Phishing experts don’t care how big or small your business is…
With the recent buzz around Google email accounts getting “hacked” by very clever phishing schemes, this is a great reminder to make certain you have precautions and general awareness in place this time of year. With tax season in the US warming up, this is the prime time of year for some very lucrative hacking to be done. How about we make the shady types of this world a little poorer this year? Read on for how we do that.
WHAT IS IT?
Misinformation leads to panic, so let’s first give some guidelines as to what this “phishing” attack is. In simple terms, phishing is when someone fraudulently impersonates a reputable company, typically by sending an email with a call to action for the recipient, in order to gain access to passwords, credit card information, and other sensitive personal information. There are a variety of labels that float around for this hack. While phishing is the most popular of the terms, some worthwhile variants to know and understand would be “spear phishing” and “whaling”. These two are where the largest money and greatest risks to any company are involved. Whereas phishing in general can be aimed at anyone, “spear phishing” is when a specific individual or department with critical access is the target, and “whaling” is when the target is an executive… a Big Fish. (Hey, if nothing else, we nerds are clever with our labels.)
WHAT ARE THE RISKS?
The risks can be mild annoyance on a personal level to catastrophic company-ending financial disasters. That leaves a lot of grey area in between those extremes, and that is also why everyone from the CEO to the stay-at-home mom or dad needs to know what is at stake.
Since October of 2013 the FBI’s Internet Crime Complaint Center (IC3) has been tracking victims and financial loss from Business Email Compromise, or BEC (note: FBI… not as clever with names). As of May 2016, they had recorded 15,668 domestic and international victims with a total of over $3 billion in exposed dollar loss. Of those victims, 14,000+ were US based. Not only is phishing big business, it is a big US business, with victims reported in all 50 states! Per their report, since January of 2015, the amount of exposed losses has increased by… you ready… 1,300%. This is a growing problem on a very impressive and unfortunate scale.
In addition to the obvious financial hit in pure dollars, our partners at Bitdefender remind us that the risk of exposing your company to viruses, adware, or ransomware creates additional hits on productivity and profits when you can no longer access critical files, client databases, or a device entirely.
HOW IT HAPPENS
In the early days of phishing, it was a simple (and often obvious) attempt to lure potential victims in with promises of free money from foreign countries or other similar tactics. Long gone are those days though. Using the recent Gmail attack as an example (if you missed it, a quick Google search will find it in no time), modern day phishers are much more sophisticated. Employing everything from fake URLs that copy the mimicked company’s web address, to forged CEO signatures, to invoices that match recently used dollar amounts so as not to raise suspicion… they have gotten very good at being villains.
Typically, the attacks fall into one of five categories to watch out for:
- Invoice Modification Scheme = a fraudulent email is sent imitating that of a known supplier to the company being attacked. Often it is very much like the legitimate account’s regular emails, so only with scrutiny would you be able to tell.
- CEO Fraud = this is when the compromised email account of an executive is used to make a request of another individual or department within the same company… usually to transfer funds in some way.
- Business Contacts Vendor Compromise = in this instance, rather than impersonating the vendor, the subject impersonates a company employee whose email has been compromised. They then use the contact list of the compromised account to solicit payments from regular vendors to accounts that the hacker controls.
- Attorney Impersonations = like the CEO Fraud, this attack is when a law firm associated with a business transaction is impersonated and requests expedited funds, and they typically also request the transaction be handled privately. It is also usually timed with the close of business.
- Data Theft = this one is most timely to the tax season, because it typically involves a compromised email account making requests for Wage and Tax Statements (W-2s) or a list of PII (Personally Identifiable Information). This category of scam showed up just in time for the 2016 tax season. It is no coincidence that we are seeing similar phishing activity now.
HOW TO AVOID THE SCAM
Now that you know what it is, what the risks are, and how they come at you… what do you do about it? The great news about this type of attack is that your vulnerability is absolutely within your power to prevent and control. The following is a list of my favorite tips from the FBI on how to protect yourselves:
- Avoid free web-based email accounts.
- Be very cautious what is posted socially concerning job descriptions and hierarchy.
- Requests for secrecy and pressure to take quick action should be huge red flags.
- Implement IT security procedures such as 2-step verification, digital signatures, spam filtering, multiple channels of verification (email followed up with a phone call before approvals), forwarding emails with manual address entry instead of just hitting reply to a suspicious email, and TFA (Two Factor Authentication) for corporate email accounts.
- Watch out for sudden changes in behavior. For example, if you are asked by a business contact to correspond using a personal email address when all prior communication has been through a company email… red flag!
There are several other steps, but staying aware of the ones laid out above will keep you out of a lot of trouble.
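Several of the tips above (watch for lookalike sender addresses, treat secrecy and time pressure as red flags, notice a contact suddenly writing from a personal webmail account, and check where a reply would actually go) can be turned into a first-pass automated screen that runs before a human ever approves a payment. The following Python script is an added example written for this page; it is not code from the original post, from the FBI, or from any product named here. The trusted-domain list, the free-webmail list, the keyword patterns and the three sample messages are all constructed for illustration, and the thresholds are assumptions a real deployment would tune.

```python
"""Heuristic screen for Business Email Compromise (BEC) red flags.

Added example for illustration only. Every domain, message and keyword
list below is constructed; none comes from a real incident.
"""
import re
from email.utils import parseaddr

# Constructed: domains this hypothetical company already does business with.
TRUSTED_DOMAINS = {"example-supplier.com", "ourcompany.com"}
# Consumer webmail domains; a known contact switching to one is a red flag.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Assumed keyword patterns for "act now", "keep it quiet" and "move money / send PII".
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|before close of business|end of day)\b", re.I)
SECRECY = re.compile(r"\b(confidential|keep this between us|do not (discuss|mention)|privately)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|new (bank )?account|routing number|w-?2s?|payroll)\b", re.I)


def domain_of(header_value):
    """Extract the lowercase domain from a From: / Reply-To: header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance; a tiny distance to a trusted domain means a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this sender domain imitates, or None if it is trusted/unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:  # assumed threshold
            return trusted
    return None


def screen(msg, known_contact_domain=None):
    """Return a list of red-flag descriptions for one message.

    msg is a dict with 'From', optional 'Reply-To' and 'body'.
    known_contact_domain is the domain this sender has used in past correspondence.
    """
    flags = []
    sender = domain_of(msg.get("From"))
    reply_to = domain_of(msg.get("Reply-To"))
    body = msg.get("body", "")

    # A reply would silently go somewhere other than the apparent sender.
    if reply_to and reply_to != sender:
        flags.append(f"reply-to domain {reply_to} differs from sender domain {sender}")
    # Typosquat / homoglyph of a domain we actually trust.
    look = lookalike_of(sender)
    if look:
        flags.append(f"sender domain {sender} looks like trusted domain {look}")
    # Sudden change in behaviour: company contact now on personal webmail.
    if known_contact_domain and sender in FREE_WEBMAIL and known_contact_domain not in FREE_WEBMAIL:
        flags.append(f"known contact now writing from free webmail ({sender}) instead of {known_contact_domain}")
    if URGENCY.search(body):
        flags.append("pressure to act quickly")
    if SECRECY.search(body):
        flags.append("request for secrecy")
    # Money or PII request on top of any other flag: verify out of band before acting.
    if PAYMENT.search(body) and flags:
        flags.append("payment/PII request combined with other red flags: verify by phone before acting")
    return flags


# Constructed sample messages (not real mail).
LEGIT_INVOICE = {
    "From": "Billing <billing@example-supplier.com>",
    "body": "Attached is invoice 1042 for March services. Let us know if you have questions.",
}
INVOICE_MODIFICATION = {  # capital I stands in for the l in 'supplier'
    "From": "Billing <billing@example-suppIier.com>",
    "body": "Our banking details have changed; remit the attached invoice to the new account by end of day.",
}
CEO_FRAUD = {
    "From": "CEO <ceo@ourcompany.com>",
    "Reply-To": "ceo.ourcompany@gmail.com",
    "body": "I need you to wire $48,500 to a new account immediately. Keep this between us until the deal closes.",
}

if __name__ == "__main__":
    for name, m in [("legit", LEGIT_INVOICE), ("invoice scam", INVOICE_MODIFICATION), ("ceo fraud", CEO_FRAUD)]:
        print(name, "->", screen(m) or ["no flags"])
```

The script is a triage aid, not a verdict: a clean result does not prove a message is safe, and the point of the last check is that any money or W-2 request arriving with other red flags should be confirmed over a separately dialled phone number, exactly as the FBI tip on multiple channels of verification says.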
WHAT IF YOU ARE ALREADY A VICTIM
Someone is bound to make a mistake sometime. I mean, $3 billion says it has happened a lot! While there is a full listing of steps the Justice Department (www.justice.gov) would like you to take, here are the “In Case of Emergency” quick steps.
- Contact your financial institution.
- Ask them to contact the financial institution that the funds were transferred to.
- Contact your local FBI office.
- File a complaint at IC3.gov.
It is important to emphasize the subtitle of this post after all this information. These hackers do not care how big your business is. In fact, there is growing evidence that they may even prefer the small business. The idea is that there are less stringent IT policies in place, and that a lot of small businesses think they can only have a high level of security with a “big business” budget. Both of those assumptions are wrong.
If you would like to find out how to correct those assumptions in your own business and take back the power to protect yourself, head over to CisCom Solutions. The friendly engineers and support staff there can help you make all the concerns of these attacks a virtual non-issue for your business.
As always, if you like what you read here and want more, be sure to like, follow, and share on your favorite social media to stay connected. The links are at the top of the page.