Cybercriminals are coming for your business, and they’re getting in via email.
In 2021, according to technology research firm Comparitech, 79% of U.S. businesses reported falling victim to a successful phishing attack, and $2.4 million was stolen via business email, a 28% increase over the previous year.
“We are targeted by phishing every day,” said Ian Harper, information technology manager for Bellingham Cold Storage, a refrigerated warehousing company with 175 employees and three locations, two in Bellingham. “A lot doesn’t make it past our advanced email defense system.”
For the emails that do slip by, Harper and his team conduct a “search and destroy” routine to reduce the possibility that employees will respond.
“The ones that our users typically bite on are made to look like a note from their supervisor or another executive asking for a favor or some urgent task,” Harper said.
If employees are in a hurry, they’re more likely to miss the signs that messages came from outside.
It’s not just employees. Business owners and managers are top targets for phishing, Harper said.
“They are much more likely to receive phishing emails than the rest of their staff,” he said. “Hackers do this because owners/managers have more control over organizational finances, so the payout is bigger.”
Hackers buy lists of employees from companies that sell marketing leads and use that to target their campaigns.
“Even IT pros will fall for scams from time to time,” Harper said. “It’s happened to me and my team. When it does, it’s when you are in a rush … How critical are you at five minutes to lunch or going home for the day? What happens when an email comes in asking for one quick click? Wouldn’t you want to take care of it now, so you don’t have to deal with it later? It will only take a minute, right?”
Dennis D’Ambrosio, fraud investigations officer for Heritage Bank, with two locations in Bellingham, said scammers create that sense of urgency, pressuring you to take action now.
“A lot of very intelligent people have fallen victim to scams,” D’Ambrosio said. “It’s human nature to trust people, especially when they are assumed to be in a position of authority or we believe it’s someone we know.”
D’Ambrosio said business email compromise and ransomware are the biggest threats now: “They can cause the greatest damage to a business financially or operationally.”
Business email compromise is particularly lucrative for scammers, according to Comparitech: The average amount of money that businesses lost via business email compromise nationally in 2021 increased nearly 25% over 2020.
Besides the increase in business email compromise, in 2022 the financial industry saw a resurgence in check fraud, D’Ambrosio said.
“Mail theft rebounded, and the dark web has become a marketplace for the sale of checks,” D’Ambrosio said. “Business identity theft could be the next big thing, so it’s important for businesses to monitor their accounts.”
Scammers aim to stay a step ahead of businesses and the public in general. “Cybercriminals’ full-time job is scamming honest people out of money,” Harper said. “They are constantly working to improve the effectiveness of their scams. They have developed organizations and even social networks to make attacks more effective. They will share best practices and even hacking tools or services through these connections.”
D’Ambrosio concurs, saying cybercriminals are always looking for gaps or weaknesses in systems and processes.
“It’s a constant cat-and-mouse game where they poke and prod until they find a loophole that they can exploit,” D’Ambrosio said.
In a business email compromise scheme, criminals use a compromised email account to research the company and the target.
D’Ambrosio said: “The imposter may drop into an active email chain with, ‘I’m following up on the status of invoice 1234. We need to have the payment sent to our new account, since we are in the middle of an audit. Let me know when it’s completed so I can let accounting know to watch for it.’ You’re familiar with the project invoice and the sender, so you don’t think twice about it until the real vendor says they didn’t get the payment.”
What you can do
“My mantra is stop, call, confirm,” D’Ambrosio said. “Most scams can be stopped in their tracks if you follow these three simple steps.”
- Stop: Do not process a payment change request received by email.
- Call: Use the sender’s verified phone number, not the one in the email.
- Confirm: Verify the change request before acting on it.
General security practices for businesses are a good starting point:
- Arrange for antivirus software to update automatically.
- Keep firewalls up to date.
- Protect the router with a password that is not the default one.
- Regularly back up data to additional, unconnected storage.
- Limit employee access to only the data systems they need for their jobs.
Harper highlights other essential practices:
- Separate administrative access from an employee’s daily use accounts. “Typically, businesses will allow regular accounts to have administrator rights, to make installing software easier. This hole allows malware to hijack these permissions and start running amok in your systems. Having a separate account for admin access will stop a lot of malware from infecting a PC.”
- Have strong email filters. “The No. 1 attack delivery these days is via email.”
- Train employees to be aware.
- Use multifactor authentication for all critical online accounts to prevent hackers from getting in if your password is stolen or guessed.
- Use dual authentication for financial transactions; one person enters the transaction, and another approves it before funds are released.
- Review or create an incident response plan.
- Encrypt sensitive data.
- Use strong passwords, and don’t reuse passwords. Credentials obtained from a breach on one service can be used by cybercriminals to log in to other, unrelated sites or services, wreaking havoc.
- Take advantage of online banking alerts.
- Know your insurance. Do you need more coverage?
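The “strong email filters” item above, together with the earlier descriptions of messages made to look like a note from a supervisor, of the signs that a message came from outside, and of the invoice-redirection email chain, can be turned into a few concrete checks. The script below is an added example written for this page; it is not code from the article, from Bellingham Cold Storage or from Heritage Bank. The company domain, the employee directory and the three sample messages are all constructed for illustration, and the look-alike-domain check goes one step beyond what the article describes. It tags a message when a known employee’s display name arrives from an outside address, when the sender domain is one or two characters away from the real one, when replies would be routed to a different domain than the apparent sender, or when the body pairs urgency with a payment or account change.

```python
"""Tag inbound email for the impersonation signals described in the article.

Added example, not from the article or the companies quoted in it.
The domain, employee directory and sample messages below are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed values: a hypothetical company domain and employee directory.
INTERNAL_DOMAINS = {"example-coldstorage.test"}
KNOWN_EMPLOYEES = {"dana rivera": "dana.rivera@example-coldstorage.test"}
URGENCY_WORDS = ("urgent", "right away", "asap", "immediately", "today")
PAYMENT_WORDS = ("new account", "wire", "payment", "invoice", "routing")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw: str) -> list[str]:
    """Return warning tags for one RFC 5322 message; an empty list means no signal."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(addr)
    findings = []

    # 1. Display name of a real employee, but the address is outside the company.
    if name.strip().lower() in KNOWN_EMPLOYEES and from_dom not in INTERNAL_DOMAINS:
        findings.append("display-name-impersonation")

    # 2. Look-alike domain: one or two characters away from the real one.
    for dom in INTERNAL_DOMAINS:
        if from_dom != dom and 0 < _edit_distance(from_dom, dom) <= 2:
            findings.append("lookalike-domain")

    # 3. Replies would go somewhere other than the apparent sender's domain.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != from_dom:
        findings.append("reply-to-mismatch")

    # 4. Urgency combined with a payment or account change: the BEC pattern.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        findings.append("urgent-payment-change")

    return findings


# Constructed sample messages (not real mail).
SAMPLES = {
    "impersonation": (
        "From: Dana Rivera <dana.rivera@mail-provider.test>\n"
        "Subject: quick favor\n\n"
        "Are you at your desk? I need a wire sent today to our new account. Urgent.\n"
    ),
    "lookalike": (
        "From: Dana Rivera <dana.rivera@examp1e-coldstorage.test>\n"
        "Reply-To: accounting@other.test\n"
        "Subject: Invoice 1234\n\n"
        "Following up on invoice 1234; payment should go to the new account asap.\n"
    ),
    "legit": (
        "From: Dana Rivera <dana.rivera@example-coldstorage.test>\n"
        "Subject: lunch\n\n"
        "Lunch at noon?\n"
    ),
}


def scan(samples: dict[str, str]) -> dict[str, list[str]]:
    """Run analyze() over a batch of raw messages, keyed by label."""
    return {label: analyze(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, tags in scan(SAMPLES).items():
        print(f"{label:14s} {tags or 'no warning'}")
```

A real filter would also take into account authentication results (SPF, DKIM, DMARC) and an “external sender” banner, but even these four header and body checks catch the two patterns the article describes: the outside address carrying an executive’s name, and the mid-thread request to send an invoice payment to a new account.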
All businesses should have an up-to-date inventory of IT assets, including computers, firewalls, networking equipment and software.
“From there you can start securing your network,” Harper said. “There’s a lot of basic blocking and tackling that businesses should be doing that doesn’t require expensive hardware or subscription services.”
Some businesses send their own phishing emails to employees to help train them to avoid those that come from outside. Harper said he considers this essential for developing awareness among employees. D’Ambrosio added that it’s preferable to learn from a fake phish rather than the real thing.
“In the event you do fall for a phish, you need to know what to do and who to contact,” D’Ambrosio said.
Both Harper and D’Ambrosio stress the importance of education.
“I deliver optional training on a regular basis to all employees, and we have additional yearly mandatory cybersecurity training,” Harper said.
As D’Ambrosio put it, “It’s much easier to avoid phishing and any number of scams with just a little training.”