Heads Up: Hackers Are Exploiting Email Forwarding Rules

Mark Funchion is a network technician at Tech Experts.

The ways in which hackers attack accounts are endless, and a lot goes into keeping your accounts both safe and usable.

A newer attack style that is being used (and one we have personal experience with resolving) is the manipulation of email forwarding rules.

Email forwarding rules are rules that are set up in your inbox to forward a message to another mailbox as soon as it arrives.

The danger for the email owner is that these rules can also clean up after themselves by deleting the message, preventing a copy of the forward from showing in the “Sent Items” folder, and deleting the message from the “Deleted Items” folder.

If a hacker takes advantage of this, then all your email will be sent to and read by someone you do not even know.

Think about the items in your inbox, especially the ones that are sensitive and/or confidential. Can you risk there being a period of time where your messages are being forwarded without your knowledge?

Also, as the hackers are good at cleaning up and hiding their tracks, you need someone with the experience and expertise to resolve this for you if it does occur.

One of the big dangers with this attack style is that changing your password or adding two-factor authentication will not stop the current breach once the rule is in place.

Forwards will continue to be sent because the rule is not password dependent. It’s the same with two-factor authentication; if you enable this after the rule is in place, it will not do you any good.

There are steps that can be taken to prevent these types of attacks; however, most of them are not settings that an end user would be familiar with.

It’s important to not allow forwarding to occur to email addresses outside of your domain, and relatedly, it’s a good idea to allow the full sync of settings between the web client and the local desktop client.

For example, Office 365 by default will not sync these settings, so if someone gains access to your email and creates a forward on the web page, you and your IT department will not see it if they look in your Outlook client on your local computer.

These rules can be hidden if the hacker knows what they are doing. This means a quick open-and-check-if-a-rule-exists is not sufficient. Steps need to be taken to make sure there are no rules, not just a lack of visible rules.

Checking for these rules if there is a suspected breach is critical because of another potential problem: if you do a password reset on another account that you are concerned about (for example, your bank because you use the same password), that email with details gets forwarded to the hacker and they may be able to gain access to that account.
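The check described above, as an added example (not Tech Experts' own tooling): it reviews an exported list of inbox rules and flags any rule that forwards or redirects outside your domain, rating it higher when the rule also deletes or marks messages as read. It assumes the rules were exported as records shaped like the Microsoft Graph messageRule resource; the sample rules, addresses and domains are constructed, and the script only sees rules that are present in the export.

```python
"""Audit exported inbox rules for external forwarding with clean-up actions."""

# Constructed sample data. Field names follow the Microsoft Graph messageRule
# resource (actions.forwardTo, actions.redirectTo, ...); the rules, addresses
# and domains below are made up for this example.
SAMPLE_RULES = [
    {"displayName": "Invoices to accounting", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "ap@example.com"}}]}},
    {"displayName": ".", "isEnabled": True,
     "actions": {"redirectTo": [{"emailAddress": {"address": "drop@mail.example.net"}}],
                 "permanentDelete": True}},
    {"displayName": "Newsletter copy", "isEnabled": False,
     "actions": {"forwardAsAttachmentTo": [{"emailAddress": {"address": "Me@Example.ORG"}}]}},
    {"displayName": "Move receipts", "isEnabled": True,
     "actions": {"moveToFolder": "AAMkAD-constructed-id"}},
]

FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
CLEANUP_ACTIONS = ("delete", "permanentDelete", "markAsRead")


def domain_of(address):
    """Return the lower-cased domain of an address, or "" if it has no '@'."""
    _, sep, domain = address.strip().rpartition("@")
    return domain.lower().rstrip(".") if sep else ""


def is_internal(domain, internal_domains):
    """True for an exact internal domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def audit_rules(rules, internal_domains):
    """Return one finding per rule that sends mail outside internal_domains."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for rule in rules:
        actions = rule.get("actions") or {}
        external = []
        for key in FORWARD_ACTIONS:
            for recipient in actions.get(key) or []:
                address = (recipient.get("emailAddress") or {}).get("address", "")
                dom = domain_of(address)
                # A malformed address cannot be shown to be internal, so flag it.
                if not dom or not is_internal(dom, internal):
                    external.append(address)
        if not external:
            continue
        # Clean-up actions are what keep the owner from noticing the forward.
        cleanup = [k for k in CLEANUP_ACTIONS if actions.get(k)]
        findings.append({
            "rule": rule.get("displayName", ""),
            "enabled": bool(rule.get("isEnabled")),  # disabled rules are still reported
            "external_recipients": external,
            "cleanup_actions": cleanup,
            "severity": "high" if cleanup else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, ["example.com"]):
        print(finding)
```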

Hackers will continue to evolve as they need to. As this exploit is discovered and procedures are put in place to mitigate their effect, the next exploit will be used and the cycle will start again. Having a partner to help you navigate through all these potential issues is essential.

Being aware of these exploits, watching for new ones, and making necessary changes to keep your business safe is a big part of what Tech Experts does.

Handling these concerns is part of our core business, giving you the peace of mind to handle your core business.

Go Phish: Keeping An Eye On Your Email

Brian Bronikowski is a field service technician for Tech Experts.

Email phishing scams are nothing new in the IT world. There are always new messages coming through that seem more and more realistic. When you add this to your messages from princes, lottery winners, and investment requests, your inbox can grow rapidly.

There are a few ideas that phishing scams use, but there are also ways to look out for them.

There are a few different types of phishing on the Internet. Some will focus specifically on an organization or group.

Others are more generic. Some will take an idea that could apply to those with a certain attribute of family or business life. There are even attempts that pinpoint the “higher ups” in certain organizations and businesses.

So what are ways to notice these scams? A common way to tell what’s real from what is not is the sense of urgency that these messages will have.

They require important personal information as quickly as possible. This urgency is used to put your caution aside so you don’t lose out on whatever they are threatening.

These will also be very broad so it seems you’re not the only one receiving this message – and of course, you aren’t.

Either way, if someone states they are deleting your emails, suing for some unknown offense, or offering part in a larger grouping of people, it’s likely that you need to take a minute and think about what’s really going on.

Another easy method that cannot be stated enough is the amount of spelling and grammatical errors.

Professional emails are generally well-groomed and checked over by the sender. Phishing scams, however, seem to have a commonality in that they never seem to read properly. These will have easily noticeable spelling errors.

You can also notice that sentence structure is off and it is very broken in general. While people can make spelling mistakes and others may not be the best proofreaders, there is always a need to be on the lookout for errors. In the scenarios where a business or group is targeted, there may be a few other steps to take.

Emails may be sent that were not expected by the receiver. Perhaps it is an event you did not hear about beforehand. Other times, and commonly as of late, there will be a document that the receiver was allegedly “expecting.”

Other times, they will use the tactics mentioned previously such as the urgency or broadness. While none of these are good to open, it is especially dangerous to open any attachments that are in the spam messages.

These can lead to ransomware and cryptoware infections that cost a lot more than the annoyance of seeing the messages.

Luckily, for all of these issues, there are ways to prevent the messages as a whole. Most large email providers will have some level of protection.

The messages will instead be directed towards your junk folder in hopes you won’t accidentally click on them.

For those that use hosted services, providers are likely taking further steps to prevent these messages. Tech Experts is one of these providers; we are able to host email and protect against a large majority of these threats.

Regardless of what you use for email services, it is always important to keep in mind what’s real and what’s too good to be true.

Keeping that in mind can be the deciding factor between infections, data loss, or identity theft.

The Three Scariest Threats To Small Business Networks

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

While spam, pop-ups, and hackers are a real threat to any small business network, there are three security measures that you should be focusing on first before you do anything else.

Worry About E-mail Attachments, Not Spam
Sure, spam is annoying and wastes your time, but the real danger with spam is in the attachments.

Viruses and worms are malicious programs that are spread primarily through cleverly disguised attachments to messages that trick you (or your employees) into opening them.

Another huge threat is phishing e-mails that trick the user by appearing to be legitimate e-mails from your bank, eBay, or other financial accounts.

Here are three things you must have in place to avoid this nightmare:

Avoid These Five Email Annoyances

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Email is a primary form of communication in the business world because it allows people to work within their own schedules and time-management styles.

With its ease of use, however, we may be sending more messages than necessary, contributing to a general email overload that can mask which items are most important.

Here are some common pet peeves in regards to this lightning-fast communication that may help you refine your email practices:

Sending/Responding to All
Before you send a mass email to all of your contacts or reply to all on an email, ask yourself if each of those people really have a need to know the information within your message.

While this may cover all bases, it is disrespectful to the recipients of your message that aren’t an essential part of the conversation by wasting their time and clogging their inbox.

Wire Fraud: How An Email Password Can Cost You $100,000

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Wire fraud is one of the most financially damaging threats to people and businesses today. Victims can lose hundreds of thousands of dollars in the blink of an eye.

What is wire fraud? Let’s start with the basics:

A wire transfer is an electronic transfer of funds between entities, usually a bank and someone else. Wire fraud utilizes this system to steal money. Typically, this is done by fooling a financial institution into wiring money to a fraudulent account.

The process often begins with the theft of personal data or email credentials, which means data security is paramount to preventing this threat.

Here’s an overview of wire fraud so you can better protect your business and clients.

How Can Small Businesses Amplify Employee Communication?

Michael Menor is Vice President of Support Services for Tech Experts.

Using email to conduct important business always starts with the best intentions, like saving everyone time. Just think back to the last time you used email to solve a significant business issue or answer detailed questions from an important customer.

But, sometimes, email creates a disaster of miscommunication. Tone, intonation, and emotion get lost in translation. Messages and ideas are misunderstood. Nothing really gets accomplished.

So, what’s your next step when email isn’t working?

Usually, it’s a meeting in person or a quick conference call. Unfortunately, those communication methods can create a whole new problem. In an increasingly mobile business world where teams, employees, and customers are spread out over multiple remote offices, work-from-home setups, or field operations, it can be nearly impossible to get everyone into the same place at the same time.

Tethering to the mothership: The lasting value of a virtual phone system
Web conferencing has helped mitigate the above problem. However, the fact that many businesses lack the communication and collaborative tools their teams need — regardless of where they work — is the bigger issue. For example, even with web conferencing, many remote or work-from-home employees still rely on personal cell phones that aren’t connected to the company’s main phone system.

That’s problematic for a couple of key reasons:

• With personal landlines and cell phones, it’s significantly more difficult for remote employees to access antiquated company systems for voicemail, call forwarding, and conferencing.

• Without a true company-owned connection between the corporate office and the employee, the relationship between the two feels more like a contract gig than a full-time job — hurting employee engagement and retention.

Thankfully, there’s a relatively simple way to solve that problem: implementing a new, company-owned communication system that’s flexible, mobile, and collaborative.

One common solution is a VOIP (Voice Over IP) service, which can be based in the cloud or on-site.

The reality is that voice communication is still a far superior — and much more immediate — way for team members to connect with each other. It typically leads to richer, more sincere, and more empathetic communication, which in turn amplifies productivity.

These tools are like a tether to the corporate mothership. They’re a lifeline that allows everyone to feel connected to their colleagues and customers, but in a way that aligns with the mobility and functionality that today’s remote workers need.

Why many businesses are moving to the cloud
Of course, the image of a desktop phone doesn’t exactly convey a sense of mobility. And it certainly doesn’t solve the problem of being able to connect from any location.

That’s where cloud-based phone systems come in.

Cloud-based phone systems allow team members to receive company calls, access corporate voicemail, and set up virtual conferences from a basic Internet connection.

When employees step out of the office, calls can be forwarded and certain features can be accessed from their cell phone.

Traditional phone systems, on the other hand, often hinder remote workers’ communication effectiveness because of their limited mobile capabilities. This often results in lost money, lost productivity, and big headaches. Even worse, businesses often pay more for traditional phone systems in the form of equipment maintenance and outages.

Virtual communication systems create an overall experience that makes people feel like an effective part of the team, wherever they are. No more emotionless email exchanges and no more awkward, disjointed conference calls. At the end of the day, that’s good for your team, your company, and, most importantly, your customers.

HIPAA Email Encryption Requirements

Michael Menor is Vice President of Support Services for Tech Experts.

Question: does the Security Rule allow for sending electronic patient health information (e-PHI) in an email or over the Internet?

Answer: the Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected. The HIPAA Security Rule does not expressly prohibit the use of email for sending e-PHI.

However, the standards for access control, integrity, and transmission security require covered entities, such as insurance providers or healthcare providers, to implement policies and procedures.

These policies and procedures restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.

The standard for transmission security also includes addressable specifications for integrity controls and encryption.

By default, whenever you send or receive email, you must connect through the Internet to an email service provider or email server.

The reality is that most email service providers do not use any security at all. This means everything you send to or receive from your email service provider is unsecure, including your user name, password, email message, attachments, who you are sending to, and who you are receiving from.

It gets worse! Most email service providers connect to other email service providers without any encryption.
If the other party is not using a secure email service, their emails can also be compromised. So the email you send and receive through the Internet is wide open, unsecure, and can be intercepted and stolen by thieves.

This is one of the main causes for identity theft, spam, and PHI breaches.

According to the U.S. Department of Health & Human Services (HHS), “…a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.”

This basically states that encryption is required. If you choose not to encrypt your data, you must document, in writing, a reasonable explanation why you chose not to do so.

In the event of an audit, the Office for Civil Rights (OCR) will review your documentation and determine whether or not they agree with you. You’re required to encrypt PHI in motion and at rest whenever it is “reasonable and appropriate” to do so.

I’ll bet that if you do a proper risk analysis, you’ll find very few scenarios where it’s not. Even if you think you’ve found one, and then you’re breached, you have to convince the OCR, who think encryption is both necessary and easy, that you’re correct.

I have convinced myself and others that encryption is required by HIPAA.

Better safe than sorry, after all.

Six Tips For Dealing With Email Overload

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Most, if not all, small business owners are barraged by the large number of emails they receive on a daily basis. As a consequence, way too much time is spent on email that actually slows down productivity.

Email has become a ‘disruptive’ technology that could take you on a tangent and eat up your time fast. So, it is important to take charge of your inbox and filter unwanted emails. Here are some ways you could do that:

Prioritize incoming emails
As a rule, not every email you receive requires immediate attention. Filtering out the most important messages allows you to prioritize the emails you should answer and saves you valuable time.

Most email software has a few good filters that make this possible.

Set specific times to respond to your emails
Giving in to the temptation of checking and responding to your emails is actually an issue of inefficiently dealing with emails rather than the abundance of emails.

Instead of continuously checking your email from multiple devices, set specific times throughout the day to check your email and refrain from checking email outside these times. It is actually more efficient to respond to your emails in bulk rather than piecemeal.

Use the search function
Organizing your emails in folders is important; however, if you are searching for an old email, use the search function, the advanced search operators, and filters to quickly find what you are looking for.

Unsubscribe from unwanted lists
To eliminate the many emails that are not spam but which are still cluttering your inbox, take some time and unsubscribe from newsletters or services which you no longer read or use. Look into using a mass unsubscribe tool if you don’t want to unsubscribe from each list.

Use filters
Most email systems allow filtering, which you can assign to any type of email that you get regularly. For instance, a filter makes it possible to forward emails which contain particular keywords to your assistant or have a particular automated response to certain emails. This significantly reduces the amount of time you spend on email.

Turn off notifications from social media sites
You really don’t need to get an email each time someone responds to your Facebook comment or tweet. Since you’ll eventually see such updates once you actually visit those sites, they shouldn’t be allowed to clutter your inbox. In fact, such notifications are just distractions that could cut on your productivity.


Outlook.com Tips And Tricks

Ever since Microsoft switched Hotmail to Outlook some users have had difficulty adjusting to the changes even though it is essentially still the same, and attaching photos and files is more simple than ever before.

There are, however, some simple tips for those who have found the changeover confusing.

The important thing to remember is that your email address has not changed and continues to end with hotmail.com. You can even add an alias account via http://windows.microsoft.com/en-gb/windows/outlook/add-alias-account.

The alias makes use of the same contact list, settings and inbox as your primary email address.

Those who don’t like the default blue color scheme can also change it to suit simply by selecting the small ‘cog’ icon that can be found in the right hand corner of the Outlook window and selecting from the 18 available color schemes.

If you are writing an email that has turned out to be almost novel size but don’t have time to finish, just tap the button marked “Save Draft” on the colored Outlook menu bar.

This will save a copy to your Drafts folder and allow you to go back, finish and send it at a later time.

Improve Your Business With Tech Experts’ Email

By Tech Experts Staff
With the many different types of email offerings out there what type of email should you be using for your business and why?

At Tech Experts we offer several different email plans for your business needs that are reliable, secure, and offer many features you don’t find just anywhere.

Many people today make the mistake of trying to use free email services for their business. The main problem with free email services is that they are a huge security risk.

For example, if you use a free email provider such as Yahoo for your business email, anyone else can create email accounts in the same fashion as your company.

An example of this is that if your employees use email accounts like TJ.mycompanyname@yahoo.com for their email address, anyone that uses Yahoo for email could make a similar email address and act as if they are an employee of your company.

So what are the other kinds of email that Tech Experts hosts if you should not use free email services for your business?

We offer three main plans and another type of email called Hosted Exchange.

The first “Basic Plan” we offer allows you to have your own domain name which will increase your company’s security by not allowing hackers to use email addresses on your company’s domain.

This plan also offers the option of enhanced spam filtering, unlimited mail aliases, a basic website, and a maximum of 5 mailboxes.

This is our best “starter” plan allowing companies to get into email that’s secure without costing an arm and a leg.

Our second plan, the “Plus Plan”, offers all of the features of the basic plan but allows users to have 5 email accounts with enhanced spam filtering, still unlimited aliases, an enhanced website, unlimited mailing lists, and a maximum of 25 included mailboxes.

This plan is designed more for medium sized businesses that are already fairly well established but still haven’t taken the step to have their own domain or email services.

Our third plan, the “Advanced Plan”, offers an enhanced website still but with much more storage space, 10 email accounts with enhanced spam filtering services included, again unlimited aliases, unlimited mailing lists, and an unlimited number of mailboxes (up to 10 GB of storage space included).

This is our package for larger companies that have over 25 employees. Increased storage space can always be added as well as needed.

The final service we offer is called Hosted Exchange email. Hosted Exchange email takes security up a notch and improves on features and performance greatly.

Hosted Exchange email requires usernames and passwords just as the previous email offerings do but they can have other features enabled such as encrypted emails and archiving if your business is the type of business where you really need to be able to access other employees emails or if you need to keep them for a period of time for compliance reasons.

One major benefit to Hosted Exchange email is that it syncs across all of your devices. For example, if you send an email from your phone, that same email will show up in the sent items on your computer and on the Online Web Access.

Just the same, if an email is sent to you and you get it on one of your devices it will also show up on the other devices you have email setup on.

What’s really nice is that not only do the emails show up across all of your devices, the statuses update as well. So if you read an email on your phone, it shows as read on your PC as well.

So with all the email choices out there what works best for your company?

If you’re not sure of the answer to that question, give us a call and we can work with you to determine this.