How to Avoid Ransom Attacks Delivered by Email


Organizations are seeing all kinds of new challenges in the era of post-pandemic remote working. Our previous blog post covers the technology considerations that are helping with this transition, but now we're facing another big problem: malicious email attacks.

In 2020, many employees have seen their workloads increase while providing additional business support. With working from home, fatigue and long hours, it's evident that self-awareness decreases, and ransomware attacks are on the increase.

Imagine receiving an email from your CEO asking you to urgently perform some wire transfers late at night so they can finalize a deal. This may seem a little far-fetched, but with the sudden changes in the economic climate and how we work, this could appear genuine to many people. Unfortunately, it turns out that this isn't the CEO but a cyber attacker attempting to launch a Business Email Compromise (BEC) attack.

In the last quarter, global businesses saw a 50% increase in the daily average of attacks, compared to the first half of 2020. US ransomware attacks doubled (98% increase) in the last 3 months, making it the #1 most targeted country for ransomware, followed by India, Sri Lanka, Russia and Turkey. BEC attacks are a low-cost and highly effective way for attackers to gain sensitive data from an organization. The attacker then demands a ransom in exchange for the data or the promise not to exploit it.

The good news, however, is that because these are user-level threats, it's easy to educate end users on how to spot a potential BEC attack.

How do BEC Attacks occur? 

BEC attacks are considered a social engineering scam because they rely on a user being familiar with the sender and context of the email. The emails are carefully crafted in a way that makes them sound alarmingly believable. Account compromise is gained by quoting team members, confidential information and email structures. Confidence is achieved when the victims of data breaches initiate financial transfers to attacker accounts.

How do attackers create these believable disguises? Often it's by gaining access to end user credentials and simply operating from their email accounts. Spear phishing is a common way to access these credentials by targeting CEOs with malicious email attachments or malicious links. The link will usually bring the user to a very sophisticated portal that looks like an online banking login screen, and there they will unknowingly share their credentials.

How do fraudsters identify senior leaders in an organization?

Victims of ransomware will always be surprised by the sophistication of an attacker's knowledge of the business. The reason for this is simply that there is now so much information readily available online about an organization. Company websites often provide information on their senior leadership team, and most employees can be found on LinkedIn. Although LinkedIn has a few privacy blockers, it is easy to navigate around these using Boolean searches.

Another common source of information is lead generation services. Often offering 7-day trials, services such as RocketReach and Crunchbase can be used by fraudsters to find victims. No business is safe from this activity, with fraud being reported from large organizations all the way down to local scout groups.

How to spot BEC Attacks

One must bear in mind that BEC Attacks are often highly sophisticated and difficult to identify at first glance. It is therefore important that users make a habit of checking common BEC Attack tactics as and when they come across them. 

The type of email will typically fall under one of the following:

  • Payment requests: The easiest way for attackers to gain financial information is using a legitimate or fraudulent invoice from a supplier. With this material, they then request a payment to an account they control. 
  • CEO fraud: As discussed previously, attackers may pose as a senior executive in order to request a payment to an account they control.
  • Legal impersonation: Similar to CEO fraud, in legal impersonation, attackers pose as a law firm representative requesting sensitive information or payment as part of their duties or responsibilities. 

If a user receives one of the above emails, they can then use the checklist below to identify whether it is a phishing email. 

  • Spoofed email posing as a legitimate sender: The fraudster poses as an individual from your organization by creating email accounts and even email domains that look very similar. Look out for letters, numbers and special characters added into the email address. For example, if John Smith's authentic email address is johnsmith@abcnetwork.com, a fraudster could attempt to contact you with johnsmith@acbnetwork.com.
  • Messages to send funds immediately: If the email has an urgent tone or odd grammar, it could be a fraudulent email. Never act immediately; take a few minutes to review the request and make any necessary checks, phone calls or messages to authenticate the email.
  • Generic terms instead of real names: Although many attacks are quite sophisticated nowadays, users should be aware of generic terms such as "dear", "sir" or "customer". If a fraudster is rolling out a mass attack on behalf of a vendor, they will stick to generic terms rather than individuals.
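
The spoofed-sender check above can also be automated at the mail gateway. The following is an added example, not part of the original post: it compares a sender's domain with the organization's real domain and flags near matches, including the swapped-letter case from the example address. The trusted domain list, the digit substitutions and the distance threshold are assumptions to adapt.

```python
from email.utils import parseaddr

# Assumption: the organization's real sending domain (the page's example).
TRUSTED_DOMAINS = {"abcnetwork.com"}
# Digits commonly swapped in for look-alike letters (assumed starter set).
CONFUSABLES = str.maketrans("0135", "oles")


def osa_distance(a: str, b: str) -> int:
    """Edit distance where swapping two adjacent characters costs 1."""
    prev2, prev = [], list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(from_header: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike', 'external' or 'invalid' for a From value."""
    addr = parseaddr(from_header)[1]
    domain = addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""
    if not domain:
        return "invalid"
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    # Undo digit-for-letter swaps and added hyphens before comparing.
    folded = domain.translate(CONFUSABLES).replace("-", "")
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or osa_distance(domain, trusted) <= max_distance:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample From headers.
    for header in ("John Smith <johnsmith@abcnetwork.com>",
                   "John Smith <johnsmith@acbnetwork.com>",
                   "johnsmith@abcnetw0rk.com",
                   "billing@example.org"):
        print(f"{classify_sender(header):10} {header}")
```

A small distance threshold can misfire on very short domain names, so treat a "lookalike" result as a prompt for review rather than an automatic block.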

How to prevent BEC Attacks

Educating users is of course imperative in preventing BEC attacks. However, there are a few things you can do at an organizational level to prevent ransomware infection.

  • Implement Multi-Factor Authentication: Fraudsters will be unable to log in to email systems if they require multi-factor authentication. From text code generation services to key fob strategies, there are a multitude of ways across all budgets to put this in place.
  • Change settings so that external emails are flagged with a warning message: Flagging that emails are coming from an external source nudges the user to notice that even though the email may look internal, the source is from a different domain. You can also put a system in place to catch external emails so they can be reviewed all at once for authenticity.
  • Buy similar domains: To avoid fraudsters creating domains similar to yours which can be missed, you should purchase a range of similar domains to ensure they can’t be bought.
  • Monitor email rules: If an attacker has hacked into an email account, they will typically set a rule that forwards all emails to them without the account owner's knowledge. Admin tools can automatically check for unusual rules.
  • Add limits to incorrect login attempts: This prevents brute force attacks that try hundreds of passwords before identifying the correct login. You can give users 3 attempts before requesting that they contact an administrator for a failed login.
  • Enable systems that authenticate emails: Systems such as DKIM and DMARC will verify that emails are genuine.
  • Verify changes in information about customers, employees or vendors: Fraudsters can log into online accounts and change account information and contact details to ones they control. If a supplier claims that their contact information has been amended, ensure that the old contact information is no longer active by trying to reach the person using the old information.
  • Confirm requests by phone before acting: If users receive strange emails requesting information or payment, simply put a practice in place to check via telephone with the alleged sender of the email.
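
As an illustration of the "Monitor email rules" item, the following added example (not part of the original post) audits a list of mailbox rules and reports any that forward mail outside the organization. The rule records use a hypothetical export format with constructed sample data; the field names, including `delete_after`, are assumptions to map onto whatever your mail platform's admin tooling produces.

```python
from email.utils import parseaddr

ORG_DOMAINS = {"abcnetwork.com"}  # assumption: domains the organization owns

# Constructed sample rules in a hypothetical export format (not a real mail
# platform's schema).
SAMPLE_RULES = [
    {"mailbox": "johnsmith@abcnetwork.com", "name": "Team digest",
     "conditions": {"subject_contains": ["digest"]},
     "forward_to": ["janedoe@abcnetwork.com"], "delete_after": False},
    {"mailbox": "johnsmith@abcnetwork.com", "name": "Newsletter copy",
     "conditions": {"from_contains": ["news@"]},
     "forward_to": ["personal.box@example.net"], "delete_after": False},
    {"mailbox": "finance@abcnetwork.com", "name": ".",
     "conditions": {},
     "forward_to": ["Archive <collect@example.org>"], "delete_after": True},
]


def is_external(address: str) -> bool:
    """True when the address is outside every organization domain."""
    domain = parseaddr(address)[1].rpartition("@")[2].lower()
    return not any(domain == d or domain.endswith("." + d) for d in ORG_DOMAINS)


def audit_rules(rules):
    """Return one finding per rule that forwards mail outside the organization."""
    findings = []
    for rule in rules:
        external = sorted(a for a in rule.get("forward_to", []) if is_external(a))
        if not external:
            continue
        reasons = ["forwards to an external address"]
        if not rule.get("conditions"):
            reasons.append("no conditions, so it applies to all mail")
        if rule.get("delete_after"):
            reasons.append("deletes the original message")
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                         "targets": external, "reasons": reasons,
                         "severity": "high" if len(reasons) > 1 else "medium"})
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f["severity"], f["mailbox"], repr(f["rule"]), "; ".join(f["reasons"]))
```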

Conclusion

As mentioned, BEC attacks are an easy way for fraudsters to commit their crimes, but they can be easily prevented with a good eye for detail.

HostedBizz offers hosted anti-spam solutions that will enable your remote workforce to better protect themselves from invasive hackers.  Coupled with proper backup and Disaster Recovery, you can rest assured that your data is well protected from lurking online predators.

Find out how we can help - get in touch with our team today.
