Many cyberattacks start with an email. You receive a message from someone within your organization or an email address you recognize and don’t think twice about the request. According to a 2019 study by Avanan, 1 in every 99 emails is an attempted cyberattack. Of these, about 51 percent involve malware downloads and 41 percent ask for credentials.
Although the terms spoofing and phishing are often used synonymously, it is important to know the difference. Spoofing involves a hacker using a counterfeit email – one you probably recognize – instructing you to update software, protect files and more. Many times they will insert a button that leads to a malicious website or attachment. This could result in malware being downloaded to your device, which could allow the hacker to access the information on it. A phishing email could also come from a recognized address and contain buttons or links, but these will typically lead to a website where you are prompted to enter personal or sensitive information. This could include passwords, SSNs, or company logins that give the attacker access to networks, bank accounts, and more. Both spoofing and phishing emails will often try to evoke fear that your computer has a virus or that there is an urgent need to complete what they claim is required. This can cause employees to frantically click without confirming the email is legitimate.
Recognize Suspicious Signs
An employee falling victim to a spoofing or phishing email could cost your business more than just lost data. In many cases, attackers will request a payment of thousands of dollars to give the information back. Educating your employees on email safety could save your business from an attack. Warning signs your employees should watch out for in emails include:
• Strange or unexpected requests, even if they appear to be from a trusted individual within your organization
• Links leading to a different URL than what is stated in the email
• Urgent requests that threaten consequences if action is not taken
• Misspellings within the email message or switched letters in the sender's address
• Low quality graphics or company logos
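The warning signs above can be checked mechanically before a message reaches an inbox. The following is an added example, not code from the original article: it runs three of the listed checks (visible link text pointing at a different host than the real link, a sender domain that closely imitates a trusted one, and pressure words in the body) over a constructed sample message; the domains, sender address and message text are placeholders.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real email); domains are placeholders.
TRUSTED_DOMAINS = {"example-corp.com"}
SAMPLE_SENDER = "ceo@examp1e-corp.com"          # "l" swapped for "1"
SAMPLE_HTML = (
    "<p>URGENT: your account will be suspended unless you verify today.</p>"
    '<a href="http://login-verify.invalid/x">https://portal.example-corp.com</a>'
)
URGENCY_WORDS = ("urgent", "immediately", "suspended", "final notice")

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    # Visible text looks like a URL but its host differs from the real href host.
    p = LinkCollector()
    p.feed(html)
    return [(text, href) for href, text in p.links
            if re.match(r"https?://", text)
            and urlparse(text).hostname != urlparse(href).hostname]

def lookalike_sender(address, trusted=TRUSTED_DOMAINS):
    # Sender domain is not trusted but closely imitates a trusted one.
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return None
    hits = [t for t in trusted if SequenceMatcher(None, domain, t).ratio() >= 0.85]
    return hits[0] if hits else None

def urgency_hits(html):
    # Pressure words in the message body, with HTML tags stripped.
    text = re.sub(r"<[^>]+>", " ", html).lower()
    return [w for w in URGENCY_WORDS if w in text]
```

Running all three against the sample reports the mismatched link, flags the sender as a lookalike of example-corp.com, and lists "urgent" and "suspended".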
Creating cybersecurity policies and requiring new employees to complete training should be the first step in keeping your network safe. Partnering with a third-party security training company may be a valuable investment. Instruct employees to be wary of suspicious emails: hover over links before clicking, alert IT about unknown addresses, use strong passwords, and delete anything they are not sure about. Keep cybersecurity at the top of their minds by frequently providing tips.
Give Yourself Peace of Mind
Consider utilizing the following safeguards to protect your business from receiving imposter emails:
• Email Authentication. This is a technical control organizations use to set rules that dictate which messages are accepted. Once implemented, the mail server checks every incoming email against those rules to determine whether it is a risk, and then rejects, flags, or delivers it. Many organizations also add a caution message to every email coming from an external domain, even when it is delivered.
• Keep Software Up to Date. Require employees to update software as soon as a new version becomes available or have your IT team schedule an update on all computers within the organization. Configuring systems to update automatically would be the best solution if it does not interfere with working files.
• Protect Remote Devices. Require employees to use secure connections, such as an encrypted router, whenever they connect to your network, whether at home or in the office. Encryption ensures information cannot be read by anyone who intercepts it. Only allow employees to connect to public Wi-Fi on a company device when also using a virtual private network (VPN) to encrypt traffic between the computer and the network. This is often referred to as a remote login or desktop.
• Multi-factor Authentication. Multi-factor authentication (MFA) requires an additional verification step after a user enters their password. The most common MFA method is sending a one-time code, generated when the account is being accessed, to a mobile device or email account. Other examples include biometrics like a fingerprint or checking the location associated with the user's IP address.
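The Email Authentication safeguard above describes a server that rejects, flags, or delivers each message and adds a caution banner to external mail. The following is an added example, not code from the original article: it assumes the authentication scheme is DMARC (policy published in DNS, evaluated over SPF and DKIM results) and uses a constructed policy table in place of real DNS lookups; the domain names and the banner text are placeholders.

```python
from email.utils import parseaddr

# Constructed table standing in for DNS TXT lookups of _dmarc.<domain>
# (assumption: the scheme is DMARC; pct= and sp= tags are not handled here).
DMARC_RECORDS = {
    "example-corp.com": "v=DMARC1; p=reject",
    "partner.invalid": "v=DMARC1; p=quarantine",
    "newsletter.invalid": "v=DMARC1; p=none",
}
OUR_DOMAIN = "example-corp.com"
BANNER = "[CAUTION: this message came from outside the organization]"

def parse_dmarc(record):
    # "v=DMARC1; p=reject" -> {"v": "DMARC1", "p": "reject"}; None if not DMARC.
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return tags if tags.get("v") == "DMARC1" else None

def aligned(auth_domain, from_domain):
    # Relaxed alignment: the authenticated domain is the From domain or a subdomain.
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

def dmarc_passes(from_domain, spf, dkim):
    # spf and dkim are (result, authenticated domain); one aligned pass suffices.
    return any(res == "pass" and aligned(dom, from_domain) for res, dom in (spf, dkim))

def decide(headers, spf, dkim, records=DMARC_RECORDS):
    # Returns (action, add_banner): action is "reject", "flag" or "deliver".
    from_domain = parseaddr(headers["From"])[1].rsplit("@", 1)[-1].lower()
    policy = parse_dmarc(records.get(from_domain, ""))
    if policy is None or dmarc_passes(from_domain, spf, dkim):
        action = "deliver"          # no policy published, or authentication passed
    else:
        action = {"reject": "reject", "quarantine": "flag"}.get(policy["p"], "deliver")
    add_banner = action != "reject" and from_domain != OUR_DOMAIN
    return action, add_banner
```

A message claiming to be from your own domain but failing SPF and DKIM is rejected outright, while a failing message from a domain whose policy is p=quarantine is delivered flagged with the banner.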
For more tips, visit our blog post on Cybersecurity Basics for Small Businesses.
Learn From Mistakes
If someone in your business does fall victim to an imposter email, consider these steps to mitigate the damage and prevent it from happening again:
• Report It. Train employees to alert your IT department of all suspicious emails received whether they clicked on them or not. The sender can then be blocked by the server so no one else will be fooled. You can also report emails that have been identified as a scam to the FBI's Internet Crime Complaint Center to warn others of the attempt.
• Alert Staff. Update your staff on any incidents so they are aware and can respond accordingly if any of their files were impacted or passwords should be changed. Use it as an opportunity to continue their cybersecurity training to ensure no one else makes the same mistake.
• Make Customers Aware. If customer information is involved in a data breach following an email scam, notify them as soon as possible. Provide any steps they might need to take to confirm their information has not been misused. If the scammers have already stolen their private information, provide resources and direct them to IdentityTheft.gov for recovery assistance.
The best way to help prevent your employees from falling for an email scam is to keep them informed and aware. Working together to spot fake emails can protect all of you. For more tips during cybersecurity month, visit our Security Center.