Categories
Technology

Phishing Attacks In The Real World

 

When was the last time you almost lost $23,000 to a phishing email? This nearly happened to one of our clients this week. Fortunately, the phishing attempt was spotted before the funds were transferred. There are still a few good lessons to take away from this story, and we want to share them so you can protect your company from these sorts of attacks.

“Bob’s Company” received an email at Accounting@Bobscompany.com. The email was from Bob@Bobsscompany.com.

The email wrote:

“Good Morning,

Please pay the attached invoice in the amount of $23,000.

Thank you,

Bob”

For the accounting manager, this was business as usual. The boss regularly sends requests to the accounting department to have bills paid. At a glance, there is nothing wrong with the email, but in this instance the tone of the email was unusual, which prompted further investigation.

This phishing attempt was sophisticated to the point where the scam artist even took the time to forge a signature on the attached invoice that matched Bob’s. Fortunately, the accounting manager double-checked with the boss before processing the transaction. What’s scary is just how close the accounting manager came to processing the payment, a mistake any one of us could make. If they weren’t paying attention or were in a hurry, anything could have happened.

What’s important to take away is just how predictable we are. Most companies operate the same way with similar departmental and communication structures. If this wasn’t true then social engineering scams wouldn’t work. This was a close call for just one company and it isn’t hard to believe that whoever sent this email has sent thousands of them and likely got paid on a handful.

These types of attacks are becoming more prevalent than any other because they are cheap, easy and work on businesses of all sizes. “Bob’s Company” is a small business, not the kind of behemoth you would assume a hacker goes after. Small businesses are easy targets from a hacker’s perspective because many of them do not invest in security and user training the way large companies do.

Some actionable steps you can take to avoid falling victim to this type of attack are:

  1. Avoid using departmental email addresses like Accounting, Payroll or HR. These tell the hacker that the phishing email is reaching the right person, making it more likely to have the hacker’s desired effect.
  2. Use a regularly changing keyword when sending requests for a transfer of funds. Change this keyword every month and instruct your staff never to transfer funds without the keyword in the email. This is a very low-tech solution, but it works. These attacks are intended to trip you up when you aren’t paying attention; the majority of them never involve someone spying on your network and learning your passwords and company secrets. Simple though it may be, this is an effective form of two-factor authentication.
  3. Use free phishing simulation tools like KnowBe4 to test your employees and see who is likely to click on phishing emails. Invest in those employees by training them on what to watch out for.

We are living in an ever-developing world where cybercrime is global, the barrier to entry is low and we humans are the weak link in the chain. Since cybercrime carries such low risk and high reward, these scams will become more frequent and sophisticated. Businesses will have to adapt to these changes and develop strategies to protect their resources. It is important to consult with your IT partner to learn how you can train your employees and set up security measures that will prevent this coming wave of cybercrime.

Categories
Technology Training

Learn how to use a VPN

You may have heard of, or even used, a virtual private network (VPN), but do you know what it is? A VPN is an encrypted tunnel through a wide area network (WAN), also known as the Internet. This means that the network does not have to be located in one physical location, unlike a local area network (LAN). By using encryption and other security measures, a VPN can scramble all the data sent through the WAN, so the network is “virtually” private. In other words, a VPN allows you to access the files on your local network over the internet from an airport, coffee shop or another country, and you will be as secure as if you were sitting in your office.

Businesses commonly use VPNs to communicate across multiple locations. A large company that has offices in several cities may need to send data between their locations via the Internet. To keep the information secure, the company will set up a VPN with an encrypted connection, effectively giving the company a secure intranet over the Internet.

In this video, we will show how you can download one of the many VPN services on your computer. Once downloaded, we will show you how to set up and use this tool. Although there are many VPN options to choose from, most of them work the same way. If you are going to be traveling for work, or need to work from home or a coffee shop, it is important to send and receive sensitive data over a VPN. Otherwise, you are opening direct access to all of your company’s sensitive information and risking a security breach. For more information, or if you would like to set up a VPN for your company, contact eTop today.


Phishing For Passwords

There has been a recent increase in phishing attempts across the US and it is concerning for many reasons. It is important to be aware of these issues and how these phishing attempts work so that you can protect yourself and your company. The unfortunate truth is that there is only so much you can do to block phishing emails from landing in your inbox in the first place. The only surefire way to prevent phishing attempts from becoming a problem is by training your users to keep a keen eye.

[Image: example of a phishing email]

A phishing attack like the one shown above is an attempt to get you to give away important information, usually the credentials to an email account. In the past, phishing attempts were highly generic, like the “Nigerian Prince” scam that most discerning individuals would recognize as malicious. Now that most people have become aware of the nature of phishing attempts, the scammers are having to become more sophisticated.

This means that phishing attempts will become increasingly difficult to distinguish from legitimate emails. As more and more email is hosted in the cloud through services like Gmail and Office 365, scammers have found a particularly effective way to trick people. These services periodically ask you to verify your credentials or even change your password every 90 days. These routines can be hijacked to make you think that you are giving your information to your provider when you are really giving it to a scammer.

By looking at your publicly available DNS records, scammers can tell what email platform you are using. It is easy to set up a web page and design it to look exactly like the login page of any hosted email provider. Scammers will use this information to send you highly targeted emails asking you to verify your credentials for “security” reasons. Seeing that the email appears to be from a trusted source, and the link in the email supposedly leads to your hosted email provider, you are likely to enter your password giving the scammer access to all of your information.

In order to help you avoid these pitfalls, we have a few simple steps to follow that will help keep you safe.

  1. Are you expecting the email? Maybe you are logging in from a new computer and the email host doesn’t recognize or trust your device. This is a good reason to expect an email with a link. If there is no reason to expect an email, then receiving one should be a red flag.
  2. Inspect the email. Start by looking at the sender. Do you know them? Don’t just look at the display name; carefully inspect the email address the message is coming from. Is the domain spelled correctly? If not, this is likely a scam. Does the email use scary words like Urgent or Emergency? This should be a red flag as well. Also, be sure to check the addresses of any external links; if they lead to an obscure website, this is likely a scam.
  3. Don’t use links. If you have reason to think that this email is legitimate, take one last security precaution and don’t use the link provided. If you need to verify your credentials then you will be prompted to do so the next time you log into your email account. Do a web search for the login page of your hosted email provider and log into your account from there. If you are not prompted to verify your login then you will know that the email you received is a scam. If it is a link from a known sender, you could also give them a call to verify that the link is from them.

Following these steps will allow you to filter out most phishing attempts that make it to your inbox no matter how sophisticated they become. These attacks rely on you making decisions while not fully paying attention, but they will never be able to fully copy the email provider they are trying to spoof. This means that if the email is not legitimate, then you will likely be able to point that out with a few seconds of careful inspection.

As always, be sure to work closely with your IT professional to ensure that you have a security plan in place. Phishing attempts can lead to data loss, security breaches and even significant lost revenue. It is always better to be preventative about these issues than having to deal with the aftermath.


Use Technology To Avoid Pesky Salesmen

Technology has driven a wedge into the profession of sales in a way that the industry wasn’t prepared to deal with. On the one hand, you rely on it to keep you connected, but on the other hand, you also want it to protect you and keep your life private. Salesmen look to utilize every bit of accessible information to help them drive revenue. In the meantime, they create a lot of noise in your inbox that, for the most part, you couldn’t care less about.

We have a unique perspective on sales because we are the purveyors of technology for our clients, and like every other business, also need to sell in order to grow as a company. This allows us to see how businesses are set up and how the technology can be taken advantage of in order to drive more sales. What we have learned is that there are a few ways to hide in plain sight so that you can only be reached by people you care about while remaining invisible to the rest of the world.


Problem #1: Email

Let’s start with email, the most important means of communication for businesses today. That is, until everyone knows your email address; then it becomes a time sink to delete thousands of emails just to get to the handful that are important. How does this happen? It starts when you set up the email addresses for your company. You choose your domain along with a naming format so that everyone in the company has basically the same style of email address. This looks professional, but the downside is that it is very predictable. For example, john.doe@domain.com might be the owner while sally.jane@domain.com might be the receptionist. Meanwhile, the names of all of the key decision makers in your company can be found on sites like LinkedIn and Facebook or through a Google search. Companies will happily give away contact information for lower-level employees without realizing that they are actually giving away every contact in the company.

Answer

You are playing with smoke and mirrors. If a salesman doesn’t know your email address, he or she is going to guess, and they will likely figure it out by sending an email to the most common variations of email address that businesses use until one doesn’t bounce. The best bet is to have more than one email address. Have one that you use to get your work done and another that serves as a filter to catch all of the unwanted emails. Make your filter email predictable and easy to guess, and use an uncommon variation for your important email. Additionally, you can purchase another domain and use that for your important email, separate from your web address domain. If a salesman is relying on guesswork to get your email, it will be very difficult to piece this together.

Problem #2: Phone/Voicemail

The second biggest issue is the dial-by-name directory and your personal extension. You may have hired the toughest gatekeeper in the world, but if a salesperson knows your name and can use a dial-by-name directory, they might as well have your direct line. Even if you forgo the dial-by-name directory altogether, it is important to remember not to start your voicemail with “Hi, this is John Doe at extension 222,” which accomplishes the same thing as far as any salesperson is concerned. More common than this small human error is the one built into your auto attendant that says “Hello, you have reached John Doe at extension 222. Please leave a message at the tone.”

Answer

If you are going to opt into the dial-by-name directory, you should make an effort to hide your name on all of your social profiles, especially LinkedIn, by setting your profile to private. Be sure that you are not giving away information for free by putting your email address and extension in your voicemail. Lastly, think carefully the next time you purchase a phone system and look at each feature to see how it may be used by a salesman to contact you. Many of these features can be customized; however, most of them are left at their defaults, which give away the most information.

Problem #3: Social Media

Social media is making it very difficult to hide from people who don’t know who you are. It makes you look good to have a striking LinkedIn profile with lots of connections, but while you are advertising yourself, remember that this information is accessible to everyone. If a salesman stops by a company to leave some information and the gatekeeper won’t give them the contact information for the decision maker, there is no need to lose sleep over it. It is more than likely that all the information they need will be right at their fingertips as soon as they log into their computer.

Answer

If you are going to have a LinkedIn profile, be sure to keep your profile private. In most cases, all a salesman needs is a correct name to get your email and to start flooding your voicemail inbox. The goal is to be easily accessible by those who already know who you are and by the people who you want to contact you, not by those who are looking to sell you something. It is also important to remember that companies like LinkedIn are playing both sides. While you can set your profile information to private, you can also pay for a Sales Navigator account to remove those privacy settings. The ultimate truth is that if you are going to put your information on the internet, it will be used by people who want to get in contact with you, even if you don’t want to hear from them.

It has gotten to the point where it is almost astonishing to not be able to find contact information for prospective clients online. Combine this with the human tendency to be predictable, and there are no barriers keeping your inbox from getting flooded. This can be troubling and can cause many distractions in your work life if you do not develop a strategy to keep your privacy under control. One way you can benefit from working with an IT partner is by setting up the systems that connect you so that they also protect your privacy.


PCI Compliance Audits

Have you ever been audited for PCI compliance? If not, it is most likely that at some point you will be. If you want to maintain the ability to process payments electronically, audits are a fact of life. The more transactions you process in a year, the more often you will be getting a visit from your friendly neighborhood qualified security assessor (QSA).


In short, a PCI compliance audit should not be something to fear as long as you are willing to rectify any issues that your QSA finds. This is a matter of determining liability on the part of your electronic payment processor. If you are not PCI compliant and you have a security breach, then your payment processor will not cover damages.

In most cases, you will receive a notice that you are being audited by your payment processor for PCI compliance. The audit will be performed and you will receive a report stating whether or not you are PCI compliant and if not, what you need to resolve in order to get there. At this point, it is up to you to work with a partner to help resolve any issues found by the QSA.

When you receive your PCI report, it can be confusing to know how to implement the requirements without a partner that is experienced in compliance audits. Working with a company like eTop Technology can help you plan and implement solutions to ensure that you pass your PCI compliance audit both now and in the future. If you find your company in this position, please reach out to us and we will help you build a secure future.


How to prepare for ransomware

Lately, there has been a lot of talk about ransomware: a type of computer virus that encrypts your files and holds them for ransom. Worse yet, there is no guarantee that your data will be released if you pay the ransom fee. In light of the most recent ransomware attack called “WannaCry” that infected a substantial number of businesses in Europe, it is important that you are taking measures to ensure that your business is safe.


If you are not familiar with the statistics, ransomware was a billion dollar industry in 2016, and every cyber criminal knows it. There is exceptional financial motivation for these scams to be produced indefinitely, and they become increasingly sophisticated every day. As a business owner, ransomware is a constant threat that cannot be ignored.

Playing defense in the ransomware game is a layered approach, with several security measures to prevent ransomware from getting onto your network. The first line of defense includes anti-virus, a good firewall and effective spam filtering. The next important step in any security plan is user training. Ransomware is generally not a problem until someone within your network clicks on the wrong email or web link. The final layer of defense is made up of things like an insurance policy or data backups.

Ideally, investing in each of these layers is best practice. However, if you have to choose one component over another, backups are the most important investment you can make. With a good backup system, you may lose some time and a nominal amount of data after an attack, but you will be able to restore your data without the ransomware affecting your business.

In addition to having data backups in place, it is also essential to ensure that your backups are up to date and running properly. Backup jobs have a tendency to hit errors that can disrupt the backup schedule. Proper backup monitoring will catch the cases where your backups were not operating as expected and your data was left vulnerable.

Talk to your IT professional to ensure that you have both preventative security measures and contingencies in place to protect your data in the event of a ransomware attack.


Scam Email and Phishing Attempts

As an IT support company, we are always telling our friends and clients to be cautious with what they click on or whom they give personal information to. Most people know to avoid giving money to a Nigerian prince, but scams and phishing attempts are becoming more advanced every day. Many scam emails disguise themselves as people or companies we already know and trust. You must always be diligent to avoid falling for the latest tricks. Today, we came across a good example within our own company that illustrates why being cautious is so important.

Even IT Companies Get “Phishy” Emails!

[Image: screenshot of the phishing email sent to Sara]

What is wrong with this picture? First of all, Sara was not expecting to make any immediate transfers. Secondly, there is no reference to what is being purchased or the reason for a transfer of funds.

Once your alarm bells begin to go off, you will start to notice additional red flags. For example, what is wrong with williampote@etoptechnollogy.com? Notice that the domain etoptechnology.com has only one “L,” as seen in Sara’s email address. If you examine William’s email address, however, you can see that it contains the wrong domain. If you did not closely examine the sender’s email address, this detail could easily be missed.

In addition to the wrong domain name, there is another tip-off that this email is a scam. The sender signed the email with the nickname “Bill,” but William does not go by Bill.

Had Sara missed these red flags and fallen for the phishing email, she may have replied to confirm that she is ready to make a transfer. She would likely have received a reply email with a link to a wire transfer site that would take her money, never to be seen again. Although this seems like a crude method to steal money, it has led to businesses losing millions in a single transaction.

What Can I Do?

No matter how good your firewalls, antivirus, and other security measures are, there will always be threats like these that slip through. Though the potential for phishing may be intimidating, you can generally protect yourself by following these tips:

1. Keep your guard up and be cautious.

2. If you receive an email or any correspondence that you were not expecting, especially relating to requests for money or personal information, verify with the sender through an alternate source like a phone call. Wherever possible, attempt to find the sender’s contact information through Google or some other means, rather than contacting them through the information they supplied.

3. Always closely examine the domain in your senders’ emails and any subsequent websites you get directed to.

4. If you think you have received a phishing attempt, or you already fell for one and think your email or network has been breached, contact your IT provider immediately. Better to be safe than sorry!
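To make the domain check in the tips above (and in step 2 of the “Phishing For Passwords” post) concrete, here is an added example in Python that is not from the original posts: it screens a From: header, subject and body against a list of your own trusted domains, flagging lookalike domains such as the doubled-letter ones described on this page, along with the urgency and money-transfer wording the posts call out. The trusted-domain list, keyword lists and edit-distance threshold are assumptions; the “Bob” sample is reconstructed from the post above and the “Bill” sample is constructed, since the original is only shown as a screenshot.

```python
import re
from email.utils import parseaddr

# Domains this company actually sends mail from (constructed for this example).
TRUSTED_DOMAINS = {"etoptechnology.com", "bobscompany.com"}
# Wording the posts above call out as red flags (assumed keyword lists).
URGENCY_WORDS = {"urgent", "emergency", "immediately", "asap"}
MONEY_WORDS = {"invoice", "transfer", "wire", "pay", "payment", "funds"}
# An unknown domain within this many single-character edits of a trusted
# domain is treated as a lookalike (catches doubled letters such as "ll"/"ss").
LOOKALIKE_THRESHOLD = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance where insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str):
    """Domain of the address in a From: header; the display name is ignored on purpose."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower()


def classify_domain(domain, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted' on an exact match, 'lookalike' if a trusted domain is a few edits
    away, 'external' otherwise, 'malformed' when no domain could be parsed."""
    if domain is None:
        return "malformed"
    if domain in trusted:
        return "trusted"
    if any(levenshtein(domain, good) <= LOOKALIKE_THRESHOLD for good in trusted):
        return "lookalike"
    return "external"


def screen_email(from_header: str, subject: str, body: str,
                 trusted=TRUSTED_DOMAINS) -> list:
    """Return the red flags a reader should check before acting on the message.
    An empty list means none of the automated checks fired; it does not prove
    the message is genuine."""
    flags = []
    domain = sender_domain(from_header)
    verdict = classify_domain(domain, trusted)
    if verdict == "lookalike":
        flags.append(f"sender domain {domain!r} is a lookalike of a trusted domain")
    elif verdict == "malformed":
        flags.append("sender address could not be parsed")
    words = set(re.findall(r"[a-z]+", (subject + " " + body).lower()))
    if words & URGENCY_WORDS:
        flags.append("urgency wording: " + ", ".join(sorted(words & URGENCY_WORDS)))
    if words & MONEY_WORDS:
        flags.append("request involving money: " + ", ".join(sorted(words & MONEY_WORDS)))
    return flags


# Sample messages: "bob" is reconstructed from the Bob's Company post on this
# page; "bill" is constructed to match the description of the email sent to
# Sara (the original is only shown as a screenshot).
SAMPLES = {
    "bob": ("Bob <Bob@Bobsscompany.com>", "Invoice",
            "Good Morning, Please pay the attached invoice in the amount of "
            "$23,000. Thank you, Bob"),
    "bill": ("William Pote <williampote@etoptechnollogy.com>", "Quick question",
             "Sara, are you in the office? I need to make a transfer today. Bill"),
}

if __name__ == "__main__":
    for name, (frm, subj, body) in SAMPLES.items():
        print(name, screen_email(frm, subj, body) or ["no flags"])
```

A clean result from this check only means the automated tests did not fire; the phone-call verification in tip 2 still applies to any unexpected request for money.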


Business Information Technology Risk Assessment

In the spirit of St. Patrick’s Day, it is a good time to ask yourself how lucky you are. Since we are IT consultants, we are going to focus on what that means when we look at an IT network. As an IT company, we get to see how a lot of businesses operate and manage their IT, and it ranges from systems that completely rely on luck to operate from one day to the next to businesses that have more layers of redundancy than employees.


It is truly amazing how lucky you can be when operating a business with a network that is patched together. Eventually, however, luck runs out, and this can be costly. What we have put together is an easy way for you to self-assess how lucky you are. Run through the following list of questions, scoring each category on a scale of one to ten, and use this metric to give yourself an accurate risk assessment.

The categories below are based on a company that has 10 to 50 employees and is hosting a network internally. Each category will give you 10 points for a total of 50 if you are doing your due diligence to protect your network and your company.

Backups
There are two types of backups: local and off-site (hosted). A good way to look at an effective backup system is through a layered approach. Ideally, you should have a server that is backed up to local storage. The local storage should then be backed up off-site. This way you accomplish both speed and redundancy. Give yourself three points if you have a local backup system, an additional three points if you have off-site backups and four points if you are using a backup monitoring system to ensure that your data is actually being backed up.

Network Age
A network is not like a fine wine. It doesn’t get better with age. The older your hardware, the more likely you are to have to respond to downtime and data loss. We recommend that our clients replace their computers on or before the five-year mark and replace servers at three years. Other network hardware such as switches, battery backups, firewalls, routers and Wi-Fi access points should be replaced at the same time you replace the server. To the best of your ability, try to assess the age of your network hardware. If 10% of your network falls within this specification, give yourself 1 point; if 70%, 7 points, and so on.

Security
You can never be too secure, so it is difficult to score a 10 on this scale. Just doing your due diligence will get you a long way, and that is what we are going to focus on here. Give yourself two points for each of the following.

  • Anti-virus on each workstation and server
  • A managed firewall
  • A score over 6 on network age
  • Passwords on each workstation that expire every 90 days
  • PCI compliance

Software Patch Level
Do you know the current patch level for all of your supported software? This could be the operating system on your server, the firmware on your firewall or the version of anti-virus you are running. Your hardware is only as smart as the software that is running on it. If you are running software that is out of date or is not supported, you are at risk. Give yourself two points for each of the following.

  • Is your firewall running the latest firmware?
  • Is your server OS under support?
  • Is your anti-virus running the latest version?
  • Are your computers running the latest OS version?
  • Is your line of business application up to date?

Vendor Support
Vendor support for applications plays a critical role in keeping networks running smoothly. If you are using a line of business application for the majority of your day-to-day operations but haven’t purchased a vendor support package for this product, you are exposing yourself to potential downtime. Partnering with an IT support company will not necessarily fix this issue, because no support partner will know that important application as well as the company that created it. In addition to purchasing vendor support for your most important application, you should also work with an IT partner that can provide preventative support for your network to ensure that you are as protected as possible. If you have purchased an application support package, give yourself five points. Also, if you are working with an IT support partner for all of your daily IT needs, give yourself five points.

If you tally up your points and find that you have between 40 and 50, congratulations! You are doing your due diligence to ensure that your network is running smoothly and you are protected against downtime and data loss. If you are between 25 and 40, you should consider working with a consultant to make a road map for improving your network. If you scored less than 25, you are relying on luck to keep your network operational. In this case, you should reach out to an IT consultant and consider making serious improvements to your network infrastructure and support.


The Growing Importance of Business Internet

Sooner rather than later, business IT networks will consist of an internet connection and a lightweight computer that acts as a terminal to the internet. There will be no more investing in servers, switches, battery backups, NAS devices, etc. in the way that has been done for the last 15 years. Companies will trade the responsibility of purchasing and maintaining a network for “network as a service” in a hosted data center. Ultimately, this move will come with many benefits such as increased security, increased uptime, greater redundancy and decreased costs for your company.


The catch to all of this wonderful techy business is your connection to the internet. Right now, if your internet connection goes down, it can hurt your company a lot. You will most likely lose access to email, payment processing, search, phones and any other hosted application that you rely on. The upside is that you can still work internally until your connection comes back online. If you host your entire network in a data center, you would lose all functionality when your internet connection goes down. Despite all the benefits that hosted networks will bring, they will make your internet connection that much more important.

This will likely affect businesses in a few ways. Primarily, businesses will want to invest in redundant internet connections that run on separate networks. A good way to look at this would be having a main fiber connection and a backup point-to-point wireless connection as a failover. This will also affect the way businesses look at acquiring new locations. One of the most important questions you will ask when looking at a new building is “what internet options are available?” If fiber internet isn’t already connected to the building, this should be a serious consideration.

Finally, with all of this in mind, you will want to watch out for the dirty tricks that the telecom industry likes to play, namely the auto-renew clause that is built into most contracts. A lot of businesses are in the process of making a change from copper internet to fiber internet. If you are at all interested in moving toward hosted options for your company network, you will want a solid fiber internet connection. It is important to know when your internet contract is coming to a close and either move to a month-to-month option or make sure that you are ready to cancel that contract and replace it with a fiber connection.

Business IT network options are in a constant state of change and now like never before, it is important to make sure that you have an IT partner that can help you navigate the options of the hosted world. If you are considering hosted solutions for your company, give eTop a call for a free consultation.


Popcorn Time Ransomware

While everyone is in the spirit of giving this holiday season, there is something to be said about giving for the wrong reason. A new strain of ransomware is a good example of this. It’s called Popcorn Time. This new strain of ransomware gives you two options if your computer is infected. You can choose to pay the ransom, or you can choose to forward the ransomware email on to other people in your contacts. If your efforts successfully infect two other computers, you will receive a decryption code for your computer.


Up to this point, this method had been unheard of, and it pushes the boundary of social engineering scams to a new level. This method is likely to make the infection rate significantly higher, as the ransomware appears to come from a trusted and legitimate source. Another nasty feature of Popcorn Time is that if you enter a false decryption code four times, it will start deleting files.

It can’t be stressed enough that unless you are expecting an email, you should not open any attachments unless you have confirmed the legitimacy of the email through another channel of communication. As with any other ransomware, if your computer is infected, your best hope is to rely on your data backup system.

As an IT New Year’s resolution, it may be a worthy pursuit to make sure that your backups are running smoothly, and if you haven’t made the investment in a backup solution yet, there has never been a better time. These social engineering scams are real and are becoming more and more clever by the day. Protect your investments and your company by putting measures in place to insure against attacks like these. For more information, contact eTop for a free consultation.