Small business is a big target for cybercriminals. In fact, some say that small business is the number one target of cybercriminals. Why? Because small businesses tend to be low-hanging fruit for attacks that do not need to be very sophisticated. At the top of the list: phishing and ransomware. We saw ransomware take the world by storm last year with major epidemics like WannaCry infecting everyone from mom and pop shops to major hospitals, banks, and universities. Phishing is a tried and true method of stealing sensitive information that is later sold on the black market. The moral of the story is that these significant threats are not going anywhere and will only grow given their overwhelming success.

As we mentioned, small and medium businesses are also targeted because they are perceived as soft targets. After all, you don’t have a multi-million dollar security budget or a dedicated information security department. So how do you, the small or medium business owner, protect your business from these threats? It boils down to three key aspects: education, controls, and backups.

Spotting Phishing Attacks

A Rudimentary Example of a Phishing Email

The above screenshot is an example of a phishing email. There are certain things to look for that should trigger red flags.

  • The Sender

It is not very hard to fake the sender of an email; this is called spoofing. With the right technology, you can make it much harder for these attacks to get through. As more businesses adopt this technology, cybercriminals are getting smarter too. Always double check the sender of your emails. As a recent example, someone attempting to steal money from one of our clients opened a Gmail account in the name of the CEO and used it to email the CFO. The request was simple:

Please send over the 1stBank account credentials so that I can check on something.

Depending on your organization, this might not be outside the normal course of business. But it raised red flags for the well-trained CFO:

  • The CEO has her own access to the bank
  • The CEO knows that passwords should not be emailed
  • The CFO checked the sender and noticed it was from [email protected]

Armed with the insight she gained by investigating the email, she knew not to respond and deleted it.

  • The Links

More sophisticated phishing attacks will use “spoofed” links to give the impression that you’re going to a legitimate site. Take the example screenshot above. The button and email format imply that the link should go to the “PayFriend” (example) service. However, upon clicking the link, the person was taken to a very different place. A good way to verify that a link is legitimate is to hover over it without clicking. The actual destination of the link will be displayed, and you can verify it there.

It’s important to note here that some email security services, like the Advanced Threat Protection used by Stellar IT, will “rewrite” links to route users through a security service. Check with your IT provider to see if this is expected behavior.

Large organizations like banks, social media sites, and the like will never ask you to enter account information or passwords on websites they do not own. If you’re ever unsure, check the URL bar of your browser.

If you bank with Chase, the domain name you’re logging into should always be chase.com. Some phishing sites are more sophisticated and will try to trick you with links like:

  • https://phonysite.com/chase.com/login
  • https://chase.login-to-bank.com

Both of those links lead to improper login pages because the actual domain is not chase.com: in the first, chase.com appears only in the path of phonysite.com, and in the second, “chase” is merely a subdomain of login-to-bank.com.
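To make the domain check concrete, here is a small added example (not part of the original post) that pulls the real hostname out of a link and compares it to the domain you expect. The sample links are constructed, chase.com is used only because the post uses it, and the check also accepts a genuine subdomain such as secure.chase.com, which goes slightly beyond the two cases above.

```python
from urllib.parse import urlsplit


def link_hostname(url: str) -> str:
    """Return the lowercase hostname of a full URL (as shown when hovering), or '' if none.

    Only the hostname matters: everything after the first '/' is the path and
    can contain any text at all (e.g. '/chase.com/login').
    """
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else ""


def is_expected_domain(url: str, expected_domain: str) -> bool:
    """True only if the hostname IS expected_domain or ends with '.' + expected_domain.

    'chase.login-to-bank.com' fails because the registered domain is
    login-to-bank.com; 'chase' there is just a subdomain label.
    """
    host = link_hostname(url)
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def check_links(links, expected_domain: str) -> dict:
    """Classify each link as 'ok' or 'suspicious' against expected_domain."""
    return {
        url: ("ok" if is_expected_domain(url, expected_domain) else "suspicious")
        for url in links
    }


# Constructed sample links; the two look-alikes are the ones from the post.
SAMPLE_LINKS = [
    "https://chase.com/login",
    "https://secure.chase.com/login",
    "https://phonysite.com/chase.com/login",
    "https://chase.login-to-bank.com",
    "https://notchase.com/login",
]

if __name__ == "__main__":
    for url, verdict in check_links(SAMPLE_LINKS, "chase.com").items():
        print(f"{verdict:10s} {url}")
```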

  • A sense of Urgency or Consequence for Not Acting

Be wary of an email that demands you verify your account to avoid deletion, or that alerts you to some potential spam or crime. Legitimate organizations do not typically use harsh language when they need your attention urgently.

Battling Ransomware

Ransomware is most often spread through malicious links in emails, hacked websites, or malicious email attachments. There are two major elements to defeating it:

A Tested and Effective Backup Plan

Back up your data often and carefully, and then test your backups regularly. In the event of a ransomware infection, the quickest recovery comes from a solid business continuity/backup recovery plan. If your files can be quickly restored to their original state, there is no need to worry about paying the ransom.

Screening Email and Attachments

Just like phishing, paying attention to your email can save you from a ransomware attack. Here is an example of an email that carries a ransomware infection:

This email has a dangerous attachment!

The above email might look harmless: you might think you have a bill to pay. Further, it’s just a Word doc, right? Wrong. It is possible for someone to alter a Word doc, or almost any other sort of file, to contain a malicious payload. Ransomware attacks are getting smarter and smarter, but here are some tips to help you spot a phony email:

  • Invoices or urgent messages from companies you do not do business with
  • Receiving an invoice when you aren’t someone who receives invoices for your company
  • Emails with very broad messaging about their attachment such as “Hi John, Please review this updated draft.”
  • Emails with old office format attachments (.doc as opposed to .docx)
  • Improper language (poorly translated English)

Technology Interventions

Nowadays there are a lot of technologies that do a great job filtering out malicious emails! Our Stellar IT clients benefit from Microsoft’s Advanced Threat Protection suite, which runs suspicious attachments through a special sandbox that actually “opens” the attachment and observes how it behaves. It’s important to know that these are never going to be perfect, so always be hyper-vigilant with all of your emails.

When In Doubt, Pick Up The Phone

For either phishing or malicious emails, there is one simple solution that is rock solid: pick up the phone. If you receive an email appearing to come from someone you know, but something is off, give them a call. In the case of a bank or other organization, call the number on their website (not from a link; manually navigate to their website). There’s nothing wrong with calling someone to verify that they’re really asking you for sensitive information.

Other Tips For Success:

  • Banks and other financial institutions will NEVER ask you for passwords, account numbers, or other sensitive data via email. The same goes for most Government agencies.
  • Your company should have an established policy for approving any sort of financial transaction, one that requires in-person or phone approval, or a standard company form that requires a signature.

Together, we can tackle cybercriminals.