Happy (Late) National Cyber Security Awareness Month!
October was National Cybersecurity Awareness Month. One of the ways we celebrated at CyberArmed was by participating in Washington DC Cyber Week. We found it to be very fun as well as very informative.
I attended various sessions and learned about the newest cyber threats that are directed at everyday people. The first session was a joint presentation by the FBI and The Secret Service. I found this very interesting and helpful. It gave me a new perspective on things that can easily be compromised and made me more aware of things that I needed to improve in my life. I am sharing some of the things that I have learned in hopes of bringing new knowledge to others.
The session was called Business Email Compromise and made me realize how easy it can be to fall for a scam and put your business at risk.
B2B commerce is the most targeted for scams of this kind because of the amount of money involved in these transactions. Lawyers' accounts can also be targeted, especially where trust account information or real estate transactions are involved. There are also fake lawsuits that serve as a “legal service money mule”.
Some ways that this can happen are:
Hackers aren't just the experts that you would expect. There are now easy ways for hackers to get into your email and other parts of your computer.
Fake email: They may send you an email saying you need to change your password. It will then lead you to a webpage that looks just like Gmail; however, there will be a small typo in the URL. Once you are on this fake page, it will instruct you to enter your old password as well as a new password. It may say the change didn't work and to try again later, or it may tell you that it was successful. Either way, you just gave the hackers your password!
Malicious file: A good example of this would be a PDF that you download, thinking it is something else. One way that this can happen is by downloading a "free" textbook. This would in turn put a key logger onto your computer.
Typo in the email address: Most people read their emails fairly quickly and don’t always verify the email address. A new one is a lowercase r and n next to each other to look like an m ("rn" versus "m"). If you are reading in a hurry, it might be hard to notice.
The hackers are very patient. They are willing to wait a lot of time because it is a big payoff for them in the long run. They spend time reading your emails and getting to know you as well as getting to know your company and how your company runs.
Ways to tell if your email is compromised: Are any of your emails opened that you know you didn’t open? Also, check your logs to see where and when your email was last logged in to, and verify it was all you. Check under settings to see if you have any rules you did not set up, like "automatically forward all emails to this address."
If any of these things happen then you want to change your password immediately.
Ways you can protect yourself:
- Make a policy of requiring verification after receiving emails telling an employee to wire or send money to someone. Have the person call back to verify the transaction.
- Do the same with other businesses that you interact with. When you first start doing business with them let them know that your company’s policy is to verify over the phone before sending a financial transaction.
- Two-factor authentication is very important to making sure unauthorized transactions do not occur. You can also add it to your Gmail.
- Every company should have a cyber incident response plan. You should document what to do, who to tell and in what order. If you will need help from a third party, you should figure out who you would like to work with now, so it will be one less thing to worry about.
- As far as security questions for passwords go: if the answer can be found on Facebook or social media, then you should change the answer. I had honestly never considered this point before and had to make some changes myself.
If you or your company is a victim of a crime like this, the first thing you should do is contact your bank right away. If the bank is contacted within 48 hours, you have a better chance of getting your money back. You should also contact the FBI so they can start working on the case immediately. The FBI has a website dedicated to reporting internet crimes. You can report your crimes here.
Overall, it was a great way to celebrate National Cyber Security Awareness Month. But here at CyberArmed, that is every month. If you need any more tips to keep your business safe we are happy to help you.