There are many ways bad actors can penetrate your business, steal your data, and hold your company ransom. While some are nearly laughable, all are very sneaky and deceitful. Here are some of the most common methods cybercriminals use to access businesses and approaches for stopping those methods dead in their tracks before they do any damage.
Phishing
Phishing occurs when a cybercriminal sends out a mass email asking the recipients to click on a link or open an attachment. The link is hacked or the document nonexistent. If someone honors the request by the cybercriminal, the link or attachment will request their password. If the recipient types it in, the bad link or attachment will then capture their password. This allows the hacker access to their password, thus compromising their systems.
To avoid becoming the victim of a phishing scam, don’t open attachments or follow links from people you don’t know or those in unexpected emails from people you do know. If something seems suspicious, pick up the phone and call the sender to see if it is actually from them. Use your Spidey senses. If you’re not expecting it, don’t open it.
Spear Phishing
Spear phishing is when a cybercriminal does some research upfront to further deceive their victims and, like phishing, spear phishing involves email. A bad actor will look online to learn more about your business and the people who work there. They will conduct research to determine who is in accounting, who is in human resources, and/or who your chief executive officer may be.
After doing all of this homework, the hacker will send an email, posing as your CEO or another business leader. They will target specific people with these emails so that they can access what they need. For example, if they are after cold hard cash, they might send an email to someone in accounting asking for a funds transfer for a business expense such as travel, paint, services, etc. The fact is, the email isn’t really from the CEO but someone posing as the CEO.
Another way cybercriminals use spear phishing is to send an email from the “CEO” with a bad link or attachment to other employees in the company. As with phishing, the email will request that the recipient visit the link or download the attachment as they are “out of the office,” “On the road,” or simply “can’t open it.” Again, if the recipient complies (after all this email is from the boss), then the hacker can capture their password, access the system, and steal the company’s valuable data.
Don’t become a victim of spear phishing. You need to look at every email closely before you open any links or attachments. If someone sends you an email, hover over the email address to make sure it’s really their email address. If not, notify them immediately by phone that they may have been hacked.
Next, make sure everything is spelled correctly. If it isn’t, then be suspicious. Also, read the email. Does it sound like the person who sent it to you? If not, call the person who sent you the email to ensure they actually sent it.
Finally, look at the email signature. Is it the same as the email signature from past emails? Is the email address correct in the email signature? If not, alert them that they may have been the victim of a cyberattack.
Ransomware
Ransomware, like phishing and spear phishing, uses email. The hacker will fool you into clicking on an attachment or downloading a file from the internet, and that file then encrypts all of the data on your computer and your network. The cybercriminal will then contact you and require a ransom to be paid in order to access your data. These bad actors typically ask you to pay them online through something such as bitcoin.
You can avoid becoming the victim of ransomware by taking several steps. First, don’t open any attachment or download any files from an unknown source. Also, don’t open or download any files from a known source if you aren’t expecting it. Simply call the person and ask if they sent you an email with an attachment or download.
Next, be sure that you are not reusing passwords and that your passwords are strong. Use a different password for each program, email, application, etc. that you utilize. A password manager can help you keep track of all of them and there are many that are available for free or at a very low cost. Strong passwords contain uppercase, lowercase, numerals, and symbols. A combination of these are harder to break.
Finally, employ anti-virus software with anti-ransomware capabilities and a strong firewall on your network. Be sure to also keep your network backed up so that if a breach does occur, you can access your data without paying out a substantial ransom. You’ll also want to educate your employees so they are also following all of these guidelines so they don’t become victimized while exposing your business.
Voicemail & Phone Calls
Cybercriminals are tricksters. They have learned how to get information out of you to make the most money possible. They will call you and pretend to be the IRS or another government agency to access your social security number. They may leave a voicemail asking for banking information to cover a past-due bill. A bad actor may call, pretending to be from Apple or Microsoft, and request access to your computer as it has been exposed to a virus and they will fix it for you.
With companies, hackers can be just as bad. They may call your office and pretend to be one of your vendors in order to get information. For example, there was a printing company in Boston that would call local companies and ask for their printer number. The company would then receive printer cartridges it didn’t order but would then receive an invoice for the cartridges from this company.
Never give out your social security number to someone over the phone. The IRS does not make phone calls. The IRS would simply send a letter. Also, keep your bank information safe. If someone calls from a company claiming you owe money, tell them you will call them back. Follow up with a call to the company to see if you really owe money and then make a payment if necessary. Never allow anyone access to your computer unless you know them. Your computer has more personal information about you than you can imagine.
As for your business, have a list of vendors you work with and share it with your employees. If a vendor calls, they should be directed to one or two employees who know them. Not everyone should be working with your vendors. The people who do work with the vendors should be leery of giving out information that they should already have on hand. Again, hang up the phone and call the vendor directly to see if they are really requesting this information.
USB Tests
This is insidious as bad actors will use your sense of good against you. You’re walking through the parking lot at work and find that someone has accidentally dropped their USB drive. You take it into work and plug it into your computer to see what is on it so you can get back to the rightful owner and BAM, the hacker has you.
Cybercriminals will infect a USB drive, drop it in a parking lot at a business, and wait for you or another employee to take the bait. Once you insert the USB drive into your computer, they have infected your network.
Don’t become the victim of a USB test. If you find a USB drive, turn it in to the receptionist at the front desk. Ensure she doesn’t open it. If someone has lost it, they can ask for the lost and found. If no one claims it in a few weeks, toss it. It’s that easy.
Dark Web Compromises
The Dark Web is the criminal underbelly of the internet, hidden away from conventional search engines. This is the place where hackers and cybercriminals take stolen information from social security numbers and birthdates to passwords and business data to be auctioned off to the highest bidder.
Not only is the Dark Web a threat to your personal identity, but it can negatively impact your business as well. This is because the credentials of you and your employees can be a way for bad actors to break into your business. With personal information such as email logins, passwords, and usernames, cybercriminals can access business applications, email, the company network, and beyond.
The most effective method for protecting your personally identifiable information (PII) and your business is to utilize a Dark Web monitoring program such as Dark Web ID offered through ORAM Corporate Advisors. This proprietary software continuously monitors the Dark Web to determine if your credentials or those of your employees have been exposed. With constant monitoring, you can be alerted to any compromises so you can change your login credentials, usernames, password, and more before bad actors can take advantage of what has been stolen from you.
For more information on protecting your business from the most common cyber threats, contact ORAM Corporate Advisors at (617) 933-5060 today or visit us online to schedule a free consultation.
