Despite major improvements in how organizations can block millions of cyber-attacks, email threats are able to break through defenses because hackers are continually morphing them to be more complex and sophisticated.
Whoa. That sounds so… corporate. Here’s what I mean by “complex and sophisticated” – the hackers are switching things up to be even more innocent-appearing and deceptive. It’s like seeing a cute cuddly creature that seems innocent and appealing suddenly switch into a carnivorous sharp-toothed predator the moment you reach out your hand.
That’s right – the old saying “looks can be deceiving” has never been more true, as hackers get more and more clever with their attacks.
Click Here! Download This! Nope.
We saw a good one today. A company our client had never heard of sent them an email “We are advising a client in the construction industry, currently searching for a supplier Within the pre-qualification process, [company name] has been identified as a potential target solution, and the client is now requesting further information. Please find attached the RFI document containing open questions on [company name]. To qualify for the next stage…”
You get the idea. There’s a document to download. From a company we’ve never heard of. Sent as an attachment to an email that sounds very real. AND – it’s an opportunity to make a sale! Why would you NOT click on this and answer those questions? It’s so simple, right?
You see, it’s not just code that cyber attackers are modifying, they’re also changing tactics – moving from high volume assaults to more targeted maneuvers, such as from malware to social engineering and from lone operators to organized criminal enterprises laying down attacks that can begin with a single phishing email.
And yep, you guessed it – the email I quoted above? That’s a single phishing email.
Clicking to download that document could open up a variety of for hackers to do USING YOUR SYSTEM – all of them bad.
- Installing a keystroke logger, which will capture your usernames and password for everything you log into
- Sending spam emails from your email address
- Finding and exporting data from any system you log into
- Pretending to be you and sending out scam emails – or using your email address to get to your social networks to scam your friends and associates
- Locking you out of your systems
- Locking your systems – all of them – and holding them ransom
- Conversation hijacking – intercepting emails and pretending to be you in responses
- Installing malware, spyware, ransomware – all the bad-wares you can imagine (and a few you probably can’t)
- Seizing financial information, including logins, bank account numbers, credit card numbers, passwords, etc.
- and much more
Attacks are getting more clever. Phishing emails are getting more innocent-looking all the time.
And it’s NOT JUST THE BIG COMPANIES. I cannot say that enough. Smaller companies are BIG targets for hackers. Let’s face it – small companies are LESS likely to have comprehensive systems in place to guard against hackers – which therefore makes small companies easier targets.
Take a look at these statistics
Here are some key findings from recent studies:
- An average employee of a small business with less than 100 employees will experience 350% more social engineering attacks than an employee of a larger enterprise.
- Conversation hijacking grew almost 270% in 2021.
- 51% of social engineering attacks are phishing.
- Microsoft is the most impersonated brand, used in 57% of phishing attacks.
- 1 in 5 organizations had an account compromised in 2021.
- Cyber criminals compromised approximately 500,000 Microsoft 365 accounts in 2021.
- 1 in 3 malicious logins into compromised accounts came from Nigeria.
- Cyber criminals sent out 3 million messages from 12,000 compromised accounts.
Yikes!
So what can you do?
To protect your businesses and your people, you’ll want to invest in 2 things: 1) technology to block attacks and 2) training for your people to act as the last line of defense.
Small businesses often have fewer resources and lack security expertise, which leaves them more vulnerable to spear-phishing attacks, and cyber criminals are taking advantage. That’s why it’s important for businesses of all sizes not to overlook investing in security, both technology and user education. The damage caused by a breach, or a compromised account can literally take a business to its knees.
We always recommend starting with a security audit – whether with us or someone else you trust. Get that done first to identify vulnerabilities and opportunities for improvement. Then take the steps to mitigate the risks the audit identifies.
We’ve created a document for you that outlines 10 steps you can take. You can download that by clicking on the graphic in this post.