2020 began only a few weeks ago and we have already seen a vibrant news cycle. On top of thinking about what is going on in our world, most of us are getting ourselves back into efficient work rhythms and some of us are going as far as starting new schedules with new goals. While IT security may not be what is trending on everyone’s vision board, it is something to heavily consider when planning for the year.
In Michigan, the greatest security risk to small to mid-size businesses (SMBs) is, without a doubt, email-based threats. Here at Worksighted, we see a variety of cyber threats daily, but two types show up every single day: “I need a favor” emails and phishing emails.
“I Need a Favor” Emails
Relatively easy to detect, “I need a favor” emails, as we refer to them in the tech industry, typically appear to come from a high-level user at your own company. On closer examination, you will find that the sender’s email address is an external address, not one from your company’s domain. The sender has set the display name to impersonate someone inside your company, and the message typically asks the recipient to perform a quick task or favor. A more advanced version we have been seeing lately is called a return-to scam; read more about that here. If the recipient responds, they usually get a request to purchase a large number of gift cards from a store, and occasionally the sender will ask that the gift cards be texted to them.
These are pretty easy to detect. First off, your company should implement a policy that a request to purchase gift cards will never be sent via email, and that no request to purchase gift cards is honored without face-to-face verification. Furthermore, your IT team can place a warning or notice on emails from outside senders, making it clear that the message came from an external address. If your company does this and you see the warning on an email that appears to be from a company user, that is a sure sign of an attempted scam. The initial request is typically between $500 and $1000, so the only loss in this scenario is money. We have seen cases where the sender follows up and asks for more, usually $2000 and up. Financial loss is serious, but compared to company data loss, the “I need a favor” scams are mild.
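The two signals described above (a display name that matches an internal user while the actual address is external, and an external-sender warning added by the IT team) can be checked automatically at the mail gateway. The following is an added example, not code from Worksighted or from this post; it assumes a hypothetical internal domain `example.com`, a constructed directory of internal users, and constructed sample messages, and it only uses the Python standard library.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed internal domain; replace with your own company's domain.
INTERNAL_DOMAIN = "example.com"

# Constructed directory of internal users: normalized display name -> mailbox.
# In a real deployment this would come from your directory service.
INTERNAL_USERS = {
    "jane ceo": "jane.ceo@example.com",
    "bob finance": "bob@example.com",
}

# Constructed sample messages (not real mail) covering the three cases.
SAMPLE_MESSAGES = {
    # Display name copies an executive, but the address is an outside webmail account.
    "impersonation": (
        "From: Jane CEO <jane.ceo.office@webmail.example.net>\n"
        "To: bob@example.com\n"
        "Subject: Quick favor\n\n"
        "Are you at your desk? I need you to pick something up for me.\n"
    ),
    # Genuine internal sender.
    "internal": (
        "From: Jane CEO <jane.ceo@example.com>\n"
        "To: bob@example.com\n"
        "Subject: Board deck\n\n"
        "Draft attached.\n"
    ),
    # Ordinary external vendor: external, but not impersonating anyone.
    "vendor": (
        "From: Billing <billing@vendor.example.org>\n"
        "To: bob@example.com\n"
        "Subject: Invoice 42\n\n"
        "Please see attached.\n"
    ),
}


def normalize(name):
    """Lower-case and collapse whitespace/commas so 'CEO, Jane' and 'jane ceo' compare alike."""
    return " ".join(name.lower().replace(",", " ").split())


def classify_sender(raw_message):
    """Return whether the From address is external and whether the display name
    impersonates a known internal user."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    internal = domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)
    # Impersonation: the name shown to the reader belongs to an insider, but the
    # address that will actually receive the reply does not.
    impersonation = (not internal) and (
        normalize(display) in INTERNAL_USERS
        or display.lower() in INTERNAL_USERS.values()
    )
    return {
        "display": display,
        "address": addr,
        "external": not internal,
        "impersonation": impersonation,
    }


def tag_external(raw_message, banner="[EXTERNAL] "):
    """Prepend an external-sender banner to the Subject of mail from outside the domain,
    the same idea as the warning an IT team adds at the gateway."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    verdict = classify_sender(raw_message)
    subject = str(msg.get("Subject", ""))
    if verdict["external"] and not subject.startswith(banner):
        if "Subject" in msg:
            msg.replace_header("Subject", banner + subject)
        else:
            msg["Subject"] = banner + subject
    return msg.as_string()


if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(label, classify_sender(raw))
```

The `impersonation` flag is the one worth routing to a quarantine or a reviewer: an external vendor is normal traffic, but an outside address wearing an executive's name is the exact pattern the post describes.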
The second and more serious email-based threat is phishing. Phishing involves attempts to trick a recipient into giving their password to an unauthorized third party. To better understand phishing and how you could be tricked into a scam, check out this blog by one of our Client Success Managers, Sydney Morris.
Phishing typically takes the form of a legitimate-looking email sent from a recognized contact.
These phishing emails often try to get the recipient to log in to receive a “secure document”, “view a proposal”, or “update your account”. Any unexpected or unusual email received from an internal or external contact should always be validated via a phone call, using phone numbers already on file (do not call any phone number listed in the suspicious email). Do NOT reply to the suspicious email. There are also a number of things your IT team can do to fight phishing.
Protect Your Company Against Phishing
First off, enabling MFA or 2FA (multi-factor authentication or two-factor authentication) can protect your account in the event that you fall victim to a phishing email and give away your password.
Properly implemented, MFA makes your account inaccessible to someone who has only your password. At Worksighted, we strongly recommend Duo Security for MFA. There are many other solutions out there as well; whichever you choose, MFA is very important for any important website or service.
While you may already be using MFA for some of your business accounts, you should look for and enable MFA for any personal account that allows it. Banking, email, and social media almost always make it available. Your IT team can also enable a number of email filtering and network protection practices to fight phishing. Worksighted recommends the use of Office 365 Advanced Threat Protection, and Cisco Umbrella Network Security to help stop phishing.
Even with all the tools at our disposal, the most powerful force to fight phishing is a trained user who is always on the lookout for an email-based scam.
As you organize your workflow goals for 2020, prioritize security. Set up MFA or 2FA if it isn’t in place and ask your company what security awareness training they can offer you, as well as what features they can enable to help you detect scams in your inbox.
If you are interested in a more comprehensive review of your risks, schedule a Risk Review today!