There are not many ways to break into a bank; however, gaining access to personal bank accounts is becoming a very common way for criminals to get at the money. One way this is achieved is by getting the victim to click a link within an email. Spam is very cost effective for cyber criminals, as email is a nearly free way to send tens of thousands of messages in very little time, and the fake emails are often disguised to look like a message sent from the bank.
Email is an open door into your network; data passes through it every day. If you are like most small businesses, each email address receives a ton of messages. If criminals want to break in, some will be sneaky and throw on a disguise. By pretending to be someone else, such as someone you know, they will try to earn enough of your trust to steal from you. This includes messages that appear to be sent by your bank. Spammers will use the bank name, logos and include an urgent message to “log into” a fake website, giving the spammers your bank credentials.
Here’s how email phishing works:
- A criminal sends an email which appears to come from a trusted sender, such as a bank or a known contact.
- The email gives the recipient a message that requires action, such as logging into your account by following a link.
- The link is directed to the spammer's website, not the intended bank's home page.
- If you enter your credentials, the criminals now have your password!
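One way a mail filter or awareness tool can catch the third step, the link that leads somewhere other than the bank, is to compare where each link really points with what the visible text claims. The script below is an added example, not code from the original article; the bank domain `examplebank.com`, the lookalike phishing host and the sample email are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "account locked" notice whose visible link text
# shows the bank's address while the real target is a lookalike host elsewhere.
SAMPLE_EMAIL = """<p>Your account has been locked. Log in now to restore access:</p>
<a href="http://examplebank.com.login-verify.example.net/">https://www.examplebank.com/login</a>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help center</a>.</p>"""

TRUSTED_DOMAINS = {"examplebank.com"}  # the bank's real domain (assumed for this example)

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Crude last-two-labels rule: 'online.examplebank.com' -> 'examplebank.com'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def suspicious_links(html_body, trusted_domains):
    """Return (href, reason) for links that should not be clicked: the real
    target is not the bank's domain, or the visible text names a different one."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        target = registrable_domain(urlparse(href).hostname or "")
        if target not in trusted_domains:
            findings.append((href, "target host is not the bank's domain"))
        shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text, re.I)
        if shown and registrable_domain(shown.group(1)) != target:
            findings.append((href, "visible link text names a different domain"))
    return findings

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(f"{reason}: {href}")
```

The lookalike host is flagged twice (wrong domain, and visible text that does not match it), while the genuine help-center link passes; this is the same check a user performs by hovering over a link before clicking.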
It is difficult to catch every malicious email; even in our office a piece of spam sometimes slips through our filters. Here are a few simple reminders to keep top of mind:
- Even if you recognize the sender, it is best to access the website directly by typing it in your browser instead of clicking the link from your email. This is especially true for emails from financial institutions.
- If you receive an urgent message from a known contact, do not click any links or download any attachments. You should verify this contact intended to send you such an email, especially if the urgent message seems fishy.
- Never send private information via email. Legitimate companies will never ask you to send passwords, credit card numbers, social security numbers, or any other important information via email.
- Consider two-factor authentication, which is easily set up through your online bank: a second password, generally sent as a text message to your cell phone, is required in addition to your regular one.
- Review subscription based firewalls, also called Unified Threat Management (UTM).
- Spam filtering is a must in this day and age, even if your mail host has a spam filter; definitely consider a service if spam is still reaching your inbox.
- Antivirus is one of the last lines of defense; you should not leave the maintenance of the virus definitions or the alerting of a virus infection up to the end user (employee). Your IT/Managed Service Provider (MSP) can provide Managed Anti-Virus, keep subscriptions up to date, and ensure workstations are scanned regularly. The MSP is also alerted to any virus infections and can react quickly, versus an employee who may not be behind their computer to notice the infection notification.
- Have at least 3 copies of your critical data, and 1 of those copies should be off-site using a cloud backup solution from an MSP.
Social engineering is becoming smarter. In the past you could spot spam simply by its misspellings, but today spam messages are spelled and worded much better, and they even appear to come from your bank by using its name and logo.
Business owners can protect their information and train their employees with security awareness. This is a service or program that sends fictitious phishing emails to the staff, asking for a response. If the user does the wrong thing and clicks the link, a message is displayed stating that it was sent by IT support as a training exercise. These services can also include a mandatory 10 minute training video when the user takes action on the fictitious email. This is important, as it explains to the employee how to spot phishing emails and stresses the risks associated with clicking an email link or opening an email attachment from an unknown source.
Your IT provider can offer layered security (firewall, antivirus, spam filtering, web protection, backup and patch management) to lower your chances of being infected should a dangerous piece of spam enter your network and convince a user to inadvertently install an infection. You might be surprised how inexpensive business grade protection can be; additionally, it takes away the added stress imposed on the business owner, allowing them to focus their time on other items.
Jeff Olejnik is the President of Newport Solutions, Inc. He has been an ASCII group member since 2016.