It’s Time to Come to Grip with Email Security – Secure the Inbox

You’ve heard how the story goes… In an enterprise company with many employees and making tons of money in a city or country far, far away, they opened their email and got HACKED!!!

Really?!! Perhaps they are only the ones we see or read news reports about. What about the many small businesses that have the same experience?

It may go something like this:

An email is received first thing, by everyone, with some exciting news! You know that everyone has been working hard at meeting and exceeding their goals, and there is a possibility of expansion, promotions and pay increases. It comes from the owner, the CEO, El Presidente, and it has the attachment you have been hoping for.

You have confirmed that the spelling of the sender’s email address is correct, along with the signature. You are surprised that an email of such importance went to junk. No problem, just mark it as not junk and help others do the same. What you did not realize is that it was sent to junk because the headers showed that this email was not sent from the owner’s mail server but from a server with an IP address in Asia that was spoofing your company’s email domain – a technique straight out of the cyber-crime textbook.

By mid-morning the owner is hearing about all of the frustration, because the so-called PDF attachment was actually an HTML attachment. The users unzipped the file it delivered and clicked on the Windows shortcut (.LNK), which mounted an ISO image as if it were a CD; clicking the next shortcut inside it started the execution and set up persistence. Everyone thought they were about to watch a video announcement. They were sorely disappointed! The document was laden with malware, and Qakbot was about to have a party. It had already provided backdoor access through every user who clicked on the email, and it was recording keystrokes, stealing passwords saved in the browsers and browser sessions for any sites already logged into – and this was just the beginning.

The staff was disappointed, and some thought it was strange, but they continued business as usual because they did not see any alerts from the antivirus. Qakbot is known to evade it: at first it is user-driven and does nothing malicious, and later it attempts to hide inside something that is already running by leveraging process injection. This behaviour will evade many antivirus and next-gen AV products if they are not tuned properly. Now the fun begins for Qakbot, as the threat actor uses it to browse the company network, upload a file or more, and set persistence for later remote access in case they are somehow disconnected. Will they be discovered before the end result, ransomware, happens?

Will it be more advantageous to stay in stealth mode and use the computers as part of their botnet, or to take what is possible now and begin the ransomware attack? Time to hang out a bit longer, because a week has passed and the company does not seem to be wary of what has happened. It becomes evident the next week that something has changed: the captured keystrokes show that, after communication with some business associates, they are a bit on edge and there is talk about having someone diagnose the computers. Now is the time to shake things up and kick off the ransomware! The threat actor has made their way through all of the computers, and in a matter of moments people start losing access to their files. They’ve been encrypted. Customer data, employee information and other vital files were skimmed and are now ready to be sold on the dark web. The threat actor demands $75,000 to release the data back to the company.

The company tries for more than a week to remove the ransomware, but eventually they give in and pay the money. It takes another two days to get the decryption key, and when they open their files, half of the data is corrupt.

Unfortunately, this happens often.

Owners of small and medium-sized businesses make the mistake of thinking that they are too small to be on the criminals’ radar. In reality, more than 40% of cyber-attacks are aimed at small businesses – precisely because they often don’t take the same security precautions that larger companies do, and they’re more likely to pay a ransom.

What’s the takeaway? It’s vital that smaller businesses take email security seriously – because the cost of a cyber-attack can’t just be measured in financial terms. It comes with a loss of productivity and loss of customer trust.

Employees are now panicked because they realize that there will not be a bonus, promotion or raise. Not only was money lost paying the ransom, but more was spent on the unsuccessful recovery and now a rebuild, along with the costs of breach notices. Will there still be work left after the embarrassing phone calls to customers and vendors?

Studies show that 60% of small businesses that suffer a data breach close their doors within six months of the attack.

Research by Deloitte found that 91% of all cyber-attacks begin with a phishing email (an email that looks like it’s from someone you know, but is actually from criminals).

That’s how web giant Yahoo was targeted a few years ago, exposing the contents of half a billion user accounts to criminals. And though we often only hear about these high-profile cases, small and medium-sized businesses are prime targets for these attacks.

Your business email needs to be as secure as it can possibly be.

Here’s what you need to know

First things first. If you use free email for yourself and all employees, stop! You don’t and cannot control a personal free email account. Implement business email. It looks more professional to have your business name after the @, and you get additional benefits too. Things like an integrated calendar, notes app, document cloud, and chat and video call facilities that you manage. You’ll benefit from a higher level of security and customization than you’ll get with your personal email account.

Using business email also gives you the ability to control employee accounts. So, when someone leaves you can block their access immediately. No sense in employees keeping company information in their free email account when no longer employed by you.

There are several aspects to email security: secure gateways or API driven security, encryption, multi-factor authentication, malware protection, and further authentication protocols. If this sounds like so much jargon, don’t worry. We’re experts at this stuff and we’re here to help all the way.

What kind of email attacks?

Phishing emails try to trick you into clicking a link, opening a file, or taking any action that causes harm. Attacks take several forms, each with a different way of trying to achieve a similar result.

Most phishing emails are sent to thousands of people at random. It might look like it’s from Amazon asking you to update your details, but the criminals have just thrown a lot of mud, hoping that some of it will stick. There’s no personal greeting, and it’ll often look ‘wrong’ compared to a genuine email from the company.

Look carefully and you’ll see that the address it’s sent from isn’t Amazon’s standard email address. The link will take you to a look-alike (spoofed) page that will steal your credentials as soon as you enter them. No!

Spear phishing is more targeted. It might include your name in the greeting, or it may be a more sophisticated Business Email Compromise attack. BEC attacks are usually targeted at a senior employee, or even the business owner, and try to trick them into transferring money or handing over sensitive information. This happens all too often…

CEO fraud happens where a company executive or the business owner is impersonated in emails to colleagues. We just read an example of this. This can involve email address impersonation – or spoofing – and they often request funds to be transferred. Attackers take time to study emails to get the right language and tone to convince the recipient that it’s a genuine email.

What’s the damage?

The impact of phishing attacks can vary, but the criminals have three main objectives:

Data theft – scammers will use ‘credential phishing’ to steal your customers’ personal information.

Malware – some attacks will install malicious software onto your device, which can potentially spread through your network. This could include spyware, which can log your keystrokes and track you online; or ransomware, which encrypts your data and demands a ransom to get it back.

Wire transfer fraud – CEO fraud and BEC attacks in particular attempt to persuade a target to transfer money to an account controlled by the attacker.

It’s social engineering

In the end, there is no technology that will absolutely defeat social engineering! All email attacks rely on someone in your business falling for the con. What does this reveal? That all of your employees need training: security awareness training, phishing simulations, a report-email button, and so on. This builds a culture of security within your business and reduces the chance that a ‘social engineering attack’ – a scam that convinces someone to take action – will succeed.

Everyone should know what to look out for, and what to do if they think an incident has occurred, including who to report it to and what immediate action to take.

Have an email use policy that sets out how your people should use their business email account, and the importance of following the rules.

Failure to make your whole team aware of the importance of good cyber security can be a costly mistake.

How we can help

Staff training will be one of the strongest tools in your arsenal, but we can also help by putting a raft of technical measures in place to lessen the chances of an attack, and to reduce the impact if it does happen.

We can layer email security to block or quarantine suspicious emails, scanning both incoming and outgoing email for malicious content.

We can configure SPF, DKIM and DMARC to help protect you from email spoofing. SPF lists which servers may send mail for your domain, DKIM signs outgoing messages so the receiving server can verify they were not altered, and DMARC tells receiving servers what to do (none, quarantine, or reject) when a message claiming to be from your domain fails those checks. This layered approach minimizes the risk of your domain being used successfully in BEC attacks, phishing scams, and spam email.
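As an added example (not part of the original post, and not a vendor’s product code), here is the alignment check a receiving mail server applies under DMARC, written out in Python against two constructed messages. The first mimics the story above: the visible From: is the company domain, but the server that actually sent it authenticates as a different domain, so SPF cannot align and there is no DKIM signature. The second is a legitimately signed message from the same domain. The domains, the `Authentication-Results` values and the `org_domain` helper (which takes the last two labels instead of consulting the Public Suffix List) are simplifying assumptions.

```python
"""Simplified DMARC alignment check (relaxed mode) over an Authentication-Results header.
Educational example: the sample messages below are constructed, not real mail."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed: visible From: is example.com, but SPF passed for the relay's own domain
# and there is no DKIM signature, which is what the story's "went to junk" headers looked like.
SPOOFED = b"""Return-Path: <bounce@relay-42.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=relay-42.example.net; dkim=none
From: "The Owner" <owner@example.com>
To: staff@example.com
Subject: Exciting news - announcement attached

See the attached announcement.
"""

# Constructed: a genuine message where both SPF and DKIM were evaluated for example.com.
LEGIT = b"""Return-Path: <owner@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "The Owner" <owner@example.com>
To: staff@example.com
Subject: Q3 numbers

Numbers attached.
"""


def org_domain(domain):
    """Relaxed alignment compares organizational domains (mail.example.com -> example.com).
    Assumption: last two labels; real DMARC uses the Public Suffix List."""
    labels = domain.lower().strip().split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header):
    """Extract spf/dkim results and the domain each was evaluated for.
    Returns e.g. {'spf': ('pass', 'example.com'), 'dkim': ('none', None)}."""
    results = {}
    for clause in header.split(";")[1:]:  # clause 0 is the authserv-id (the checking server)
        clause = clause.strip()
        m = re.match(r"(spf|dkim)=(\w+)", clause)
        if not m:
            continue
        method, result = m.group(1), m.group(2).lower()
        # smtp.mailfrom may carry a full address; keep only the domain part
        prop = re.search(r"(?:smtp\.mailfrom|header\.d)=(?:[^@\s]+@)?([\w.-]+)", clause)
        results[method] = (result, prop.group(1).lower() if prop else None)
    return results


def dmarc_verdict(raw_message):
    """DMARC passes if SPF or DKIM passed *and* the domain it passed for aligns with From:."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg["Authentication-Results"] or "")
    verdict = {"from_domain": from_domain, "reasons": []}
    for method in ("spf", "dkim"):
        result, domain = auth.get(method, ("none", None))
        aligned = result == "pass" and domain is not None and org_domain(domain) == org_domain(from_domain)
        verdict[f"{method}_aligned"] = aligned
        if not aligned:
            verdict["reasons"].append(f"{method} {result} for {domain!r} does not align with From: {from_domain}")
    verdict["dmarc_pass"] = verdict["spf_aligned"] or verdict["dkim_aligned"]
    return verdict


def dmarc_disposition(verdict, published_policy="quarantine"):
    """What the receiver does with a failing message, per the domain's published p= policy."""
    if verdict["dmarc_pass"]:
        return "deliver"
    if published_policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown DMARC policy {published_policy!r}")
    return "deliver" if published_policy == "none" else published_policy


if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("LEGIT", LEGIT)):
        v = dmarc_verdict(raw)
        print(name, "->", dmarc_disposition(v), v["reasons"])
```

Note that with `p=none` the spoofed message is still delivered; DMARC only becomes protective once the published policy is `quarantine` or `reject`, which is why the story’s message landed in junk rather than being dropped. The DNS side (the TXT records that publish the SPF rule, DKIM public key and DMARC policy) is not shown here.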

And we can deploy end-to-end encryption, which stops anyone from reading the content of your email unless they have the correct decryption key. That means only the intended recipient can read your email, and the content can’t be tampered with in transit without detection.

Better password management

You already know the drill here. Unique passphrases are best but long, strong randomly generated passwords from a password manager will do the job.

Not only will it create impossible-to-guess passwords, but you won’t have to remember them (or write them down on a Post-it note). Your password manager will keep your passwords secure and autofill them for you when required. This also stops the problem of passwords being reused for other online accounts, which is a huge security risk.

You need to implement 2FA/MFA (multi-factor authentication) wherever possible. As a second line of security, it requires a single-use code or PIN delivered to your mobile device, or a USB FIDO security key, each time you log in. Biometrics are another form of MFA, where you provide a fingerprint or retinal scan in addition to your password.

All this may make logging in a little more time consuming, but it can go a long way towards keeping your accounts secure.

And we always advise that updates and patches should be installed immediately to keep you protected against new threats.

It’s a lot to think about, but email attacks are one of the biggest security threats to small businesses. They need to be taken seriously.

So, if you think you need expert support, or you’re worried that making these changes might cause disruption, just get in touch. We do this every day. Give us a call or text us at 956-750-7310.