I wish I had known all of this a few months ago. I’m writing to tell everyone who will read this that the email you think is from a trusted source may really be from a hacker.
Last fall, a new, sophisticated spear-phishing campaign was sent to employees that handle company finances. One of those companies was mine. (I’m writing this anonymously because I don’t want my clients to find out what happened.)
Hackers are now masquerading as trusted business contacts. They’re pretending to be employees from vendors’ accounts payable departments, or other financial entities in an attempt to steal money.
If you don’t know, the term for this is spear phishing. Spear-phishing emails look like they’re from a trusted source but in reality, they’re sent from hackers to obtain classified financial or other private information. One of my employees got fooled.
Today’s hackers can easily find out who your trusted contacts are and will impersonate them in order to trick your employees into either sending them money or providing them the means to gain access to your accounts.
How did the hackers succeed in robbing my business, you ask? Well, they simply spoofed the name in the “From” field in an email. It appeared to be one of our vendor’s emails, but in reality, the email came from a thief. I’ve learned that core SMTP doesn’t provide authentication, so it’s easy to forge and impersonate emails. I didn’t know that then, but I do now.
Since then I’ve done some research. What I’ve learned is that there were two different spear-phishing emails that went out. One message said that an invoice was due and read, “I tried to reach you by phone today, but I couldn’t get through. Please get back to me promptly with the payment status of this invoice below”. In the body of the message was a fake link for the employee to click to view and pay the invoice. This is the one that fooled my worker.
The other message read, “I’m providing you with my new address and invoice details below”. This one had a link for the recipient to view the new address to send payments to. Be sure to watch out for these emails; I’m sure they’re still circulating.
The majority of account takeovers today come from spear-phishing attacks like this, where someone gets tricked into releasing private credentials and information. Spoofed emails can also carry additional cyber threats such as Trojans and other malware. These can cause significant damage to your computers and even delete your files. Luckily, this didn’t happen to us.
I’ve also learned that cybercriminals are increasingly using spear-phishing attacks because they succeed. Ten targeted messages have a better than 90% chance of getting a click. Even CEOs get spoofed and share usernames and passwords.
The problem is that these attacks are becoming more sophisticated all the time. While we’re busy working trying to grow our businesses, the cybercriminals are working to find ways to trick us out of our money. These are no longer lone attackers, but professional, global organizations working to find better ways to hack into our bank accounts.
Now I know better. I know how to protect my business from these spear-phishing attacks and other types of cybercrime. Here’s what we’ve done, and you should do as well:
By far, the number-one thing that you can do is to be as aware as you can about the types of threats you’re facing. Contact your IT provider and ask them to conduct Security Awareness Training for you and your employees on a regular basis. They are apprised of the latest cyber threats and how to protect you from them.
Plus, always view email messages with a high degree of skepticism. Hackers are clever — you and your employees must be even more so. Hover over the sender’s email address in any message that asks you to do something, and hover over any link to see where it really points. Never click on a link in an email. Always go to the website you know is correct. Remember, secure websites always start with “https” and not “http”; keep in mind, though, that “https” only means the connection is encrypted, not that the site belongs to the vendor you expect.
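An added example, not code from the original post, of the two checks described above in Python: it parses a constructed invoice email, compares the display name in the “From” field against the real sending domain, and flags links that use plain “http” or point at a host other than the vendor’s. The vendor allowlist, addresses and domains are all hypothetical.

```python
"""Flag display-name spoofing and suspicious links in an email (stdlib only)."""
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlparse

# Hypothetical allowlist: vendor name (lower case) -> the domain its real mail and links use.
KNOWN_VENDORS = {"acme supplies": "acme-supplies.example"}

# Constructed sample that mimics the "invoice due" message; not a real email.
SAMPLE = """\
From: Acme Supplies Accounts Payable <ap@acme-supp1ies.example>
To: finance@victim.example
Subject: Payment status
Content-Type: text/plain

I tried to reach you by phone today, but I couldn't get through.
Please get back to me promptly with the payment status of this invoice below.
http://acme-supplies-invoices.example/view?id=12345
https://acme-supplies.example/portal
"""

LINK_RE = re.compile(r"https?://\S+")


def vendor_for_display_name(display):
    """Return the allowlisted domain for a vendor named in the display name, or None."""
    lowered = display.lower()
    for name, domain in KNOWN_VENDORS.items():
        if name in lowered:
            return domain
    return None


def analyse(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    sender = msg["From"].addresses[0]          # structured address, thanks to policy=default
    expected = vendor_for_display_name(sender.display_name)
    findings = []
    # A trusted vendor name in the display name but a different sending domain is the spoof.
    if expected and sender.domain.lower() != expected:
        findings.append(f"display-name spoof: '{sender.display_name}' sent from "
                        f"{sender.domain}, expected {expected}")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in LINK_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https":
            findings.append(f"plain http link: {url}")
        if expected and host != expected and not host.endswith("." + expected):
            findings.append(f"link host {host} does not match vendor domain {expected}")
    return findings
```

Running `analyse(SAMPLE)` reports the look-alike sending domain and the plain-http link on the wrong host, while the genuine portal link passes.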
Your employees are your first line of defense to keep your information and computers safe. By properly teaching them how to deal with cybersecurity attacks, you can lower the chance that your business will be affected by a security breach.
Unfortunately, many organizations train employees on security awareness only once or twice. Cybercriminals are constantly developing new techniques to trick people into giving away confidential information or downloading malware. It’s critical to conduct recurring security training to ensure your employees stay up to date on the latest security threats and how to avoid them. Regular reminders, such as changing network passwords or recognizing the latest spear-phishing scheme, will save you a lot of trouble in the long run.
Make Cybersecurity a Priority
Always back up your files to an external hard drive or secure cloud storage. My Managed Services Provider says that it’s best to use a comprehensive solution with remote, offsite backup and data recovery services to ensure our business information is safeguarded and files are recoverable. Your Managed Services Provider should do this for you as well. They can also keep your security solutions up to date.
In our case and others, the spear-phishing attacks could have been blocked with the latest Email and Spam Protection solutions. These provide:
Remember this: Although you probably use firewalls, unless you take precautions to protect your emails, your overall security could be compromised.
Change Your Thinking
Acknowledging that this can happen to your business is important. Don’t think that because you run a small business you won’t be attacked – this is what I thought, but it’s just the opposite. Small and midsize businesses are a prime target for today’s cybercriminals because they typically don’t have the protections in place that larger enterprises do.
Get ready for a cyberattack. Hire expert cybersecurity consultants to go over your digital assets and identify any potential vulnerabilities they find. Educate yourself on the latest cyber threats and let the experts help you protect against them.
Unfortunately, there’s no way to avoid being the target of spear phishing or other forms of cyberattacks – if you think otherwise, you need to change your thinking right this second. If you don’t, you’re setting your business up for theft. If you haven’t done so already, you must lay out an actionable plan of defense to prevent your employees and business from becoming victimized.
My company does all of this now – I don’t want to be robbed again. Furthermore, I’ve contracted a really great Managed Services Provider to ensure I’m not at risk.
Author: Joe Martin, Date: 2018-03-05