AllBusiness.com

    3 Types of Email Scams—And How to Defend Your Small Business

    Rieva Lesonsky

    October is National Cybersecurity Awareness Month (NCSAM). NCSAM was launched in 2004 by the U.S. Department of Homeland Security and the National Cyber Security Alliance.

    What used to be a solely American event is now recognized around the globe because cyber threats don’t recognize borders.

    It is imperative that small business owners understand one thing—your companies are not too small to be attacked. Your businesses and everything you’ve built are at risk.

    Stats from Accenture’s Cost of Cybercrime Study reveal that nearly 43% of cyberattacks are on small businesses. And only 14% of these businesses are prepared to face these types of attacks.

    Seth Blank, the CTO of email security provider Valimail, says one cyberthreat that’s “often pushed to the background but deserves center stage is email security.” Blank is right. According to an FBI Public Service Announcement released in June, the FBI’s Internet Crime Complaint Center (IC3) reports extensive damage from business email compromise/email account compromise fraud (BEC). From October 2013 to December 2022, the total exposed losses from the BEC scam nearly reached $51 billion globally and over $17 billion in the United States.

    Types of email scams

    BEC

    The FBI says BEC is “a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests. The scam is frequently carried out when an individual compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds.”

    But, the FBI warns, the scam is not always associated with a transfer-of-funds request. Some BEC variations “involve compromising legitimate business email accounts and requesting employees’ Personally Identifiable Information, Wage and Tax Statement (W-2) forms, and more.”

    And the Bureau points out that BEC has evolved over the years, often targeting small local businesses. Last year, for instance, there was a jump in BEC reporting in the real estate sector.

    Blank adds that email “is the battleground where some of the most sophisticated social engineering attacks, like spear-phishing and whaling, are waged. These attacks exploit human psychology, leveraging the absence of the usual cues we rely on to assess trust—no facial expressions, no tone of voice, just cold text on a screen.”

    What is spear-phishing?

    Spear-phishing email scams are highly targeted phishing attacks designed to trick people or businesses into revealing sensitive information or clicking on malicious links.

    Typically, these emails are personalized to the victim and may include information the attacker has gathered about the victim’s job, personal life, or interests. This makes spear-phishing emails much more convincing than traditional phishing emails, which are usually sent to large groups of people and not personalized.

    Spear-phishing emails are often used to steal sensitive information such as usernames, passwords, credit card numbers, and Social Security numbers. Spear-phishing emails can also install malware on the victim’s computer, which can quickly spread throughout a company’s network.

    Here are some examples of spear-phishing email scams:

    • An accounting employee gets an email from you or a manager asking them to transfer a large sum of money to a new account.
    • An email from your bank asking you to update your account information.
    • An email from a shipping company asking you to click on a link to track your package.
    • An email from a social media company asking you to reset your password.
    • An email from a government agency asking you to provide personal information.

    It is essential to make sure all employees know what to look for and to never click on something that looks suspicious. One tip is to hover over links to see the actual URL before clicking on them.

    If someone does click on a spear-phishing email, make sure they immediately report it to you or IT. Contact your bank and credit card companies ASAP to alert them to possible fraudulent charges.

    Then, tell all your employees to change their passwords (no exceptions) and enable two-factor authentication on all your online accounts.

    What are whaling scams?

    A type of spear-phishing, whaling scams target business owners, CEOs, CFOs, and other senior executives. Whaling scams tend to be more sophisticated and harder to detect.

    Whaling scammers usually gather a lot of information about their targets before sending them a phishing email, including their job title, email address, phone number, and personal interests. This helps them personalize their emails to make them more believable.

    Whaling scams are generally designed to steal money or sensitive information from a business. For example, a whaling scammer may send an email to a CEO that appears to be from the company’s CFO. The email may ask the CEO to approve a large wire transfer to a new account. The CEO, thinking that the email is legit, approves the transfer, and the scammer makes off with the money.

    Plus, whaling scams are often used to install malware on the victim’s computer, which can then be used to steal sensitive information, such as login credentials and trade secrets.

    This seems obvious, but you and your accounting department should be very suspicious of any email asking for large sums of money or sensitive information.
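
    The CFO-to-CEO scenario above leaves traces in the message headers that a mail filter or a reviewer can check. The following Python sketch is an added example, not part of the original article; the company domain, executive names, keyword list, and both sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration: the company's real domain and its executives' names.
COMPANY_DOMAIN = "smallbiz.example"
EXECUTIVES = {"dana reyes", "sam okafor"}
PAYMENT_WORDS = ("wire", "transfer", "new account", "w-2", "invoice")


def review_flags(raw_message):
    """Return reasons a message should be verified by phone before anyone acts on it."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    # A known executive's display name on an address outside the company domain.
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        flags.append("executive name on an outside address")
    # Replies silently routed somewhere other than the apparent sender's domain.
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        flags.append("replies go to a different domain")
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + (body if isinstance(body, str) else "")).lower()
    if any(word in text for word in PAYMENT_WORDS):
        flags.append("asks for money or sensitive records")
    return flags


# Constructed sample messages (not real traffic).
SPOOFED = """\
From: "Dana Reyes" <dana.reyes@smallbiz-mail.example>
Reply-To: payments@quick-pay.example
To: sam.okafor@smallbiz.example
Subject: Urgent approval needed

Please approve a wire transfer to the new account today.
"""

GENUINE = """\
From: "Dana Reyes" <dana.reyes@smallbiz.example>
To: sam.okafor@smallbiz.example
Subject: Lunch on Friday

Are you free at noon?
"""
```

    This check does not catch a forged From address that uses the company's own domain; that case has to be handled by sender authentication at the mail server.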

    Beef up your email security

    Seth Blank worries that being inundated with stats, such as the figure that 91% of cyberattacks start with phishing, makes it “easy to look at email as an old problem. But those stats show the problem is not just as bad as it’s ever been; it’s getting worse. Much, much worse.”

    His advice: “Beef up your email security, or get ready for a world of hurt. The ball is in your court, and it’s ticking.”

    Profile: Rieva Lesonsky

    Rieva Lesonsky creates content focusing on small business and entrepreneurship. Email Rieva at rieva@smallbusinesscurrents.com, follow her on Twitter @Rieva, and visit her website SmallBusinessCurrents.com to get the scoop on business trends and sign up for Rieva’s free Currents newsletter.
