The Rising Threat of BEC Attacks: Don’t Let Your Business Fall Victim

November 30, 2022

Business email compromise (BEC) attacks are becoming widespread and present a significant risk to businesses of all sizes.

These attacks involve hackers posing as trusted individuals or organizations via email to request sensitive information or financial transfers.

BEC attacks often target high-level employees, such as executives or financial managers, and can be highly sophisticated.

Attackers may go to great lengths to make their emails appear authentic, including using genuine email addresses and logos. In some cases, they may even gain access to an employee’s email account to send BEC emails to other employees or partners.

In BEC attacks, a common technique is the “man-in-the-middle” approach, where the attacker poses as a trusted third party, such as a supplier or vendor, and requests payment or sensitive information.

These attacks can be challenging to detect because the attacker may use genuine email addresses and logos to seem legitimate.

The attacker manipulates the victim into thinking they are communicating with a trusted party, which can lead to them divulging sensitive information or making financial transfers to the attacker.

To safeguard your business from BEC attacks, it is essential to implement strong email security measures and educate your employees on the signs of such an attack.
Two-factor authentication and monitoring for unusual activity can help protect your business.

Employees should also be aware of red flags, such as requests for sensitive information or financial transfers from unknown individuals or organizations, or requests to transfer money to unfamiliar bank accounts.

If you receive a suspicious email, do not click on any links or download any attachments.

Instead, verify the request through a separate, secure channel, such as a phone call to the sender using a number you know to be valid.

Business email compromise attacks are a rapidly growing threat to businesses of all sizes.

By taking proactive steps to secure your email communications and staying vigilant, you can help protect your business from costly and damaging BEC attacks.

Filed Under: E-Mail, Malware, Phishing

Handle Your Email With Care (Even With A SPAM Filter)

March 31, 2021

Mark Funchion is a network technician at Tech Experts.

A lot of the communication we do today is by email. Naturally, that makes it a favorite avenue for malicious individuals to attack your system. A SPAM filter can help considerably, however nothing is 100% effective – and there is a fine line between “too aggressive” and “not aggressive enough.”

Turning up the aggressiveness of the filter may stop the bad mail while at the same time improperly labeling legitimate messages as SPAM. Even with a SPAM filter, you should handle your email with care.

Here are a few tips to potentially save you from opening a message or attachment that is nefarious in nature.

The first rule is “just don’t do it.” It is tempting to just click that link or open that attachment.

You may even do it without a second thought. Scam emails can be very sophisticated, and they will often look like they are real.

Before you do anything, take a moment and consider a few things. If you are sent an attachment from someone you don’t know, never open it. If the fishy attachment or email is from someone you do know but it was not expected, reach out the sender to make sure they actually sent it.

Next, don’t jump the gun on clicking links that are sent to you. Links are easy to manipulate; they can be made to look legitimate, but they’ll actually take you to a different site or start downloading a program or virus.

With links, there are two things you can do.

First, you can open a browser and go directly to the site to bypass all links. This is the safest option, especially when you get an “urgent alert” about your account that “requires immediate action.”

If you can’t go to the page directly through the website, you can hover your cursor over the link. A box will pop up previewing the destination you’re actually being sent to.

If a link looks strange and doesn’t match the company website, don’t click on it. Also, look closely at the link as it may look just like a real one at first glance. Unless you are 100% sure the link is legitimate, do not click on it.

Another giveaway is that the message is poorly written with a lot of grammatical errors. If the message sounds like whoever wrote it doesn’t use English as their first language (and it is not from a foreign company you do business with), delete the message. Do not open or click on anything in the message.

The last point is that it’s usually not a good idea to unsubscribe from scam emails.

This may seem counterintuitive, but when you unsubscribe, you usually put your email address in to confirm you no longer want these messages.

Unfortunately, that lets the scammer know your email address is active. They will continue to send emails to this account or may sell it off as an active email.

Rather than unsubscribe from the email, block the sender. They will not know your email is active, and if they do send another message to you, it will not be received.

SPAM filters are great and they are essential. Still, remember that they are not 100% effective. Even with protection in place, it is wise to proceed with caution.

Take a moment to look for signs that the message is not from who it seems. These few seconds can save you a lot of time and money by avoiding disaster.

Filed Under: E-Mail Tagged With: , ,

Go Phish: Keeping An Eye On Your Email

July 28, 2016

Brian Bronikowski is a field service technician for Tech Experts.

Email phishing scams are nothing new in the IT world. There are always new messages coming through that seem more and more realistic. When you add this to your messages from princes, lottery winners, and investment requests, your inbox can grow rapidly.

There are a few ideas that phishing scams use, but there are also ways to look out for them.

There are a few different types of phishing on the Internet. Some will focus specifically on an organization or group.

Others are more generic. Some will take an idea that could apply to those with a certain attribute of family or business life. There are even attempts that pinpoint the “higher ups” in certain organizations and businesses.

So what are ways to notice these scams? A largely common way to decipher what’s real and what is not is the sense of urgency that these messages will have.

They require important personal information as quick as possible. This urgency is used to put your caution aside so you don’t lose out on whatever they are threatening.

These will also be very broad so it seems you’re not the only one receiving this message – and of course, you aren’t.

Either way if someone states they are deleting your emails, suing for some unknown offense, or offering part in a larger grouping of people, it’s likely that you need to take a minute and think about what’s really going on.

Another easy method that cannot be stated enough is the amount of spelling and grammatical errors.

Professional emails are generally well-groomed and checked over by the sender. Phishing scams, however, seem to have a commonality in that they never seem to read properly. These will have easily noticeable spelling errors.

You can also notice that sentence structure is off and it is very broken in general. While people can make spelling mistakes and others may not be the best proofreaders, there is always a need to be on the lookout for errors. In the scenarios where a business or group is targeted, there may be a few other steps to take.

Emails may be sent that were not expected by the receiver. Perhaps it is an event you did not hear about beforehand. Other times, and commonly as of late, there will be a document that the receiver was allegedly “expecting.”

Other times, they will use the tactics mentioned previously such as the urgency or broadness. While none of these are good to open, it is especially dangerous to open any attachments that are in the spam messages.

These can lead to ransomware and cryptoware infections that cost a lot more than the annoyance of seeing the messages.

Luckily, for all of these issues, there are ways to prevent the messages as a whole. Most large email providers will have some level of protection.

The messages will instead be directed towards your junk folder in hopes you won’t accidentally click on them.

For those that use hosted services, providers are likely taking further steps to prevent these messages. Tech Experts is one of these providers; we are able to host email and protect against a large majority of these threats.

Regardless of what you use for email services, it is always important to keep in mind what’s real and what’s too good to be true.

Keeping that in mind can be the deciding factor between infections, data loss, or identity theft.

Filed Under: E-Mail, Online Security Tagged With: ,

The Three Scariest Threats To Small Business Networks

October 27, 2015

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

While spam, pop-ups, and hackers are a real threat to any small business network, there are three security measures that you should be focusing on first before you do anything else.

Worry About E-mail Attachments, Not Spam
Sure, spam is annoying and wastes your time, but the real danger with spam is in the attachments.

Viruses and worms are malicious programs that are spread primarily through cleverly disguised attachments to messages that trick you (or your employees) into opening them.

Another huge threat is phishing e-mails that trick the user by appearing to be legitimate e-mails from your bank, eBay, or other financial accounts.

Here are three things you must have in place to avoid this nightmare: [Read more…]

Filed Under: Backups, Data Management, E-Mail, Monitoring, Online Security, Security, Viruses Tagged With: , , , , , ,

Avoid These Five Email Annoyances

September 23, 2015

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Email is a primary form of communication in the business world because it allows people to work within their own schedules and time-management styles.

With its ease of use, however, we may be sending more messages than necessary, contributing to a general email overload that can mask which items are most important.

Here are some common pet peeves in regards to this lightning-fast communication that may help you refine your email practices:

Sending/Responding to All
Before you send a mass email to all of your contacts or reply to all on an email, ask yourself if each of those people really have a need to know the information within your message.

While this may cover all bases, it is disrespectful to the recipients of your message that aren’t an essential part of the conversation by wasting their time and clogging their inbox. [Read more…]

Filed Under: Communication, E-Mail, Tips Tagged With: , ,

Wire Fraud: How An Email Password Can Cost You $100,000

August 31, 2015

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Wire fraud is one of the most financially damaging threats to people and businesses today. Victims can lose hundreds of thousands of dollars in the blink of an eye.

What is wire fraud? Let’s start with the basics:

A wire transfer is an electronic transfer of funds between entities, usually a bank and someone else.Wire fraud utilizes this system to steal money. Typically, this is done by fooling a financial institution into wiring money to a fraudulent account.

The process often begins with the theft of personal data or email credentials, which means data security is paramount to preventing this threat.

Here’s an overview of wire fraud so you can better protect your business and clients. [Read more…]

Filed Under: E-Mail, Online Security, Password Security Tagged With: , , ,

How Can Small Businesses Amplify Employee Communication?

August 31, 2015

Michael Menor is Vice President of Support Services for Tech Experts.

Using email to conduct important business always starts with the best intentions, like saving everyone time. Just think back to the last time you used email to solve a significant business issue or answer detailed questions from an important customer.

But, sometimes, email creates a disaster of miscommunication. Tone, intonation, and emotion get lost in translation. Messages and ideas are misunderstood. Nothing really gets accomplished.

So, what’s your next step when email isn’t working?

Usually, it’s a meeting in person or a quick conference call. Un-fortunately, those communication methods can create a whole new problem. In an increasingly mobile business world where teams, employees, and customers are spread out over multiple remote offices, work-from-home setups, or field operations, it can be nearly impossible to get everyone into the same place at the same time.

Tethering to the mothership: The lasting value of a virtual phone system
Web conferencing has helped mitigate the above problem. However, the fact that many businesses lack the communication and collaborative tools their team’s need — regardless of where they work — is the bigger issue. For example, even with web conferencing, many remote or work-from-home employees still rely on personal cell phones that aren’t connected to the company’s main phone system.

That’s problematic for a couple of key reasons:

• With personal landlines and cell phones, it’s significantly more difficult for remote employees to access antiquated company systems for voicemail, call forwarding, and conferencing.

• Without a true company-owned connection between the corporate office and the employee, the relationship between the two feels more like a contract gig than a full-time job — hurting employee engagement and retention.

Thankfully, there’s a relatively simple way to solve that problem: implementing a new, company-owned communication system that’s flexible, mobile, and collaborative.

One common solution is a VOIP (Voice Over IP) service, which can be based in the cloud or on-site.

The reality is that voice communication is still a far superior — and much more immediate — way for team members to connect with each other. It typically leads to richer, more sincere, and more empathetic communication, which in turn amplifies productivity.

These tools are like a tether to the corporate mothership. They’re a lifeline that allows everyone to feel connected to their colleagues and customers, but in a way that aligns with the mobility and functionality that today’s remote workers need.

Why many businesses are moving to the cloud
Of course, the image of a desktop phone doesn’t exactly convey a sense of mobility. And it certainly doesn’t solve the problem of being able to connect from any location.

That’s where cloud-based phone systems come in.

Cloud-based phone systems allow team members to receive company calls, access corporate voicemail, and set up virtual conferences from a basic Internet connection.

When employees step out of the office, calls can be forwarded and certain features can be accessed from their cell phone.

Traditional phone systems, on the other hand, often hinder remote workers’ communication effectiveness because of their limited mobile capabilities. This often results in lost money, lost productivity, and big headaches. Even worse, businesses often pay more for traditional phone systems in the form of equipment maintenance and outages.

Virtual communication systems create an overall experience that makes people feel like an effective part of the team, wherever they are. No more emotionless email exchanges and no more awkward, disjointed conference calls. At the end of the day, that’s good for your team, your company, and, most importantly, your customers.

Filed Under: Communication, E-Mail, Remote Work, VOIP Tagged With: , , ,

HIPAA Email Encryption Requirements

April 30, 2015

Michael Menor is Vice President of Support Services for Tech Experts.

Question: does the Security Rule allow for sending electronic patient health information (e-PHI) in an email or over the Internet?

Answer: the Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected. The HIPAA Security Rule does not expressly prohibit the use of email for sending e-PHI.

However, the standards for access control, integrity, and transmission security require covered entities, such as insurance providers or healthcare providers, to implement policies and procedures.

These policies and procedures restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.

The standard for transmission security also includes addressable specifications for integrity controls and encryption.

By default, whenever you send or receive email, you must connect through the Internet to an email service provider or email server.

The reality is that most email service providers do not use any security at all. This means everything you send to or receive from your email service provider is unsecure, including your user name, password, email message, attachments, who you are sending to, and who you are receiving from.

It gets worse! Most email service providers connect to other email service providers without any encryption.
If the other party is not using a secure email service, their emails can also be compromised. So the email you send and receive through the Internet is wide open, unsecure, and can be intercepted and stolen by thieves.

This is one of the main causes for identity theft, spam, and PHI breaches.

According to the U.S. Department of Health & Human Services (HHS), “…a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.”

This basically states that encryption is required. If you choose not to encrypt your data, you must document, in writing, a reasonable explanation why you chose not to do so.

In the event of an audit, the Office for Civil Rights (OCR) will review your documentation and determine whether or not they agree with you. You’re required to encrypt PHI in motion and at rest whenever it is “reasonable and appropriate” to do so.

I’ll bet that if you do a proper risk analysis, you’ll find very few scenarios where it’s not. Even if you think you’ve found one, and then you’re beached, you have to convince the OCR, who think encryption is both necessary and easy, that you’re correct.

I have convinced myself and others that encryption is required by HIPAA.

Better safe than sorry, after all.

Filed Under: E-Mail, HIPAA, Security Tagged With: , , ,

Most Employees Use Work Computers For Outside Activities

December 12, 2014

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

GFI Software, a leading software tool provider for companies like Tech Experts, recently released a report that found the personal use of company computers and other devices is leading to major downtime and loss of confidential data in many businesses.

The study of about 1,000 small business employees who used a company-provided desktop or laptop computer found that 39 percent of them said their businesses have suffered a major IT disruption caused by staff members visiting non-work related websites with work-issued hardware, resulting in malware infections and other related issues.

Even more alarming, the study showed nearly 36 percent of staff members said they would not hesitate to take company property, including email archives, confidential documents and other valuable intellectual materials, from their work-owned computer before they returned the device if they were to leave their company.

[Read more…]

Filed Under: Antivirus, E-Mail, Internet, Monitoring, Productivity, Security, Viruses, Work From Home Tagged With: , , ,

Tips To Protect Your Business PC From Malware

October 31, 2014

Michael Menor is Vice President of Support Services for Tech Experts.

In today’s online world, technology users are essentially in a state of near-constant attack. Almost every day, there’s a new data breach in the news involving a well-known company and, quite often, fresh rules for protecting personal information are circulated.

Because of malware in email, phishing messages, and malicious websites with URLs that are one letter different from popular sites, employees need to maintain a high level of awareness and diligence to protect themselves and their organizations.

Phishing activities are especially pervasive, including attempts to steal users’ credentials or get them to install malicious software on their system. The astonishing success rate of phishing attacks makes them a favorite.

Why? More than 70% of people will follow the link to a phony website and, of those that followed the link, 30%-50% will routinely give up their usernames and passwords.

Many like to think of the network perimeter with all its firewalls and other fancy technologies as the front line in the cyber war, but the truth is there’s a whole other front.

Every single member of a company’s staff who uses email or the Internet is also on the front line and these people are generally considered a softer target than hardware or software. It’s simple: if the bad guys can get an employee to give up his or her user credentials or download some malware, they can likely waltz right past the technological controls, basically appearing as if they belong there.

When using a computer for personal functions, a user generally has to have the ability to install software and modify the system configurations. Typically, such administrative functions are not available to all users in a corporate environment.

c471994_mAs a result, even if an organization has made an effort to improve a system’s security, a user doing work on a personal computer has the ability to disable and circumvent protections and has the privileges to allow for the installation of malware.

As companies migrate toward a world of bring-your-own-device policies, some companies are developing strategies to help address these risks. But, as a rule, using a work computer for personal reasons or doing work on a personal computer (or tablet or smartphone) can significantly increase the threat level that an employer has to protect itself against.

To help their organization protect systems and data, employees need to implement some smart web browsing habits. Smart web browsing means engaging in the following activities:

Beware of downloads
Malware can be hidden, not just in applications or installation programs, but in what appear to be image and video files also. To limit the likelihood of downloading content that contains malware, only download from reputable sites. With sites that are not a household name, take the time to do a little research and see if other people have had issues.

Additionally, be sure that antivirus software is set up to automatically scan downloads. Or scan downloads manually, even when receiving them from name-brand sites, as it is not unheard of for infected files to make their way onto otherwise legitimate web sites.

This is especially true for file-sharing sites where the site owner cannot control every piece of content a user may place there.

Be wary of deceitful sites
Those running sites already breaking the law by illegally distributing copyrighted materials — like pirated music, movies or software — probably have no qualms about including malicious content in their downloads or stealing information.

Many popular web browsers today have built-in functionality that provides an alert when visiting a website that is known to be dangerous.

And if the browser doesn’t give a notice, the antivirus software may provide that function. Heed the alerts!

Employees need to protect their devices from online and in-person threats. Start by keeping the company’s system patched. Configure it to automatically apply updates or issue notifications when there are updates and then apply them as soon as possible. This doesn’t just apply to the operating system.

Keep all installed applications updated; sometimes this takes a little extra work.

Remember, the challenge of security is that the bad guy needs to find only one hole in a security system to get past it, so fix them all. Think of it as putting dead bolts on doors, but leaving the basement window wide open.

To that end, security professionals like to debate the usefulness of today’s antivirus software. And it’s true that malware continues to become more sophisticated and harder to detect. But it always amazes me how old some of the malware running around is. As a result, use antivirus software and keep it up-to-date.

Also, use a software firewall, either the Windows firewall or one provided in an antivirus package. This is especially true for laptops connected to public wireless access points at hotels or coffee shops, but it also applies to home systems. It just provides that extra layer of defense.

And finally, please, don’t ever give passwords to anyone. Be vigilant and question anything new, especially emails and forms in the web browser that request work credentials, no matter how nicely the request is made.

(Image Source: iCLIPART)

Filed Under: Antivirus, Data Management, E-Mail, Internet, Microsoft Outlook, Network, Online Security, Password Security, Phishing, Security, Tips, Trojans, Viruses Tagged With: , ,
Next Page »