Business Email Compromise (BEC) And Phishing Are Dangerous For Small Businesses

Business email compromise (BEC) and phishing are two of the most common and damaging cyber threats facing businesses today. BEC involves the fraudulent use of email to impersonate a legitimate business or individual in order to gain access to sensitive information or financial resources.

Phishing, on the other hand, is a type of cybercrime that involves the use of fraudulent emails or websites to trick individuals into revealing sensitive information, such as login credentials or financial information.

BEC attacks often target employees with access to sensitive financial information or those who have the authority to make wire transfers or other financial transactions.

The attackers use sophisticated social engineering tactics to trick the employee into revealing login credentials or other sensitive information, or to convince them to make a financial transaction on behalf of the company. In some cases, the attackers may even impersonate a high-level executive or vendor in order to gain the trust and cooperation of the employee.

One of the most common tactics used in BEC attacks is the “man-in-the-middle” attack, where the attacker intercepts legitimate emails and alters them to redirect payments or other financial transactions to their own account.

Other tactics include the use of fake invoices, purchase orders, or other financial documents to trick employees into making payments to the attacker.

Phishing attacks, on the other hand, generally aim to trick individuals into revealing sensitive information or clicking on malicious links. These attacks often take the form of fake emails purporting to be from legitimate organizations, such as banks or government agencies, and may contain links to fake login pages or download malicious software onto the victim’s computer.

To protect against BEC and phishing attacks, it’s important for businesses to implement strong security measures and to educate their employees on how to spot and avoid these threats. Some best practices for protecting against BEC and phishing attacks include:

  • Implementing strong email security measures, such as spam filters and email authentication protocols, to help identify and block fraudulent emails.
  • Training employees on how to spot and avoid phishing and BEC attacks, including teaching them to be wary of unsolicited emails and to verify the authenticity of any emails requesting sensitive information or financial transactions.
  • Establishing strong passwords and using two-factor authentication to protect login credentials and other sensitive information.
  • Setting up monitoring systems to detect and alert on unusual or suspicious activity, such as unexpected wire transfers or login attempts.
  • Regularly updating software and security protocols to ensure that the latest security measures are in place.

In addition to these measures, it’s important for businesses to have a plan in place for responding to a BEC or phishing attack. This should include:

  • Establishing a clear chain of command for reporting and responding to suspicious activity.
  • Designating a team to investigate and respond to potential attacks.
  • Having a process in place for assessing and mitigating the damage caused by an attack.
  • Reviewing and updating security protocols on an ongoing basis to ensure that they are effective in protecting against these threats.

Overall, BEC and phishing attacks are a serious threat to businesses of all sizes. By implementing strong security measures and educating employees on how to identify and avoid these threats, businesses can protect themselves and their customers from these damaging cyber attacks.

2022: The Year Of Malware, Hacks And Phishing

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Much of our time this year has been spent working with our clients, making sure they’re ready to fend off newly emerging cyber threats or malware strains.

So to look back at the year, we thought we’d round up what many experts agree has been the nastiest malware of 2022.

At the top of the list is Emotet. Chances are you haven’t heard of it by that name, but it’s a trojan that’s spread by spam email. It usually looks like a genuine email with familiar branding, but it tries to persuade the recipient to click a malicious link (using language like ‘your invoice’ or ‘payment details.’

It may also look like it’s from a parcel company. This malware goes through your contact list and sends itself to family, friends, colleagues, and clients. Then it looks less like spam, because it’s come from your email account.

In second position is LockBit. This is ransomware that’s designed to block access to your files and systems when cyber criminals encrypt them.

They ask you to pay a ransom for the decryption key (which they often still don’t hand over, even when you’ve paid). If you don’t have a solid backup strategy, it is highly likely you’ll experience data loss.

This is a targeted attack that spreads itself once it’s infiltrated one device on a network. In fact, it can ‘live’ for weeks inside a network before the attack is launched.

In third place is Conti, another form of ransomware, and in fourth position is Qbot, a trojan designed to steal banking information and passwords.

It may all sound scary, but there’s plenty you can do to give your business greater protection from these threats:

  • Keep your entire network and all devices updated
  • Don’t download suspicious attachments or click links unless you’re certain they’re genuine
  • Practice strong password hygiene, including multi-factor authentication, password managers, biometrics, and passkeys where available
  • Give your people access to only the systems and files they need. Remove ex-employees from your network immediately
  • Create and regularly check back-ups
  • Educate your people regularly

We can help with all of this – just get in touch!

The Rising Threat of BEC Attacks: Don’t Let Your Business Fall Victim

Business email compromise (BEC) attacks are becoming widespread and present a significant risk to businesses of all sizes.

These attacks involve hackers posing as trusted individuals or organizations via email to request sensitive information or financial transfers.

BEC attacks often target high-level employees, such as executives or financial managers, and can be highly sophisticated.

Attackers may go to great lengths to make their emails appear authentic, including using genuine email addresses and logos. In some cases, they may even gain access to an employee’s email account to send BEC emails to other employees or partners.

In BEC attacks, a common technique is the “man-in-the-middle” approach, where the attacker poses as a trusted third party, such as a supplier or vendor, and requests payment or sensitive information.

These attacks can be challenging to detect because the attacker may use genuine email addresses and logos to seem legitimate.

The attacker manipulates the victim into thinking they are communicating with a trusted party, which can lead to them divulging sensitive information or making financial transfers to the attacker.

To safeguard your business from BEC attacks, it is essential to implement strong email security measures and educate your employees on the signs of such an attack.
Two-factor authentication and monitoring for unusual activity can help protect your business.

Employees should also be aware of red flags, such as requests for sensitive information or financial transfers from unknown individuals or organizations, or requests to transfer money to unfamiliar bank accounts.

If you receive a suspicious email, do not click on any links or download any attachments.

Instead, verify the request through a separate, secure channel, such as a phone call to the sender using a number you know to be valid.

Business email compromise attacks are a rapidly growing threat to businesses of all sizes.

By taking proactive steps to secure your email communications and staying vigilant, you can help protect your business from costly and damaging BEC attacks.

The SLAM Method Can Improve Phishing Detection

Why has phishing remained such a large threat for so long? Because it continues to work. Scammers evolve their methods as technology progresses, employing AI-based tactics to make targeted phishing more efficient.

If phishing didn’t continue returning benefits, then scammers would move on to another type of attack. But that hasn’t been the case. People continue to get tricked.

In May of 2021, phishing attacks increased by 281%. Then in June, they spiked another 284% higher.

Studies show that as soon as 6 months after a person has been trained on phishing identification, their detection skills can begin waning as they forget things.

Give employees a “hook” they can use for memory retention by introducing the SLAM method of phishing identification.

What is the SLAM Method for Phishing Identification?

One of the mnemonic devices known to help people remember information they are taught is the use of an acronym. SLAM is an acronym for four key areas of an email message that should be checked before trusting it. These are:

S = Sender
L = Links
A = Attachments
M = Message text

By giving people the term “SLAM” to remember, it’s quicker for them to do a check on any suspicious or unexpected email without missing something important.

All they need to do is run down the cues in the acronym.

S = Check the Sender

It’s important to check the sender of an email thoroughly. Often scammers will either spoof an email address or use a look-alike address that people easily mistake for the real thing.

You can double-click on the sender’s name to ensure the email address is legitimate.

L = Hover Over Links Without Clicking

Hyperlinks are popular to use in emails because they can often get past antivirus/anti-malware filters.

You should always hover over links without clicking on them to reveal the true URL. This often can immediately call out a fake email scam due to them pointing to a strangely named or misspelled website.

A = Never Open Unexpected or Strange File Attachments

Never open strange or unexpected file attachments, and make sure all attachments are scanned by an antivirus/anti-malware application before opening.

M = Read the Message Carefully

If you rush through a phishing email, you can easily miss some telltale signs that it’s a fake, such as spelling or grammatical errors.

Look for words or phrases not normally used by the person who’s emailing you. Words like “kindly” and “revert” are tell-tale clues the email come from someone who’s not your normal sender.

Also, be on the lookout for pressure to act quickly or unexpected banking change requests. While it happens, it is rare for a company to change banks without months of advance notice.

Get Help Combatting Phishing Attacks

Both awareness training and security software can improve your defenses against phishing attacks. Contact us today to discuss your email security needs.

Watch Out For Reply-chain Phishing Attacks

Phishing. It seems you can’t read an article on cybersecurity without it coming up. That’s because phishing is still the number one delivery vehicle for cyberattacks.

80% of surveyed security professionals say that phishing campaigns have significantly increased post-pandemic.

Phishing not only continues to work, but it’s also increasing in volume due to the move to remote teams.

Many employees are now working from home. They don’t have the same network protections they had when working at the office.

One of the newest tactics is particularly hard to detect. It is the reply-chain phishing attack.

What is a Reply-Chain Phishing Attack?

You don’t expect a phishing email tucked inside an ongoing email conversation between colleagues.

Most people are expecting phishing to come in as a new message, not a message included in an existing reply chain.

The reply-chain phishing attack is particularly insidious because it does exactly that. It inserts a convincing phishing email in the ongoing thread of an email reply chain.

How does a hacker gain access to the reply chain conversation? By hacking the email account of one of those people copied on the email chain. Often, the target isn’t even aware.

The hacker can email from an email address that the other recipients recognize and trust. The attacker also gains the benefit of reading down through the chain of replies. This enables them to craft a response that looks like it fits.

They may see that everyone has been weighing in on a new idea for a product called Superbug. So, they send a reply that says, “I’ve drafted up some thoughts on the new Superbug product, here’s a link to see them.”

The reply won’t seem like a phishing email at all. It will be convincing because:

  1. It comes from an email address of a colleague. This address has already been participating in the email conversation.
  2. It may sound natural and reference items in the discussion.
  3. It may use personalization. The email can call others by the names the hacker has seen in the reply chain.

Business Email Compromise is Increasing

Business email compromise (BEC) is so common that it now has its own acronym. Weak and unsecured passwords lead to email breaches. So do data breaches that reveal databases full of user logins.

Tips for Addressing Reply-Chain Phishing

Here are some ways that you can lessen the risk of reply-chain phishing in your organization:

• Use a business password manager
• Put multi-factor controls on email accounts
• Teach employees to be aware

Phishers Lure Targets In With COVID-19 Schemes

Mark Funchion is a network technician at Tech Experts.

You may have noticed that we talk about phishing a lot. Unfortunately, phishing is an issue that will never go away and the tactics change constantly. That constant change makes it difficult, if not impossible, to eliminate as a threat.

Fortunately, there are red flags that end users can keep an eye out for.

If you get an email that answers a common demand, treat it with a high level of skepticism.

For example, a few years ago when the Nintendo Wii was hard to find and a lot of people wanted them, a lot of “Click here to buy a Wii now!” emails went out. I think you can guess how many people actually got a Wii through those schemes.

Well, it’s not Christmas, but the ongoing hot topic in the world is COVID-19 and its vaccine.

As we strive to return to normalcy, there are people who want the vaccine who do not qualify yet, are on a waiting list, or want to get it in a quick and easy way.

Attackers know this. In fact, they count on it. Phishers rely on human nature, and that is what makes it hard for the end user: you have to go against your basic human emotions.

All emails should be evaluated as if they are a phishing email. Look for the standard warning signs such as an offer that’s too good to be true, misspelled words, or if the wording of the message is a little off. Some are very obvious. Some are more subtle.

The attackers may also appear as though they are from a reputable company like a national pharmacy chain, a local doctor, or a large hospital system.

However, the typical format legitimate providers follow is that they’ll send you information on the vaccine and remind you to contact your health care professional to schedule an appointment.

Another example of the phishers’ methods is that they’ll send a link asking you to verify your information to determine eligibility (or even a link to buy the vaccine from a supplier).

Again, red flags. Take a moment to ask yourself why – when the vaccine distribution is so controlled – would a random person have a surplus of product?

These are all pretty basic ideas, but it is easy to get lax in proceeding with caution. It’s even more of a challenge to stay alert when the attacks are using current events to their advantage.

The days of free money from a “Nigerian Prince” are mostly over, but almost everything we do right now is influenced by COVID.

If and when you get the message asking you to “click here to verify your vaccine eligibility,” don’t do it. Next month, when you are hit with messages for updates on your taxes or missing money, don’t click on those either. Later this year at Christmas, don’t click on the link for the discounted, hot item everyone wants. And in 2022… rinse and repeat.

Phishing will always find a way to be relevant, and you can never let your guard down.

Would You Know If You Were Being Smished?

Ooof… you’d hope so, right? Sounds uncomfortable.

But push away whatever image that word has put in your head, and turn your attention to your mobile phone.

Smishing is the text message version of phishing.

What’s phishing again? It’s where criminals send you an email, pretending to be someone else (like your bank), to try to get sensitive information from you.

Yes, these cyber criminals really are resourceful. And the more ways there are to try and infiltrate your data, the more they’ll use different platforms.

Just like with phishing, smishing attempts are not always as easy to spot as you might think.

Most of them pretend to be sent from a recognized business – like your network provider, for example – rather than just a random number. Some look like they’ve come from someone you know personally.

They’ll ask you to click a link to take an action like checking your monthly bill, updating your account information, or maybe to pay a bill. It’s usually the kind of message you would expect to see from that business.

But if you click that link… you’ve potentially given them access to your device. And that means they may have access to your data, passwords, and any other information stored on your phone.

Terrifying.

Protecting yourself is really similar to the way you’d deal with a phishing attempt on your email:

• Never click on any links unless you’re certain the sender is who they say they are

• If you’re unsure, contact the company (or person) on their usual number to check

• And if an offer seems too good to be true, it usually is (sorry, you didn’t really win that competition you never even entered)

Consider this our number one most important golden rule: Never click a link if you’re not expecting it. Wait to verify it with the sender first.

The Eleven Types Of Phishing Attacks You Need To Know To Stay Safe

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Like Darwin’s finches, phishing has evolved from a single technique into many specialized tactics, each adapted to specific targets and technology. First described in 1987, phishing is now carried out via text, phone, advertising and, of course, email.

Boiled down, all of these tactics exist for the same purpose – to steal confidential information from an unsuspecting target in order to extract something of value.

Knowing about the hugely diverse set of today’s phishing tactics can help you be more prepared for the inevitable instance when you become the target.

Standard phishing – casting a wide net
At its most basic, standard phishing is the attempt to steal confidential information by pretending to be an authorized person or organization. It is not a targeted attack and can be conducted en mas. [Read more…]

Buyer Beware: New Phishing Scams Appearing On Craigslist

Craigslist email scams come in many shapes and forms, but in general, a Craigslist email scammer is known to do at least one of the following things:

● Ask for your real email address for any reason at all.
● Insist on communicating by email only (using either your Craigslist email or your real email).
● Send you fake purchase protection emails that appear to be from Craigslist itself.

Asking for your real email address
Scammers might ask you for your real email address for any of the following reasons:

The scammer claims they want to send payment via PayPal. Scammers posing as buyers might try to talk you into accepting online payments, such as those via PayPal.

Once you give your PayPal email address to the scammer, however, they can easily send you a fake PayPal confirmation email to make you think that they paid when they really didn’t.

The scammer claims they use a third-party to securely handle the payment. Similar to the PayPal scenario above, a scammer (posing as either a buyer or a seller) might ask for your real address so that they can send a fake email that appears to come from an official third party.

These types of emails typically are cleverly designed to look like they offer a guarantee on your transaction, certify the seller, or inform you that the payment will be securely handled by the third party.

The scammer intends to send you multiple scam and spam messages. A scammer who asks for your real email address might be creating a list of victims they’re targeting to hack their personal information.

They could be planning to send you phishing scams, money or lottery scams, survey scams or even social network scams.

Insisting on communicating entirely by email
Scammers might insist on talking exclusively by email for any of the following reasons:

The scammer can’t speak to you by phone or meet up in person. Many Craigslist scammers operate overseas and don’t speak English as their first language, which is why they prefer to do everything via email. If they’re posing as a seller, they almost definitely don’t have the item you’re trying to buy and are just trying to get your money.

The scammer is following a script and has an elaborate personal story to share. Scammers use scripts so that they can scam multiple people. If they’re posing as a buyer, they might refer to “the item” instead of saying what the item actually is.

Since English is typically not most scammers’ first language and they operate around the world, it’s very common for them to misspell words or use improper grammar. And finally, to back up why they can’t meet up or need payment immediately, they’ll describe in detail all the problems they’re currently facing/have faced in order to get you to sympathize with them.

The scammer is looking to pressure you to make a payment, or wants to send a cashier’s check. Using their elaborate story, the scammer who’s posing as a seller might ask you to make a deposit via a third party such as PayPal, Western Union, MoneyGram, an escrow service, or something else.

They might even convince you to make multiple payments over a period of time, looking to extract as much money from you as possible before you realize you’re not getting what you’re paying for.

On the other hand, the scammer who’s posing as a buyer might offer to send a cashier’s check, which will likely be discovered as fraudulent days or weeks later.

Beware of anyone who tells you they’re in the military. This is a strong sign of a scam.

Sending fake purchase protection emails
Scammers have been known to send protection plan emails that appear to be from Craigslist. Of course, Craigslist doesn’t back any transactions that occur through its site, so any emails you receive claiming to verify or protect your purchases via Craigslist are completely fake.

The most important thing you can do to avoid getting involved in a Craigslist email scam is to never give away your real email address to anyone you’re speaking to from Craigslist.

Email Checklist: Is It A Phishing Attack?

More than half of phishing attack emails contain malicious links. Furthermore, approximately one-third of all phishing attack emails manage to bypass default security methods.

So how do you determine if an email you’ve received is a phishing attack?

Sure, sometimes it’s obvious. But as cybercriminals continue to evolve and become more sophisticated, their phishing attack emails are becoming more convincing than ever before.

Here’s a complete checklist to go through when you receive a suspicious email:

An Overly Generic Greeting
More often than not, phishing emails are sent out to a massive list rather than one individual.

This means they’ll often contain generic greetings, such as “dear customer” or “dear member” whereas a legitimate source, such as your bank or a government organization, would probably address you by name.

A Request to Update or Verify Information
If the email contains some sort of request to update or verify your information, it’s likely a phishing email. No legitimate source will ask you to update or verify sensitive information over the internet. Chances are, they will call you or wait until you’re in the store/at the bank to go over this request with you.

A Lack of a Domain Address
Aside from looking at the name and company information, don’t forget to double check their domain address.

Hover your mouse over the “from” address to see if there is a legitimate domain or not. For instance, they may have !IRA.com instead of IRA.com. However, this isn’t always foolproof and it’s important to check for other signs too.

Grammar and/or Spelling Errors
Large organizations tend to spell check their email content carefully – meaning it’s not very common to find grammar and/or spelling errors throughout emails from your bank, government entities and other legitimate sources. Pay close attention to the grammar and/or spelling in the email.

A Sense of Urgency
If something is urgent, a legitimate source will typically call you or send you a piece of direct mail.

Cybercriminals tend to create a sense of urgency, such as “if you don’t respond, your account will be canceled” or “if you don’t pay the attached invoice, you
will be charged interest and it will go to collections.”

An Unsolicited Attachment
As a general rule, if the email contains an unsolicited attachment from an unknown sender or an unsolicited attachment that seems out of place from a sender you do know, don’t open it.

Typically, legitimate sources don’t randomly send emails with attachments. Instead, they will direct you to download something directly from their website.

Suspicious Links
Before you click on a link, hover over it to see where the link is actually going to take you. Often, cybercriminals will make it appear as though the link is going to a legitimate place, but once you’ve hovered over it, you’ll find that it’s taking you to somewhere else entirely. Always hover over any links before clicking them.