Phishing up a storm
Phishing is something we all experience. It’s that email from a bank that says, ‘your account has been compromised, please check your details by clicking on our link below’. It has a logo from your bank (or someone else’s) and high hopes that you will click on that link.
Of course, it’s not from your bank. It’s from a hacker who wants you to put in your details so they can access your accounts.
Fully urgent - act immediately
Whaling takes phishing to the next level. Whaling is all about fooling a user into thinking their boss (or the CFO or someone equally important) has emailed an urgent request through. For example, ‘Please pay this person $25,000 into this account before the end of the day. It’s VITAL this happens’. It relies on the recipient being so unwilling to upset the boss that they’ll act on the email’s instructions without checking or verifying.
Give me your money or your files get it
Ransomware is also sadly on the rise, with notorious examples like Cryptolocker. Victims have clicked on a link or opened an attachment in an email and discovered their computer (and potentially their entire company’s data network) is locked down and inaccessible. The only way to retrieve your data is to pay a ransom - hence the name.
It’s not always the technology that’s the weakest link
Social engineering is a series of tricks designed to get people to hand over access or information to a third party - there’s a striking example in season 1, episode 5 of Mr. Robot when Elliot uses ‘human exploits’ to get into Steel Mountain. Instead of tackling the security system head on, hackers rely on fooling well-meaning users into revealing passwords or simply handing over the information they’re after.
So what is a business owner to do? Generally speaking, most small and medium businesses don’t have an IT manager and probably don’t have the expertise to spot problems before they arise, let alone fix them.
Mark Churches is the manager of fraud detection and response services for Spark and he says the very basic, first step everyone should take is to make sure their technology is up to date. Security patches, virus signatures and software updates are very important, but shouldn’t be relied upon totally.
“They tend to generate a false sense of security because the technology isn’t usually the weakest link. It’s people,” says Mark.
Fraud techniques like phishing and whaling are constantly evolving, and for the small business that means you have to stay on your toes.
Imagine you’ve just received an email from the boss asking you to urgently set up a payment to an account you’ve never heard of before. Do you jump to it, or should you check?
Mark suggests ringing the boss to double-check. No senior manager would object to someone double-checking before authorising a large payment, and it’s better to be safe than sorry.
“Big business tends to have these procedures in place and they stick to them. Smaller businesses tend not to and that makes them vulnerable to attack.”
Mark says there are four things a user should do when looking at an email or communication that may be suspect.
1. Always double-check if you’re suspicious about a request or a large payment.
2. Look at the spelling and at the phrasing of the email - does it sound like the CFO or not?
3. Does the email ask you to break normal procedures? If so, this is a red flag.
4. Check the sender’s email address - is it from within the business or from somewhere else?
Mark has one final piece of advice: don’t reuse passwords. “Sharing passwords between multiple services means if you’re compromised in one area you have potentially given away access in another. By collecting bits of information from various sources a hacker can put together a complete picture of you and your online world. That’s a big problem.”
What’s next for you?
If you’ve received any suspect email or want to better protect your company’s security systems, get in touch. We can have a look and suggest services for your company’s size and requirements. Keen to see Mr. Robot? You can find out more about it and watch seasons one and two on Lightbox.