Malware-packed phishing emails to small businesses are increasing — because they flat-out work. And the fallout for you and your customers can be catastrophic. Learn to spot typical phishing ploys, and follow four best practices to protect your business from phishing.
Phishing’s strongest weapon is fear. And I hate to emulate that tactic, but I want you to understand what’s at stake when your company isn’t protected against phishing and other social engineering attacks:
- 92.4% of malware is delivered via email. (Verizon: 2018 Data Breach Investigations Report)
- Small to medium-sized businesses were the most impacted by phishing attacks with 1 in 95 emails containing malware. (Symantec: 2017 Internet Security Threat Report)
- The percentage of small businesses that had experienced a cyber attack in the past 12 months increased from 55% in 2016 to 61% in 2017. (Ponemon Institute: 2017 State of Cybersecurity in Small & Medium-Sized Businesses)
- In 2017, average malware-related costs for small and medium-sized businesses included $1,027,053 due to damage or theft of IT assets, and $1,207,965 due to disruption to normal business operations. (Ponemon Institute)
I could go on, but instead, let’s fight fear with some facts and best practices.
I recently saw an excellent presentation on cyber security from Kyle Loven, a former FBI agent now with Computer Forensic Services. We followed up with him to learn more about how to protect businesses that don’t have huge IT budgets and security experts on staff.
I’ve put together advice from Kyle and other sources, plus my own experience with TechGen working with small businesses.
First, let’s detail the types of phishing we’re seeing:
Types of Phishing Attacks
1. Basic Phishing: Mass Email Campaigns
A basic phishing attack sprays an identical email or text to thousands, even millions, of users. The message has one goal: To get you to click on a link or attachment.
Kyle warns that even these basic attacks have come a long way from the laughable emails from the “Nigerian prince” begging for your help to transfer his hidden millions into your bank account.
WHAT TO LOOK FOR:
- A seemingly credible source. An email or text message that appears to be from Microsoft, Amazon, Google, UPS, the IRS, the state lottery, etc., designed to get your attention.
- Urgency. There’s either some problem you must address RIGHT AWAY — like a hacked email or banking account that requires you to reset your password or “validate” your credentials — or an offer of something really juicy, like a cash rebate.
- The “call to action” link. The text that opens the link often ratchets up the urgency by saying something like, “Act now to protect your account.”
- A fake login page. If you take the bait and click on a phishing link, you may be taken to a realistic-looking page with fields in which to enter an account ID and password. Or it may appear to be a PDF you can only partially see, with a login box in which you’re required to enter your email account ID and password to “unlock.”
2. Spear Phishing: Targeting You Specifically
While basic phishing’s main goal is usually planting malware that steals credentials, spear phishing usually targets specific employees, trying to get them to give the fraudsters information directly.
Kyle says this can involve fake phone calls in addition to emails. The goal is to trick you into thinking you’re dealing with a familiar, trusted source. And to get that done, social media is the perfect place to harvest business relationship details.
“We divulge a lot about ourselves and our businesses on Facebook, LinkedIn, etc.,” Kyle says. “That helps criminals put together very sophisticated scams.”
The quality of identity “spoofing” is generally better in spear phishing attacks. In the IT security world, “spoofing” can have several meanings. In this case, we’re referring to the ability to mimic a legitimate company’s web address (URL), email addresses, website, graphics, and personnel.
Hackers can spoof your company’s identity to make you believe you’re getting a message from a co-worker or boss (as in the “whaling” description below), or an outside entity. The authentic look is designed to make you overlook certain warning signs.
WHAT TO LOOK FOR:
- New electronic payment instructions from an existing contractor. Say your business has been wiring money to a builder for an ongoing project. An email from the builder saying, “Payment instructions have changed,” and providing new account information could be bogus.
- An ecommerce site you already use asks for identification and/or financial information via email. If you buy things on Amazon.com, for example, you enter your ID/password and payment information on a secure site — you shouldn’t be asked for that information via email.
- An alarming “legal” notice that requires a quick response. The IRS and law enforcement agencies don’t use email to notify you of an impending legal situation you need to take care of. A typical example is an email urging you to open an attached copy of a court document for a complaint that has supposedly been filed against you.
- Familiar senders asking for account information. Similar to the basic phishing request for you to reset a password or verify account information, but with more convincing touches, such as accurate logos and your name in the body of the email.
3. Whaling: Targeting and/or Impersonating Top Executives
Kyle recalls that in his FBI days, the most significant phishing losses came from this technique. It’s a higher level of spear phishing in two ways:
- The target victims are usually your company’s CEO, CFO, HR exec, or someone else with access to your most critical accounts and data.
- The fraudster’s goal is a much higher payoff than a standard phishing scam.
Because the thieves are going for a big score, they’ll often put far more time and effort into customizing their messages with accurate information about your company and/or executives. They’ll create more believable fake login or wire transfer sites.
WHAT TO LOOK FOR:
- A slightly different domain name in an executive’s email address. Scammers will buy a domain name very similar to your company’s and create an email address that differs from your executive’s real address by a single character. For example, your CEO’s real email is firstname.lastname@example.org — would you notice if an email came from email@example.com?
- Emails from an executive who’s out of town. Scammers can time whaling emails by gleaning from social media when an executive is at a conference or on vacation. They’ll then spoof that executive’s email account and request wire transfers or sensitive information from subordinates.
- Urgent requests for electronic funds transfers. This seems obvious, but if your company frequently sends payments electronically, thieves (literally) capitalize on that routine.
- Request for W-2 or other employee tax information. Tax forms are perfect trophies for criminals because, in addition to employee names, they often include the addresses, Social Security numbers (including spouse and children), bank account information, etc.
- Offers for luxury goods or entertainment you wouldn’t normally get on your work email. Fraudsters use information about your hobbies, favorite drinks, cigars — whatever they find on social media — and try to get you to click on links for “special offers.” Sounds silly, but it works.
What to Do if You’re Suspicious About an Email
Look for the S
Look at the address line and see if the site URL starts with HTTPS. The S means “secure,” which all pages that require your login information should be. Hackers can sometimes create false HTTPS addresses — but most fake login pages probably don’t have the S.
Double-check the domain
Hover your cursor over the sender’s name or email address to see the full address. Look at the domain name, that is, the part that follows the @ sign, which usually ends in .com, .org, etc. Sometimes hackers spoof a legitimate domain name closely enough that the difference is hard to spot, but sometimes it’s clearly a fake.
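The domain check above, and the “one character off” executive address described under whaling, can be automated. The following Python script is an added example, not code from the original post or from Computer Forensic Services or TechGen: it pulls the domain out of a From: header and compares it against a constructed list of trusted domains, flagging one-character typos, common look-alike character swaps, and trusted names buried inside a longer domain. The trusted domains and the header values are constructed samples.

```python
from email.utils import parseaddr

# Constructed sample: your own domain plus those of regular payees.
TRUSTED_DOMAINS = ("example.org", "builder-example.com")

# Digit-for-letter swaps attackers commonly use; partial, constructed list.
DIGIT_SWAPS = str.maketrans("01", "ol")


def normalize(domain: str) -> str:
    """Fold visually similar spellings (rn->m, vv->w, 0->o, 1->l) into one form."""
    d = domain.lower().strip()
    return d.replace("rn", "m").replace("vv", "w").translate(DIGIT_SWAPS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the part after the @ in a From: header, or '' if there is none."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Label a From: header: trusted, lookalike, embeds-name, unknown or malformed."""
    domain = sender_domain(from_header)
    if not domain:
        return "malformed"
    for t in trusted:  # exact match or a real subdomain such as mail.example.org
        if domain == t or domain.endswith("." + t):
            return "trusted"
    for t in trusted:  # one-character typo (examp1e.org) or swapped glyphs (exarnple.org)
        if edit_distance(domain, t) <= 1 or normalize(domain) == normalize(t):
            return f"lookalike of {t}"
    for t in trusted:  # trusted name buried in another domain (example.org.mail-login.net)
        if t.split(".")[0] in domain:
            return f"embeds name of {t}"
    return "unknown"
```

Anything labelled lookalike or embeds-name is worth a phone call to the supposed sender on a number you already have, rather than a reply to the email.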
Identify the file type of attachments
If an email contains an attachment, before you click on anything or follow any instructions, look at the attachment’s file type at the end of the file name.
Virtually any file type can contain malware, but in particular, watch for files ending in .zip, .exe, .bat, and .scr. Here’s a good list of the Windows file types most often used for delivering malware.
If an email is actually a phishing attack — especially if it’s a basic, mass-email campaign — chances are good that if you do an online search of the email’s subject line, you’ll see articles and notifications that confirm your suspicions.
What to Do if You Think You’ve Fallen for a Phishing Attack
Get offline PRONTO
If you think you’ve clicked on a phishing link or attachment, immediately take the device you used to do that offline. It may take installed malware some time to do its dirty work, such as sending out spam emails from your account or infiltrating your company’s servers. If the infected device is offline, you have a chance to get it cleaned before any of that happens.
Notify your email provider and your IT staff or outside IT services provider
Unless you’re experienced in handling malicious programs, don’t try to go it alone. You may need to have your business’s network inspected, all connected devices scrubbed, and your operating system and files re-installed from backups.
Of course, it’s critical to most businesses to get all of that done very quickly. But again, unless you really know what you’re doing, don’t rely on quick fixes you find online. Call an expert.
Report potentially fraudulent electronic money transfers to law enforcement immediately
Kyle says fraudulent money transfers can sometimes be frozen if the victims get the information to authorities quickly.
He recalls the FBI working with overseas financial institutions to get transfers frozen — but the chances of that happening decrease with every passing minute.
Don’t pay a ransom
Some phishing attacks infect your company’s devices and/or network servers with “ransomware.” It can freeze individual computers that hold critical information, and encrypt all the files in your servers. Pay up to unlock your data, or we’ll wipe it out, you’re told.
Don’t pay the ransom, Kyle recommends. Even if you do get your data back, you’ll just open yourself up to further attacks. And if you have a proper backup system in place, your data can be recovered after the malware is removed.
4 Ways to Protect Your Business Against Phishing Attacks
1. Don’t give any one person unilateral authority to approve and send electronic payments
Kyle admits this can be difficult in a small company. But he urges business owners to have at least two pairs of eyes on all funds transfer requests — it’s an effective safeguard against internal fraud as well as phishing attacks.
2. Use two-factor authentication
For your critical accounts, enable a second layer of security in addition to just entering a password. This adds a critical hoop for attackers to jump through.
Hackers who phish you and get your password still can’t log into your account, because in addition to your password, you need to enter a code that’s texted to your cell phone. As with many security measures, you’re sacrificing a bit of convenience for a lot of protection.
3. Get a professional assessment of your vulnerabilities
Even if you’ve installed a firewall, malware detectors, automatic backup and other security software, you need trained eyes on your entire system.
He recommends working with a provider who can assess your IT infrastructure’s vulnerabilities, and monitor the system continuously.
“There’s no such thing as a magic potion when it comes to cyber security, but these basic countermeasures can make your business a hard-to-reach organization — and that makes a big difference,” Kyle says.
4. Go beyond annual training — create a “culture of awareness”
Annual cyber security training can be a decent start, but Kyle believes it’s often ineffective by itself. It becomes just a thing employees need to sit through while they’re worrying about getting back to work.
He recommends smaller, more frequent reminders about the continuing threat of phishing. Bring in an expert to explain a recent cyber crime trend, for example, and share videos, articles, or white papers on current cyber-crime topics. He calls it establishing a “culture of awareness.”
With some clients, TechGen works with KnowBe4, a firm that provides online training modules, reinforced by fake phishing campaigns to see how many employees learned the lesson.
Kyle points out that this type of training gives you baseline data of your employees’ awareness, and you can then measure their progress.
The Worst Damage From Phishing is to Your Reputation
Just about every article and blog post I read about cyber crime against small businesses uses a variation on the scary statistics I listed at the top of this post. And for good reason. As a small business owner myself, however, it isn’t statistics like these that frighten me most. My greatest concern is my clients’ data.
After all, thieves aren’t after just your business’s data, they’re after the data you store for all of your customers and transactions. So, ultimately, the greatest cost of a cyber attack on a small business might not be stolen funds — it will be the damage to your reputation.
Phishing exploits the weakest link in IT security for most businesses: human nature. Cyber thieves have an endless bag of tricks, but we’ll look at how to spot some of the most common red flags of the three main types of phishing emails.
(For more information from Kyle Loven about cyber security for small businesses, read his Upsize Minnesota magazine article at Upsizemag.com.)