Cybersecurity: Phight the Phish
Cybersecurity is all over the news, and with good reason. This year alone, global cybercrime damages are projected to reach six trillion dollars. Cybercrime is so popular because it is an extremely lucrative business. The United States is the most popular target for cybercrime because, more than in any other country, U.S. victims are likely to pay. The FBI receives thousands upon thousands of cybercrime complaints every day, making it impossible for the bureau to investigate each one. Therefore, a misdirected wire transfer resulting in a loss of less than ten million dollars will not receive much attention. With so much at stake, it is no wonder that state governments are passing legislation mandating that small businesses enact safeguards against cybercrime. The number one type of cybercrime by victim count is phishing, and the biggest victim losses come from Business Email Compromise (BEC). Phishing is a type of social engineering that ranges from the simple to the complex, but every variant has the same core: a cybercriminal uses a fraudulent message designed to trick a human victim into revealing sensitive information or into deploying malicious software, such as ransomware, on the victim's technology infrastructure.
Phishing is simple to set up and truly effective, which is why the attacks are relentless. There are concrete, specific actions a small business can take now to reduce the chances that it and its employees will fall victim to a phishing attack. Take these actions now to protect your business from the attempted cybercrime that is certainly coming.
1. Cybercriminals Don’t “Hack In”, They “Log In”
The most important thing to remember about cybercrime is that cybercriminals don’t hack in, they log in! Their frauds are designed to trick a person into revealing their credentials. They do this with phony password expiration notices or fake web pages that appear to be linked to something important, such as banking, healthcare, school or business. They may even use SMS texts or phone calls to commit their crimes. Most cybercriminals don’t target specific people. Instead, they target easy victims with weak security. If one person proves difficult to crack, they move on to someone easier. Right now, the most popular phishing scams are focused on:
Hispanic Heritage Month: Click here to see the planned activities near your home
Fraudulent Credit Card Charge: Login and see the recently posted charges
Urgent Voicemail Waiting: You have a voicemail marked “Urgent”, click here to listen to the message
Overall, the most tried and trusted ways to steal money through e-mail and phishing are campaigns with a proven track record of luring people into revealing their credentials:
Fake Tax Notices
Update Your Account
You’re a Winner
Check This Out
2. Know the Signs of a Phishing or Spoofing Scam
Spoofing an email address is as easy as changing the “From” name in an iPhone’s settings or a Gmail account.
Cybercriminals can spoof a web page address as well. They create a website domain or email template that mimics a legitimate site. The designs are professionally created and use legitimate logos, making them almost impossible to distinguish from the real thing.
There are several signs of illegitimacy in this example.
The e-mail appears to come from Apple, but the sender has a “live.com” email address, which is a Microsoft domain.
The subject line is extremely long. Legitimate messages from legitimate companies do not have long subject lines.
October is spelled “oktober”.
The language, grammar, punctuation or wording is not quite right.
The message is marked “Urgent”. Cybercriminals hope to reduce inspection by tricking people into believing they must act urgently or something bad will happen.
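As an added example that is not part of the original article, here is a small Python check that flags three of the signs listed above in a constructed e-mail: a display name claiming a brand whose real domains do not include the sender's, a very long subject line, and urgency language. The brand-to-domain table and the 80-character subject threshold are assumptions made for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed brand-to-domain table; a real deployment would maintain a curated list.
BRAND_DOMAINS = {
    "apple": {"apple.com", "email.apple.com", "id.apple.com"},
    "microsoft": {"microsoft.com", "live.com", "outlook.com"},
}
URGENCY_WORDS = ("urgent", "immediately", "act now", "suspended", "within 24 hours")
MAX_SUBJECT_LEN = 80  # assumed threshold; legitimate subjects are rarely this long

def phishing_indicators(raw_message: str) -> list:
    """Return the signs from the list above that appear in one raw e-mail."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = (subject + " " + (body.get_content() if body else "")).lower()
    found = []
    # Sign 1: display name claims a brand, but the address belongs to someone else
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and sender_domain not in domains:
            found.append(f"claims to be {brand} but sent from {sender_domain}")
    # Sign 2: unusually long subject line
    if len(subject) > MAX_SUBJECT_LEN:
        found.append(f"subject line is {len(subject)} characters long")
    # Sign 3: pressure to act now
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        found.append("urgency language: " + ", ".join(hits))
    return found

# Constructed sample modelled on the signs above (not a real message)
PHISH = """\
From: Apple Support <appleid.verify@live.com>
Subject: URGENT: Your Apple ID has been locked and will be suspended unless you verify your billing details immediately oktober 2021
Content-Type: text/plain; charset="utf-8"

Your Apple ID was used on a new device. Verify now or the account is suspended within 24 hours.
"""
# Constructed benign message for comparison
LEGIT = """\
From: Apple <no_reply@email.apple.com>
Subject: Your receipt from Apple.

Thank you for your purchase.
"""
```

Calling `phishing_indicators(PHISH)` returns three indicators, while `phishing_indicators(LEGIT)` returns an empty list.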
3. Password Best Practices
Cybercriminals are very sophisticated and understand the difficulty most people have coming up with new passwords, especially in a business where they must change every 90 days. Therefore, a password like “Yankees2020” is changed to “Yankees2021” or “Y@nkee$2021”. This isn’t fooling anyone. Cybercriminals use algorithms to try every variation of a password and figure out the slight modifications that will get them in. Consider these points when managing passwords.
Instead of a password, use a pass phrase. Something easy to remember and personal, but more difficult to guess and unrecognizable to a stranger. For example, “Snow White & The 7 Dwarfs 2021” or “B@ke Cookies with Peas 2025”. Use spaces in your pass phrases to increase the difficulty of guessing them.
Do not allow employees to reuse an old password. Without this enforcement in place, many companies fall victim to scams because it appears employees change their passwords every 90 days when, in fact, they only modify an old one: “Summer2021!” becomes “Winter2021!” and so on.
Do Not Share Passwords. If someone else knows your passwords, the chances of a cybercriminal compromising the credentials go up astronomically. It has nothing to do with the amount of trust placed in the person who knows the password. Do not share passwords with anyone.
Keep Work and Personal Passwords Separate: Cybercriminals are counting on victims to use the same password repeatedly, which means once they have one set of credentials, they can try them on other accounts, such as Amazon, Apple, Venmo and more. A small business should mandate a policy that company passwords are complex (requiring at least 10 characters with a combination of letters, numbers and special characters), change every 90 days and are unique to the company.
Use a Password Manager: Password Managers not only remove the need to remember complex passwords but generate complex passwords to use. They warn you if the same password is used for multiple accounts and constantly scan for breached information. The most popular password managers are LastPass, Dashlane and 1Password.
Use Two-Factor Authentication on All Possible Accounts: Two-factor authentication (also called two-step authentication or “2FA”) is an important security measure that adds a second layer of protection beyond a password. This extra layer makes it much more difficult for cybercriminals to break into accounts, even if a password is compromised.
It’s important for all employees to develop the skill of telling fake emails from real ones. Take Google’s phishing quiz to see if you’re up to the task.
Roark Tech Services is a cybersecurity expert focusing exclusively on protecting small businesses. We offer free cybersecurity assessments to highlight weaknesses in the necessary safeguards the government is enforcing. We are well positioned to make the best suggestions and recommendations for our clients when it comes to how to best protect themselves. Always consult with us first.
If you don’t have an IT Partner that you can trust to give you the right support and advice, we'd love to help. Contact us.