Think everyone in your company is smarter than the bad actors who’d like to get their hands on and monetize your information? Better think again — it only takes a second for someone to drop their guard and fall for the latest scam. And cannabis companies are in the crosshairs of these cybercriminals.
Take phishing emails — the kinds of phony emails intended to make the recipient reveal an account number, password or other personal information. As the tools for composing email become more powerful, these fakes are becoming harder to spot. Cannabis company employees can be on the receiving end of:
- An email from the CEO or founder that isn’t. A criminal can break into the CEO’s account and use it to send a message to other employees asking them to make an urgent transfer of funds.
- A personal impersonation. A criminal uses publicly available information on who’s who at a cannabis company to send a funds transfer request that appears to come from a high-level executive — but this time it’s a supposed “personal” email because the transaction is supposed to be kept secret.
- An information request. It could look like it’s coming from a co-worker, company supplier, a known client or a regulatory organization, and it’s asking the recipient for a certain piece of data — a birthdate, a home address, etc. Reply, and the criminal will use that identity information to access the recipient’s personal funds.
- A dangerous attachment. Similar to the above scenario, this email looks credible, comes from someone believed to be a trusted source, and contains a link, PDF attachment or DOC purchase order that the recipient is asked to click on. Clicking it will actually download malware such as a ransomware program or a keystroke logger.
The best way to counter these hackers is to educate employees — often — on the current styles of attack that they may encounter. And this education should include senior executives as well, as they are the ones most often targeted.
Many cannabis companies take the step of restricting employee access to only necessary websites, realizing that visits to unguarded sites — especially social media — can put everyone at risk for malware attacks. Simply visiting the wrong site can automatically infect both the employee’s computer and the company’s connected network.
Another policy that often works alongside this option is putting limits on personal device usage; employees who use their own smartphones or PCs to connect to the company network can unknowingly infect it with any malware already present on their device. Requiring use of a VPN or other electronic barrier is usually the best answer.