Office managers are a critical part of any business—their work literally keeps most offices running. What most people don’t realize (including many office managers themselves) is how vital they are to the cybersecurity efforts of their company.
Here are five things every office manager needs to know about cybersecurity:
1. You are going to be a target.
When people think of high-value targets for cybercriminals, they typically think of C-level employees. And while those employees are indeed high-value, they aren’t the only ones. Your level of access as an office manager makes you a target: office managers typically have access to a lot of sensitive data—things like invoice and billing information and personnel information. These things are a goldmine for cybercriminals.
Regular parts of your job duties make you a target, too—especially if you handle things like shipping and receiving and billing. Fake shipping notifications and invoice notifications are two of the most popular forms of phishing. These types of phishing emails are typically used to spread ransomware or steal your login credentials.
If you get a notification email like this and need to check it, don’t click on any link or open any attachments. Instead, open your browser and go to the website to log in from there. You can also try calling—but make sure you are calling a number you know is correct. Phone numbers can be faked in emails.
2. Your “send as” privileges make you a target, too.
Many office managers act on behalf of executives in their company with “send as” email privileges—that’s another way you can be a high-value target to cybercriminals. If a cybercriminal gets access to your account, they can use those “send as” privileges to send emails that look like they’re from an executive in your company. We’ve seen this happen before!
When cybercriminals do this, they typically create email rules to delete or hide replies and cover their tracks. If you notice something weird going on with your account, or if someone mentions an email you didn't receive, check in with your IT team.
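For the IT team that gets that call, one way to triage a mailbox's rules is sketched below. This is an added example, not part of the original article; the field names follow what Exchange Online's Get-InboxRule returns, while the folder list, keyword list and sample rules are assumptions constructed for illustration.

```python
# Triage exported inbox rules for ones that delete or hide incoming mail.
# Field names mirror Get-InboxRule output; the lists and sample data are assumed.

HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds",
                  "rss subscriptions", "conversation history", "archive"}
PAYMENT_WORDS = {"invoice", "payment", "wire", "ach"}


def review_rule(rule):
    """Return the reasons a rule could be hiding replies; empty list if none."""
    reasons = []
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    folder = rule.get("MoveToFolder") or ""
    if folder.strip().lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to rarely read folder '{folder}'")
    if not reasons:
        return []  # the rule neither deletes nor hides anything
    # Everything below only adds context to a rule that already hides mail.
    if rule.get("MarkAsRead"):
        reasons.append("marks mail as read, so no unread count appears")
    words = {w.lower() for w in rule.get("SubjectContainsWords") or []}
    hits = sorted(words & PAYMENT_WORDS)
    if hits:
        reasons.append("targets payment subjects: " + ", ".join(hits))
    if not words and not rule.get("From"):
        reasons.append("has no conditions, so it applies to all incoming mail")
    return reasons


def review_mailbox(rules):
    """Map rule name -> reasons, for every rule that deserves a closer look."""
    return {r["Name"]: why for r in rules if (why := review_rule(r))}


# Constructed sample: one ordinary filing rule and two that hide mail.
SAMPLE_RULES = [
    {"Name": "Newsletters", "From": ["news@vendor.example"],
     "MoveToFolder": "Newsletters", "MarkAsRead": True},
    {"Name": "Sync", "SubjectContainsWords": ["Wire", "Invoice"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Name": "Mail cleanup", "DeleteMessage": True},
]

if __name__ == "__main__":
    for name, why in review_mailbox(SAMPLE_RULES).items():
        print(f"{name}: " + "; ".join(why))
```

A flagged rule is a prompt to ask the mailbox owner whether they created it, not proof of compromise on its own.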
3. Scams can come via phone, too.
Email isn’t the only way you’ll encounter scams—a lot come via phone, too. These can sound like anything, but they almost always involve someone trying to get money or sensitive information from you.
Most of the scams involving money are people imitating a company or an authority figure telling you something is wrong, and they need money to make it right. A lot of times, these people will ask you to pay over the phone. Sometimes they will request payment in gift cards. Popular variations include:
- Someone pretending to be Google, saying there is something wrong with your Google Maps listing (Google won’t call you for this)
- Someone pretending to be Microsoft and saying you are being audited (Microsoft does audit companies, but they typically don’t call—check in with your IT team for this one)
- Someone pretending to be the IRS or a law enforcement agency, saying your company (or you personally) owe a fine and if you don’t pay, you’ll be arrested
Sometimes, rather than trying to trick you out of money, they’re trying to trick you out of information. These can be harder to spot. One scenario is the scammer pretending to be a mortgage company and asking you to “confirm” an employee’s social security number and employment status.
4. You need to double-check before you pay anything—even regular vendor bills.
If you handle wire transfers for your company, you need to have a strict policy for how they will be requested and paid. A common way for cybercriminals to steal money is to pose as an upper-level executive and request an urgent wire transfer from a lower-level employee via email. They’re trying to use the sense of urgency against you.
Even paying your vendors has an element of risk. Cybercriminals are now targeting regular invoice payments: they pretend to be vendors and tell real customers that their payment method has changed. They will send a new link (like a new credit card or ACH payment link) and tell the customer they need to pay their invoice.
If someone is requesting a wire transfer or telling you to use a new link to make a payment, always get a voice confirmation first—no exceptions, no matter how urgent. Do not fill any request for money that comes via email without outside confirmation.
5. Cybersecurity tools and an abundance of caution are non-negotiable.
A big chunk of the responsibility of the office manager is to act as a gatekeeper. You hold the keys to sensitive data and access to upper-level management in your organization. In cybersecurity, the gatekeeper role also means playing a big part in keeping your company safe.
You will need to exercise caution and, quite frankly, be suspicious. At times, this will feel ridiculous and even unhelpful. But cybercriminals know that most people just want to do their job efficiently, and help others when asked. And that will be used against you. The extra few minutes it takes to verify a request can be what saves you.
You don’t have to do it on your own, though. Talk to your IT team and your leadership team about putting tools in place to help with cybersecurity. Multi-factor authentication can protect your account, even if a cybercriminal gets the password. If your company uses Office 365, a service like Office 365 Advanced Threat Protection can help cut down on the number of malicious emails that get to you. (If you're a PTG customer, we have a package called Advanced Cloud Defense that includes both of these tools!)