SMB’s are a primary target for cyber criminals
Today, Cybersecurity is the top operational challenge. Essentially, it’s an attempt to obtain sensitive information and SMB’s are the primary target.
A chapter in one of our eBooks (Cybersecurity Tips for Employees) discussed Email Threats and explained about social engineering.
Social engineering is a non-technical, malicious activity that exploits human interactions to obtain information about internal processes, configuration and technical security policies. They do this in order to gain access to secure devices and networks. Such attacks are typically carried out when cyber-criminals pose as credible, trusted authorities. This then convinces their targets to grant access to sensitive data and high-security locations or networks. An example of social engineering is a phone call or email where an employee receives a message that their computer is sending bad traffic to the Internet. To fix this issue, end users are asked to call or email a tech support hotline and prompted to give information. This information could very likely give the cyber-criminal access to the company’s network.
Phishing Email Compromises
One of the most common forms of social engineering is email phishing. This is an attempt to acquire sensitive information such as usernames, passwords and credit card data by masquerading as a trustworthy entity. Phishing is likely the #1 primary email threat employees need to focus on. Such emails often spoof the company Director, a customer or a business partner and do so in a sophisticated, subtle way so that the victim thinks they are responding to a legitimate request. Among the reasons these scams succeed are the appearance of authority. For example, employees are used to carrying out Director instructions quickly. That’s why phishing can be so easy to fall victim to.
Four Common Phishing Techniques
The scope of phishing attacks is constantly expanding, but frequent attackers tend to utilise one of these four tactics:
- Embedding links into emails that redirect users to an unsecured website requesting sensitive information
- Installing Trojans via a malicious email attachment or posing ads on a website. Allowing intruders to exploit loopholes and obtain sensitive information.
- Spoofing the sender address in an email to appear as a reputable source and requesting sensitive information.
- Attempting to obtain company information over the phone by impersonating a known company vendor or IT department.
Email Security Best Practices – Five Ways to Block Phishing Attacks
Employees should always be suspicious of potential phishing attacks, especially if they don’t know the sender. Here are five best practices to follow to help make sure employees don’t become helpless victims:
- Don’t reveal personal or financial information in an email – Make sure employees also know not to respond to email solicitations for this information. This includes clicking on links sent in such emails.
- Check the security of websites – This is a key precaution to take before sending sensitive information over the Internet. <http> indicates the site has not applied any security measures while <https> means it has. Also consider if employees are practising safe browsing habits. Sites that do not serve a legitimate business purpose are also more likely to contain harmful links.
- Pay attention to website URLs – Not all emails or email links seem like phishing attacks, so employees may be lured into a false sense of security. Teach them that many malicious websites fool end users by mimicking legitimate websites. One way to sniff this out is to look at the URL (if it’s not hidden behind non-descript text) to see if it looks legit. Employees may also be able to detect and evade the scheme by finding variations in spellings or a different domain (e.g.,.com versus .net).
- Verify suspicious email requests – Contact the company they’re believed to be from directly.If an employee receives an email that looks odd from a well-known company, such as a bank, instruct them to reach out to the bank using means other than responding to the suspicious email address. It’s best to contact the company using information provided on an account statement – NOT the information provided in the email.
- Keep a clean machine – Utilising the latest operating system, software and Web browser as well as antivirus and malware protection are the best defenses against viruses, malware and other online threats. It may be difficult for employees to do this, so the business may want to invest in a managed IT services provider who can also be a trusted advisor for all IT needs.
Please pass these tips onto friends and colleagues, and if you would like to know more about the managed services we can offer and how this will help your business fight cyber-crime please click here.