Trends in Cyber Crime: Business Emails
Hacking and cybercrime are in the news daily, and everyone has likely been affected in some way by the numerous high-profile breaches of the companies that store our data. The increase of these threats has awakened us to the reality that we need a level of vigilance that offers better protection.
According to the Identity Theft Resource Center, data breaches increased 40 percent in 2016, with a total of 1,093 reported breaches. This trend continued in 2017, with over 1,120 cases reported by October. Ransomware was the most common threat. Global ransomware costs due to business productivity impact and mitigation are estimated to have exceeded $5 billion in 2017. An additional $2 billion was paid to hackers in ransom over that same time period.
The good news? Ransomware is down 70 percent over the past year due to new countermeasures in antivirus software, firewalls, and other mechanisms to thwart the attacks.
The bad news? These changes didn’t put the cybercriminals out of business. Instead, they pushed the criminals to adopt other methods that eliminate the need for viruses and malware that can be detected by security software. Their newest method is known as Business Email Compromise (BEC), and it usually starts one of five ways:
- The takeover of an email account by stealing the password through social engineering (a phishing email and/or website tricking you to share login information),
- The takeover of an email account via a common password stolen from another compromised system where the same credentials are used,
- Spoofing of an email address (faking the from address as email systems don’t require verification of that information and assume it is accurate),
- Access to the email client from a virus on a workstation, or
- The sniffing (viewing) of unencrypted messages over the internet, particularly on Wi-Fi access points.
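Spoofing works because the From header is taken at face value, so a receiving system has to check it against other evidence. The following Python sketch is an added example, not part of the original article: it compares the From domain with Reply-To and Return-Path and reads the SPF/DKIM/DMARC verdicts recorded by your own mail server. The server name `mx.example.org` and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.org"  # assumption: the name your own mail server stamps
# Constructed sample message (not real traffic); example.* are reserved domains.
SAMPLE = """\
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=billing@example.net; dkim=none; dmarc=fail header.from=example.com
From: "Pat Vendor" <pat@example.com>
Reply-To: pat.vendor@example.net
Return-Path: <billing@example.net>
Subject: Updated payment details

Please use the new account for this invoice.
"""

def domain(header_value):
    """Lower-cased domain of the address in a header value, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def auth_verdicts(msg):
    """spf/dkim/dmarc results, read only from headers our own server added."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        server, *parts = value.split(";")
        if server.strip().lower() != TRUSTED_AUTHSERV:
            continue  # a sender can forge this header; ignore foreign ones
        for part in parts:
            method, _, rest = part.strip().partition("=")
            if method in ("spf", "dkim", "dmarc") and rest:
                verdicts.setdefault(method, rest.split()[0].lower())
    return verdicts

def spoofing_indicators(raw):
    """Return indicator strings; these prompt review, they are not a verdict."""
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    findings = []
    for header in ("Reply-To", "Return-Path"):
        other = domain(msg[header])
        if other and other != from_dom:
            findings.append(f"{header.lower()}-domain-mismatch")
    verdicts = auth_verdicts(msg)
    if not verdicts:
        findings.append("no-trusted-auth-results")
    for method, verdict in sorted(verdicts.items()):
        if verdict != "pass":
            findings.append(f"{method}-{verdict}")
    return findings
```

Legitimate bulk mail can also show a Return-Path mismatch, so treat each finding as a reason to verify the request through another channel rather than as proof of spoofing.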
So far in 2018, phishing emails are the most prevalent. These emails appear to come from legitimate contacts with a request to log in to a malicious website disguised as a trusted website. Because this method does not require a virus or malware that can be detected by antivirus software, it allows hackers to bypass many of the most common small business security measures.
With the stolen password, the criminals will log in to the email account (as well as any other servers, websites, or services on the network that use the same credentials) and quickly set up rules that forward any new incoming messages to an external account and hide incoming replies to messages the hacker has sent from the account. This ensures they still have access to the data even after a password reset. From there they will go through the email messages looking for sensitive information that can be sold in online black markets.
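Because forwarding and hiding rules survive a password reset, mailbox rules need their own review after any account takeover. The following Python sketch is an added example, not part of the original article: it audits an exported rule list for the two behaviours described above. The export schema, folder names and addresses are hypothetical and constructed for illustration.

```python
ORG_DOMAINS = {"example.com"}  # assumption: domains the organisation owns
QUIET_FOLDERS = {"deleted items", "junk email", "rss feeds", "archive"}

# Constructed export of per-mailbox rules; this schema is hypothetical.
RULES = [
    {"mailbox": "ap@example.com", "name": "Newsletters",
     "forward_to": [], "move_to": "Newsletters", "delete": False, "mark_read": False},
    {"mailbox": "ap@example.com", "name": "sync",
     "forward_to": ["copy@example.net"], "move_to": None, "delete": False, "mark_read": False},
    {"mailbox": "ap@example.com", "name": "cleanup",
     "forward_to": [], "move_to": "RSS Feeds", "delete": False, "mark_read": True},
    {"mailbox": "hr@example.com", "name": "To assistant",
     "forward_to": ["assistant@example.com"], "move_to": None, "delete": False, "mark_read": False},
]

def external_recipients(rule, org_domains):
    """Forwarding targets whose domain is not one the organisation owns."""
    return [a for a in rule.get("forward_to", [])
            if a.rpartition("@")[2].lower() not in org_domains]

def rule_findings(rule, org_domains=ORG_DOMAINS):
    """Reasons a single rule deserves review (empty list if none)."""
    reasons = []
    ext = external_recipients(rule, org_domains)
    if ext:
        reasons.append("forwards to external address: " + ", ".join(ext))
    if rule.get("delete"):
        reasons.append("deletes matching mail")
    folder = (rule.get("move_to") or "").lower()
    if folder in QUIET_FOLDERS and rule.get("mark_read"):
        reasons.append("moves mail to rarely viewed folder and marks it read")
    return reasons

def audit(rules, org_domains=ORG_DOMAINS):
    """Map (mailbox, rule name) -> reasons, for every rule with findings."""
    report = {}
    for rule in rules:
        reasons = rule_findings(rule, org_domains)
        if reasons:
            report[(rule["mailbox"], rule["name"])] = reasons
    return report

if __name__ == "__main__":
    for (mailbox, name), reasons in audit(RULES).items():
        print(f"{mailbox} rule {name!r}: " + "; ".join(reasons))
```

Run the audit across every mailbox that shared the compromised credentials, and remove flagged rules before treating the password reset as complete.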
The criminals will also search for messages related to financial transactions conducted with banks, vendors, or clients, either to inject themselves into the conversation and redirect payment locations or to mimic those messages and instigate new transactions to their own accounts. After they have obtained the information they’re looking for, they will send a copy of their phishing email to all of the contacts in your address book in an attempt to snare them in the same way you were compromised.
If and when you do learn of the problem, your system has already been breached and the damages are done. Changing your password and conducting a virus scan on your PC at this point, while advisable, doesn’t solve the problem of ensuring the hacker didn’t get deeper into your network. Further, it’s possible the hacker had been in the system for days, weeks, or even months. At this point, your IT team, along with external security specialist vendors and law enforcement, should be reviewing network and server logs to determine when the breach occurred, which systems were accessed, and what data was possibly compromised.
When you receive a phishing email from a business contact, you need to assume they have been breached and any of your sensitive data stored in their mailbox has been compromised. Request a post-breach analysis from them to ensure they are following breach investigation and reporting guidelines and requirements.
If the information you send and receive would cause you concern if breached in a phishing scam, it probably shouldn’t be in the email system. Most email messages you send and receive are not encrypted fully end to end (if at all) and can be intercepted in transit without ever needing to breach your account. Ensure that you are using trusted, secure, and encrypted web portals for any information that is sensitive. Additionally, be sure to use unique passwords on each system you use, as hackers may try the same email address and password across many popular e-commerce and banking websites. If a system allows you to use two-factor authentication (enter a one-time code from a text message in addition to your password), you should use it.
With cyber-attacks posing such a prominent threat to businesses, it is essential to create a plan to deal with the problem. Implementing and adhering to basic preventive and safety procedures will help protect your company from cyber threats.
Following are suggestions from a Federal Communications Commission (FCC) roundtable and the DHS’s Stop.Think.Connect. program for easily implemented security procedures to help ward off cybercriminals.
Security Tips for Your Company
- Install, use and regularly update anti-virus and anti-spyware software on all computers.
- Download and install software updates for your operating systems and applications as they become available.
- Change the manufacturer’s default passwords on all software.
- Use a firewall for your internet connection.
- Regularly make backup copies of important business data.
- Control who can physically access your computers and other network components.
- Secure any Wi-Fi networks.
- Require individual user accounts for each employee.
- Limit employee access to data and information, and limit authority for software installation.
- Monitor, log and analyze all attempted and successful attacks on systems and networks.
- Establish a mobile device policy and keep mobile devices updated with the most current software and anti-virus programs.
Security Tips for Employees
- Use strong passwords, change them periodically and never share them with anyone. Never repeat a password across accounts.
- Protect private information by not disclosing it unless necessary, and always verify the source if asked to input sensitive data for a website or email.
- Don’t open suspicious links and emails; an indication that the site is safe is if the URL begins with https://.
- Scan all external devices, such as USB flash drives, for viruses and malicious software (malware) before using the device.
Don’t Let it Happen to Your Company
According to the DHS, 96 percent of cybersecurity breaches could have been avoided with simple or intermediate controls. Strengthening passwords, installing anti-virus software, and not opening suspicious emails and links are the first steps toward cybersecurity. The FCC provides a tool to help small businesses create a cybersecurity plan.
A data breach could cripple your small business, costing you thousands or millions of dollars in lost revenue, sales, damages and reputation. Contact your ABIS Account Executive today to ensure you have the proper coverage to protect your company against losses from cyber-attacks.