All Tricks and No Treats.

Halloween: Famous SMB Cyber Attacks in Disguise.

Halloween normally conjures up images of costumes and candy, black cats and witches, ghosts and goblins, carved pumpkins, and scary activities. However, no amount of Halloween costuming or scary activities, come close to causing the amount of fear and damage that cyber attacks can cause small and medium-sized businesses (SMBs). With cyber attacks, rather than black cats poised to strike, it’s black hats poised to strike, and rather than kids disguised in different Halloween costumes arriving at your door, it’s malware disguised as innocent emails or safe websites arriving on your business’ computers. But make no mistake: malware is all trick and no treat.

Cyber attacks, whether they come in the form of identity theft, phishing, ransomware, or any other type of attack, comprise one of the biggest threats and biggest fears facing SMBs today. CPOMagazine.com confirmed this in a recent report stating that 45% of SMBs feel that they are vulnerable to cyber attacks. More worrying, however, than statistics about the number of small businesses that fear a cyber attack, are the statistics, reported by smallbiztrends.com, that 43 percent of cyber attacks target small businesses, and 60 percent of those attacked go out of business within six months.

Not scared yet? Hold on to your pumpkins – you will be after you read about these famous and damaging cyber attacks on SMBs.

Fake Invoices Scam – This type of scam can take many forms, but the objective is always the same: to get a business to send a payment to a fake supplier account. To launch this attack, hackers will first monitor a business’ payment processes in order to learn how to create a convincing looking invoice. Once this step is achieved they then send an invoice requesting payment for services rendered. The invoice can appear so authentic that company accounting departments release the requested funds without ever suspecting fraud; and they’re not small funds either. Cnbc.com, for example, recently reported about a small accounting firm in Brooklyn, New York that was scammed out of $700,000 in one year after receiving fake invoices for legal services. An assistant at the firm, who was in charge of releasing the funds for payments, paid the invoices without ever knowing they were fake.

Brute Force Attacks – One of the most popular types of hacks, are brute force attacks, which attempt to crack passwords or PINs in order to gain backend access to a website and obtain the sensitive information it holds. Any website with a password can be a target, and as the name suggests, this type of attack takes a ‘bulldozer’ type approach to guessing the passwords or PINs. While brute force attacks can take forever to uncover passwords and are not always successful if strong password security measures are in place, if passwords are weak, they can take a matter of seconds. And if successful, hackers gain illegal access to websites and the valuable information (e.g., credit card credentials) they hold. One of the largest and most well-known brute force attacks was the attack against GitHub which involved 40,000 separate hacker IP addresses.

Identity theft – Businesses, not just individuals, can have their identities stolen too. In fact, identity theft is big business for cyber identity thieves who steal and then use business identities to open credit card accounts, file fraudulent tax returns, obtain bank loans, initiate wire transfers, and more. The attacks have both reputational and financial consequences for businesses.

According to the 2018 Business Identity Theft Report by the National Cybersecurity Society, business identity theft cases have caused $137 million in damage with some of the most frequent targets of those attacks being businesses offering services in management consulting, accounting and bookkeeping, health, and construction.  A notable example of a business identity attack is the one in Tennessee where cyber criminals created fake websites that impersonated the identity of legitimate car dealerships so they could scam people into making deposits for automobiles that didn’t exist. Indeed the 250% increase in the number of fraudulent returns reported by the IRS have many businesses wisely taking their identity theft protection far more seriously today.

Spoofing – A particularly cunning cyber attack, spoofing emails are sent by cyber criminals who have spoofed the email address of a company executive. The emails that are sent are received by company employees and look just like the real deal. Never suspecting that the email is not really from the boss or some high-level executive, the employee innocently executes the request in the email which usually involves making a payment… to the cyber criminal of course. Austrian aerospace parts maker FACC, lost approximately 54 million Euros in such an attack after a hacker was able to successfully pose as the CEO of the company and convince an entry-level accounting employee to transfer the funds to an account for a fake project.

Ransomware – Still a favorite of many cybercriminals, ransomware is perhaps one of the most pervasive types of cyber attacks on businesses with attacks estimated to cost $6 trillion annually by 2021. That figure isn’t too hard to believe when you understand that the losses caused by the NotPetya ransomware alone could exceed $1 billion. For example, FedEx lost an estimated $300 million in just the first quarter of 2017 after falling victim to a NotPetya attack.

Got your attention now? 

Right about now, you’re probably wondering if and how SMBs can actually protect themselves from hackers, especially since there are so many potential vulnerabilities and different types of attacks. Well, we’re happy to report that there are highly effective cybersecurity measures that SMBs can implement to protect themselves. Here are some of the most important ones:

Train your employees about security basics. SMBs that take cybersecurity seriously have established security practices and policies in place for their employees to follow such as password protocols, rules for protecting customer information and other sensitive data, rules of response in case an attack is suspected, etc.

Get a firewall. Firewalls prevent unauthorized access to or from your network by acting like a shield between the Web and your company network.

Install a strong antivirus. Effective cybersecurity is nothing without a strong antivirus suite that provides browser security, tracking protection, and ransomware protection, in addition to anti-malware scanning, threat removal, and real-time protection. Other security features to consider in antivirus software are camera and microphone protection, a software blocker, and multi-device options.

Regular backups. Regularly backing up your data is also mission critical. This includes data stored on the cloud. Backups should also be stored in a location that is separate from the business location in case of fire or flood.

Verify vendor security. Your vendors’ security controls should also be a priority, especially if they have access to a lot of your business data. Cyber attacks on supply chains are a growing and immeasurably damaging type of cyber attack, so knowing what your vendors’ security policies are, and how your data will be stored and accessed is another vital step in cybersecurity.

Wi-Fi security. Some companies use one WiFi for guests and personal devices and a separate one for secure company devices. Virtual private networks (VPNs) are another useful security solution and are used to secure remote access.

Response Plan. While we hope that implementation of these security measures can prevent any type of attack, in reality, an attack is always possible. Consequently, security best practices include having an effective response plan in place. Such a plan should consider legal issues, how to inform customers, and finding out how the breach occurred among other elements.

Don’t be one the 60 percent…

A scary 60 percent of small companies go out of business within six months of a cyber attack. Don’t join that statistic. Cyber security requires constant vigilance to the latest threats. Implementing the measures stated above will help ensure that your business is not the next victim.

Wishing you many treats and no tricks this Halloween.

Leave a Reply