October is National Cyber Security Awareness Month, so we thought this would be a good time to pause and take a closer look at just a few of the scams making the rounds right now. Threats are on the rise, and they're becoming more sophisticated. Understanding how they work, and what you can do to protect yourself, can help.
Spam vs Scam
Spam is so last-decade. Why expend a lot of time and energy to try and convince people to buy a product on which you make a small margin when you can scam people instead and put 100% of the proceeds in your pocket?
Today's email filters have to do more than detect spam. They have to analyze content, intent and links to determine if the message is a security or financial threat as well. Spam is still out there, but the real money now gets made through scams instead. And things have come a long way since we first heard from our friend the Nigerian Prince...
I need you to run a quick errand. Do you have a moment?
The boss emails someone in the company, asking them to pop out and buy some gift cards for a client promotion or customer giveaway. It's okay to put them on your personal credit card. The company will reimburse you. You'll need to buy 20 cards, each worth $100. You may have to visit several stores to buy that many. Oh, and once you get them, please scratch the back and reply with the codes?
Yes, people fall for this, even though the address the message was actually sent from often isn't internal at all.
Pro Tip: Threats don't just arrive by email. They can come through the regular mail, a phone call, even a text message. For this reason, we can't rely on email security filters alone to protect us. We have to use common sense and treat all communication with a healthy dose of suspicion.
Someone you know sent you a document. Click here to retrieve it.
It looked legit, right? There was a Microsoft or Google logo on the message, the link pointed to OneDrive or Google Docs, and the sender email seemed to match someone you know or have done business with. So you fetch the file, open it, and the payload encrypts every file on your computer and across the network.
Don't worry. For the bargain price of $20,000 the attacker will send you the keys to get all your data back.
I have your email password, and/or webcam footage of you.
But if you would only send me some bitcoin, I promise I'll delete the video.
How to Protect Against Scams
There are things you can do to keep yourself, and your money, safe from attacks like these.
- Deploy and configure security filters to identify threats arriving by email. Filters aren't foolproof, but if configured correctly, they'll block 98% of phishing and virus/ransomware attacks arriving by email.
- Develop mail server processing rules to identify Display Name spoofing so messages appearing to come from a company official but not originating from inside the network are flagged as suspicious.
- Use Multi-Factor Authentication (MFA) wherever possible.
- Enroll in Security Awareness training so you can learn how to identify red flags in all forms of communication.
- Roll out a strict DMARC policy restricting which systems are permitted to send email from your domain.
- Implement strong internal policies, processes and procedures that must be followed whenever a request involving the disclosure of data or a financial transaction of any kind arrives by email, phone or text message. (For example, require a call-back to a known-good number for the person who appears to be making the request, or require a second company official to sign off before any action is taken.)
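To make the display-name rule in the list above concrete, here is an added example (not code from the original post) of a small check a mail-processing rule could run on the From header: it flags messages whose display name borrows a protected executive's name, or embeds an internal address, while the real sender is outside the company's domains. The domain, the names and the sample headers are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed example values: the company's own sending domains and the
# executives whose names scammers like to borrow. Replace with your own roster.
INTERNAL_DOMAINS = {"example.com"}
PROTECTED_NAMES = ["Jane Doe", "John Smith"]


def name_tokens(text: str) -> set:
    """Lower-case word tokens, so 'Doe, Jane', 'jane DOE' and 'Jane Doe (CEO)'
    all contain {'doe', 'jane'}."""
    return set(re.findall(r"[a-z]+", text.lower()))


PROTECTED_TOKENS = [name_tokens(n) for n in PROTECTED_NAMES]


def is_display_name_spoof(from_header: str) -> bool:
    """True when the display name uses a protected name (or an internal address)
    but the actual sender address is outside the company's domains."""
    display, addr = parseaddr(from_header)
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if sender_domain in INTERNAL_DOMAINS:
        # Internal sender: forged envelope/header domains are SPF/DKIM/DMARC's job.
        return False
    tokens = name_tokens(display)
    if any(protected <= tokens for protected in PROTECTED_TOKENS):
        return True
    # Variant: an internal address stuffed into the display name, e.g.
    # From: "jane.doe@example.com" <someone@freemail.example>
    embedded = re.findall(r"@([a-z0-9.-]+)", display.lower())
    return any(dom in INTERNAL_DOMAINS for dom in embedded)


def flag_suspicious(from_headers):
    """Return the From headers a processing rule should mark as suspicious."""
    return [h for h in from_headers if is_display_name_spoof(h)]


if __name__ == "__main__":
    # Constructed sample headers for the demo.
    sample = [
        '"Jane Doe" <jane.doe@example.com>',
        '"Jane Doe" <jane.doe.ceo@freemail.example>',
        '"Doe, Jane" <jdoe1987@webmail.example>',
        '"jane.doe@example.com" <helpdesk@freemail.example>',
        '"Bob Builder" <bob@freemail.example>',
    ]
    for header in flag_suspicious(sample):
        print("SUSPICIOUS:", header)
```

A rule like this only adds a warning banner or quarantines for review; it does not replace SPF, DKIM and DMARC, which cover the case where the sender address itself is forged.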
Scammers are Relentless
This isn't going to stop. It's only going to get worse. Small businesses are just as likely to be targeted as large organizations, and since they have fewer resources to devote to security, attacks against them are more likely to succeed.
If you need a little help with your Cyber Security strategy, feel free to reach out. We're here to help.