How to Spot a Cyber Scam is the headline for this third post on the critical topic of cybersecurity for small businesses.
To the recipient, an email in their Inbox appears to come from a business partner asking them to “open the attachment” by clicking on the attached document. It is all too easy for a user to absentmindedly open the attachment and click through a prompt, resulting in an instant ransomware infection. It happens every single day.
Ensure all employees are wary of any email containing an attachment they aren’t expecting. Make sure they confirm with the sender (via phone, text, or a separate email) what it is before opening or clicking anything.
Another example of an email scam is a notice that appears to come from a prominent company such as Amazon.com, PayPal or eBay; the point is the contents and the technique, not who it appears to come from. It lures the reader to click a link rather than an attachment, but with the same business-crippling results. The link appears to lead to a legitimate PayPal web page, yet when the mouse is hovered over it, the actual destination is a different site designed to install malware or illegally collect personal information. Red flags to watch for: missing sender or recipient information, generic greetings, misspelled email addresses (e.g., firstname.lastname@example.org), and email addresses that don’t match the company name. Any email that asks the recipient to download a form or macro in order to complete a task is highly suspicious, and the employee should NOT click on anything. Instead, report the email to IT immediately.
Malicious Websites and Malvertising
Malicious websites and malvertisements are designed to look like a page or ad on a legitimate website. These sites can look incredibly real, featuring branding and logos, which is why so many end up giving cyber criminals their personal information or access to directly inject malware onto their systems. Typically, hackers will insert code into a legitimate site, which redirects unsuspecting users to their malicious site.
Train employees to check the URL a link actually points to (by hovering the mouse over the link to reveal the complete URL in the status bar at the bottom of the browser).
Another common lure is a pop-up that claims the user’s computer is “infected” and thus a fine must be paid or they must call a special Tech Support (scam) number to “clean” their system. The lure instructs users to click a link in order to pay a fine, which is bogus.
Red flags: links that redirect to a different domain, pop-ups that require you to enter personal information, misspelled URLs, and URLs with unusual domain extensions. This type of attack can be very hard to detect, even if employees are highly vigilant. This is why it is very important to deploy business-class malware detection software, which we will cover in the next blog post in this series on cyber scams.
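The hover check described above (the PayPal-style link whose real destination differs from the displayed one, and the “download a form or macro” lure from the email section) can be automated for an HTML email body before anyone clicks. This is an added Python example, not code from the original post; the risky-extension list, the two-label domain heuristic and the sample message are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions treated as "download a form or macro" lures (assumed list, extend as needed).
RISKY_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".exe", ".js", ".zip", ".iso")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Last two labels of a hostname: a rough stand-in for a public-suffix lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit_links(html):
    """Automate the 'hover over the link' check: for every anchor, report where it
    really goes and why it was flagged (an empty reasons list means nothing found)."""
    parser = LinkCollector()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        url, reasons = urlparse(href), []
        host = (url.hostname or "").lower()
        # A visible URL whose domain differs from the real destination is the classic lure.
        shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
        if shown and registered_domain(shown.group(1)) != registered_domain(host):
            reasons.append("displayed URL and real destination differ")
        if url.path.lower().endswith(RISKY_EXTENSIONS):
            reasons.append("link downloads a macro-enabled or executable file")
        report.append({"text": text, "host": host, "reasons": reasons})
    return report

# Constructed sample lure styled as a payment-service notice (not a real message).
SAMPLE_EMAIL = """<a href="http://paypal-secure-login.example.net/verify">https://www.paypal.com/verify</a>
<a href="https://www.paypal.com/help">PayPal Help Center</a>
<a href="http://update.example.org/form.docm">Download the form</a>"""
```

Running `audit_links(SAMPLE_EMAIL)` flags the first and third links and leaves the genuine help-center link clean; a visible label with no domain in it (like “PayPal Help Center”) is not flagged by the domain check, so the host column still needs a human glance.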
Be certain that employees understand this type of cyber scam is designed to prey upon human fear. Instruct employees who encounter this type of pop-up NOT to click, nor to follow any of the instructions therein.
SETTING UP A CYBERSECURITY TRAINING PROGRAM
The cybersecurity training schedule you choose will be dictated by the specific nature of your business and the systems, software and hardware you leverage. However, a good start would be ensuring that all new employees receive training as part of their orientation and all employees receive training on a bi-annual basis. It is important to have a formalized plan in place to keep security front of mind and employees informed about new threats. While formal training is important, informal training can be very effective as well. Point staffers to blogs on key security topics, ask them to take an online cybersecurity quiz, print out and post funny IT security memes around the office, etc. Do whatever it takes to keep people aware and following safe browsing practices. If you don’t have resources to put this type of training together, talk with your IT service provider and see if they can assist with educational materials or plans.
In our next post, we’ll continue with this series on cybersecurity.
If you would like more information on Data Backup and Disaster Recovery, download your Free Business Advisory Guide Here.
Don’t worry about some sales guy calling you from our office because you downloaded information off our website. No one from our office will call you; I promise. We don’t like sales calls any more than you do! We understand if you’re not ready to do that, and if that’s the case, then just read these posts when they come out. We post on a regular schedule.
If you would like to chat about this, or anything else, call us at 503.359.1275.
Dedicated to your success,
dts|infotech . . . computer networks that work