Watch Out for These Clever Email Scams
Cybercrime will cost businesses an estimated $6 trillion per year by 2021, according to the Annual Cybercrime Report. While Equifax and Marriott have survived massive data breaches, 43 percent of major data loss victims immediately go out of business and only six percent survive two years. Many cyber attacks originate from email messages or attachments, where employees are tricked into sharing information, sending payments or downloading malware.
Let’s take a look at some clever email scams and steps that you can take to avoid them.
Most cyber attacks originate from email messages and attachments — is your business secure?
Business Email Compromise
Phishing is a cybercrime where targets are contacted by someone posing as a trusted colleague, partner or customer. The attacker’s goal is to lure the target into providing sensitive data, such as passwords, bank details or credit card numbers. While phishing attacks have historically focused on sending a high number of emails with a low response rate (e.g. the familiar Nigerian prince scams), newer attacks take a more targeted approach.
One of the most popular phishing scams is the business email compromise scam, or BEC, where the attacker pretends to be an employee’s boss, company attorney or a vendor that they’ve done business with in the past. The sender’s email account may be compromised without their knowledge or the attacker may simply spoof the emails. From this position of authority, the attacker requests wire transfers or other payments in believable dollar amounts.
Criminals use recent company news, social media messages and email history to make the request sound as convincing as possible and bypass spam filters. Between October 2013 and February 2016, the FBI indicated that more than 17,600 victims succumbed to the crime with more than $2.3 billion in combined losses. The average loss per scam was estimated at between $25,000 and $75,000, which can be a meaningful sum for small businesses.
Download our free employee handbook for spotting and avoiding phishing scams.
There are a few steps that you can take to avoid these phishing attacks:
Pick up the phone. Make it a company policy that payment requests or requests to send confidential information cannot be sent via email. By forcing employees to call or make a request in person, you can avoid these potentially costly mistakes.
Require two-factor authentication. Two-factor authentication and password managers make it much more difficult for criminals to gain access to executive or employee inboxes and launch these kinds of attacks.
Spoof-proof your email. Prevent spoofing of your email addresses by setting up SPF records and DKIM checks at the domain level: an SPF record whitelists the IP addresses that are allowed to send email for the domain, and DKIM signs outgoing messages with a private key so that receivers can verify them against the public key published for the domain.
Fake Sign-in Screens
Malware, or malicious software, is any program designed to infect computers for the attacker’s purposes. For example, botnet malware covertly sends spam emails, while ransomware holds the data on the hard drive to ransom. Most malware spreads through email attachments or infected downloads, but some malware (e.g. WannaCry ransomware) spreads through exposed network ports on computers or networks that haven’t been properly secured.
Most people know that they shouldn’t open unfamiliar attachments, but nearly 40 percent of all malware still comes from infected Microsoft Office attachments, according to Cisco’s 2018 Annual Cybersecurity Report. With the rise of Google G Suite and automated virus scans, email attachments have become a less and less effective way to infect computers. Attackers have been forced to come up with other approaches to deceive their targets.
This is the closest I've ever come to falling for a Gmail phishing attack. If it hadn't been for my high-DPI screen making the image fuzzy… pic.twitter.com/MizEWYksBh
— Tom Scott (@tomscott) December 23, 2016
One of the most innovative new attacks involves sending an email that appears to carry an attachment, but rather than actually attaching a file, the attacker embeds an image that looks like a file preview from Google. After clicking on the image to preview the file, the user is taken to a fake Google sign-in page. The target’s credentials are stolen as soon as they try to log in to the fake website, and the entire company’s data is instantly at risk.
Don’t forget to download our free handbook to help employees identify and avoid phishing emails.
There are a few ways to protect yourself from these kinds of attacks:
Protect your network. Many antivirus programs integrate with Outlook or other email applications, while Google’s G Suite offers built-in virus scanning. Active network protection can also help prevent these attacks at the source.
Use secure file sharing. Make it company policy to use encrypted cloud storage rather than sending attachments via email. By taking this approach, employees never have to question whether an attachment is infected, and all the data is secure.
Never click links. Make it company policy to never click links in an email. Instead, copy and paste them into a web browser to verify they are reliable, or better yet, type in the URL yourself and log in.
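The fake-preview attack and the "never click links" policy both come down to inspecting where a link really goes before anyone clicks it. The following added example (not code from the article or from Google) does that inspection automatically over an HTML email body: it collects every anchor, notes whether the anchor wraps an image (the fake attachment-preview trick), and flags hrefs whose host is a lookalike of a trusted sign-in host or disagrees with the URL shown in the link text. The sample message and the lookalike domain are constructed; the allowlist of trusted hosts is an assumption an administrator would maintain.

```python
"""Flag suspicious links in an HTML email body.

Added example, not the article's own code. SAMPLE_EMAIL is a constructed
message; the lookalike domain in it is invented. TRUSTED_HOSTS is an assumed
allowlist of the sign-in hosts the organisation really uses.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_HOSTS = {"accounts.google.com", "drive.google.com"}


class LinkCollector(HTMLParser):
    """Collect each <a href> with its visible text and whether it wraps an <img>."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._current = {"href": attrs.get("href", ""), "text": "", "wraps_image": False}
        elif tag == "img" and self._current is not None:
            self._current["wraps_image"] = True  # an image standing in for an attachment

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def looks_like(host, trusted):
    """Heuristic: host embeds a trusted name but is neither it nor a subdomain of it
    (e.g. 'accounts.google.com.verify-login.example')."""
    return any(t in host and host != t and not host.endswith("." + t) for t in trusted)


def analyse_links(html):
    """Return [(href, [reasons])] for every link that deserves a second look."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        host = host_of(link["href"])
        reasons = []
        # Link text that is itself a URL must agree with where the href goes.
        text_host = host_of(link["text"]) if link["text"].startswith("http") else ""
        if text_host and text_host != host:
            reasons.append(f"display text points to {text_host} but href goes to {host}")
        if link["wraps_image"] and host not in TRUSTED_HOSTS:
            reasons.append(f"image 'attachment preview' links to untrusted host {host}")
        if looks_like(host, TRUSTED_HOSTS):
            reasons.append(f"lookalike of a trusted host: {host}")
        if reasons:
            findings.append((link["href"], reasons))
    return findings


# Constructed sample: a fake preview image, a mismatched text/href pair, and one clean link.
SAMPLE_EMAIL = """
<p>Hi, please review the attached invoice.</p>
<a href="https://accounts.google.com.verify-login.example/signin">
  <img src="cid:preview.png" alt="invoice.pdf" />
</a>
<p>Or open it here:
  <a href="http://198.51.100.23/drive/">https://drive.google.com/file/d/abc</a></p>
<p><a href="https://drive.google.com/drive/folders/xyz">Open the shared folder</a></p>
"""

if __name__ == "__main__":
    for href, reasons in analyse_links(SAMPLE_EMAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run on its own the script prints the two suspicious links with their reasons and stays silent about the genuine Drive link; the same function can be wired into a mail gateway or a mailbox rule to quarantine or tag messages before an employee ever sees the preview image.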
Tips to Protect Your Business
The best defense against cybercrime is a combination of strong internal security policies and robust technology solutions to protect your infrastructure. Technology can help prevent many cyber attacks from ever reaching employees, while the right internal security policies can help employees spot phishing attempts and avoid downloading malware. If a security breach does occur, it’s also important to have a detailed plan in place to guide your response.
A cybersecurity audit is a great starting point for identifying vulnerabilities in your infrastructure before they become a problem. For example, our free network scan tests for six different cybersecurity vulnerabilities that can put your business at risk, including open ports, server-side attacks, distributed denial of service (DDoS) attacks, credit card theft, malware and viruses, and client-side attacks.
The Bottom Line
Cybersecurity is an extremely important and often neglected part of running any small business. Despite nearly half of businesses becoming a victim, very few companies appoint dedicated technology personnel or invest in cybersecurity solutions. We provide a complete suite of cybersecurity solutions designed for small businesses with two to 250 employees at a price point that doesn’t require a major investment.
For more information, browse our full set of solutions or request a free demo.