Posted by: Heather Toll on June 22, 2018 at 8:00 am
Recently, a client put in a ticket that started off, “So this was not [my boss] emailing me.”
Her “boss” had emailed her, asking her to purchase gift cards to use as thank-you gifts, something they do regularly. He asked her because, supposedly, another employee — mentioned by name — was not available. Thankfully, our contact noticed that the reply-to field had a generic email and not any address her boss actually used, and the scam ended there.
This was an example of “spearphishing,” a targeted scam that is becoming more common. In this incident, the criminals figured out how the company formatted their email addresses, then faked the boss’ email and targeted two other people on staff.
That ticket, and some other incidents that we have read about recently, showed that it’s time for an update on what’s new in cybercrime, and how you can protect your business.
Targeted Attacks — Still Rare, But More Dangerous Than Ever
Email spoofing/spearphishing. This is probably the most common kind of targeted cybercrime. Hackers troll your web site, LinkedIn, etc. looking for an email address for anyone in your company. Once they know the format your company uses to set up emails, they can send messages, pretending (“spoofing”) to be from a high-level manager or C-suite. The typical request asks for W-2s, gift card purchases, or large fund transfers. Because it’s from “the boss,” many workers will comply.
Watering hole attack. A “watering hole” attack is when the cybercriminal tracks the web sites commonly visited by employees of the target business or government. Then, they infect those sites with malware. Picture your company as a wildebeest, and the cybercriminal is a hungry lion. What sites do you go when you need information from a safe, reliable location? Those are your “watering holes.” The end goal is the same — gotcha. Thankfully, this kind of attack is pretty rare still.
Government attacks. Atlanta. San Francisco. Even our own Lansing, Michigan.What do these cities have in common? All have dealt with cybercrime attacks in the past couple of years. Smaller governments need to be on alert as well. Criminals may target them as a “trial run” before hitting a bigger city or government entity.
Scam within a scam. Today in, “We Really Hope This is Not a Trend,” a bank in Chile lost 9000 workstations and 500 servers in a virus attack. Terrible, right? But wait, there’s more. The virus attack was just a smokescreen to distract from an even bigger crime. The real target? $10 million shuffled off to a bank account in Hong Kong while everyone was worried about the massive workstation loss. (Yikes.)
Untargeted Attacks Are Still a Threat
Sadly, the rise of targeted cybercrime does not mean “little guys” can rest easy. Untargeted attacks are still common, and growing, because they work.
What’s new? Cryptojacking. You’ve probably heard of Bitcoin, maybe even invested in it yourself. Bitcoin and other cryptocurrencies require massive amounts of computer processing power to generate value (called cryptomining). The demand for these currencies is driving up the cost of processing units. So, the less-scrupulous miners look for a cheaper source of processing power — someone else’s computer or server. The victim often doesn’t know they’ve been ‘jacked until their computer gets noticeably slow and unresponsive. But those issues can be attributed to other causes as well, which makes cryptojacking particularly difficult to diagnose and resolve without professional help.
Besides these, all the other scams we’ve been warning you about for years are still around, such as viruses hidden in email attachments.
- Avoid those “what’s your [fandom] name/character” online quizzes. The information they ask for is often the same as common security questions such as your first pet or the street you grew up on.
- Don’t click on that “hot celebrity news” email attachment.
- Did a “company” email you and tell you to log into your account? Don’t do it from their email link. Open a fresh web browser window and go to the site from there.
- Check with your boss in person or by phone before buying gift cards or wiring large amounts of money.
- Bosses: Write and enforce a policy for wire transfers and gift card purchases. Write a bunch of other data security policies as well.
- The IRS won’t call you, and they don’t accept iTunes cards.
- Microsoft won’t call you to fix your computer.
- Use secure passwords.
- Use multi-factor authentication whenever possible.
Knowing basic precautions is important, not just for IT managers, but for everyday people including office workers, medical staff, and others. If you use email or use a computer that accesses the internet, you need to be aware of these precautions.
Be alert, be safe.
When was the last time a computer network professional reviewed your network security? Call TAZ Networks today or fill out the form on the right to get started.