Can you remember the last time you spent a couple of hours away from technology? Smart phones, smart watches, tablets, laptops – you name it – we can’t live without them. Technology is so embedded in our day-to-day lives, yet there is still a scary number of people who don’t protect themselves properly online, and suffer for it.
“58 percent of malware attack victims are categorised as small business.” Via Barkly.
Yep – that’s right! As if we don’t already have enough on our plates, small businesses are actually big victims when it comes to cyber attacks.
Not only are small businesses being hit by hackers, the attacks are costing them a lot of hard-earned cash. In 2017, average malware-related costs for small and medium-sized businesses were $1,027,053 for damage or theft of IT assets and $1,207,965 for disruption to normal business operations. Sobering, right? Via Barkly.
Here are some other sobering statistics for you:
- About 14.5 billion spam emails are sent every single day.
- For every 12.5 million spam emails sent out, only one person responds. That might not sound like much – until you consider that over 14 billion spam messages are sent on a daily basis.
- Spam earns senders around $7,000 per day. Even with only one response per 12.5 million messages sent, spammers earn around $3.5 million from spam email over the course of one year.
So what are we doing wrong, and how can we protect ourselves better?
It’s so important to understand cyber security risks and to have appropriate security measures in place to reduce the risk of becoming a victim.
92.4% of malware is delivered via email. Via Barkly.
Email is the most commonly used attack vector to penetrate a business. On average, each user at a small business (fewer than 250 people) receives 9 malicious emails per month. All it takes is one slip or one wrong click for your business to be compromised.
Jargon Buster: Phishing – the practice of sending an email that pretends to be from a reputable company in order to lure individuals into handing over information or opening links and attachments.
Phishing emails may impersonate well known brands, like Xero, to lure the recipient into clicking on malicious links and attachments, to infect devices with malware or steal usernames and passwords.
You need to be wary each time you receive an invoice or document via email. In the example we saw, the biggest giveaway that it was a phishing email was the sender’s email address and domain name.
While the email claimed to be from Xero and to contain an invoice, the sender address showed otherwise. A legitimate company sends email from its own domain and nothing else; for Xero, that means an address ending in @xero.com or a subdomain of xero.com. Read the part after the @ from right to left: the real domain is whatever comes last, so ‘invoice@xero.com.something.net’ is not Xero, even though ‘xero.com’ appears in it.
If the recipient clicked one of the links, it would most likely have opened a web page that looks exactly like the Xero login page – something you’re very familiar with, so you wouldn’t think twice about entering your details. Once they have your Xero login, the attackers would sign in to your real Xero file, steal your contacts’ email addresses and any other information, and then feed the same email and password into software that tries them against thousands of other websites every second (this is known as credential stuffing).
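The sender-domain check described above, as an added example (this code is not from the original post or from Xero): it parses the From and Reply-To headers of two constructed messages and flags the tricks the post describes. The brand table, the set of digit-for-letter swaps and the sample messages are assumptions for illustration.

```python
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Hypothetical brand -> legitimate domain table (only the Xero entry comes from the post).
BRANDS = {"xero": "xero.com"}

# Digit-for-letter swaps commonly used in lookalike domains (assumed set, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample messages: one genuine-looking, one mimicking the phishing email described.
LEGIT_MESSAGE = """\
From: Xero <invoices@xero.com>
To: accounts@example-business.test
Subject: Invoice INV-0042 from Example Pty Ltd

Hi, please find your invoice attached.
"""

PHISHING_MESSAGE = """\
From: Xero <invoice@xero.com.billing-notice.example>
Reply-To: collections@mailer.example
To: accounts@example-business.test
Subject: URGENT: your invoice is overdue

Click here to view your invoice.
"""


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an address like 'Xero <a@b.com>'."""
    _display_name, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def is_from_domain(address: str, legit_domain: str) -> bool:
    """True only if the address is at legit_domain itself or a subdomain of it.

    A substring test ('xero.com' in domain) is the classic mistake: the attacker-owned
    'xero.com.billing-notice.example' contains it, but the real domain is the last part.
    """
    domain = sender_domain(address)
    legit = legit_domain.lower()
    return domain == legit or domain.endswith("." + legit)


def lookalike_of(domain: str, legit_domain: str) -> bool:
    """True if the domain only equals legit_domain after undoing digit swaps, e.g. xer0.com."""
    legit = legit_domain.lower()
    normalised = domain.lower().translate(CONFUSABLES).replace("rn", "m")
    return domain.lower() != legit and normalised == legit


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the reasons to distrust the sender of an RFC 5322 message (empty list = none found)."""
    msg = message_from_string(raw_message, policy=default)
    from_header = str(msg.get("From", ""))
    reply_to = str(msg.get("Reply-To", ""))
    subject = str(msg.get("Subject", "")).lower()
    display_name, _ = parseaddr(from_header)
    from_domain = sender_domain(from_header)
    findings = []

    for brand, legit in BRANDS.items():
        claims_brand = brand in display_name.lower() or brand in subject
        if claims_brand and not is_from_domain(from_header, legit):
            findings.append(f"claims to be {brand} but sender domain is '{from_domain}'")
        if lookalike_of(from_domain, legit):
            findings.append(f"sender domain '{from_domain}' is a lookalike of {legit}")

    # Replies quietly routed to a third domain are another common sign of a scam.
    if reply_to and sender_domain(reply_to) != from_domain:
        findings.append(f"Reply-To goes to '{sender_domain(reply_to)}', not the sender's domain")
    return findings


if __name__ == "__main__":
    for label, message in (("legit", LEGIT_MESSAGE), ("phishing", PHISHING_MESSAGE)):
        print(label, phishing_indicators(message) or ["no indicators"])
```

The check is deliberately strict about where the legitimate domain sits in the address: it must be the whole domain or the rightmost part of it, never merely appear somewhere inside it.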
This is why you should never have the same password for everything!
Attacks are becoming more severe and more sophisticated. Spear phishing is the perfect example of this.
The scammer sends a personalised email to either a group of employees or a specific executive officer or senior manager. The email is designed to look like it has been sent from a trustworthy source such as the employer or other staff members within the organisation.
The email addresses may look similar (but not identical) to frequently used email addresses. The subject of the email is usually about a fake ‘critical’ business matter, such as a legal subpoena or a customer complaint.
The scammer’s aim is to convince you that the email requires urgent action by following a link to a fake website. When you visit the fake but convincing website, it will ask you to do one or more of the following:
- enter confidential company information and passwords
- provide financial details, or enter them when making a payment for a fake software download.
If financial details are provided, the scammer will use them to carry out fraudulent activities.
Alternatively, the email may ask you to download an attachment. If you do, it will download malware onto your computer. Malware can record your key strokes, passwords and other company information, allowing the scammer to access it when you go online. Via ScamWatch.
Are your details being sold on the black market?
Not long ago, a staff member at our office received a spam email. The subject line contained her old email address and a password she used to use for EVERYTHING. It was a threatening email, stating that they would share personal information they had obtained if she did not pay them $$$.
We checked that she no longer used those login details for anything, and all was fine. But it posed the question: how and where did they get these details?
Well, it’s likely that her email address and password were exposed in a data breach a long time ago, and those details were bought recently on the black market to run new phishing and extortion schemes.
Yep – you heard that right! Scammers can buy lists of millions of previously compromised login details to run new phishing schemes just like the one our team member received.
Want to know if your information has been stolen in a prior breach?
You can enter your email address at HaveIBeenPwned. This site monitors hacker sites and collects new data every five to 10 minutes about the latest hacks and exposures.
Since phishing is still the number one data theft risk, you should be extra vigilant with every email message you receive. If you get an email or notification from a site that you find suspicious, never click on, follow or open its links and attachments. Take this phishing IQ test to see if you can spot a fake email.
Also, never reuse the same password across multiple online accounts. Many people use the same username and password on multiple sites. This is a terrible practice: one breach hands attackers a working login for every site where those credentials are reused. If you’re using the same credentials on multiple sites, change them now so that each one is unique. (Via Komando)
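HaveIBeenPwned also publishes the passwords found in breaches, and you can check a password against that list without ever sending the password itself. The added example below (not code from the original post or from the HaveIBeenPwned project) shows the k-anonymity scheme its Pwned Passwords range API uses: only the first five characters of the password’s SHA-1 hash leave your machine, and the match is made locally. The sample range response and its counts are constructed for illustration, not real figures from the service.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for what the range endpoint returns for prefix 5BAA6
# (lines of 'SUFFIX:COUNT'); the counts are illustrative only.
SAMPLE_RANGES = {
    "5BAA6": """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
3D7D65D5E0DDFC18B0F3E5B89E1E0BE6F0C:0
""",
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the API and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padding entries with a count of 0 are harmless."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_lookup) -> int:
    """Number of times the password appears in breaches.

    range_lookup maps a 5-char prefix to a range response body, so the same
    matching code works offline (sample data) and online (fetch_range).
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(range_lookup(prefix)).get(suffix, 0)


def offline_lookup(prefix: str) -> str:
    """Range lookup against the constructed sample data; empty body if the prefix is unknown."""
    return SAMPLE_RANGES.get(prefix, "")


def fetch_range(prefix: str) -> str:
    """Live range lookup (network). Add-Padding asks the service to pad the
    response so its size does not leak which prefix was queried."""
    request = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demo only; swap offline_lookup for fetch_range to query the real service.
    for candidate in ("password", "Tr0ub4dor&3-unique-to-this-example"):
        seen = breach_count(candidate, offline_lookup)
        verdict = f"seen {seen} times in breaches, do not use" if seen else "not found in the sample range"
        print(f"{candidate!r}: {verdict}")
```

Any password that comes back with a non-zero count is already on the lists scammers buy, so it should be treated as burned even if you have never had a breach notice for it.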
Key things to do at your office
- Make sure all staff follow good password practices – use strong, unique passwords for each service or site (password manager software can help). Use additional authentication (two-step or multi-factor authentication – 2SA, 2FA, MFA) wherever it’s available, especially on your Xero, email and other financial services accounts.
- Train your staff to spot phishing and other malicious emails. Educate them about social engineering and common scams, such as help desk and investment broker cold calls and advance fee fraud. Have a process to verify payment requests (for example, confirm any new or changed bank details by phone on a number you already have on file, never one given in the email) so you don’t fall victim to spear phishing or whaling.
- Keep your systems updated with security patches. Use reputable anti-malware software and keep it up to date.
- Back up your local data daily, and keep a copy off site and disconnected from the source systems, so that ransomware on your network cannot reach it.
Meanings behind common words you may have heard:
Malware (malicious software) – Software designed to give unauthorised access to a system, or to cause damage or disruption to a system. Malware is often downloaded onto a user’s computer by visiting a malicious site, clicking an unsafe link or opening a malicious attachment.
Ransomware – Extortion through the use of malware that typically encrypts a computer’s files or locks the system. Attackers demand that victims pay a ransom to regain access. It can also be accompanied by a claim that the computer was locked because of illegal or questionable conduct by the victim.
Spyware – Software that aims to gather information about a person or organisation without their knowledge, and that may send such information to another party without the user’s consent, or that takes control of a computer without the user’s knowledge.
Trojan – A Trojan horse or Trojan is any malicious computer program that tricks users by disguising its true contents. The term is derived from the Ancient Greek story of the wooden horse that was used to invade the city of Troy. For example, a user may download an app believing it to be a legitimate program, when it actually carries malware.
Weaponized documents – Ordinary-looking files such as Office documents or PDFs, usually sent as email attachments, that carry hidden macros, scripts or exploit code. Opening the document runs that code, which installs malware that gives the attacker backdoor access to the computer in order to steal information.
Download a full list of Cyber Security jargon via Connect Smart here.
- Xero Security page & Xero Security Noticeboard
- Online Safety Webinar
- ACORN Australia
- https://www.staysmartonline.gov.au/ & https://www.csa.gov.sg/
- The Center for Cyber Safety and Education resources for children, parents and educators
- Check if your email account has been compromised in a data breach (Note: the data on this site only includes those breaches where the compromised accounts have been made public)