Phishing attacks are an email-based social engineering tactic that cyber criminals use to target you through your device. A successful phishing attack can allow a criminal to install a RAT (Remote Access Trojan) on your system, lock up your device with ransomware, enroll your machine in a botnet, access your banking and financial information, steal proprietary information, maintain a long-term presence on your home or business network, or move on to your contacts and wreak havoc on your friends, family, business associates and worse.

Phishing vs. Spear Phishing

Simply put, phishing is a broad, wide-scale attempt to catch whatever jumps into the net. The Nigerian Prince email scam is an early example of a general phishing campaign.

Spear phishing is a targeted attempt directed at specific members of your organization, usually those who control or have access to the information or systems that the criminal is after. Spear phishing attacks succeed more often when the attacker spends more time investigating the victim. Investigating many spear phishing targets is easy: the attacker studies the victim’s social media accounts, the company’s own website, and public databases. Many times the ease of finding personal information dictates who the target is, not the other way around.

It is important to remember that most times cyber crime is NOT personal. It’s not about you or your circumstances. When the target is money it doesn’t matter if you have $50 or $50k, if you leave easy access to it a criminal is going to steal it. Some of the most well known “hacks” in recent news were successful phishing attacks.

Small Businesses are a major target

Small businesses are now a major target of phishing campaigns because they are assumed to have less knowledge, fewer resources, and generally care less about security. Many see cyber crime as something that happens to other people, not “lil ole” them. Or worse, something that they can get around to later since they’ve been lucky so far. This attitude has proven to be fatal for thousands of Small Businesses and individuals all over America.

According to Symantec, 43% of cyber attacks target small businesses, and 60% of small businesses that have been hit with an attack shut down within 6 months.

Another Symantec report shows that about 1 in 40 small businesses are at risk of being the victim of a cyber crime. That pales in comparison to the 1 in about 2 large businesses which are targeted every year — multiple times — with a cyber attack.

The 2016 State of Small Business Cybersecurity Report shows that “hackers” have breached half of all small businesses in the United States. A 2017 CNBC article states that 14 million small businesses were hacked in a 12 month span.

[Figure: Phishing and Cyber Attacks against Small Businesses. Source: Symantec infographic on small and large business cyber attacks]

So what can you do?

I wish I could tell you that there was an easy button that would solve all of your cyber security problems, but there isn’t. You will have to learn a few things and make an effort. There’s also no such thing as completely safe, but there is safer. Unless you’re being specifically targeted, cyber criminals tend to look for easy targets. It’s not personal. You’re just a system or a device standing in the way of the prize.

In this article I’m not trying to make you an email security savant. I just want you to take some basic precautions so that you stop being an easy target.

Since phishing attacks are carried out predominantly via email, here are a few free or very low cost things that you can do personally and in your organization to help protect yourself.


1. Clean and Organize

It’s time to clean up your inbox. Since your inbox is the attack area, in order to better identify and protect yourself from savvy email tricks you need to be able to recognize things that look out of place. You can’t do that if your inbox is a constant mess.

  • Unsubscribe from things you don’t need, don’t read, or have no idea how you got on their list.  A junky inbox that you never zero out provides cover for cyber criminals.
  • Utilize folders to organize emails that you must save, and clean those folders out frequently.
  • Don’t use folders as a phonebook. No matter what platform or device you are using they all have a place for you to organize your contacts. Use it and stop keeping emails in your inbox because you need that person’s contact info.

2. Use Separate Business and Personal Email addresses.

If you are using one email address for both business and personal emails, stop it. You are not only making yourself an easy target for phishing, but you have created a single point of failure or loss for ALL of your accounts.

Business emails should ONLY be going to and coming from your business email account. DO NOT USE free email addresses for business. If you have a business website then you should be using business email on that domain.  Without getting into which email service is better than the other, the main point is to be able to recognize incoming emails that look out of place and should not be coming to that inbox.

You should further organize and provide separation by using multiple email addresses for specific business functions, and by creating a “junk” email account that you use to sign up for newsletters and such.

Every platform, email client and app lets you connect to multiple email accounts, or forward from one inbox to another. There’s no excuse anymore for doing everything in your life from one email address. It’s not only unprofessional, it’s unsafe.

Email services like G Suite, Rackspace, Microsoft Exchange and many others have robust email security and encryption. Whichever email service you use, get to know its security features so that you have a basic understanding of how they work to protect you from spam and phishing attacks.


3. Use team/internal messaging systems

With phishing and spear phishing, email is the entry point. You can cut down on internal emails by using team messaging systems like Slack, Hangouts, Trello, Microsoft Teams or one of many others. Choose the one that works best for your organization based on the tools that you already use. Most have apps for all of your devices, which not only makes communication more secure but may also increase productivity by making it easy for your teams to communicate and collaborate.

4. Use 2 Factor Authentication

These days losing control of your inbox is worse than losing your purse or wallet. If a criminal has control of your email account, the sky’s the limit on what they can do to you and your contacts. 2 factor authentication is about protecting your inbox.

Authentication basically boils down to any one of, or a combination of, 3 factors:

  • Something you know: Your username and password are something you know.
  • Something you are: Fingerprints or other biometrics.
  • Something you have: A second device, passkey, access card and so on.

I’m a big fan of the “Something you have” method of 2 factor authentication, such as the wide range of products from YubiKey and other U2F/FIDO devices, to protect your most critical accounts. 2 factor keys work as the second factor to supplement your password. You cannot complete the login process unless that key is presented, usually by inserting it into your device’s USB port, or via Bluetooth or NFC for mobile devices. Many keys work multiple ways so that you can use a single key across all your devices.

Yes, it adds an extra step to logging into your account, but at least you have the peace of mind of knowing that no one can access that account without the key.

What if you lose the key? Get 2. Most platforms that accept 2 factor keys suggest having 2 keys just in case. If you lose one key, you can log in with the second and disable the one that you lost.

SMS based authentication

If a physical key isn’t possible for locking down all of your accounts, mobile 2 factor (you are messaged a passcode before you can access your account) will do. However, many security researchers warn, and have proven, that SMS messaging is not the most secure way to use 2 factor. Also, losing your phone means that the person who has it now has access to your messages. This is also why it’s so important to lock your phone with a code, password or available biometrics to keep it secure just in case. If we could predict when our devices will be lost or stolen, no one would ever lose a device.

Token based authentication

The general concept behind a token-based authentication system is simple: users enter their username and password in order to obtain a token, which then lets them fetch a specific resource without re-sending their username and password. Once the token has been obtained, the user presents it to the remote site, and it grants access to a specific resource for a period of time. You can read more about token based authentication here: https://swoopnow.com/token-based-authentication/

Examples of token based authentication include Google Authenticator mobile app, Authy, FreeOTP, Toopher and many others.

Every major platform and most major accounts support some form of 2 factor authentication and it’s becoming widely available on a variety of account types.  Look for instructions in your account’s security settings.

Google 2 Factor: https://www.google.com/landing/2step/
Microsoft 2 Step Verification: https://support.microsoft.com/en-us/help/12408/microsoft-account-about-two-step-verification 
Apple 2 Factor authentication for Apple ID: https://support.apple.com/en-us/HT204915

You should also check out “How to set up 2 factor authentication” for your social media accounts over at The Verge: https://www.theverge.com/2017/6/17/15772142/how-to-set-up-two-factor-authentication

5. Create workplace security policies and enforce them

The weakest link of all digital security processes is the user. Phishing continues to be employed because it keeps working. It is important to create email security policies for your organization to follow so that everyone is on the same page, and to lower your risk of mistakenly allowing a successful attack.

Remember that stat above that says 60% of all small businesses who experience an attack are out of business in 6 months?
Don’t let laziness or slight inconveniences cost you the entire kit and kaboodle.

Coming up with some basic rules doesn’t require much effort. Here are a few things that you may want to include.

  • Establish a device policy. Require that every person in your organization protect the devices that they use to communicate with the organization with some kind of access lock, be it password, fingerprint, or PIN code. An unsecured lost device could be the catalyst to infect the entire organization before the owner even knows it is missing.
  • Create rules for how to handle attachments. Infected MS Office documents and PDFs are one of the main ways malware is delivered. Most of the time you know when an attachment is coming. When in doubt, contact the sender and verify that they sent it before opening it.
  • Inform your associates and contractors of your attachment policies and make it clear that they must follow them.
  • Consider setting up a cloud account (Dropbox, Google Drive, OneDrive, etc.) for receiving large numbers of files at a time, share it only with approved senders, and restrict access to a limited time frame.
  • Online resources like VirusTotal (https://www.virustotal.com/#/home/upload) let you scan websites, links and attachments before opening them to see if they set off any red flags from known exploits.

I know this all seems like a lot of work, and no one says you have to do them all, or all at once. The point is that email is the most common way for an attacker to try and get you, and phishing attacks are rampant. You should do what you can to prevent yourself from being an easy target. If/when an attack happens it’s too late to go back. Like the lock on your front door, you only need to forget to lock it once for disaster to strike.

Supplemental

Have you been pwned?
To check if your email address has already been compromised in reported hacks, check out HaveIBeenPwned. Created by Microsoft security developer Troy Hunt, HaveIBeenPwned.com checks your email address against known hacks and breaches and will let you know if it has been compromised.

If you find that it has, simply change your passwords everywhere that you use that email address, or consider using a new email address altogether.

Has your password been pwned?
Many breaches have compromised usernames, email addresses AND passwords. Created by the same researcher, this companion service lets you check your passwords against known breaches to see if they have been compromised: https://haveibeenpwned.com/Passwords

If you find that it has, completely change it everywhere that you are using it, and stop using it or anything similar to it.
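The password check at that URL is designed so that you never have to send your password anywhere: the password is hashed with SHA-1, only the first five hex characters of the hash are sent, and the service returns every hash suffix it holds for that prefix, so the match is made on your own machine (this is called k-anonymity). The following is an added example of that same range-query check, not code from the article or from Have I Been Pwned; the sample response body is constructed (real line format, made-up neighbours and counts) and `pwned-check-example` is a placeholder User-Agent string.

```python
import hashlib
from typing import Dict
from urllib.request import Request, urlopen

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the uppercase SHA-1 hex of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns,
    skipping blank or malformed lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, body: str) -> int:
    """How many times the password appears in breaches, given a range response."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(body).get(suffix, 0)


def pwned_count(password: str, timeout: float = 10) -> int:
    """Live check (needs network): only the 5-char hash prefix leaves this machine."""
    prefix, _ = sha1_prefix_suffix(password)
    req = Request(RANGE_API + prefix, headers={"User-Agent": "pwned-check-example"})
    with urlopen(req, timeout=timeout) as resp:
        return breach_count(password, resp.read().decode("utf-8"))


# Constructed sample of a range response for prefix 5BAA6 (the prefix of the
# SHA-1 of "password"): real line format, made-up neighbours and counts.
SAMPLE_BODY = (
    "0A1B2C3D4E5F60718293A4B5C6D7E8F9012:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "FE5B8A42E9B3F2C9E6B2D1A0C4F7E8D9B1A:1\r\n"
)

if __name__ == "__main__":
    print("sample count for 'password':", breach_count("password", SAMPLE_BODY))
```

A non-zero count means the password has been seen in a breach and should be treated exactly as the article says: change it everywhere and retire it.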

If you have any questions, comments, opinions or need additional help leave a comment.