Large companies are at risk to cyberattacks and ransomware problems just like everyone else. However, most of the bigger corporations have structures in place, as well as greater financial power, to survive such an attack relatively unharmed. Yes, a major company may incur public embarrassment or minor data losses, but legal teams and 24-hour cyber-security departments are always present to repair from within. For a small to medium sized business (SMB) however, a data breach or hacking of your online finances could result in disaster.
Even though cyber-criminals will stand to gain more financially from larger companies, the reality is that they are aware of the vulnerability of small businesses. SMBs are typically lacking in IT security resources and budgets for fraud education and awareness. If employees are unaware of the ease in which a cyber-criminal can access their data through a single email, this leaves SMBs open to increased risk. This is especially the case when staff and management simply don’t expect such an attack to occur in their small company, due to far bigger corporations typically making headlines.
Often referred to as ‘phishing’, email fraud is very serious and it’s worth knowing what to look out for and how to prevent it. The security blog on Microsoft’s website states that while many other forms of cyber-crime are down in recent years, “phishing continues to be a popular method of attack, and we expect that to continue for the foreseeable future”. The truth is that a single email can lead to a criminal accessing any and all data in your business. Last year in Ireland it was found that almost 200,000 Irish employees fell victim to email fraud.
In the past, fraudulent emails were typically quite easy to spot. However, these days, advanced technology and meticulous preparation will sometimes present a fraudulent email as virtually indistinguishable from the real thing. Now, cyber-criminals usually send emails that pose as coming from places you may already know, such as a bank or a reliable business. While banks may be the obvious contender for such an email, cloud and IT companies are also used to pose for appearing legitimate.
Typically, the email will prompt a reader to click a simple link and avail of a special offer or to log into their account in order to solve an imaginary issue or more often, open a file. Once an individual clicks the link, they are usually brought to a webpage that impersonates the company a cyber-criminal is claiming to represent. Modern criminals can create almost exact copies of real websites. A user is then encouraged to provide personal details to who they believe is a reliable source.
Another example is when a false invoice or notification is sent highlighting a fictitious purchase, informing the reader that they can cancel a payment by logging into their account. After clicking through, the victim is then asked to provide sensitive information to a seemingly reliable contact.
Urgent Personal Emails
Another form of email phishing is to send the potential victim a direct message from someone who is impersonating an individual they personally know or have regular contact with. Using clever tactics to source personal information from an individual’s social media presence, these kinds of emails can be equally effective to link phishing. This targeted approach will not rely on the victim clicking a link but will instead prompt an immediate reaction from someone who is often posing as an authoritative figure.
For instance, after gathering sufficient personal data, a cyber attacker may pose as someone’s employer and request immediate action from the employee. In these situations, a staff member may be more concerned with responding quickly to their manager, rather than checking to see if the listed email address is legitimate. In these cases, a specific request is usually given instead of linking to another website. If a person truly believes their boss is asking them to send particular bank account information because of a payment issue for example, the cyber-criminal could get all the information they need through a victim’s direct email reply depending on what is shared. This can be especially devastating if a staff member is in control of the employee payroll and therefore has access to a wealth of information.
This method of direct and personalised email fraud can also be carried out in the reverse. A cyber-attacker could pose as an employee who is asking a manager to alter said person’s bank account information. Similarly to the previous example, potentially devastating results could occur from the leaking of sensitive data.
So, How Can YOU Avoid Email Fraud?
- Do not provide personal information to any unsolicited requests for information.
- Only provide personal information on sites that have “https” in the web address or have a lock icon at bottom of the browser.
- If you suspect you’ve received phishing bait, contact the company that is the subject of the email by phone to check that the message is legitimate and not an online fraud scam.
- Type in a trusted URL for a company’s site into the address bar of your browser to bypass the link in a suspected phishing message.
- Use varied and complex passwords for all your accounts.
- Continually check the accuracy of personal accounts and deal with any discrepancies right away.
- Don’t open messages from unknown senders.
- Immediately delete messages you suspect to be spam.
- Update your operating system regularly.
- Use up to date antivirus protection and a firewall.
Email fraud is still a major issue, but actively taking these steps in your business today could help keep you and your staff safe from cyber-crime.
Visit our website at itmonkey.ie, email firstname.lastname@example.org or call us on 045 409984 if you require assistance. We provide mail security, security awareness training and testing, firewalls, ransomware protection and everything else required to keep your business secure.