In 2020 we saw a huge increase in cybercrime. That is partly due to the pandemic: cybercriminals love to jump on new trends to make their messages look legitimate, and unfortunately the pandemic gave them exactly that opportunity.
The pandemic aside, these criminals have continued to get better and better year after year.
In fact, the correspondence they send out appears so real it’s easy to be fooled into providing your credentials and financial information.
How do these criminals do it?
Email is Potentially Dangerous
Cybercriminals' favorite and most-used tool for gaining access to your data is email. The technique is called phishing, and it is the number one way they get in.
Criminals use phishing because it is easy for them to make the emails “look” official. They do a little research on your company, and they have all the information they need.
Then they send you emails from an email address that you recognize.
You open the email, because you believe you know the person, and you click a link, open an attachment, or follow instructions in the email.
Phishing schemes work so well because the emails look official, and spotting them relies on the savviness of the employee who receives them.
If your employee is not trained to watch for these types of emails they will unknowingly open them.
And when they do, you have a huge problem on your hands: stolen data, lost data, drained bank accounts, devices that no longer work, employees who are unable to work, and downtime that can be devastating to your business.
I want to share with you the ways cybercriminals gain access to your assets to help you from being phished. But remember, to truly be safe and protected you need a solid data backup and disaster recovery plan, what we call “business continuity planning”, and ongoing employee training.
I’ll be talking more about business continuity planning and ongoing employee training in future articles.
The Five Ways Cybercriminals Hack Your Business With Email
#1 Spear Phishing
You receive an email from an organization you are familiar with or someone you know well. The email will ask for some kind of information. For example, you could receive an email from the bank you use, let’s say Bank of America, asking you to reset your password.
EXAMPLE of a phishing email disguised to look like it came from Bank of America:
#2 Whaling
Think of whaling like this: spear phishing goes after the small fish, and whaling goes after the big fish, the C-suite of a company. Or the phishing email appears to come from a C-suite person. Either way, it is designed to look even more official because it supposedly comes from an executive within the organization.
EXAMPLE whaling attack email, disguised to look like it came from the CFO:
#3 Mass Phishing
Emails are sent to hundreds and sometimes thousands of people insisting that a password needs to be changed or credit card information needs to be updated. These emails can go to everyone in your organization or to multiple companies at the same time. They look like, and ask for the same types of information as, spear phishing and whaling emails. They just go to more people.
#4 Ambulance Chasing Phishing
Cybercriminals use a current crisis or event to create a sense of urgency to gain access to valuable information. This is what took place with the pandemic. The pandemic created an easy way for attackers to play upon fears and unknowns about the virus. So they sent out phishing scams.
EXAMPLE Ambulance Chasing Phishing email, sent to the State of New York Unemployment Claim applicants:
#5 Pretexting
Pretexting is the set-up before the crime. The criminal corresponds with the recipient through other channels before the malicious email is sent. Those other channels might be a voicemail, a text message or a delivery notice. Essentially, it is a message letting the recipient know that they should expect to do something or receive something in the next couple of days, so the malicious email that follows looks expected.
So now that you know how phishing works, let’s talk about how to spot a phishing email.
How to Spot A Phishing Email
If you receive any email that seems out of sorts, odd, or just plain weird in any way, even if you recognize the sender, check the “signed by” field of the email. The signed-by field comes from the email's DomainKeys Identified Mail (DKIM) signature.
You can check this in Gmail by clicking the three dots in the top right of the email message, choosing “Show original”, and looking at the DKIM line. There you will see the domain that signed the email, normally the sender's own domain. For example, in the image below you can see where to click the three dots and “Show original” to reveal my domain, Attaintechnology.onmicrosoft.com, in the DKIM line.
Here’s an example DKIM with my domain:
If an email is sent through a service like Drive, Box, Dropbox, ActiveCampaign or Calendar, the DKIM line will show the service provider's domain instead. For example, here is an email signed by google.com.
This email was sent from Google Calendar; you can see Google's domain, google.com, in the DKIM line.
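The check described above can also be done outside Gmail on the raw message (what “Show original” displays). The following Python script is an added example, not code from the article or from Attain Technology: it reads the DKIM-Signature header, pulls out the d= tag (the domain Gmail reports as “signed by”), and compares it with the domain in the visible From: address. The three sample messages, the domains example-bank.com and mailer.example.net, and the verdict labels are all constructed for the example; the script does not verify the signature cryptographically, it only shows which domain claims to have signed the mail.

```python
import email
from email import policy

# Constructed sample messages (not real mail, not from the article). The DKIM
# signature values are placeholders; nothing here verifies a signature
# cryptographically. Only the From: domain and the DKIM d= tag are inspected.
ALIGNED_MSG = """From: "Accounts Payable" <ap@example-bank.com>
To: you@example.com
Subject: Your statement is ready
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example-bank.com;
 s=sel1; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=

Your monthly statement is attached.
"""

THIRD_PARTY_MSG = """From: "Accounts Payable" <ap@example-bank.com>
To: you@example.com
Subject: Please reset your password
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailer.example.net;
 s=sel1; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER=

Click the link below to reset your password.
"""

UNSIGNED_MSG = """From: "Accounts Payable" <ap@example-bank.com>
To: you@example.com
Subject: Urgent: update your card details

Reply with your card number today.
"""


def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value into its tag=value pairs.

    Tags are separated by ';' and the first '=' separates name from value, so
    base64 padding inside the b= and bh= values is preserved.
    """
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip().lower()] = value.strip()
    return tags


def sender_domain(msg):
    """Return the domain of the first address in the From: header, lowercased."""
    header = msg["From"]
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].domain.lower()


def is_aligned(signing_domain, from_domain):
    """Relaxed alignment: same domain, or one is a subdomain of the other."""
    if not signing_domain or not from_domain:
        return False
    return (signing_domain == from_domain
            or signing_domain.endswith("." + from_domain)
            or from_domain.endswith("." + signing_domain))


def assess(raw_message):
    """Report which domain(s) signed a raw message and whether the signer
    matches the visible From: domain.

    Verdict labels are heuristics chosen for this example:
      aligned            - a DKIM d= domain matches the From: domain
      third-party-signer - signed, but only by some other domain
      unsigned           - no DKIM-Signature header at all
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = sender_domain(msg)
    signers = []
    for header in msg.get_all("DKIM-Signature", []):
        # str() yields the unfolded header value under policy.default
        d = parse_dkim_tags(str(header)).get("d", "").lower()
        if d:
            signers.append(d)
    if not signers:
        verdict = "unsigned"
    elif any(is_aligned(d, from_domain) for d in signers):
        verdict = "aligned"
    else:
        verdict = "third-party-signer"
    return {"from_domain": from_domain, "signed_by": signers, "verdict": verdict}


if __name__ == "__main__":
    for label, raw in [("aligned", ALIGNED_MSG),
                       ("third party", THIRD_PARTY_MSG),
                       ("unsigned", UNSIGNED_MSG)]:
        print(label, assess(raw))
```

Read the verdict the same way the article reads the Gmail field: a third-party signer is normal for mail sent through a service such as the Calendar example, so it is a prompt to look more closely rather than proof of phishing, and an unsigned message deserves the most suspicion. An aligned signature only shows that the mail really came from the domain in the From: address, so you still need to confirm that domain is the one you expect from that sender.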
You must be aware and watchful of emails at all times. It’s better to be cautious when an email seems off to you, regardless of the sender.
Protecting Yourself from Phishing Emails
Now that you know the number one way a cybercriminal attacks and gains access to your valuable data and you know how to spot a phishing email, how do you protect yourself?
There is no foolproof way to protect yourself from phishing emails, which is why you need a professional Managed IT Services partner to help you stay safe and protected with a business continuity and disaster recovery solution.
We will put a shield around all your computers, your network and your data to prevent cybercriminals from getting in. Then, we’ll implement regular backups of all your data, so that in the event of a data breach, we will lock it down and neutralize it, then restore your data and network – keeping you up and running.
But, as we’ve discussed in this article, your employees can be manipulated with phishing scams. This makes them the weakest link in the chain of cybersecurity.
And while this article shows you how to identify a phishing email, we deliver in-depth ongoing cybersecurity awareness training for your employees to ensure you are as safe as possible.
This, along with a solid business continuity plan will mitigate the risks of a data breach.
A business continuity plan for your company will help ensure your data is backed up so when an attack happens you will be up and running in a matter of hours, not weeks or months.
Protecting your business is vital to your success … but there is a major benefit to your employees as well.
Imagine the anxiety you would have if you clicked a link in an email and unleashed a virus, a worm, or a trojan onto your company’s network.
When you have a solid business continuity and disaster recovery solution in place, your employees will feel more at ease opening emails and can focus on being productive, because they understand what to be cautious of and how to report an issue if, god forbid, they do click a link planted by a savvy cybercriminal.
Because they know your business won't be devastated by downtime that lasts for days, weeks, even months. You have a business continuity and disaster recovery plan in place.
If you would like help implementing cybersecurity awareness training for your employees or developing a business continuity and disaster recovery plan, you can sign up for a free Construction Technology Audit here.
We will help you assess your current vulnerabilities and recommend a plan to help you stay safe and protected.