Why spear phishing attempts on SMBs are often successful | Email security

July 4, 2012

Every small business owner knows how computers and specifically email have transformed into critical business systems that businesses cannot function without. It is often easy for business owners to assume their computer systems are safe from attack because it “won’t happen to my business”. Complacency is a dangerous option when it comes to SMB security.

High-profile attacks on large corporations get coverage, but hackers are increasingly targeting small and medium businesses

Over the past year, there have been numerous high-profile data breach cases involving major corporations. Compromised security at Sony, the global games company, gave criminals access to 20 million accounts, including email addresses, phone numbers, passwords and, in some cases, credit card numbers. It has been reported that some of this information is for sale in several cybercrime forums. Another high-profile attack, and possibly the biggest data breach in US history, was the Epsilon attack earlier this year.

Epsilon, a global provider of marketing services, had its IT system hacked, and the criminals gained access to the names and email addresses on its customer database, which included some of the world's largest companies across a variety of sectors. This successful attack gave criminals large amounts of information about individuals in these companies, details which allow them to target each company more effectively.

This may give the perception that only large corporations are potential targets for hackers. The reality, however, is that hackers are increasingly targeting small and medium-sized businesses, knowing that these often lack the resources and technical knowledge that large corporations have.

Internet crime unit inundated with complaints from small and medium-sized businesses

At SpamTitan we see countless scenarios where small businesses come to us after falling victim to threats similar to those suffered by these high-profile companies. Any medium-sized company that relies heavily on email to conduct business requires anti-spam and anti-phishing protection. Over 400,000 complaints were filed in 2011 with the Internet Crime Complaint Center, a partnership between the National White Collar Crime Center and the FBI. These complaints came from small and medium-sized businesses affected by online phishing scams and other Internet-related crimes.

How to protect your business against phishing attacks

The Anti-Phishing Working Group offers sound advice on safeguarding your business against phishing scams and useful information on how to avoid becoming a victim.

Some of their advice is:

  • Employees should never respond to spam email with confidential or sensitive information; legitimate companies will never ask for sensitive information via email.
  • Make employees aware of what a spear phishing attack is and tell them to be on the lookout for anything in their inbox that looks suspicious. The best way to avoid your company becoming a victim of a spear phishing attack is to improve awareness of what is happening before anyone loses any personal information.
  • Never give out company financial information such as banking numbers in reply to an email enquiry. Your bank does not need you to confirm your account information: they already have it.
  • Make sure your network is protected with up-to-date anti-virus, anti-spam and anti-malware protection. Update the software regularly and use a trusted and recommended solution.

A 2011 poll carried out by SpamTitan found that 70% of companies that believe their organisation has been the victim of a spear phishing attack are unsure whether such attacks are reported to IT and dealt with appropriately. This lack of proactive measures to deal with attacks can cost companies financially through loss of data and system downtime. Educating employees about a range of security issues is an important step that many companies ignore. Robust, powerful and updated security solutions are crucial, but this does not mean that companies can afford to ignore the 'softer' behavioural issues associated with security. It only takes one employee opening the wrong email to expose sensitive company data or bring a whole company's IT systems to a halt.


Impact of cybercrime underestimated as most crimes go unreported | Network security

May 4, 2012

For a cyber crime to count as a statistic, the crime has to be reported. Has your company ever been the target of a phishing attack and not reported it? Because cybercriminals can launch coordinated attacks from all over the world, catching them becomes more difficult as cyber crime continues to grow. Does a company have a legal obligation to come forward about cybercrime? Some consider that companies have ethical, civic and legal obligations to report cyber threats to the authorities.

Many cyber attacks go unreported

In 2010, there were over 303,000 complaints filed with the Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center (NW3C). Its purpose is to receive Internet-related criminal complaints and to research, develop and refer them to federal, international law enforcement or regulatory agencies for appropriate investigation. Since its inception, the IC3 has received complaints relating to a variety of threats and cybercrimes, including online fraud, hacking, online extortion, identity theft and every other internet crime imaginable.

Many police departments are now training computer crime units which people can contact for information and assistance. These units come under the umbrella of law enforcement, and their main role is investigative: tracking down cyber criminals.

Punishment for cyber crime is growing in severity

Different countries have different laws that cover cyber crimes, and as the level of cyber crime has increased, the punishments handed down have grown in severity. Here are some examples of the punishments handed down in the U.S. (from Carnegie Cyber Academy):

  • Hacking – Hacking is covered under federal law. Punishments range from paying a large fine to going to jail for up to 20 years, depending on the seriousness of the crime and how much damage the hacker has done.
  • Spamming – Spamming is covered under the CAN-SPAM Act, and the minimum punishment is a fine of up to $11,000. Additional fines are added if the spammer violated policies or used automated bots to collect email addresses. Spammers can be sent to jail if they used false information or a computer they were not allowed to use.
  • Identity Theft – The laws covering identity theft were enhanced in 2004, requiring tougher punishments to match the seriousness of the crime. Identity thieves can go to jail for up to five years. There are also increased punishments for identity theft used to commit terrorist acts and for people who abuse their position to commit identity theft.

Many high-profile companies have suffered serious data breaches; possibly the biggest data breach in US history was the Epsilon attack last year. Epsilon, a global provider of marketing services, had its IT system hacked, and the criminals gained access to the names and email addresses on its customer database, which included some of the world's largest companies across a variety of sectors. This successful attack gave criminals large amounts of information about individuals in these companies, details which allow them to target each company more effectively. For a company this can have far-reaching and costly consequences.

According to the FBI, worldwide cybercriminals earn over $100 billion per year through their increasingly sophisticated cyber attacks. SMBs are frequently more exposed to risk from cybercriminals than larger companies.

Security challenges SMBs face:

  • Inadequate security awareness among employees
  • No dedicated IT security professional
  • Limited IT security budget
  • Lack of IT security policies

Big-company thinking is often about maximising the IT security budget, whereas SMEs are much more frugal and need to think about the customer. SMEs require fast, cost-effective and easy-to-manage solutions. Small businesses face many of the same risks as larger firms but without the same level of resources. In this scenario, planning for security is an imperative.


Cyber attacks multiply in the run-up to the 2012 London Olympics

May 4, 2012

Cybercriminals are looking to capitalise on the growing interest and enthusiasm around the Olympic Games with several phishing scams that impersonate the official Olympics website or its associated partners. The cyber criminals and malware writers know that just about any subject line with the word "Olympic" in it is likely to be opened by a large proportion of recipients.

Costly consequences of phishing attacks

No global event is more in the public eye at the moment than the 2012 London Olympic Games. Many of these scam emails will contain malicious code rather than cut-price tickets or other Olympic-themed products. For a company, a successful phishing attack can have far-reaching and costly consequences, resulting in financial loss and loss of customer data.

We have detected and blocked a number of these Olympic phishing messages, whose goal is to entice users into submitting their personal information. These phishing attacks are expected to grow in number and become more targeted, that is, to turn into spear phishing.

These kinds of attacks will continue to exist as long as they are profitable, and with growing numbers of people on the internet, spammers have a growing market of millions of people for their spam. It is purely a numbers game: the greater the market for the spammers, the greater the chance of a response and therefore the greater the reward.

To prevent these attacks, organisations need to remain vigilant and follow proven guidelines such as not clicking on links or attachments in unsolicited emails.

To avoid becoming a victim of a phishing attack there are a few simple rules:

  • Don't trust any unsolicited email, ever.
  • Never "unsubscribe" from a service you haven't subscribed to in the first place. You are literally handing your email address to spammers to use for future and possibly more targeted attacks.
  • If you are interested in an offer, contact the company behind the message by phone and verify that the message is genuine.
  • Keep your company security solutions valid and up to date so that you can secure your organisation's network.
  • The actions of employees and other insiders are responsible for the majority of security breaches; a culture of security awareness is an important factor in preventing these security failures.

Remember, if you receive notice that you've won a free Olympic ticket, the chances are you haven't, and as always, if it sounds too good to be true, it probably is!
