Scammers will use "credential phishing" to steal your customers information.
Everyone in the company gets an email at 6am. It comes from the head of IT and instructs everyone to follow a link to install an update.
Some people don’t spot that the head of IT’s name is spelt slightly wrong – a simple spoofing technique straight out of the cyber crime textbook.
The link installed ransomware that’s making its way through the network. Customer data, employee information and other vital files are skimmed, ready to be sold on the dark web. The criminals demand $75,000 to release the data back to the company.
The company tries for more than a week to remove the ransomware, but eventually they give in and pay the money. It takes another two days to get the decryption key, and when they open their files, half of the data is corrupt. This happens a lot.
Owners of small and medium-sized businesses often make the mistake of thinking that they aren’t on the criminals’ radar. In reality, more than 40% of cyber attacks are aimed at small businesses – precisely because they often don’t take the same security precautions that larger companies do, and they’re more likely to pay a ransom.
So it’s vital that smaller businesses take email security seriously – because the cost of a cyber attack can’t just be measured in financial terms. It comes with a loss of productivity and loss of customer trust.
Research by Deloitte found that 91% of all cyber attacks begin with a phishing email (an email that looks like it’s from someone you know, but is actually from criminals).
Your business email needs to be as secure as it can possibly be.
Phishing emails try to trick you into clicking a link, opening a file, or taking any action that causes harm. Attacks take several forms, each with a different way of trying to achieve a similar result.
Most phishing emails are sent to thousands of people at random. It might look like it’s from Amazon asking you to update your details,
but the criminals have just thrown a lot of mud, hoping that some of it will stick. There’s no personal greeting, and it’ll often look ‘wrong’ compared to a genuine email from the company.
Look carefully and you’ll see that the address it’s sent from isn’t Amazon’s standard email address. The link will take you to a spoof page that will steal your credentials as soon as you enter them.
Spear phishing is more targeted. It might include your name in the greeting, or it may be a more sophisticated Business Email Compromise attack. BEC attacks are usually targeted at a senior employee, or even the business owner, and try to trick them into transferring money or handing over sensitive information.
CEO fraud happens where a company executive or the business owner is impersonated in emails to colleagues. This can involve email address impersonation – or spoofing – and they often request funds to be transferred. Attackers take time to study emails to get the right language and tone to convince the recipient that it’s a genuine email.
All email attacks rely on someone in your business falling for the con. So it’s important to create a culture of security within your business to reduce the chances that a ‘social engineering attack’ – a scam that convinces someone to take action – will succeed.
Everyone should know what to look out for, and what to do if they think an incident has occurred, including who to report it to and what immediate action to take. Have an email use policy that sets out how your people should use their business email account, and the importance of following the rules.
And consider putting your team to the test from time to time... maybe by simulating a phishing attack, or holding refresher sessions where you quiz them on their knowledge.
Failure to make your whole team aware of the importance of good cyber security can be a costly mistake.
Staff training will be one of the strongest tools in your arsenal, but we can also help by putting a raft of technical measures in place to lessen the chances of an attack, and to reduce the impact if it does happen.
And we can deploy end-to-end encryption, which stops anyone from reading the content of your email unless they have the correct encryption key. That means your email is only ever received by the intended person and data can’t be tampered with.
Probably the easiest way to do this is by using a password manager. Not only will it create impossible-to-guess passwords, but you won’t have to remember them (or write them down on a Post-it note). Your password manager will.
You should enable multi-factor authentication (MFA), too. As a second line of security, this sends you a single-use password or PIN via your mobile device or a USB key each time you log in. Biometrics are another form of MFA, where you provide a fingerprint or retinal scan in addition to your password.
All this may make logging in a little more time consuming, but it can go a long way towards keeping your accounts secure. And we always advise that updates and patches should be installed immediately to keep you protected against new threats.
keep your passwords secure and autofill them for you when required. This also stops the problem of passwords being reused for other online accounts, which is a huge security risk.
It’s a lot to think about, but email attacks are one of the biggest security threats to small businesses. They need to be taken seriously.
Have Questions? Let's Chat!