Small and medium sized businesses are not actively being targeted by cyberattackers, so I‘ve got time to get my security measures in place, right?
You are not alone in thinking this however. According to a recent study conducted by Edelman Intelligence for the major US insurance provider Nationwide, 41% of business owners believe cyberattacks happen more frequently in large businesses than in small businesses. In actuality, small businesses are often more vulnerable to cyberattacks than large businesses because they lack the financial and technical resources to implement robust security infrastructures. And don’t think it’s any different in Canada.
According to the Canadian Chamber of Commerce, Canadian businesses are losing over $3 billion a year to cybercrime and with SMEs comprising 98% of the Canadian economy, small businesses are getting hit hard. In Scalar 2017 Cyber Security Readiness Study of Canadian Organizations, 36% of respondents indicated a loss of of intellectual property over the previous 12 months due to cyberattack, and 35% reported that their employees were targeted by ransomware. Not to be a total downer, but that data reflects only known threats or incidents.
While cyber threats come in diverse and evolving forms - DDoS attacks, hacking, malware, spyware, social engineering, spoofing, etc. - the most pervasive is still phishing. The Canadian Securities Administrators (CSA) found that phishing, and impersonation via fraudulent emails were the first and third most common cyber incidents experienced by Canadian businesses in a survey of over 1000 firms. Even Jeh Johnson, the US Homeland Security Chief, called out phishing as the agency’s “top hacking threat” back in November 2016. That’s right, your old friend email is cyber enemy number one when it comes to your business. What’s makes this especially lousy is that email is the great common tech denominator - almost every business and most employees use it at least occasionally.
Phishing emails can be used as an entry point to steal proprietary information, deliver malware, or to defraud a company of money. They are also evolving and getting more sophisticated each year, leveraging business-specific and targeted information such as contact details, billing information, logistics and more.
Just last week a member of Webnames' finance team was the target of pretty sophisticated phishing variant known as business email compromise (BEC). This individual received two email requests over a period of a couple hours which impersonated a senior member of our team, spoofing that individual’s exact email address, to request a wire transfer of funds. Luckily, our team is both small and cyber threat savvy, so the recipient was able to inquire about the legitimacy of the email right away. Despite this, it was super disconcerting to know that the identify of someone in our company was leveraged to try to defraud us. While our story ended well, many others don’t. Take for example McEwan University in Edmonton, Alberta. Earlier this summer they were defrauded of almost $12 million dollars when staff sent direct payments to cyber criminals who impersonated one of their major vendors.
With the threat level higher than ever and a new year on the horizon, it makes sense to review the various types of phishing emails you or your staff might encounter in 2018, as well as some steps you can take to limit their potential damage.
Phishing, Spear Phishing and Business Email Compromise
With a standard phishing attack, a generic message is typically sent to large groups of people, sometimes in the same organization. Fraudsters may impersonate a legitimate company (UPS, PayPal, Netflix or a major banking institution are common examples) by creating official looking correspondence in an attempt to install malware via a clicked link or steal personal information by asking you to update payment methods or complete a form.
Spear phishing attacks usually tend to be better crafted, targeted and personalized. Cyber criminals will research their targets, creating highly customized emails that can include multiple sources of information such as the recipient’s name, job title, location, and even reference friends or business contacts. Emails can appear to come from a trusted source such as a vendor, organization or social media website that the victim has a relationship and utilize their logo, address, or other legitimate details.
Executive whaling (aka CEO Fraud) is a spear phishing attempt that targets corporate executives or administrators. Again, substantial research can go into these attacks, with the aim of gaining access to an executive's email to steal information or target other employees in financial positions who have the authority to move money.
Then there is what happened to us last week: business email compromise. This spear phishing variant is highly focused and zeroes in on individuals with the authority to transfer and/or wire money, targeting small businesses, large companies and organizations alike. BEC is often perpetrated by transnational criminal organizations, and may impersonate a c-suite executive, vendor, attorney or take the form of a faked invoice. In our case, it took on the guise of CEO Fraud.
Recognizing and Preventing Phishing Attacks on your Business
Phishing is not just here to stay, it’s also going to continue to refine and evolve in sophistication, so we can’t be slouches when it comes to preventative measures. The good news is, unlike some other more cyber threats, there are a lot of effective low-tech measures businesses can implement to protect themselves and reduce the likelihood of being scammed. Lets run through a few now:
• Make sure you dial your spam filters waaayy up - and upgrade if you need to. Spam filtering is inexpensive, easy to implement and worth every penny.
• Train your employees to recognize phishing and spoofing. This starts with raising awareness of the frequency of phishing attempts and common red flags. Teach staff to critically look at sender names, email addresses and domain names that don’t match, as well as irregularities or quirks in email content and formatting. Show employees to hover over embedded links and buttons and how to verify if an embedded url is legitimate. Make sure that all suspicious or unusual emails are reported to your IT team or person.
• Establish strong procedures such as a shortlist of authorized employees with permission to approve and process payments, double checking in-person or by phone and obtaining approvals before sending money and establishing daily withdrawal limits as a safeguard. If you want to take things a step further, you can require that requests to move money above a certain amount and the sharing of confidential information be done in person or by phone.
• Limit and manage the information that your business publishes on the Internet. Detailed corporate contact information and the contact details of c-suite executives is prized by bad actors who in turn may use it for impersonation, spoofing or in the registration details of look-alike domain names. This type of information is present and actively mined from the public WHOIS database, an online of information that is collected when domain names are registered. Utilizing a WHOIS service like Webnames Privacy that substitutes non-personally identifiable information in place of corporate information (e.g., contact names, email addresses, phone numbers, etc.) to effectively anonymize a domain’s WHOIS record eliminates the risk that your information will be scraped from the WHOIS and used for nefarious purposes. Moreover, designating “safe” public facing contact information, using it consistently and closing the loop on vulnerabilities such as WHOIS information can help to limit an organization's susceptibility to identity theft, phishing and business email compromise. To confirm what info is listed in your business' domain WHOIS record, simply run it through our WHOIS search tool.
• Defend your business by investing in preventative technologies and cyber security software that can limit the impact caused by breaches. Authentication, surveillance, data encryption and firewall services are aplenty and increasingly affordable, with costs going down each year. Each business has different needs and vulnerabilities, so do your research, get recommendations, hire a consultant if need be and invest in the protective technologies your business needs starting with your biggest security gaps.
We chosen to highlight measures that are both straightforward and achievable for most businesses, with only the last requiring professional expertise - but they are far from exhaustive. If you want to delve deeper, there are a great many excellent articles and resource guides available online that go into greater detail about how to protect your business and employees from phishing, such as Barkly’s Phishing Emails - A Field Guide. If you need external help, your local Chamber of Commerce is likely a good starting place to look for referrals or recommendations regarding reputable local cyber security or IT consultants.
Make a business resolution today take additional, concrete steps towards protecting your employees and organization from phishing in 2018, because just around the corner a new year and a new cyber threat awaits.