I want to lead with we never want to be the organization scaring someone into paying for a service. In all honesty, we hate being in the position where we have to say if you don’t buy something, something bad could happen. It makes us feel like we are selling insurance, which is not the business we are in. However, you entrust us with all of your IT needs and your business’ network security; Thus, it is our responsibility to make you aware of the climate we see in our sector and the topics that come up over and over again at various industry conferences. On the flip side of the coin, we also have witnessed, firsthand, the devastation these types of attacks can cause and have seen the look on a business owner’s faces as their life’s work is put into jeopardy. At the end of the day it is up to you, the client, to decide if not spending or not implementing a solution is worth the risk.
Scary Stats – Is it worth the risk?
- 91% of cyber-attacks start with an email.
- Over $12 Billion has been lost due to Phishing and account takeover.
- 88% of organizations around the world experienced Phishing attempts in 2019.
The Scenario: (This is a generic example of how it happens)
Step 1: Finding their victim / How they are targeting.(Cybercriminals use all the information they can obtain from the publicly available sites below to target their victims)
- Google company name/industry
- Social Media – Find out who works where and who likes them
- LinkedIn – Figure out who holds what positions at an organization
- News/publications – Find out the happenings of the company
Step 2: Phishing – How they fool the end-user
A user inside of an organization, let’s say the CEO (Shelly), gets some spam emails every day along with legitimate emails. Her inbox is pretty full so she is trying to dig through emails. She happens to see an email that looks like it came from Microsoft. The email is very well crafted, with great graphics and verbiage to make it look more legitimate than Microsoft’s actual authentication emails or pop-ups. The email states she must enter her username and password or her email will stop working. Shelly wants to keep moving through her emails, so she pops in her credentials and continues to plow through her inbox to handle all of her emails for the day. Unknowingly, Shelly just submitted her username and password, not to Microsoft but to a cyber-criminal. The cyber-criminal then goes to Microsoft or Google’s website and just pops in her credentials. He now has full access to her email account, and she is none the wiser.
Step 3: They are in! Their different paths of DESTRUCTION, EXTORTION, AND FRAUD
From here the cyber-criminal now has full control of the CEO’s email box. There are many different items they have access to at this point.
- Confidential emails – They could publish these on the Internet and tarnish Shelly and her business’s reputation. Or worse break industry-specific rules that apply to her business’ confidentiality.
- Access to Vendors – They now have contact information for all Shelly and her organization’s vendors and could email as Shelly.
- Create Rules in your mailbox– Rules can be created so if they send an email as Shelly, the person they are emailing (such as a vendor) emails back, thinking they are talking to the CEO. That email gets moved to a separate mail-box and the CEO is kept in the dark.
- Crypto – Viruses such as various forms of Cypto Encrypt all of the company’s files rendering them unusable unless payment is made to the cybercriminal, usually in the form of untraceable bitcoin. (Think about it, what if the main systems you use every day: from your main application, files, all the way to your accounting system, was locked and you had no access. What would that do to your business? ) We have personally seen organizations pay thousands for the passwords to these viruses and there is no guarantee you will get the code to unlock the systems. Many times they take it a step further and even encrypt the backups preventing you or your managed service provider from doing a restoration to bypass their monetary demands.
- Banking info: Shelly sends info to her CFO often to wire money to specific vendors. The cyber-criminal emails the CFO and requests a wire to what appears to be a legitimate vendor, the CFO proceeds with the wire because, after all, it was the CEO who requested it.
- The cyber-criminal sees that the CEO banks with Chase, so the criminal attempts to log in to the Chase site. They click the “forgot password” button and guess where that new password gets sent to? You guessed it, to the CEO’s email account. Boom! They now have full access to the company’s bank account.
Upload viruses – Viruses can be sent to internal users with the intention of infecting the network or servers. Users will be more likely to open the email because it’s coming from their boss, the CEO, and it’s a valid legitimate email account.
The Olden Days: How attacks used to happen.
The old standard cyber-criminals used to “spoof” an email address to achieve the same thing. Spoofing is when a cyber-criminal fraudulently uses a fake email server to pose with someone’s name and email address. On the surface, it may appear to be legitimate but the technical items behind the scenes are not and are easily blocked by anti-spam security services. The reason email security services can block this type of email is that the service checks the server it’s coming from and inspects to see if it’s actually who it says it is and, if it is not, the email is blocked. These types of attacks still occur today, however most are blocked.
The above scenario flies through any anti-spam/security services because it’s coming from the actual email account, from the actual servers so the spam/security service does not block it.
Long story short.
The cybercriminal wants and gets the CEO’s username and password. He wants to use those credentials to gain access to the email account in an effort to wreak havoc and commit fraud. This is where having hefty email security is absolutely paramount.
What can you do?
- Dual Factor Authentication– This is the second form of authentication, either a code that is texted to you or generated by an application. Let us rewind back to the beginning of Shelly’s day. If you recall, she has entered her credentials into a fake Microsoft email. Once again, the cyber-criminal is on cloud 9, he has the CEO’s username and password! He moseys on over to the Microsoft site and punches in the username and password. He is salivating as he hits the last few keystrokes of the CEO’s password. As he is overcome with joy and arrogance of what a good job he has done, dreaming of the money he will make or damage he will inflict he slams down on the enter key, only to find the site is asking for a special code that is either texted to the CEO or generated by an app on the CEO’s phone. The cybercriminal is furious and moves on to his next target. (See our blog article on dual factor auth)
- Email Security/Anti-Spam – Make sure to have a quality anti-spam/email security service. This will filter out spoofing, ordinary spam as well as viruses that are emailed to your organization.
- Email Stamp – This can be implemented very easily. It’s a stamp that states when an email originated outside your organization. Even if a spoofed message comes through, the email will be stamped letting the end user know that it originated outside of the organization.
- Employee/User Awareness – Most organizations scoff at this one. I hate to be so straight forward but normally they are overconfident in the fact that their staff could be fooled by an email. We hear often “Oh, so and so would never fall for something like that” or they think it will be impossible to educate their staff. It is usually one extreme or the other. There is a solution. Fuse provides a service called Managed Phishline. The service sends fake emails to all your staff at random. Each month management is provided with a scorecard on who fell for what attack tests. We also provide training material so when you bring it to the staff members’ attention they can be properly trained on how to handle the specific scenario. This also increases their awareness and keeps it heightened even when they are not being tested.
- Anti-Virus – Make sure all workstations and servers are running a current up-to-date anti-virus solution.
- Firewall – Your office should be protected by a firewall that runs anti-virus on a network level, as well as anti-threat detection. (Fuse Managed Firewall)
- Backups – You should have both a local and remote backup that is constantly managed. (Fuse Managed Backup)
- Cyber Insurance – We always recommend that clients get with their business insurance provider and make certain they have a cyber insurance policy and that they have the correct amount of coverage.
- Sentinel – This is a new service Fuse is offering where an AI (artificial intelligence) is used to analyze how you speak in emails and how people speak that reply to you. It then uses that information to block emails that don’t fall under those guidelines.