Dream Firms Talks 01/2023

01/01/2023

Topic: Basics / Phishing and BEC

Basic Security

  • 12 character minimum for all passwords.
    • Anything 8 characters or less can be exhausted by offline password-cracking hardware in hours to days once the stored hash leaks; length matters more than complexity rules, and a password manager is the practical way to keep a unique 12+ character password per site. Turn on multi-factor authentication wherever it is offered, so a phished password alone is not enough.
  • Businesses should use the premium/business tier of anti-malware software, not consumer editions, which lack central management and reporting.
    • Make sure it updates automatically, and check that it actually is updating.
  • Regular, off-site backups of your data, not just a synced copy in the cloud. A sync folder faithfully copies files that ransomware has encrypted or a scammer has deleted, so keep at least one versioned copy that workstations cannot overwrite, and test a restore.
  • Don't use a free consumer mailbox such as Gmail as your business email. Businesses should have their own domain, which also lets you publish sender-authentication records (SPF, DKIM, DMARC) so other mail servers can tell your real mail from mail that merely claims to be from you.
  • Employee training is a very important part of your cyber security plan. Training frequency should be at least twice a year, plus a short refresher whenever a new scam is seen.
  • Monitor your internal networks and systems for alerts and unexpected changes (new accounts, new mailbox forwarding rules, logins from unfamiliar locations).

Phishing

  • A type of Cyber Crime in which targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data.
    • PII – Personally Identifiable Information
    • Banking and Credit Card details
    • Passwords
  • Industry threat-trend reporting suggests that at least one person clicked a phishing link in around 86% of organizations.
  • The same data suggests that phishing is involved in around 90% of data breaches.
  • 96% of phishing attacks arrive by email.
  • Many malicious emails no longer contain an attachment. In fact, 2021 Tessian research found that 76% of malicious emails did not contain one; they carry a link or simply a request, like the example below.
    • Of those that did include attachments, research suggests that PDFs are the most common type of malicious file attached to phishing emails.
  • EXAMPLE – Architect Email Scam
    • Good day,
    • Are you busy? send your mobile # I want you to run an errand for me.
  • Security leaders surveyed cited the following consequences of successful phishing:
    • 60% of organizations lost data
    • 52% of organizations had credentials or accounts compromised
    • 47% of organizations were infected with ransomware
    • 29% of organizations were infected with malware
    • 18% of organizations experienced financial losses
  • This chart, pulled from Google Safe Browsing, shows the steep increase in the number of websites deemed unsafe between January 2016 and January 2021.
    • [Chart: malware vs. phishing sites, Google Safe Browsing]
  • Phishing Defense
    • View the FULL email address of the sender, not just the contact (display) name. The display name is free text the sender types, so it proves nothing.
    • Does the email create a 'sense of urgency' (pay today, reply within the hour, the boss is in a meeting and cannot be reached)?
    • Inspect the email for spelling, grammatical and word-usage errors.
    • Does the email ask for personal information, passwords, or a change in how money is paid?
    • Call the sender (person or company) to verify the email.
      • Use a phone number you already have on file or from the company's official website, never the phone number in the email.
    • Techie way – inspect the email's headers to see where it originated: the Return-Path and Reply-To addresses (often different from the displayed From), the Authentication-Results line your own mail server adds (SPF, DKIM and DMARC pass or fail), and the chain of Received lines, which reads from the bottom up, starting with the first server that handled the message.
    • Other advanced techniques are available that we can help you with.
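The "techie way" above, as an added example that is not part of the original talk notes: a short Python script that applies the checklist (full sender address, urgency, where replies would really go, and which server the message first came from) to a raw email using only the standard library. The sample message, host names, IP addresses and domains are constructed for illustration.

```python
"""Header triage for a suspected phishing email.

Added example, not part of the original talk notes.  It applies the checks
listed above (full sender address, sense of urgency, who you would really be
replying to, where the mail originated) to a raw message using only the
Python standard library.  The sample message, hosts, IP addresses and domains
are constructed for illustration.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: the display name claims to be the firm's president, but
# Return-Path and Reply-To point at an outside mailbox, and the firm's own
# mail server recorded SPF and DMARC failures for the sending host.
SAMPLE_EMAIL = b"""\
Received: from mail.example-firm.test (mail.example-firm.test [192.0.2.10])
 by mx.example-firm.test with ESMTPS; Sun, 01 Jan 2023 09:00:00 -0500
Received: from unknown (HELO webmail.example.net) (198.51.100.77)
 by mail.example-firm.test with SMTP; Sun, 01 Jan 2023 08:59:58 -0500
Authentication-Results: mx.example-firm.test;
 spf=fail smtp.mailfrom=example.net;
 dkim=none;
 dmarc=fail header.from=example-firm.test
Return-Path: <j.smith.office@example.net>
From: John Smith <john.smith@example-firm.test>
Reply-To: <j.smith.office@example.net>
To: exec-team@example-firm.test
Subject: URGENT: lost my contact list, please send yours ASAP

Good day, are you busy? I need you to run an errand for me.
"""

# Subject words the talk lists for BEC, plus one common variant.
URGENCY_WORDS = ("urgent", "request", "important", "payment", "attention", "asap")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def domain_of(header_value):
    """Lower-cased domain of the first address in a header ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw_bytes):
    """Return extracted facts about the message plus a list of red-flag codes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    flags = []

    # 1. Replies (Reply-To) or bounces (Return-Path) going somewhere other
    #    than the domain shown in From.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        flags.append("reply_to_mismatch")
    if domain_of(msg.get("Return-Path")) not in ("", from_domain):
        flags.append("return_path_mismatch")

    # 2. SPF / DKIM / DMARC verdicts recorded by our own receiving server.
    auth = {k.lower(): v.lower()
            for k, v in AUTH_RESULT.findall(str(msg.get("Authentication-Results", "")))}
    for mech in ("spf", "dmarc"):
        if auth.get(mech) in ("fail", "softfail", "none"):
            flags.append(f"{mech}_{auth[mech]}")

    # 3. Origin: every relay prepends its own Received line, so the LAST one
    #    in the list is the first hop, i.e. where the message really came from.
    received = msg.get_all("Received") or []
    match = IPV4.search(str(received[-1])) if received else None
    origin_ip = match.group(1) if match else None

    # 4. Sense of urgency in the subject line.
    subject = str(msg.get("Subject", "")).lower()
    urgency = [w for w in URGENCY_WORDS if w in subject]
    if urgency:
        flags.append("urgent_subject")

    return {
        "display_name": display_name,
        "from_address": from_addr,
        "reply_to": str(msg.get("Reply-To") or ""),
        "origin_ip": origin_ip,
        "auth": auth,
        "urgency_words": urgency,
        "flags": flags,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print(f"Display name: {result['display_name']!r}  actual address: {result['from_address']}")
    print(f"First hop: {result['origin_ip']}  authentication: {result['auth']}")
    print("Red flags:", ", ".join(result["flags"]) or "none")
```

Run it against a message saved as raw source ("Show original" in most mail clients) by passing the file's bytes to `triage()`. The Authentication-Results line is only trustworthy when it was written by your own receiving server, which is why the example reads the server name at the start of that header.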

BEC – Business Email Compromise

  • A type of phishing in which attackers hijack a real corporate mailbox or 'spoof' one, then impersonate a trusted person to get money or data.
    • Essentially spear phishing, a targeted attack, posing as a:
    • Boss / Manager
    • Co-Worker
    • HR
    • Trusted Client or Vendor
  • Ranks number one in cost, averaging $5.01 million per breach.
    • This cost can be broken down into several different categories, including:
      • Lost hours from employees
      • Damaged corporate reputation
      • Lost intellectual property
      • Direct monetary losses
      • Compliance fines (tripled if you can’t prove you have taken the required steps to prevent it)
      • Lost revenue
      • Incident response
      • Legal fees
  • The FBI's Internet Crime Report shows that in 2020, BEC scams accounted for over $1.8 billion in reported losses, far more than any other type of cybercrime.
  • EXAMPLES – Employee and Department Targets: 
    • Employee target – email purporting to come from the President, sent to the exec team: "Lost my contact list, please forward your contact info."
    • Employee target – email purporting to come from the Sales Director, sent to an admin assistant: "Buy gift cards for our distributors."
    • Department target – email to a client, using an intercepted thread and a spoofed address: "Credit card processing is currently down," requesting payment through a payment app tied to a Gmail account. Caught by employees and stopped.
    • Department target – invoice sent from a spoofed lookalike domain with 'updated' bank account details. The email carried warnings that it came from a different domain, and multiple procedures were in place that should have prevented payment. Payment was made anyway.
  • BEC Defense
    • Employee Training!
      • To include all of the previously mentioned phishing defenses.
    • Frequently updated policies and procedures, including a written rule that any change to payment details is confirmed by phone, using a number already on file, before money moves.
    • Verify! Verify! Verify!
    • Advanced email server settings we can assist with (SPF, DKIM and DMARC records, so receiving servers can reject mail that merely claims to come from your domain).
    • Humans are the soft target. Technical controls only cut down the volume; the last check is a person who stops and verifies.
  • The top five subject-line words for business email compromise:
    • Urgent
    • Request
    • Important
    • Payment
    • Attention
    • All are words designed to make an employee act quickly and not question.
    • This is why it’s so important that employees have the knowledge to identify Phishing AND the confidence to Question and Verify!
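The "Verify! Verify! Verify!" step for the invoice example above (a spoofed vendor domain sending 'updated' bank details), as an added example that is not part of the original talk notes: a small Python check an accounts-payable workflow could run before paying. It classifies the sending domain against a list of vendors the firm actually does business with, detects a request to change bank details, and holds payment pending a phone callback to the number on file. The vendor registry, phone numbers and sample message are constructed for illustration.

```python
"""Lookalike-domain and payment-change check for BEC defense.

Added example, not part of the original talk notes.  It implements the
"Verify!" step for the invoice scenario above: classify the sending domain
against the vendors we actually do business with, detect a request to change
bank details, and decide whether to hold payment pending a phone callback to
the number on file.  The vendor registry, phone numbers and sample message
are constructed for illustration.
"""
import re
import unicodedata

# Constructed vendor registry: expected sending domain -> callback number on
# file.  The callback always uses this number, never one quoted in the email.
KNOWN_VENDORS = {
    "acme-supplies.test": "+1-555-0100",
    "northwind.test": "+1-555-0101",
}

MONEY_TERMS = re.compile(r"\b(bank|account|routing|iban|swift|wire)\b", re.I)
CHANGE_TERMS = re.compile(r"\b(new|updated?|changed?|different)\b", re.I)


def normalize(domain):
    """Fold visually similar characters so lookalikes compare equal.

    NFKD plus an ASCII strip handles full-width and accented letters; the
    replace and translate calls cover the classic rn->m, vv->w, 0->o, 1->l,
    3->e, 5->s swaps.  Non-ASCII confusables that do not decompose simply
    drop out, leaving a one-character edit distance the caller still catches.
    """
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = folded.encode("ascii", "ignore").decode("ascii")
    folded = folded.replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("0135", "oles"))


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain):
    """Return ('known' | 'lookalike' | 'unknown', matched vendor or None)."""
    domain = domain.lower()
    for vendor in KNOWN_VENDORS:
        if domain == vendor or domain.endswith("." + vendor):
            return "known", vendor  # the vendor itself or one of its subdomains
    norm = normalize(domain)
    for vendor in KNOWN_VENDORS:
        vnorm = normalize(vendor)
        brand = vnorm.split(".")[0]
        # Close spelling of the whole domain, or the vendor's brand name used
        # inside a domain the vendor does not own (acme-supplies-invoices.test).
        if edit_distance(norm, vnorm) <= 2 or brand in norm:
            return "lookalike", vendor
    return "unknown", None


def review_invoice(sender, body):
    """Decide what accounts payable should do with an emailed invoice."""
    domain = sender.rpartition("@")[2]
    status, vendor = classify_domain(domain)
    bank_change = bool(MONEY_TERMS.search(body) and CHANGE_TERMS.search(body))
    if bank_change:
        # A hijacked real mailbox looks 'known', so any change to where money
        # goes is confirmed by phone regardless of the sending domain.
        action = "hold_and_call_back"
    elif status == "lookalike":
        action = "quarantine"
    elif status == "unknown":
        action = "manual_review"
    else:
        action = "ok"
    return {
        "domain": domain.lower(),
        "status": status,
        "vendor": vendor,
        "bank_change": bank_change,
        "action": action,
        "callback_number": KNOWN_VENDORS.get(vendor),
    }


# Constructed sample: a capital I in place of the l in the vendor's domain,
# and a body announcing 'updated' bank details with a phone number of its own.
SAMPLE_INVOICE = {
    "sender": "ap@acme-suppIies.test",
    "body": ("Please note our bank account details have changed. Updated wire "
             "instructions are attached. Call 555-0199 with any questions."),
}

if __name__ == "__main__":
    print(review_invoice(**SAMPLE_INVOICE))
```

The deliberate design choice is that a bank-detail change is held for a callback even when the domain is genuine, because BEC includes hijacked real mailboxes; the lookalike check only decides what happens to the message itself. The keyword lists are intentionally broad: this is a rule for pausing a payment, not for blocking mail.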
