Cyber attacks of all types are on the rise, increasing the odds that your business will be the next victim of a spearphishing attack
Spam emails, phishing emails, and emails that contain malicious content are nothing new. These types of messages have been an ongoing source of trouble for businesses and individuals alike for a very long time, and won’t be going away anytime soon. However, we’ve noticed recently that there seem to be even more of these potentially harmful emails making the rounds than usual, and they’re growing more sophisticated by the day.
Recently, the CTECH team helped a client of ours survive a spearphishing attack. Unlike phishing campaigns, which are designed to target as many potential victims as possible by using broader tactics, spearphishing attacks target a specific business or employee. On one hand, the chances of someone on your team accidentally opening one of these emails and clicking on an attachment or link dramatically increase when a phishing email lands in the inbox of every single employee. On the other hand, this can sometimes make them easier to spot because the messaging is more generic. Spearphishing emails are a different story.
While the bulk of these emails are being successfully caught by spam filters and other network security measures, the sheer number of emails being sent out has made the odds of something managing to slip past your business’s defenses higher than normal. This doesn’t mean that your technology or your technology partner aren’t doing what you need them to be doing; it simply means that, statistically speaking, there is a good chance a threat may find its way into your inbox regardless.
Spam filters are constantly updated, with the signatures of known threats being added to your filter’s database in order to make sure they’re recognized and stopped. As more signatures are added, fewer of these messages will be able to reach you and your employees. Your spam filter is doing most of the hard work for you, but the current high volume of threats serves as a great reminder that you should always be on the lookout for a suspicious email.
For business owners, staying a step ahead of a potential infection, intrusion, or scam means making a point of learning the basics of how to spot spam and phishing attempts, and training your staff to do the same. For employees, it means taking cybersecurity training seriously and actively applying what you know about how cybercriminals operate to your daily tasks.
There are a few common characteristics malicious emails share that make them easy to pick out once you know what you should be looking for. Spam and phishing red flags include:
- Overly-urgent or threatening-sounding subject lines
- Generic salutations (messages that aren’t addressed to a specific recipient)
- Spelling mistakes or grammatical errors that indicate a poor grasp of the English language
- Attachments that you were not expecting to receive
- Embedded links that don’t match the hyperlink text
- The sender indicates that their request needs to be met within a very short timeframe and/or implies that there will be consequences if you fail to act on their request
- The message seemingly comes from a familiar sender, but from an unfamiliar email address
- The message contains a request that wouldn’t normally be sent to that recipient
- The sender requests sensitive information that normally wouldn’t be shared through email
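Three of these red flags (urgent subject lines, a familiar name on an unfamiliar address, and link text that doesn't match the real destination) can also be checked mechanically. The sketch below is an added example, not part of the original article or a CTECH tool; the contact directory, keyword list, flag names and sample message are all assumptions made up for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed contact directory (display name -> real address); hypothetical values.
KNOWN_SENDERS = {"dana reyes": "dana.reyes@example.com"}
URGENT = re.compile(r"\b(urgent|immediately|final notice|suspended)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
# Constructed sample message, not taken from a real incident.
SAMPLE = ("From: Dana Reyes <dana.reyes@examp1e-mail.test>\n"
          "Subject: URGENT: invoice must be paid immediately\n"
          "Content-Type: text/html\n\n"
          '<a href="http://pay.invalid-host.test/inv">https://portal.example.com/invoices</a>\n')

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):  # hostname of a URL or bare domain, without a leading "www."
    h = (urlparse(url if "//" in url else "//" + url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def red_flags(raw):
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    if URGENT.search(msg["Subject"] or ""):
        flags.append("urgent-subject")
    name, addr = parseaddr(msg["From"] or "")
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and addr.lower() != expected:  # known name, different address
        flags.append("familiar-name-unfamiliar-address")
    body = msg.get_body(preferencelist=("html",))
    parser = LinkCollector()
    parser.feed(body.get_content() if body is not None else "")
    if any(LOOKS_LIKE_URL.match(t) and host(t) != host(h) for h, t in parser.links):
        flags.append("link-text-mismatch")
    return flags
```

Calling `red_flags(SAMPLE)` returns all three flags. Links whose visible text is ordinary wording ("click here") are not compared, so a clean result is not proof that a message is safe.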
It’s always a good idea to use caution when opening any attachment or clicking on any links sent to you through email. If anything about a message you receive seems even the slightest bit suspicious, take a moment to read the message over closely. You should never hesitate to follow up with the sender or check with a supervisor before acting on an email that just doesn’t feel right. Taking a few extra minutes to respond won’t cause any harm, but opening an attachment that contains malware certainly will.
If you’re trying to verify the contents of a strange-seeming email, it’s important to remember not to use the contact information provided in the email to follow up. Even if the phone number in a signature line looks right, take the time to pull up a company contact sheet or internal database, especially if it’s for someone you don’t normally have contact with. That way, you know for sure you’ll be speaking to the right person.
One of the major weak points in the human component of many businesses’ cyber security policies is employees’ reluctance to raise concerns with management or supervisors for fear of being told they’re wasting time. Employees should feel comfortable asking questions, even if they seem like “dumb” questions. Following up on an odd request or double-checking that the files they’ve just been sent came from the person they’re supposed to have come from can spare your business a ton of lost productivity, and protect critical data from corruption or theft.
Discussing cyber security training with your IT provider is a great way to make sure you have access to the latest information and the resources you need to educate your team effectively. It’s important to remember that just like technology itself, threats leveled at your technology can change and evolve quickly. Routinely sharing updated information and retraining your employees on important cyber security skills is crucial.
Phishing attacks are meant to cause as much damage as possible by aggressively targeting as many businesses as they can reach in one sweep. Because this particular scam isn’t meant for you specifically, the infections and breaches these messages cause can create a huge headache for your business as they search out any bit of data that happens to be in your systems and network.
A sophisticated spearphishing scam is often a surgical strike, designed to let a hacker hit a specific target. A phishing scam is like a hand grenade – whatever it hits, it hits. Regardless of which type of attack is directed your way, it’s not something you ever want to find yourself in the crosshairs of.
Want to learn more about the steps you can take to keep your staff educated and your business secure? Contact CTECH Consulting Group at (403) 457-1478 or firstname.lastname@example.org today.