Phishing attacks are an email-based social engineering tactic that cyber criminals use to target you through your device. A successful phishing attack can let a criminal install a RAT (Remote Access Trojan) on your system, lock up your device with ransomware, recruit your machine into a botnet, access your banking and financial information, steal proprietary information, keep a long-term foothold on your home or business network, or move through your contacts and wreak havoc on your friends, family, business associates and worse.

Phishing vs. Spear Phishing

Simply put, phishing is a broad, wide-scale attempt to catch whatever jumps into the net. The Nigerian Prince email scam is an early example of a general phishing campaign.

Spear phishing is a targeted attempt directed at specific members of your organization, usually those who control or have access to the information or systems that the criminal is after. The more time the attacker spends investigating the victim, the better executed the attack. Investigating most spear phishing targets is easy: the attacker studies the victim’s social media accounts and their company’s own website and consults public databases. Many times the ease of finding personal information dictates who the target is, not the other way around.

It is important to remember that most of the time cyber crime is NOT personal. It’s not about you or your circumstances. When the target is money it doesn’t matter whether you have $50 or $50k; if you leave easy access to it, a criminal is going to steal it. Some of the most well-known “hacks” in recent news were successful phishing attacks.

Small Businesses are a major target

Small businesses are now a major target of phishing campaigns because they are assumed to have less knowledge, fewer resources, and generally to care less about security. Many see cyber crime as something that happens to other people, not “lil ole” them. Or worse, something that they can get around to later since they’ve been lucky so far. This attitude has proven fatal for thousands of small businesses and individuals all over America.

According to Symantec, 43% of cyber attacks target small businesses, and 60% of small businesses that have been hit with an attack shut down within 6 months.

Another Symantec report shows that about 1 in 40 small businesses are at risk of being the victim of a cyber crime. That pales in comparison to the roughly 1 in 2 large businesses that are targeted every year, multiple times, with a cyber attack.

The 2016 State of Small Business Cybersecurity Report shows that “hackers” have breached half of all small businesses in the United States. A 2017 CNBC article states that 14 million small businesses were hacked in a 12-month span.

[Infographic: Phishing and Cyber Attacks against Small Businesses. Source: Symantec infographic on small and large business cyber attacks]

So what can you do?

I wish I could tell you that there was an easy button that would solve all of your cyber security problems, but there isn’t. You will have to learn a few things and make an effort. There’s also no such thing as completely safe, but there is safer. Unless you’re being specifically targeted, cyber criminals tend to look for easy targets. It’s not personal. You’re just a system or a device standing in the way of the prize.

In this article I’m not trying to make you an email security savant. I just want you to take some basic precautions so that you stop being an easy target.

Since phishing attacks are carried out predominantly via email, here are a few free or very low cost things that you can do personally and in your organization to help protect yourself.

1. Clean and Organize

It’s time to clean up your inbox. Your inbox is the attack surface, so to identify and protect yourself from savvy email tricks you need to be able to recognize things that look out of place. You can’t do that if your inbox is a constant mess.

  • Unsubscribe from things you don’t need, don’t read, or have no idea how you got on their list. A junky inbox that you never zero out provides cover for cyber criminals.
  • Utilize folders to organize emails that you must save, and clean those folders out frequently.
  • Don’t use folders as a phonebook. No matter what platform or device you are using they all have a place for you to organize your contacts. Use it and stop keeping emails in your inbox because you need that person’s contact info.

2. Use Separate Business and Personal Email addresses.

If you are using one email address for both business and personal email, stop. You are not only making yourself an easy target for phishing, but you have created a single point of failure or loss for ALL of your accounts.

Business emails should ONLY be going to and coming from your business email account. DO NOT USE free email addresses for business. If you have a business website then you should be using business email on that domain. Without getting into which email service is better than another, the main point is to be able to recognize incoming emails that look out of place and should not be coming to that inbox.

You should further organize and provide separation by using multiple email addresses for specific business functions, and by creating a “junk” email account that you use to sign up for newsletters and such.

Every platform, email client and app lets you connect to multiple email accounts, or forward from one inbox to another. There’s no excuse anymore for doing everything in your life from one email address. It’s not only unprofessional, it’s unsafe.

Email services like G Suite, Rackspace, Microsoft Exchange and many others have robust email security and encryption. Whichever email service you use, get to know its security features so that you have a basic understanding of how they work to protect you from spam and phishing attacks.

3. Use team/internal messaging systems

With phishing and spear phishing, email is the entry point. You can cut down on internal email by using team messaging systems like Slack, Hangouts, Trello, Microsoft Teams or one of many others. Choose the one that works best for your organization based on the tools that you already use. Most have apps for all of your devices, which not only makes communication more secure but may also increase productivity by making it easy for your teams to communicate and collaborate.

4. Use 2 Factor Authentication

These days losing control of your inbox is worse than losing your purse or wallet. If a criminal has control of your email account, the sky’s the limit on what they can do to you and your contacts. 2 factor authentication is about protecting your inbox.

Authentication basically boils down to any one of, or a combination of, 3 factors:

  • Something you know: Your username and password are something you know.
  • Something you are: Fingerprints or other biometrics.
  • Something you have: A second device, passkey, access card and so on.

I’m a big fan of the “Something you have” method of 2 factor authentication, such as the wide range of products from YubiKey and other U2F/FIDO devices, to protect your most critical accounts. 2 factor keys work as the second factor to supplement your password. You cannot complete the login process unless that key is presented, usually by inserting it into your device’s USB port, or via Bluetooth or NFC for mobile devices. Many keys work multiple ways so that you can use a single key across all your devices.

Yes, it adds an extra step to logging into your account, but at least you have the peace of mind of knowing that no one can access that account without the key.

What if you lose the key? Get 2. Most platforms that accept 2 factor keys suggest having 2 keys just in case. If you lose one key, you can log in with the second and disable the one that you lost.

SMS based authentication

If a physical key isn’t possible for locking down all of your accounts, mobile 2 factor (you are messaged a passcode before you can access your account) will do. However, many security researchers warn, and have proven, that SMS messaging is not the most secure way to use 2 factor. Also, losing your phone means that the person who has it now has access to your messages. This is also why it’s so important to lock your phone with a code, password or available biometrics to keep it secure just in case. If we could predict when our devices would be lost or stolen, no one would ever lose a device.

Token based authentication

The general concept behind a token-based authentication system is simple. Allow users to enter their username and password in order to obtain a token which allows them to fetch a specific resource – without using their username and password. Once their token has been obtained, the user can offer the token – which offers access to a specific resource for a time period – to the remote site. You can read more about token based authentication here: https://swoopnow.com/token-based-authentication/ 

Examples of token based authentication include the Google Authenticator mobile app, Authy, FreeOTP, Toopher and many others.

Every major platform and most major accounts support some form of 2 factor authentication, and it’s becoming widely available on a variety of account types. Look for instructions in your account’s security settings.

Google 2 Factor: https://www.google.com/landing/2step/
Microsoft 2 Step Verification: https://support.microsoft.com/en-us/help/12408/microsoft-account-about-two-step-verification 
Apple 2 Factor authentication for Apple ID: https://support.apple.com/en-us/HT204915

You should also check out “How to set up 2 factor authentication” for your social media accounts over at The Verge: https://www.theverge.com/2017/6/17/15772142/how-to-set-up-two-factor-authentication

5. Create workplace security policies and enforce them

The weakest link in any digital security process is the user. Phishing continues to be employed because it keeps working. It is important to create email security policies for your organization to follow, so that everyone is on the same page, and to lower your risk of mistakenly allowing a successful attack.

Remember that stat above that says 60% of all small businesses who experience an attack are out of business in 6 months?
Don’t let laziness or slight inconveniences cost you the entire kit and kaboodle.

Coming up with some basic rules doesn’t require much effort. Here are a few things that you may want to include.

  • Establish a device policy. Require that every person in your organization protect the devices they use to communicate with the organization with some kind of access lock, be it a password, fingerprint, or PIN code. An unsecured lost device could be the catalyst that infects the entire organization before the owner even knows it is missing.
  • Create rules for how to handle attachments. Infected MS Office documents and PDFs are one of the main ways to deliver malware. Most of the time you know when an attachment is coming. When in doubt, contact the sender and verify that they sent it before opening it.
  • Inform your associates and contractors of your attachment policies and make it clear that they are expected to follow them.
  • Consider setting up a cloud account (Dropbox, Google Drive, OneDrive, etc.) for receiving large numbers of files at a time; share it only with approved senders, and restrict access to a limited time frame.
  • Online resources like VirusTotal (https://www.virustotal.com/#/home/upload) let you scan websites, links and attachments before opening them to see whether they set off any red flags for known malware.
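As an added example (not code from the original article), here is a small Python triage script that applies the attachment and sender rules above to a raw email message using only the standard library. The message, addresses and file names it builds are constructed for the demo.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Extensions the policy treats as "verify with the sender before opening":
# the Office/PDF carriers named in the article, plus types that commonly wrap them.
RISKY_EXTENSIONS = {
    "doc", "docx", "docm", "xls", "xlsx", "xlsm", "ppt", "pptx", "pptm",
    "pdf", "exe", "js", "vbs", "scr", "zip", "iso", "lnk",
}


def header_domain(msg, header: str) -> str:
    """Domain part of an address header, lower-cased; '' if the header is absent."""
    _, addr = parseaddr(msg.get(header, ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> list:
    """Return human-readable policy findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Rule: replies routed to a different domain than the visible sender are a red flag.
    from_dom, reply_dom = header_domain(msg, "From"), header_domain(msg, "Reply-To")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # Rule: every attachment is checked against the allowed-type policy.
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        pieces = name.lower().split(".")
        ext = pieces[-1] if len(pieces) > 1 else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"{name}: .{ext} attachment, confirm with the sender before opening")
        # invoice.pdf.exe style double extensions disguise the real file type.
        if len(pieces) > 2 and pieces[-2] in RISKY_EXTENSIONS and pieces[-2] != ext:
            findings.append(f"{name}: double extension hides the real file type")
    return findings


def build_sample(attachment_name: str = "invoice.docm") -> bytes:
    """Constructed demo message: lookalike supplier, foreign Reply-To,
    one risky attachment and one harmless text file. Not a real phish."""
    m = EmailMessage()
    m["From"] = '"Accounts Payable" <ap@example-supplier.test>'
    m["Reply-To"] = "ap@example-lookalike.test"
    m["To"] = "owner@example-smallbiz.test"
    m["Subject"] = "Overdue invoice"
    m.set_content("Please open the attached invoice today.")
    m.add_attachment(b"\xd0\xcf\x11\xe0demo", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    m.add_attachment(b"plain notes", maintype="text", subtype="plain",
                     filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("FLAG:", finding)
```

A script like this belongs in the mail gateway or in a helper people can drop a suspicious .eml onto; it does not replace the "call the sender" rule, it just makes the policy checkable.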

I know this all seems like a lot of work, and no one says you have to do it all, or all at once. The point is that email is the most common way for an attacker to try to get you, and phishing attacks are rampant. You should do what you can to keep yourself from being an easy target. If/when an attack happens it’s too late to go back. Like the lock on your front door, you only need to forget to lock it once for disaster to strike.

Supplemental

Have you been pwned?
To check if your email address has already been compromised in a reported hack, check out HaveIBeenPwned. Created by Microsoft security developer Troy Hunt, HaveIBeenPwned.com checks your email address against known hacks and breaches and will let you know if it has been compromised.

If you find that it has, simply change your passwords everywhere that you use that email address, or consider using a new email address altogether.

Has your password been pwned?
Many breaches have compromised usernames, email addresses AND passwords. The same researcher’s Pwned Passwords service lets you check your passwords against known breaches to see if one has been compromised: https://haveibeenpwned.com/Passwords

If you find that it has, change it everywhere that you are using it, and stop using it or anything similar to it.
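As an added example (not the article’s or Troy Hunt’s code), this Python shows how the Pwned Passwords range API lets you check a password without ever sending it: the password is hashed locally and only the first five hex characters of its SHA-1 go to the server, which answers with every matching suffix and its breach count. The server reply below is constructed so the example runs offline; the live endpoint returns the same one-suffix-per-line format.

```python
import hashlib
from typing import Callable

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"   # documented Pwned Passwords API


def sha1_prefix_suffix(password: str) -> tuple:
    """Hash locally; only the 5-character prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response (one 'SUFFIX:COUNT' line per hash) for our suffix."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def times_pwned(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in known breaches (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))


def fetch_range_online(prefix: str) -> str:
    """Live lookup against the real service; not called by the offline demo."""
    import urllib.request
    with urllib.request.urlopen(RANGE_ENDPOINT + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the server's reply to prefix 5BAA6. The first suffix is
# the genuine SHA-1 tail of "password"; the counts and the other suffixes are made up.
SAMPLE_RANGE_5BAA6 = """\
00A1B2C3D4E5F60718293A4B5C6D7E8F901:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
FFEEDDCCBBAA99887766554433221100AAB:1
"""


def fetch_range_offline(prefix: str) -> str:
    """Offline substitute for fetch_range_online used by the demo."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", times_pwned(candidate, fetch_range_offline), "breaches (demo data)")
```

Swap `fetch_range_offline` for `fetch_range_online` to query the real service; either way the full password hash never leaves your machine, which is what makes the check safe to run on a password you intend to keep.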

If you have any questions, comments, opinions or need additional help leave a comment.

By now I’m sure you’ve heard tech experts, other business owners, friends and family beat the drum about the importance of backing up your computers.

It’s hard to believe, but a staggering number of people and businesses, particularly small businesses, don’t take security seriously, do not back up their systems or information, and have absolutely no disaster recovery plan. Consequently small businesses have become easy targets for hackers and ransomware, with devastating consequences: more than 60% of small businesses that have experienced a cyber attack go out of business within 6 months.

There is no reason not to have a backup in this day and age. Most small businesses with only one or two computers can do it in less time than it takes to watch a House Hunters rerun on HGTV.

With the stunning new (lack of) internet privacy rules (passed by both houses, and expected to be signed by President Trump) allowing ISPs to sell your data and personal information, Americans are scrambling to put privacy tools in place. But what about your business?

Over the past year multiple security blogs and news outlets have been warning us that hackers are increasingly targeting small businesses, from Mom and Pop storefronts and restaurants to work-from-home freelancers. The rise in attacks can be attributed to lack of awareness, carelessness, and the mistaken belief of many small businesses that they don’t have anything of value that anyone would want. Unfortunately this makes small businesses easy targets, and they are getting picked off left and right.

A 2016 article from the Denver Post states that 60% of small businesses that suffer a cyber attack are out of business within 6 months. This should be alarming to EVERY small business owner.

If you use a computer for business, you should be worried not only about your own security but about that of your clients and associates, whose information you probably have stored on it in one way or another.

This article cannot possibly cover the entirety of business security, but it can help you with one small truth: If your business can be easily tracked online, it can be easily hacked online.

In my previous article “How to stop your internet service provider from tracking you”, I only touched on part of the internet privacy problem. Yes, you can send your DNS (Domain Name System) lookups to a resolver other than your ISP’s, but that only thwarts some tracking. It doesn’t necessarily protect your internet privacy.

Everything is Packets, and your Packets are public

Everything you do on the internet travels in packets of information. If you’ve ever opened your network settings you’ve likely seen your network activity measured in bytes or packets sent and received.

Every web page that you receive comes as a series of packets, and every e-mail you send leaves as a series of packets. Networks that ship data around in small packets are called packet switched networks. Each packet carries the information that will help it get to its destination — the sender’s IP address, the intended receiver’s IP address, something that tells the network how many packets this e-mail message has been broken into, and the number of this particular packet.

The packets carry the data in the protocols that the Internet uses: Transmission Control Protocol/Internet Protocol (TCP/IP). Each packet contains part of the body of your message. A typical packet contains perhaps 1,000 or 1,500 bytes. – read more about packets at ‘How Stuff Works’.

Yes, I know that was boring, but it’s important to have a basic understanding of how your internet traffic works.

The bad news is that once packets leave your machine they are public and go over the open internet. Technically they can be captured, “sniffed”, or redirected by bad actors (or law enforcement) at any time with very little effort (or a warrant) by a knowledgeable person.
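As an added example (not code from the article), the following Python builds a constructed IPv4/TCP packet and then reads it back the way a sniffer on the path would. It shows exactly which fields are readable by anyone between you and the destination with no key at all: both addresses, the ports, the "which piece of how many" fragment bookkeeping described above, and, without TLS or a VPN tunnel, the payload itself. Addresses are from documentation ranges and nothing is sent on the network.

```python
import socket
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, no options
TCP_HDR = "!HHIIBBHHH"       # fixed 20-byte TCP header, no options


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over a header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes,
                 ident: int = 0x1234, more_fragments: bool = False,
                 frag_offset: int = 0) -> bytes:
    """Constructed IPv4/TCP packet for the demo only; it is never transmitted."""
    flags_frag = (0x2000 if more_fragments else 0) | ((frag_offset // 8) & 0x1FFF)
    ip = struct.pack(IPV4_HDR, 0x45, 0, 40 + len(payload), ident, flags_frag,
                     64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # seq=1, ack=0, data offset 5 words, flags PSH|ACK, window 65535, csum/urgent 0
    tcp = struct.pack(TCP_HDR, sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


def on_the_wire(packet: bytes) -> dict:
    """Everything an observer on the path reads without any key: the IP header,
    the TCP ports and, absent TLS or a VPN tunnel, the payload."""
    (ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    zeroed = packet[:10] + b"\x00\x00" + packet[12:ihl]
    info = {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "total_length": total_len, "ttl": ttl, "protocol": proto,
        # the "which piece of how many" fields the article mentions
        "identification": ident,
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "checksum_ok": ipv4_checksum(zeroed) == csum,
    }
    if proto == 6:   # TCP
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        data_offset = (packet[ihl + 12] >> 4) * 4
        info.update(src_port=sport, dst_port=dport,
                    payload=packet[ihl + data_offset:total_len])
    return info


if __name__ == "__main__":
    pkt = build_packet("192.0.2.10", "198.51.100.7", 51000, 443, b"GET / HTTP/1.1\r\n")
    for key, value in on_the_wire(pkt).items():
        print(f"{key:>16}: {value!r}")
```

A VPN changes what this observer sees only between you and the VPN server: the outer header then carries your address and the VPN server’s, and the inner packet, including its real destination, is encrypted.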

So how do you make those packets private, or encrypt them so that no one can look inside other than the person at the intended destination? One way is to use a VPN, or Virtual Private Network.

What are VPNs and how do they work to protect your internet privacy?

The people over at Android Authority put together an easy to understand video on how VPNs work.

So basically VPNs protect your internet privacy by creating an HTTPS (Hypertext Transfer Protocol Secure) internet connection between you and your destination. They primarily work per device, and only for internet traffic such as search and file transfer. They don’t necessarily work with messaging or email, which is managed and controlled by a completely different server depending on what kind of email you’re using. I’ll talk more about secure email and messaging options in the next post.

So where do I get me one of those VPNs?

VPNs are plentiful, and come as both free and paid services depending on your needs.
Software VPNs are programs that you can install that create virtual walls between you and your internet connection. I’ve personally used software solutions such as Avast VPN on both my desktop and mobile devices, and the Lookout app which comes included with my mobile service and is also available for iOS devices. I generally use a VPN when using public or free WiFi, and have them installed on all of my computers and devices.

There are also hardware VPNs that work by physically getting in between your device and the internet to create a secure connection. Hardware VPNs are popular with travelers who use a lot of hotel and airport internet connections. If you don’t have the ability to use your own modem and/or router and are forced to use your ISP’s equipment, or if you travel or use WiFi out in the wild, I HIGHLY recommend a hardware VPN.

Most VPNs are relatively easy to install and set up, and to create a secure connection you simply have to turn them on. If you use a lot of different internet and WiFi connections, say for traveling, work, or just out and about, I highly recommend that you use a VPN to protect yourself from packet sniffers, hijackers and snoopers AT ALL TIMES.

So if I get a VPN then I’m protected, right?

Yes, and no. Just like any product or service there are bad VPNs that don’t do much to protect your privacy at all, and some have been caught actually tracking you themselves.

A good VPN will create a secure connection between you and your internet destination. This will protect you from packet sniffers, snoopers and man-in-the-middle attacks. However, they don’t necessarily protect you from your ISP, or worse, they may not do much for your internet privacy when it comes to the government or law enforcement snooping on you without a warrant.

  • The website That One Privacy Site lays out a comparison of the “pros” and “cons” of various VPN services.

Own your equipment.

A VPN is an after-the-fact solution. If you really want more control over your internet privacy, it starts with owning your own equipment. If you’re using the ISP’s modem or router, or a subsidized phone on a payment plan that you got from your mobile company, it’s very likely that those devices come pre-installed with software and bloatware to circumvent any attempt to hide your activities from them, and that the company retains the ability to install software on them in the future.

To have the best chance at as much privacy control as possible, you have to buy and use your own equipment. Some ISPs won’t allow you to use your own modem, but you can still buy your own router. When it comes to your mobile devices you have a choice of whether to buy a bloatware-infested device from the carrier, or purchase your own unlocked phone outright, either direct from the manufacturer or from another retailer.

If you want protection from Government snooping, don’t buy American

As a flag-waving, 100% buy-American United States military veteran it pains me to say this, but if you really want internet privacy from your own government, whether from a VPN, website host, or any secure messaging service, you have to use services based in countries that are out of the reach of U.S. law enforcement and international agreements.

Even if you have nothing to hide, many governments feel they should have the keys to everything: that there should be no privacy or encryption that they can’t see into freely and without having to get a warrant. They don’t ask for your cooperation; they just take your information without your knowledge or permission. That’s a little too much to accept for most who believe that the 4th Amendment is just as absolute as the rest of the U.S. Constitution, and that it shouldn’t be ignored every time we get scared or can’t come up with any better ideas.

Under the UKUSA Agreement, the United Kingdom, United States, Australia, Canada, and New Zealand agree to cooperatively collect, analyze, and share intelligence. Members of this group, known as the Five Eyes, focus on gathering and analyzing intelligence from different parts of the world. While Five Eyes countries have agreed not to spy on each other as adversaries, leaks by Edward Snowden have revealed that some Five Eyes members monitor each other’s citizens and share intelligence to avoid breaking domestic laws that prohibit them from spying on their own citizens.

The Five Eyes alliance also cooperates with groups of third party countries to share intelligence (forming the Nine Eyes and Fourteen Eyes); however, Five Eyes and third party countries can and do spy on each other. – read more about Global Mass Surveillance and Privacy at Privacytools.io

Plainly put, if the American government (or any government, actually) says that companies in its jurisdiction must give up their encryption keys in the name of terrorism or child pornography (you know, the old default standby excuses), it’s a crap shoot whether the company will even fight it, how hard they’ll fight it, or whether they win in a court battle.

Caveat emptor/Catch 22: When purchasing anything from outside the U.S., understand that you may not have the protection of U.S. laws from unfair business practices and fraud. Do your homework.

Most VPN services are privacy advocates and understand the need for people to be secure in their communications. Don’t let price be the only determining factor in picking a VPN. Pick a VPN because it’s what you need and want, and has the trust and credibility that you’re looking for. You may have to try a few out before you find the one that works best for you.

Extra

To VPN or Not To VPN? – Threat Wire