Email and messaging apps and platforms have become the new way of communication among modern societies and are used both in business and personal interactions. However, while these options are very convenient, efficient, and cost-effective, they come with a security threat that your business should evaluate as the top priority. Any slight vulnerability in your email and messaging systems can leave you exposed to phishing, smishing, and all sorts of cyberattacks. Hackers use communication platforms such as email, Skype, Snapchat, and Twitter to trick people into making the wrong decision and falling victim to cyber-attacks. Fortunately, there are various things you can do to protect your business against smishing and email attacks. Here are a few insights:
Recognize Phishing and Smishing as a Serious Threat
When starting a business, most people do not immediately think about cyber threats unless the venture is a mega enterprise. The average small business owner depends on industry-standard SSL certificates and virus scanners for online protection. However, email and messaging applications are just as vulnerable as websites. It is crucial to recognize phishing and smishing as a severe threat that can extort and cripple your business. Phishing and smishing messages contain malicious links and infected attachments that can work in the background to cripple your servers and business. As such, the best way to protect your business is to avoid opening these messages. Fraudsters can also use personalized emails and phone calls that trick you into giving up highly sensitive details. In such cases, the emails and conversations are fabricated to mimic legitimate banks or businesses.
Recognize Phishing and Smishing Attacks
The first step to protecting and securing your business communications is identifying the threats and vulnerabilities your systems possess. Hackers can send messages and emails to millions of users or target your business specifically. As such, it is essential to establish measures for identifying and eliminating potential phishing and smishing threats, which includes using spam filters to automatically remove unauthorized emails from your primary feed. Here are a few characteristics of a phishing email or smishing message:
- The email or message has a sense of urgency that demands immediate action
- Evokes an intense curiosity of something too good to be true
- Pressures you to ignore policies and work procedures
- Uses generic salutations like "Dear Customer" instead of your real names
- Requests sensitive, confidential information such as passwords, PINs, credit card numbers and other details that a legitimate sender would already have
- Has a "Reply-To" header pointing to a personal account, or is sent from a free personal address such as "@gmail.com", "@outlook.com" or "@yahoo.com"
- Has a tone that doesn't sound like the sender you know
Below are some examples of potential scam emails that can be found on phishing.org.
Fake Unusual Login Activity Emails
With many service providers increasing their security measures, you may be getting emails from services you use often when they suspect an unusual number of logins with your email address. Hackers recognize that these service providers are doing this, so they are jumping on the bandwagon, thinking they can fool you with their own. Below is an example of a fake PayPal security alert. You can recognize that it is fake if it is poorly designed or has bad grammar. This one mentions "unusual log in activity" and hopes the recipient will click a link to a malicious website; it is also sent from an "outlook.com" address, which is a free account.
This is a fake Microsoft email regarding "Unusual sign-in activity" which points people to a fake phone number.
Another phishing example is the .html attachment, which can slip past anti-spam protection. Below are some examples.
Hackers also use LinkedIn. See below a fake Wells Fargo "InMail" LinkedIn message.
One of the most common phishing scams is the CEO fraud email. Hackers will find out who the CEO of a company is and, using a free email account like Gmail or Outlook.com, will send phishing emails to the CEO's employees or clients. Below are a couple of examples we got from Symantec and Phishing.org.
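The characteristics listed above (urgency, generic salutations, credential requests, free webmail or mismatched "Reply-To" addresses) and the .html attachment and CEO fraud cases from this section can be turned into a simple triage check that an IT team runs over a forwarded message before deciding whether to block it. The script below is an added example, not code from the original article or from any vendor it names; the keyword lists, the free-mail domain set, the `SUSPICIOUS_THRESHOLD` of two indicators and the sample messages are all assumptions constructed here, and only Python's standard `email` library is used.

```python
"""Heuristic phishing indicator checks over raw RFC 822 messages (added example)."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed keyword lists and threshold: tune them for your own mail flow.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent", "will be suspended",
                   "unusual sign-in", "unusual log in", "unusual login")
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear member", "dear account holder")
CREDENTIAL_RE = re.compile(r"\b(password|pin|credit card|social security)\b")
SUSPICIOUS_THRESHOLD = 2


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if it is absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw_message):
    """Return the list of indicator descriptions triggered by one raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []

    # Sender checks: Reply-To pointing elsewhere, or a free webmail domain.
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        found.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for dom in sorted({from_dom, reply_dom} & FREEMAIL_DOMAINS):
        found.append(f"free webmail domain used by sender: {dom}")

    # Content checks on subject plus the first text body part.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (body.get_content() if body else "").lower()
    subject = str(msg.get("Subject", "")).lower()
    haystack = subject + "\n" + text

    if any(p in haystack for p in URGENCY_PHRASES):
        found.append("urgency language demanding immediate action")
    if any(text.lstrip().startswith(s) for s in GENERIC_SALUTATIONS):
        found.append("generic salutation instead of a real name")
    if CREDENTIAL_RE.search(text):
        found.append("asks for credentials or payment details")
    if re.search(r"http://[^\s\"'<>]+", haystack):
        found.append("link without https")

    # Attachment check: HTML files that carry a fake login form.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".html", ".htm")):
            found.append(f"HTML attachment: {name}")
    return found


def is_suspicious(raw_message):
    """True when at least SUSPICIOUS_THRESHOLD indicators fire."""
    return len(phishing_indicators(raw_message)) >= SUSPICIOUS_THRESHOLD


def build_sample(from_addr, subject, body, reply_to=None, html_attachment=None):
    """Build a raw message for testing (constructed sample data, not a real capture)."""
    m = EmailMessage()
    m["From"] = from_addr
    m["To"] = "finance@example.com"
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if html_attachment:
        m.add_attachment(b"<html><body>login form</body></html>",
                         maintype="text", subtype="html", filename=html_attachment)
    return m.as_string()


# Constructed samples modelled on the cases described in the article.
FAKE_ALERT = build_sample(
    "PayPal Security <paypal-alerts@outlook.com>",
    "Unusual log in activity on your account",
    "Dear Customer,\n\nWe detected unusual log in activity. Confirm your password "
    "within 24 hours at http://paypal-verify.example/login or your account will be suspended.",
    html_attachment="secure-login.html",
)
CEO_FRAUD = build_sample(
    "Jane Roe <jane.roe@example.com>",
    "Urgent request",
    "Hi Dana, I need a payment processed immediately. Reply to this address.",
    reply_to="jane.roe.ceo@gmail.com",
)
BENIGN = build_sample(
    "Pat Lee <pat.lee@example.com>",
    "Agenda for Thursday",
    "Hi Dana,\n\nHere is the agenda for Thursday's meeting. See you then.",
)

if __name__ == "__main__":
    for label, raw in (("fake alert", FAKE_ALERT), ("ceo fraud", CEO_FRAUD), ("benign", BENIGN)):
        print(label, "->", "SUSPICIOUS" if is_suspicious(raw) else "ok")
        for indicator in phishing_indicators(raw):
            print("   -", indicator)
```

The fake alert trips six indicators and the CEO fraud sample three, while the routine meeting email trips none. Note that a single indicator is deliberately not enough for a verdict: a colleague writing "please reply immediately" is not phishing, which is why the threshold and the keyword lists should be adjusted against your own mail before the script is used to auto-quarantine anything.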
Set Up Your Protection Measures
Once you know how to spot phishing and smishing, the next step is to set up measures that can protect your business from such exploitations. There are several solutions for modern companies, including:
- Stay Informed About the Latest Phishing Scams - For end-users, keep up to date with the latest scams so you are aware and can potentially recognize a phishing scam that you get at work or on your personal email. For IT administrators, we recommend you implement some sort of security awareness training for your end-users. We will provide some great resources at the end of this guide.
- Set Up Strong Passwords For Your Servers And Monitor Users - Every business computer or server should have a strong password with designated users. You can track users to ensure accountability and make it easier to recover from an attack. All email and digital communication platforms should also have strong passwords and designated administrators that manage them.
- Be Careful When Opening Emails and Messages - If you suspect the email is a scam or phishing attempt, you shouldn't open it. Delete it and clear it from your trash folder, and do not open any attachments or links. You can also forward the mail to your IT team so they can take a look at it. Without opening a phishing email or message, the attachments and malicious links cannot achieve much and remain enclosed in the deleted mail. It is also important to avoid entering any sensitive information via pop-up screens, as legitimate companies do not ask for sensitive data using such means.
- Set Up Phishing Filters - Gmail's spam filter, for example, doubles as a phishing filter that protects you from potential threats and scams, and you can mark senders as spam to stop receiving them. There are also several other anti-phishing filters you can install on your email server, email application or browser. While such filters will not stop all phishing attempts, they will block most of them, especially the mass campaigns hackers send to large numbers of public addresses. You can also install a free anti-phishing toolbar for your browser as another layer.
- Make Sure The Site is Secure - If you are submitting any information on a site, make sure its address begins with "https".
- Keep Your Web Browser Up to Date - Make sure the web browser you use is up to date. Technology vendors release these updates in response to security vulnerabilities.
- Use Firewalls - Make sure you have updated desktop and network firewalls deployed in your business. Firewalls can help filter out malicious websites.
- Use Antivirus - Make sure you have antivirus solutions in place on your desktops and servers, especially ones that come with anti-ransomware protection. Make sure they are always up to date with the latest software updates.
- Watch Out For Pop-Ups - Most browsers have the ability to block pop-ups, but if they don't, just close them and do not enter any information or click on any links they provide if you are not familiar with them.
- Do Not Give Personal Info Online - Do not provide personal information in response to a request that arrived by email or message. If you do need to, go directly to the company's main site and log in with the secure credentials you set up there.
- Use Private VPNs in Public - Use a private VPN connection when accessing the internet in a public Wi-Fi setting.
- Do Not Use Unknown USB - Never stick an unknown USB device into your computer as it could have malicious software on it.
Business communication security is integral to success. Without adequate security measures around your communications, your business will be vulnerable to attacks that can result in shutting down operations, violation of customer privacy and confidentiality, extortion, and more. It is thus essential to set up a system that monitors for viruses and filters potential threats. All personnel must also exercise precaution when using email and messaging services. Subscribe to learn more about how you can beef up your business communication security.
For further reading, you can go to the following sites and/or use the following products.
- Sophos Security (Anti-Ransomware, End-User Security Training)
- Mimecast Email Security (Anti-Phishing Email Protection, Email Impersonation Protection)
- Phishing.org (Email phishing awareness, news and training)
- Messaging / Smishing Attacks Ouch Newsletter - https://www.sans.org/security-awareness-training/resources/messaging-smishing-attacks
- Personalized Scams Ouch Newsletter - https://www.sans.org/security-awareness-training/resources/messaging-smishing-attacks
- CEO Fraud/BEC Ouch Newsletter - https://www.sans.org/security-awareness-training/resources/ceo-fraudbec