read up on offers without making a hasty decision.

Phony Yellow Pages

Suspicious companies will sometimes contact businesses with an offer to list them in a directory. These offers come regularly from far-away countries. (Kish cites one example where a local business was solicited from someone in Czechoslovakia.) They then send forms that look like invoices. These fake bills, which ask for amounts of around $600 or more, can be so cleverly presented that they dupe people into thinking they must pay.

Hijacking Your Computer

Keystroke loggers, which record and report the strokes on your keyboard to unknown entities, are one form of "spyware" that exploit those who type sensitive information everyday. What's creepy is that these sneaky devices can be downloaded onto your computer innocuously enough.

One of the easiest ways for scammers to get these programs on your computer is to get you to visit web sites they've created. By clicking on a link in e-mail"”or just opening an e-mail, for that matter"”the programs can be downloaded without your knowing. Debbie Wheeler, chief information security officer for Fifth Third Bank, advises against opening e-mails or clicking on links you're unfamiliar with.

Your computer can also be used to quietly generate more of those annoying spam and phishing e-mails. Wheeler points out that people often leave their computer logged onto the internet for days or weeks at a time, or indefinitely, allowing these programs to churn out hundreds or thousands of spam messages.

There is technology to combat it. Problem is, Wheeler says, is that many people don't update their virus protection software often enough. "A lot of people do not update their computer," she says, and they run the very real risk of "downloading code to their systems to generate millions of e-mails."

Sometimes thieves don't need keystroke loggers to hack into your computer. Companies often use passwords that are too simple to break, or use the same password on tens or hundreds of computers. Solution: Combine numbers and letters. And remember, "Password" is not a viable password!

Inside Jobs

Security threats are not just coming from outside sources. While most employees are not angling to steal company secrets, bosses have to be on guard against insiders who could walk off with sensitive information. Businesses that use temps or consultants, or outsource work, or that have some disgruntled or greedy employees have to worry about their information coming and going. Constructing a digital fortress around your servers won't do any good if potential thieves have physical access to documents. Experts say it's one thing to ward off phishing attacks. It's another to keep someone from walking out the door with a few files. Some banks are now syncing up their security departments to cover both physical and computer-based theft.

Those familiar with your company's electronic ins and outs can exploit them with key-loggers, viruses and "malware" of their own. Business are often so focused on external keystroke loggers, worms or Trojan horses from strangers that they don't think much about those who have such easy access to either sensitive info or coding that could post info all over the internet.

Before You Panic

Keeping your software updated and not opening suspect or unfamiliar e-mails are the best ways to avoid these troubles. And don't over-estimate the power of your bank. Just because they catch suspicious activity and freeze your account doesn't mean they'll be able to track where all your funds go, or that the criminals will be forced to pay you back. (Case in point: the $50,000 the Northern Kentucky Chamber of Commerce ultimately lost.)

It helps for customers to alert banks to suspicious e-mails and web sites. Banks can move to shut down phony web sites, but this doesn't always mean that any money stolen from you can be returned; dirty money quickly moves overseas to untraceable accounts.

Wheeler urges people to stay informed, as it's really the only way to keep your computers updated and your information secure. Visit the Anti-Phishing Working Group ( for dozens of phishing examples, as well as news and other resources. The BBB's Kish adds that the Federal Trade Commission keeps a clearinghouse of this information. You can forward spam to

Forge good relationships with your bank. If you don't already belong to a chamber of commerce, join one. Connections such as these can be an invaluable resource. Wheeler mentions the four security fairs Fifth Third held at various branches last year. At these free programs, Wheeler says she was struck by how many people are unaware of how vulnerable they can be, or how they were worrying more about security threats they could already control.

"Awareness"”that is one of the things we're working hard at doing," she says. "The scary thing, what a lot of customers don't realize is that you're completely in control of phishing." However, spyware, keystroke loggers and the stealthier computer threats are largely under customers' radars. "There's much more required of them to protect themselves than initially thought," she observes.

Even with all these threats, consumers and companies aren't keeping software and plug-ins up to date. Wheeler points out that keeping browsers updated and patched, and regularly running software security updates, can go a long way to combating common computer hang-ups.

Also, she adds, the FDIC is demanding banks strengthen authentication measures in an effort to cut down on the success rate of phishing attacks. Proposed measures include one-time use passwords and token authentication for web sites, meaning they require authentication before they can be viewed. But with how adaptive scammers are, it could just be a matter of time before they find ways around these new safeguards.

"If something seems like it's not right, trust your instincts and check it out," Kish says.

When it comes to anything that sounds too fishy or good to be true, "It doesn't hurt to ask questions. They're preying on people who aren't taking the time to investigate."