Categories
Technology

Phishing Attacks In The Real World


When was the last time you almost lost $23,000 to a phishing email? This nearly happened to one of our clients this week. Fortunately, the phishing attempt was spotted before the funds were transferred. Still, there are a few good lessons to take away from this story, and we want to share them so you can protect your company from these sorts of attacks.

“Bob’s Company” received an email at Accounting@Bobscompany.com. The email was from Bob@Bobsscompany.com (note the extra “s” in the sender’s domain).

The email read:

“Good Morning,

Please pay the attached invoice in the amount of $23,000.

Thank you,

Bob”

For the accounting manager, this was business as usual. The boss regularly sends requests to the accounting department to have bills paid. At a glance, there is nothing wrong with the email, but in this instance the tone of the email was unusual, which prompted further investigation.

This phishing attempt was sophisticated to the point that the scam artist even took the time to forge a signature on the attached invoice that matched Bob’s signature. Fortunately, the accounting manager double-checked with the boss before processing the transaction. What’s scary is just how close the accounting manager came to processing the payment, a mistake any one of us could make. If they hadn’t been paying attention or were just in a hurry, anything could have happened.

What’s important to take away is just how predictable we are. Most companies operate the same way with similar departmental and communication structures. If this wasn’t true then social engineering scams wouldn’t work. This was a close call for just one company and it isn’t hard to believe that whoever sent this email has sent thousands of them and likely got paid on a handful.

These types of attacks are becoming more prevalent than any other because they are cheap, easy and work on businesses of all sizes. “Bob’s Company” is a small business, not the sort of behemoth you would assume a hacker would go after. Small businesses are easy targets from a hacker’s perspective because many of them do not invest in security and user training the way large companies do.

Some actionable steps you can take to avoid falling victim to this type of attack are:

  1. Avoid using departmental emails like Accounting, Payroll or HR. Such addresses tell the hacker that the phishing email is reaching the right person, making it more likely to have the hacker’s desired effect.
  2. Use regularly changing keywords when sending requests for a transfer of funds. Change this keyword every month and instruct your staff never to transfer funds without the keyword in the email. This is a really low tech solution but it works. These attacks are intended to trip you up when you aren’t paying attention. The majority of attacks never involve someone spying on your network and learning your passwords and company secrets. Simple though it may be, this is an effective form of two-factor authentication.
  3. Use free simulated-phishing tools like KnowBe4 to test your employees and see who is likely to click on phishing emails. Invest in those employees by training them on what to watch out for.
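To show how the first two steps can be checked automatically, here is an added example (not code from the original post or from eTop Technology) that runs two defensive checks over an inbound message: it flags a sender domain that is a lookalike of the company’s own domain (as in Bob@Bobsscompany.com vs. Bobscompany.com) and flags any fund-transfer request that does not carry this month’s keyword. The company domain, the keyword value and both sample emails are constructed for the example.

```python
"""Inbound-mail checks for the two lessons above (added example, not the post's own code)."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "bobscompany.com"      # assumed legitimate company domain
MONTHLY_KEYWORD = "harbor-0923"         # hypothetical keyword for the current month
TRANSFER_TERMS = ("invoice", "wire", "transfer", "payment", "pay ")
MAX_LOOKALIKE_DISTANCE = 2              # one or two changed characters counts as a lookalike


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(msg) -> str:
    """Extract the domain part of the From: address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def classify_sender(domain: str) -> str:
    """'internal' for the real domain, 'lookalike' if it is within a few edits, else 'external'."""
    if domain == COMPANY_DOMAIN:
        return "internal"
    if 0 < edit_distance(domain, COMPANY_DOMAIN) <= MAX_LOOKALIKE_DISTANCE:
        return "lookalike"
    return "external"


def body_text(msg) -> str:
    """Return the plain-text body, joining text/plain parts of a multipart message."""
    if msg.is_multipart():
        parts = [
            p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
            for p in msg.walk()
            if p.get_content_type() == "text/plain"
        ]
        return "\n".join(parts)
    return msg.get_payload()


def is_transfer_request(body: str) -> bool:
    lowered = body.lower()
    return any(term in lowered for term in TRANSFER_TERMS)


def check_message(raw: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious was detected."""
    msg = message_from_string(raw)
    findings = []
    domain = sender_domain(msg)
    if classify_sender(domain) == "lookalike":
        findings.append(f"sender domain {domain!r} is a lookalike of {COMPANY_DOMAIN!r}")
    body = body_text(msg)
    # The keyword rule applies even to mail from the real domain: a spoofed or
    # compromised internal address must not be enough to move money.
    if is_transfer_request(body) and MONTHLY_KEYWORD not in body:
        findings.append("fund-transfer request without this month's keyword")
    return findings


# Constructed sample: the lookalike-domain request from the story.
PHISH_SAMPLE = """\
From: Bob <Bob@Bobsscompany.com>
To: Accounting@Bobscompany.com
Subject: Invoice

Good Morning,

Please pay the attached invoice in the amount of $23,000.

Thank you,

Bob
"""

# Constructed sample: a legitimate request from the real domain carrying the keyword.
LEGIT_SAMPLE = """\
From: Bob <Bob@Bobscompany.com>
To: Accounting@Bobscompany.com
Subject: Invoice

Please pay the attached invoice. Keyword: harbor-0923

Bob
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, check_message(sample) or ["no findings"])
```

The lookalike check is deliberately strict (two edits or fewer) so it catches the extra-letter trick from the story without flagging every unrelated outside domain; the keyword check fires regardless of sender, which is the whole point of step 2.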

We are living in an ever-developing world where cybercrime is global, the barrier to entry is low and we humans are the weak link in the chain. Since cybercrime has such low risk and high reward these scams will become more frequent and sophisticated. Businesses will have to adapt to these changes and develop strategies to protect their resources. It is important to consult with your IT partner to learn how you can train your employees and set up security measures that will prevent this coming wave of cybercrime.


Train Employees What To Click On

October is cyber security month – a month dedicated to ensuring that you and your business are as safe from online threats as possible.
Cyber security threats are real, and they are more common than you may think. Whether it is a phishing scam coming through your e-mail or targeted malware, cyber criminals are constantly coming up with new ways to target your business.
Unfortunately, no matter how effective your network security is, there’s one factor that you can’t account for – and that’s the human users on your system. Many phishing scams are becoming so good that it’s easy for intelligent, aware people to be sucked into their trap.
Thankfully, with all of the constantly evolving threats out there, a new industry is emerging. Companies are now being created that focus solely on identifying and preventing threats to cyber security.
One example of these companies is knowbe4.com, a site that offers security awareness training to employees who may not be aware of the best strategies for avoiding phishing attacks. The site also offers simulated phishing attacks for practical testing, and statistics to demonstrate how effective the training efforts have been. Other similar education programs include Secureworks and Rapid7.
When it comes to avoiding cyber security threats, the best offense is a good defense. Training your employees to recognize phishing scams and avoid falling prey to their schemes is one of the best investments you can make for your business’ network security system.
These companies are experts at targeting specific cyber threats and in-depth training. However, there are several general guidelines for cyber security that you and your employees can begin implementing immediately.
Firstly, phishers can imitate internal e-mail addresses, so attachments in e-mails should never be opened unless they are expected. For the same reason, it’s best to avoid sending sensitive information over e-mail – confirm through another method of communication to make sure that it is necessary before doing so. Lastly, use extreme caution when clicking on links or images online or on e-mail – if something seems too good to be true, it probably is. Extreme caution should always be used online in order to ensure that your network remains as secure as possible.
Even though cyber security threats are highlighted in October, they are a constant threat to businesses of all kinds and sizes. If you have any concerns about your business’ current level of network security, want security education for your employees, or are interested in learning more about the education programs mentioned above, call eTop Technology. We will be able to help you tailor your approach to cyber security for your industry and business needs.