Phishing scams are the most common cyber attack, directed at millions of small businesses every day. Scammers send forged email messages to employees to trick them into clicking on attachments or links; these attachments or links lead to a page that captures the employee's login information. Typically, the link goes to a website that looks like a shared document request and asks the employee to enter their login details. When the employee types in their username and password, the credentials go straight to the hackers instead of to a legitimate site. This is why it is so important to use different passwords for all of your accounts: one password given away like this could give hackers access to a whole range of accounts.
What Happens Next?
The hackers will then use this information to access the employee’s email account and set up a forwarding rule that automatically sends all of the employee’s email messages to them. They employ people to read the messages until they see something interesting, like a financial transaction. When the payment instructions (by wire transfer, ACH, or other vendor payment information) are about to occur, they will make a copy of the payment instructions, change the routing numbers to their own bank, and then send “updated payment instructions” either using the employee’s email account that they accessed or by using a fake similar sounding domain name.
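The "fake similar sounding domain name" in the scenario above is something accounts-payable mail can be screened for automatically. The following Python script is an added example and not code from the original article: it compares the sender domain (and any Reply-To domain) of a payment-instruction email against a list of trusted vendor domains and flags homoglyph swaps, near-identical spellings, and trusted names embedded in an unrelated domain. The vendor list, the sample addresses, and the edit-distance threshold are all constructed for the illustration.

```python
"""Flag payment-change emails whose sender domain merely resembles a trusted vendor.

Added illustration, not the article's code. The trusted vendor list, sample
addresses and threshold below are constructed for the example.
"""
from email.utils import parseaddr

# Constructed: domains the accounts-payable team actually does business with.
TRUSTED_VENDOR_DOMAINS = {"acme-supplies.com", "northwind.example"}

# Character runs that look alike in many fonts: rn ~ m, vv ~ w, 0 ~ o, 1 ~ l, ...
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# How many single-character edits still count as "almost the same domain" (assumption).
MAX_EDITS = 2


def normalize(domain: str) -> str:
    """Lower-case the domain and collapse visually confusable character runs."""
    d = domain.lower().strip()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) via dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Return the domain of an RFC 5322 address header ('Name <user@host>' or 'user@host')."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def closest_trusted(domain: str):
    """Return (trusted_domain, reason) when `domain` imitates a trusted vendor, else None."""
    norm = normalize(domain)
    for trusted in TRUSTED_VENDOR_DOMAINS:
        if domain == trusted:
            continue  # exact matches are handled by the caller
        if normalize(trusted) == norm:
            return trusted, "homoglyph substitution"
        if levenshtein(norm, normalize(trusted)) <= MAX_EDITS:
            return trusted, "near-identical spelling"
        base = trusted.rsplit(".", 1)[0]  # e.g. 'acme-supplies'
        if base in domain:
            return trusted, "trusted name embedded in another domain"
    return None


def classify_sender(from_header: str, reply_to_header: str = "") -> dict:
    """Classify a message by its From (and optional Reply-To) header."""
    from_dom = sender_domain(from_header)
    reply_dom = sender_domain(reply_to_header) if reply_to_header else from_dom
    if reply_dom != from_dom:
        # Replies would leave the conversation even though From looks legitimate.
        match = closest_trusted(reply_dom)
        detail = f" ({match[1]} of {match[0]})" if match else ""
        return {"domain": from_dom, "verdict": "suspicious",
                "reason": f"Reply-To domain {reply_dom} differs from From domain{detail}"}
    if from_dom in TRUSTED_VENDOR_DOMAINS:
        return {"domain": from_dom, "verdict": "trusted", "reason": "exact match to vendor list"}
    match = closest_trusted(from_dom)
    if match:
        return {"domain": from_dom, "verdict": "lookalike", "reason": f"{match[1]} of {match[0]}"}
    return {"domain": from_dom, "verdict": "unknown",
            "reason": "not on vendor list; confirm payment changes by phone"}


def scan_messages(messages):
    """Classify a list of (From, Reply-To) header pairs; Reply-To may be empty."""
    return [classify_sender(frm, reply) for frm, reply in messages]


if __name__ == "__main__":
    # Constructed sample headers: one genuine vendor message and several imitations.
    SAMPLE = [
        ('"Acme AP" <billing@acme-supplies.com>', ""),
        ("billing@acrne-supplies.com", ""),                  # rn -> m homoglyph
        ("billing@acme-suppiles.com", ""),                   # transposed letters
        ("billing@acme-supplies.com", "billing@acme-supplies.co"),  # Reply-To hijack
        ("ap@acme-supplies.com.example.net", ""),            # vendor name as subdomain
        ("someone@randomcompany.net", ""),
    ]
    for result in scan_messages(SAMPLE):
        print(f"{result['verdict']:<10} {result['domain']:<35} {result['reason']}")
```

Run as a mail-flow rule or a nightly report over the accounts-payable mailbox, anything scored `lookalike` or `suspicious` should trigger the phone-verification step rather than a reply.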
What You Need to Watch For!
Phishing scams can be very hard to detect. Like all social engineering attacks, they are based on tricking users into doing things rather than directly exploiting vulnerabilities in a system.
There are four things you need to do to avoid becoming a victim of spear-phishing fraud:
1) Train employees to be on the lookout for spear-phishing attempts. Use a service like KnowBe4 to find employees who are especially vulnerable and teach them how to detect these messages.
2) Implement multi-factor authentication on email accounts. Unknown parties who have an employee’s password cannot log in as them without a second factor, such as access to their phone.
3) Train accounts payable staff to require follow-up by phone or some other non-email method for any significant payment information changes.
4) Train employees to immediately report any suspicious email to IT for investigation and follow-up. IT can change passwords and remove the forwarding rules hackers put in place.
You’ll notice that three of those four actions are non-technical training that applies to everyone who uses email. Defeating spear-phishing is an all-hands effort, not just an IT exercise. Educating your employees is the key to protecting everyone and stopping a phishing scam before it does damage.
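Step 4 above has IT remove the forwarding rules that hackers put in place, and the first section describes exactly what those rules look like: every message silently copied to an outside address. The following Python script is an added example, not code from the original article. It audits a mailbox's rule export for that pattern, and it assumes the rules have been exported to JSON with fields in the style of Exchange Online's `Get-InboxRule` and `Get-Mailbox` output (`ForwardTo`, `RedirectTo`, `ForwardAsAttachmentTo`, `DeleteMessage`, `ForwardingSmtpAddress`); the sample export and the internal domain list are constructed for the illustration.

```python
"""Audit a mailbox's exported forwarding settings for the auto-forward pattern.

Added illustration, not the article's code. Field names follow Exchange Online's
Get-InboxRule / Get-Mailbox objects, but the export below and the internal domain
list are constructed for the example.
"""
import json
import re

# Assumption: the organisation's own mail domains. Anything else is "external".
INTERNAL_DOMAINS = {"smallbiz.example"}

# Pulls bare addresses out of strings such as '"Sam Lee" [SMTP:slee@smallbiz.example]'.
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def recipients(value) -> set:
    """Normalise a recipient field (None, str, or list of str) to lowercase addresses."""
    if not value:
        return set()
    if isinstance(value, str):
        value = [value]
    found = set()
    for item in value:
        found.update(a.lower() for a in ADDR_RE.findall(item))
    return found


def is_external(addr: str, internal_domains=INTERNAL_DOMAINS) -> bool:
    return addr.rsplit("@", 1)[-1] not in internal_domains


def audit_mailbox(export: dict, internal_domains=INTERNAL_DOMAINS) -> list:
    """Return a list of findings for one mailbox export; benign filing rules are skipped."""
    findings = []
    owner = export["Mailbox"]

    # Mailbox-level forwarding is set by an admin (or an attacker with admin rights),
    # not through an inbox rule, so check it separately.
    ext = {a for a in recipients(export.get("ForwardingSmtpAddress")) if is_external(a, internal_domains)}
    if ext:
        findings.append({"mailbox": owner, "rule": "<mailbox forwarding>", "severity": "high",
                         "recipients": sorted(ext),
                         "reasons": ["mailbox-level forwarding to an external address"]})

    for rule in export.get("InboxRules", []):
        if not rule.get("Enabled", True):
            continue  # disabled rules are worth cleaning up but do not leak mail
        targets = (recipients(rule.get("ForwardTo"))
                   | recipients(rule.get("ForwardAsAttachmentTo"))
                   | recipients(rule.get("RedirectTo")))
        if not targets:
            continue  # move-to-folder or flagging rules without forwarding
        ext = {a for a in targets if is_external(a, internal_domains)}
        reasons = []
        if ext:
            reasons.append("forwards or redirects mail outside the organisation")
        if rule.get("DeleteMessage") or rule.get("MoveToFolder"):
            reasons.append("also deletes or files the original, so the owner may never see it")
        findings.append({"mailbox": owner, "rule": rule.get("Name", ""),
                         "severity": "high" if ext else "info",
                         "recipients": sorted(ext or targets), "reasons": reasons})
    return findings


# Constructed sample export for one mailbox: one filing rule, one internal forward,
# one external redirect that hides the original, and one disabled leftover.
SAMPLE_EXPORT = {
    "Mailbox": "jdoe@smallbiz.example",
    "ForwardingSmtpAddress": None,
    "InboxRules": [
        {"Name": "Receipts", "Enabled": True, "MoveToFolder": "Receipts",
         "ForwardTo": None, "RedirectTo": None, "ForwardAsAttachmentTo": None, "DeleteMessage": False},
        {"Name": "Cover for vacation", "Enabled": True,
         "ForwardTo": ['"Sam Lee" [SMTP:slee@smallbiz.example]'], "DeleteMessage": False},
        {"Name": "Invoices", "Enabled": True,
         "RedirectTo": ['"Archive" [SMTP:archive.mailbox@mail-backup.example.net]'], "DeleteMessage": True},
        {"Name": "Old rule", "Enabled": False, "ForwardTo": ["someone@outside.example.org"]},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_mailbox(SAMPLE_EXPORT), indent=2))
```

Run over every mailbox's export after a reported phish (and on a schedule), a `high` finding is the cue to reset the password, remove the rule, and then review what mail reached the outside address while the rule was active.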
Connetic’s IT consulting services team has the training, knowledge, and expertise necessary to mitigate these risks by implementing comprehensive security audit practices, security framework compliance, and end-to-end cybersecurity solutions. Contact Connetic’s IT services team to set up a security audit today or to learn more about how you can benefit from Connetic’s extensive experience and exceptionally managed IT services.