One clever (but easily created) email nearly cost one of our clients an emptied bank account. Thanks to DiamondIT’s rapid remote IT support response and managed cybersecurity solutions, the attempt was unsuccessful, but it carries a powerful message. If your IT provider is not talking to you about cybersecurity, your business is vulnerable to attacks that could compromise critical data and cost your company thousands.
These attackers are not interested only in large corporations. They go after companies like yours every day.
3 Critical Email Cybersecurity Lessons
The targeted client is a small but global business in the oil and gas industry. They were targeted with a spoofed email, which highlights the importance of quality cybersecurity protections in a few ways:
The masked email came from a Gmail account
The Gmail address meant that it was nearly impossible for a spam filter to block it – after all, Gmail is so widely used that filtering out Gmail addresses would be a quick way to miss many critical client communications.
The email was spoofed with the right boss’s name
Since the email client automatically displays the sender’s name rather than the actual email address, it is very easy for someone moving quickly at the end of the day to skip checking what the actual address is.
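The display-name trick described above can be caught mechanically as well as by eye. The following is an added example (not DiamondIT’s code or tooling) that parses a “From” header, separates the name the user sees from the address that is actually there, and flags messages where the name matches a known executive but the real address is outside the company domain. The company domain, the executive names and all sample headers are constructed assumptions for the example. Note that the “internal” check trusts the domain in the From header, so in production it belongs alongside SPF/DKIM/DMARC enforcement, which is what stops a forged company domain itself:

```python
# Added example (not DiamondIT's code): flag "From" headers whose display name
# matches a known executive while the actual address is outside the company domain.
# All names, domains and headers below are constructed for this example.
from email.header import decode_header
from email.utils import parseaddr
import unicodedata

COMPANY_DOMAIN = "example-oilgas.com"      # assumed company domain
EXECUTIVES = {"Jane Doe", "Tom Smith"}     # assumed names worth impersonating


def decode_display(header: str) -> str:
    """Decode RFC 2047 encoded words (=?utf-8?q?...?=) so the name can be compared."""
    parts = []
    for chunk, charset in decode_header(header):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)


def normalize_name(name: str) -> str:
    """Lower-case, drop quotes and extra spaces, and turn 'Doe, Jane' into 'jane doe'."""
    name = unicodedata.normalize("NFKC", name).replace('"', "")
    if "," in name:
        last, first = (p.strip() for p in name.split(",", 1))
        name = f"{first} {last}"
    return " ".join(name.split()).lower()


def check_from_header(from_header: str,
                      executives=EXECUTIVES,
                      company_domain=COMPANY_DOMAIN) -> dict:
    """Return what the user sees (display name), what is real (address), and a verdict."""
    display, addr = parseaddr(decode_display(from_header))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # The real address belongs to the company only if its domain is ours or a subdomain.
    internal = domain == company_domain or domain.endswith("." + company_domain)
    known_names = {normalize_name(e) for e in executives}
    name_match = normalize_name(display) in known_names
    # Some spoofs put a company address in the display name itself:
    #   "jane.doe@example-oilgas.com" <someone@freemail.example>
    embedded_company_addr = ("@" in display and
                             display.rsplit("@", 1)[-1].lower() == company_domain)
    return {
        "display_name": display,
        "address": addr,
        "domain": domain,
        "impersonation": (name_match or embedded_company_addr) and not internal,
    }


# Constructed sample headers: one genuine message, four spoofs of the kind described,
# and one ordinary external sender.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example-oilgas.com>",
    "Jane Doe <janedoe.ceo1234@gmail.com>",
    '"Doe, Jane" <ceo-jane@gmail.com>',
    "=?utf-8?q?Tom_Smith?= <tsmith.office@gmail.com>",
    '"jane.doe@example-oilgas.com" <helpdesk9912@gmail.com>',
    "Bob Vendor <bob@vendor.example>",
]


def flagged_headers(headers=SAMPLE_HEADERS) -> list:
    """Headers that would be tagged or quarantined pending a phone-call check."""
    return [h for h in headers if check_from_header(h)["impersonation"]]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        r = check_from_header(h)
        tag = "FLAG" if r["impersonation"] else "ok  "
        print(f"{tag}  {r['display_name']!r} -> {r['address']}")
```

Run as a script it prints one line per sample header; only the four spoofs are flagged, and the genuine internal message and the unrelated vendor pass. Because the rule fires only when a name collides with someone on the executive list, it does not need to block Gmail as a whole, which is exactly the filtering problem the first lesson describes.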
The message was very believable
The email was written in such a way that the employee really believed it came from their boss: it addressed the employee by the correct name, and the sender had done their homework so that it sounded legitimate.
Since the email asked for sensitive account information, the employee replied that they would get the information for the boss in the morning.
Invested Remote IT Support
Without properly checking the email to see what the actual address was, the employee went by the spoofed name that appeared in the “from” section. The email was so cleverly written that nothing about the text set off alarm bells for the employee.
Before we stepped in, the recipient had not even realized that the email was suspicious, and they were on the verge of providing critical account information. Keep in mind that the targeted company works in a niche industry and is not a particularly well-known company. This criminal took the time to thoroughly research the organization and craft a convincing email.
The company narrowly escaped a potentially devastating loss of funds. The spoofed email ended up in the inbox, bypassing initial spam filtering because of its clever construction. Once the employee responded that they would provide the requested account information in the morning, the email security service placed a block on further communications and notified our security team, who immediately sprang into action to notify the general manager and halt any potential financial transactions that could have occurred.
Why Cybersecurity Services and Awareness Training Don’t Fix Everything
Hackers don’t just go after the big names for these types of attacks. They go after anyone for whom they can find the right information. Email addresses, the structure of the organization and even individual employees’ responsibilities can all be found online and used to launch a successful attack against businesses of all sizes, even small ones. They want money and sensitive information, and they will come for it however they can. Managed security provides tools that help keep these emails from reaching employees. But even the best tools aren’t foolproof. You need to build a culture of security in your organization.
Yes, you need cybersecurity awareness training
Every business needs cybersecurity awareness training. Teaching employees simple steps, like verifying the actual email address to catch a spoofed email, can have a tremendous impact. Having a security officer who stays up to date on the latest in cybersecurity and provides a second set of eyes, as the remote IT consulting team did here, can be invaluable as well. Beyond training, you have to have a culture of security built into your organization.
Why you need a security officer
In addition to cybersecurity awareness training, have someone on staff who ensures that the training is having an impact. A security officer would review:
- Are all employees taking the training (even executives)?
- Are they passing the training?
- Is remedial cybersecurity training being conducted?
- Is the training frequent and varied enough to provide adequate protection?
- Are you working with a remote IT support provider who is cybersecurity-focused?
A security officer (internal or a cybersecurity IT consultant) will also advise you to classify your data based on sensitivity. Publicly available information, like the content of your website, is standard. Company payroll or client bank accounts? Highly sensitive. Every piece of data you work with should be categorized the same way.
Once you have the classifications, create rules for data handling and a system of checks and balances to ensure the safety of that information. For example, if account information is requested, have a policy of calling – not emailing – to confirm the request. Then securely deliver the information. Standard email is not secure. A reply to a spoofed message goes straight back to the person who sent it, and reply emails could also be intercepted or otherwise compromised, so the verification should be done via a phone call to a number you already know. The bottom line is, no matter how effective your security management, security is everyone’s job.
Know What Your IT Provider Is Doing to Ensure Your Protection
If your IT provider cannot talk to you about their security precautions, you should assume you are not secure. What steps are they taking to secure your organization? Do these meet industry best practices? Working with a qualified and experienced cybersecurity professional like Cody Cooper – DiamondIT’s service manager and a Certified Information Systems Security Professional (CISSP), the gold standard of cybersecurity – is the best way to keep your business safe.
When you work with DiamondIT, you get a relationship with a team of experts who will continuously work with you to ensure your protection and build a company culture of being cybersecure.
Don’t trust your cybersecurity or IT support to anyone else. If you want to give your business the protection it deserves, reach out to us today.