Professional Development & Learning Services

Hacking, Ransomware, Scams, Intrusions, Phishing – Bad for Business By Any Name!

Photo by JP Valery

Every business knows the importance of staying current in the marketplace. Well, cyber-thieves and scammers are no exception! They take every opportunity to add to their repertoire, refresh their schemes to hijack your legitimate business operations, and make more money for themselves. For business owners, this is more than staying ahead of your competition – it’s become a matter of survival to side-step these high-tech criminals!

It only takes one incident or cyber-intrusion to compromise your brand and reputation, open your company to extortion and litigation – and possibly close your doors forever.

Today in the media it’s fairly common to hear about cyber-attacks against corporations and larger companies. Yet, statistically there are more online attacks aimed at small businesses because:

  • Smaller companies usually have fewer resources to devote to IT personnel, cybersecurity, employee training, and ongoing prevention measures;
  • Smaller firms tend to be more complacent than their corporate counterparts, mistakenly thinking “who’s going to bother with us when there’s bigger fish to fry!”

And it’s exactly for these reasons that small business leaders and owners must stay alert and be aware of current computer threats! You are in the crosshairs as the perfect cyber-target!

Just the Facts…

Cybersecurity awareness is the first step to ensuring your company isn’t easily victimized; thousands of small businesses fall prey to malware, hacking, phishing, and other types of internal and external intrusions every year.

In 2018, the Ponemon Institute conducted independent research on data protection and emerging information technologies with the help of 1,045 small and medium-sized businesses in the U.S. and the U.K.

Based on responses, they discovered:

  • 60% of companies that experienced a data breach identified a negligent employee or independent contractor as responsible.
  • Up to 82% experienced malware and data exploits despite having intrusion detection or antivirus software.
  • Mobile device access to business-critical applications and IT infrastructure was the most common network vulnerability identified.
  • ⅔ of the surveyed companies had been threatened by ransomware and 70% of those companies paid an average of $1466 to the cyber-thieves to retrieve their property. (Don’t be fooled by the apparent low dollar value; cyber-criminals are using ransomware less to generate revenue and more to disguise other attacks.)
  • 47% of respondents admitted that they had no clear understanding of how to protect their companies against cyber-attacks.

Although small businesses are considered easy targets for cyber-crime, you can proactively protect your company. Knowing what to expect is key, because then you and your teams can plan accordingly.

Photo by Nahel Abdul Hadi

Domain Hijacking

Domain hijacking occurs when a domain name is stolen from the legitimate owner. Once thieves gain control of your domain name, they can usurp your legal rights and claim ownership to a crucial piece of your business. Some scammers will even offer to sell it back to you for an exorbitant sum – effectively ransoming your domain name.

Because your domain name is your organization’s online identity, it’s one of the most important assets your business owns, controls, or holds the rights to. And would-be thieves know it. If they are successful, not only do you lose access to your website and email (including employee, vendor, partner, and customer information), but also your organization’s good name is threatened if the hijackers begin using your domain for illegal activities.

In some schemes, unsuspecting business owners actually sign away their rights via email communications with someone pretending to be the domain name registrar and asking for signatures on updated agreements. A quick phone call can easily confirm that you are speaking to YOUR domain registrar company and not an impersonator.

Others lose their rights by neglecting to renew their registration BEFORE it expires. Sometimes you are so engrossed running your company, you can forget important events. Domain renewal is as important as paying taxes or renewing insurance and business registrations; it must be prioritized as such.

While you might get away with forgetting your anniversary, forgetting that your domain name has an expiration date is not so forgiving. Using high-tech tools, cyber-thieves are ready to grab your domain rights the nano-second it expires! Literally!

To protect your domain name from being hijacked:

  1. Don’t ignore or overlook the renewal reminders from your domain registrar company. Make sure your domain is renewed every year and your contact and billing information is current.
    • Use your calendar to remember domain renewal anniversaries. Prioritize domain renewal on your Must-Do’s.
    • Delegate responsibility for early renewal. If you have an IT person or Assistant, communicate the importance of staying on top of all crucial due dates, including domain registration.
  2. Ask your domain registrar to contact you before allowing any changes.
  3. Use a separate email address for the accounts you use to manage your domain. Secure your ownership information, domain records, and account access details.
  4. Optionally, use a domain privacy service to hide the contact information of your domain.

Photo by David Rangel

Business Email Compromise (BEC)

One of the fastest growing scams, BEC is also called “email spoofing”, “CEO fraud”, and “W-2 phishing”. Cyber-criminals take advantage of your company’s operational or IT vulnerabilities, or your employees’ loyalty and trust. They use your company’s information for illegal activities including identity theft and continue to profit by selling your proprietary and confidential information on the dark web.

Usually a company executive’s email or phone number is spoofed (this information is easily found on LinkedIn or your company website). Scammers send requests or texts to unsuspecting employees from an internal email address or a supervisor’s phone number to gain access to protected information for what appears to be a legitimate business purpose. The crooks count on most employees not questioning a company leader and completing the request as soon as possible.

BEC involves two basic ploys:

  1. The phony message is sent to Accounts Payable. The request contains bank information to route funds for a vendor payment – actually it’s to the cyber-thief’s bank account. A variation on this scam is that the fake message comes from a vendor or supplier asking to change or update their payment account information.
  2. The bogus message is sent to Human Resources or Payroll. The request is for a list of employees, including their W-2 information. If successful, the cyber-criminals gain access to your people’s home addresses, social security numbers, wage and tax information, etc. – everything needed for identity theft and tax ID fraud. A slight twist on this one is that the email seems to come from HR instructing the employee to update their login credentials – so those accounts can be accessed remotely by the intruders.

In any case, the thieves’ goals are simple:

  • steal funds from your business; and
  • gain access to confidential personal and financial information (putting anyone associated with your business at great risk).

To prevent BEC, educate your team about this cyber-threat and share these tips to spot spoofed and spear-phishing emails.

  • Contact the actual person on a number known to be legitimate before completing the request to send money or provide personnel records.
  • Verbally confirm any emailed instructions to change payment methods or bank information by calling the vendor or supplier on a known contact number. (Don’t call the phone number listed in the suspicious message.)
  • Carefully check the sender’s email address to ensure it’s genuine. Scammers usually change the address slightly (adding a letter or changing punctuation) to make it look legit on first glance.
  • Don’t click on links or open attachments in any suspicious business email as it could unleash malware.
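The “check the sender’s address” tip is easy to state and hard to do by eye, because the whole point of a look-alike address is that it survives a first glance. The script below is an added example written for this post, not code from the author; it checks a From: header against a constructed allowlist of legitimate domains and flags the two tricks the tip describes: a domain one or two edits (or a confusable swap such as rn for m, or 0 for o) away from a real one, and a genuine-looking address planted in the display name while the real address points elsewhere. The domain names, the allowlist, and the edit threshold are all this example’s own assumptions.

```python
import re

# Constructed allowlist: the domains this hypothetical company and its
# vendors really send from. A deployment would load this from configuration.
TRUSTED_DOMAINS = {"acme-widgets.com", "bigvendor.net"}

# Character substitutions commonly used to build look-alike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Maximum number of single-character edits for a domain to count as a look-alike.
MAX_EDITS = 2

# Minimal From: header parser for this example: optional display name, then <address>.
FROM_RE = re.compile(r'^\s*(?:"?(?P<name>[^"<]*?)"?\s*)?<(?P<addr>[^<>\s]+)>\s*$')


def parse_from(header):
    """Split a From: header into (display name, address); a bare address has no name."""
    m = FROM_RE.match(header)
    if m:
        return (m.group("name") or "").strip(), m.group("addr").strip()
    return "", header.strip()


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain):
    """Lower-case the domain and undo the common confusable substitutions."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def sender_domain(address):
    """Return the domain part of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def is_trusted(domain):
    """True for an allowlisted domain or any subdomain of one."""
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def check_sender(from_header):
    """Classify a From: header as trusted, lookalike, display-name-spoof or external."""
    display_name, address = parse_from(from_header)
    domain = sender_domain(address)
    if not domain:
        return {"address": address, "verdict": "external", "reason": "no parsable address"}
    if is_trusted(domain):
        return {"address": address, "verdict": "trusted", "reason": "domain on allowlist"}
    # Trick 1: a trusted address shown in the display name, real address elsewhere.
    for t in TRUSTED_DOMAINS:
        if t in display_name.lower():
            return {"address": address, "verdict": "display-name-spoof",
                    "reason": f"display name mentions {t} but address is at {domain}"}
    # Trick 2: a domain within a few edits, or a confusable swap, of a trusted one.
    for t in TRUSTED_DOMAINS:
        if edit_distance(normalise(domain), normalise(t)) <= MAX_EDITS:
            return {"address": address, "verdict": "lookalike",
                    "reason": f"{domain} resembles {t}"}
    return {"address": address, "verdict": "external", "reason": "unknown domain"}


# Constructed sample headers for a self-check.
SAMPLE_HEADERS = [
    'Jane Doe <jane.doe@acme-widgets.com>',
    'Jane Doe <jane.doe@mail.acme-widgets.com>',
    'Jane Doe (CEO) <jane.doe@acrne-widgets.com>',
    'Accounts <billing@bigvend0r.net>',
    '"jane.doe@acme-widgets.com" <ceo.urgent@example.org>',
    'Newsletter <news@example.org>',
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        r = check_sender(h)
        print(f"{r['verdict']:18} {r['address']:35} {r['reason']}")
```

A "lookalike" or "display-name-spoof" verdict is a reason to pick up the phone, exactly as the tips say, not proof of fraud; and with a short allowlist, an edit threshold of 2 will occasionally flag an unrelated domain, which is the safe direction for an error in this context.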

If you discover a fraudulent transfer occurred because of BEC:

  • Contact your bank immediately as it may be able to stop the transaction or recall the funds.
  • Save all emails and other evidence of the attack. Report and provide copies to law enforcement.

Photo by Michael Geiger

Scareware

Beware if you receive a tech support message claiming your computer system is infected and that you must download software immediately to eradicate the problem and stop it from spreading. This is a giant red flag!

Scareware is a scam in which cyber-criminals try to gain your credit card information and access to your computer by tricking you into buying fake antivirus software. If the scam works, you will end up installing malware or spyware on your computer and sharing your financial information in the process! Their scareware allows them to access your files, send out fake emails in your name, or track your online activity.

To protect your business from scareware, teach your team to recognize the warning signs and think before they act.

  • The pop-up warning looks scary, makes noise, and is hard to close! They try to frighten you into panicking and not thinking clearly. If unable to close the pop-up, use Ctrl-Alt-Delete to shut things down. Never click the download button.
  • Before downloading and installing any software over the Internet, research the product and company’s official website online. Avoid future frustration by taking a few minutes now to ensure everything is on the up and up.
  • Legitimate businesses will take company credit cards. They will never require your business to pay with Google Pay, Amazon cards, or bitcoin, etc.

Cyber-Smart

Staying safe online must be a company priority for all businesses. As an owner or business leader, you should:

  • Acknowledge cyberthreats are real and clearly communicate to your teams that IT protocols must be followed.
  • Allocate the resources needed to protect your company. Educate your employees and contractors about online safety.
  • Cover cyber-incidents in your Business Continuity Plan. Communicate, train, and practice scenarios to ensure everyone is on-board and knows what to do.
  • Buy cyber-insurance as an additional layer of protection for your business.


* DISCLAIMER:
The contents of this site are targeted to a U.S. audience. This information is provided solely for reference purposes and should not be construed as providing legal or tax advice, nor as an endorsement of any particular business, organization, or institution.

Author: Julie Ramdial, President of U Learn Enterprises, Inc.