Call (716) 373-4467

Managing a business on your own is challenging enough without worrying about cyberattacks. However, there is cause for alarm as hackers are using artificial intelligence (AI) to launch sophisticated cyberattacks to steal your data and disrupt business operations.

The good news is there are steps you can take to protect your business. This blog will explain how AI is being used in cybercrime and how you can safeguard your business.

 

How Hackers Use AI

Here are some of the ways cybercriminals are exploiting AI:

 

Deepfakes:

Hackers use AI to create highly realistic fake videos or audio recordings to impersonate someone you know, like your boss or a trusted friend. These deepfakes can be used to trick you into sending money or sharing sensitive information.

How to spot it: Closely look for details like unnatural facial movements or sloppy voice synchronization.

 

AI-Powered Password Cracking:

With the help of AI, cybercriminals can effortlessly crack common and easy passwords. Hackers with access to advanced computation offered by AI can automate the breaching process, so they can try millions of combinations to guess your password.

How to fight back: Always use unique passwords. Consider reaching out to Databranch to start the process of using a password manager.

 

AI-Assisted Hacking:

Hackers no longer have to spend hours looking for vulnerabilities. Instead, with the help of AI, they can create automated programs that not only identify weaknesses in your system but also create new types of malware.

How to stay ahead: Keep your security systems and software updated. Also, a mandate should be set up to scan for vulnerabilities routinely.

 

Supply Chain Attacks:

Threat actors use AI to insert malicious code into legitimate vendor products, which eventually will compromise your system as well. In a Business Email Compromise (BEC) instance, a hacker can also insert malicious content into reply chain emails coming from vendors vendors and suppliers

How to protect yourself: Only download software from trusted sources. Always be vigilant with updates, patches, and any email links.

 

Boost Your Defenses

AI-powered cybercrime is a growing threat. That’s why having Databranch by your side can be the ultimate weapon in your arsenal. Partner with us to leverage advanced technology to fortify your defenses. Download our checklist today to get started.

Reach out to us today at 716-373-4467 option 6, or [email protected] for a free consultation and learn how our team can secure your business against evolving cyber risks.

Cybercriminals are always looking for new ways to bypass security defenses. That’s why it’s essential to think like a hacker and adopt measures to stay ahead of them. This is what Defense in Depth (DiD) is all about.

The National Institute of Standards and Technology (NIST) defines DiD as “The application of multiple countermeasures in a layered or stepwise manner to achieve security objectives. The methodology involves layering heterogeneous security technologies in the common attack vectors to ensure that attacks missed by one technology are caught by another.”

In simple terms, DiD is a cybersecurity approach in which multiple defensive methods are layered to protect a business. Since no individual security measure can guarantee protection against every attack, combining several layers of security can be more effective.

Before you start your DiD journey, it’s crucial to stay informed about the changing threat landscape.

 

9 Threats to Protect Your Business Against

While there are numerous threats that businesses like yours must be aware of, let’s look at some of the most common.

 

 1. Ransomware 

Ransomware is a type of malware that threatens to disclose sensitive data or blocks access to files/systems by encrypting it until the victim pays a ransom. Failure to pay on time can lead to data leaks or permanent data loss.

 

2. Phishing/Business Email Compromise (BEC) 

Phishing involves a hacker masquerading as a genuine person/organization primarily through emails or other channels like SMS. Malicious actors use phishing to deliver links or attachments that execute actions such as extracting login credentials or installing malware.

Business email compromise (BEC) is a scam that involves cybercriminals using compromised or impersonated email accounts to manipulate victims into transferring money or sharing sensitive information.

 

3. Cloud Jacking

Cloud jacking, or hijacking, entails exploiting cloud vulnerabilities to steal an account holder’s information and gain server access. With more and more companies adopting cloud solutions, IT leaders are worried about cloud jacking becoming a significant concern for years to come.

 

4. Insider Threats 

An insider threat originates from within a business. It may happen because of current or former employees, vendors or other business partners who have access to sensitive business data. Because it originates from the inside and may or may not be premeditated, an insider threat is hard to detect.

 

5. Denial-of-Service/Distributed Denial-of-Service (DoS and DDoS)

These attacks are common and easy to carry out. In a DoS or DDoS attack, hackers flood the targeted system with multiple data requests, causing it to slow down or crash.

 

6. Artificial Intelligence (AI) and Machine Learning (ML) Hacks

Artificial intelligence (AI) and machine learning (ML) are trending topics within the IT world for their path-breaking applications. However, AI and ML help hackers more efficiently develop an in-depth understanding of how businesses guard against cyberattacks.

 

7. Internet of Things (IoT) Risks and Targeted Attacks

IoT devices are a favorite target of cybercriminals because of the ease of data sharing without human intervention and inadequate legislation.

 

8. Web Application Attacks

Vulnerabilities within web applications permit hackers to gain direct access to databases to manipulate sensitive data. Business databases are regular targets because they contain sensitive data, including Personally Identifiable Information (PII) and banking details.

 

9. Deepfakes

A deepfake is a cyberthreat that uses artificial intelligence to manipulate or generate audio/video content that can deceive end users into believing something untrue.

 

Get Up and Running with DiD

To keep sophisticated cyberthreats at bay, you need a robust DiD strategy. Your strategy should involve layering multiple defensive methods, like firewalls, intrusion prevention and detection systems, endpoint detection and response (EDR) and more, to build a security fortress that’s hard to crack.

DiD is an undertaking that requires time and effort. That’s why collaborating with a partner like Databranch, who can implement and maintain your DiD strategy while you focus on your business, is ideal.

If you want to learn more about how DiD can help protect your business, download our free eBook “7 Elements of an Effective Defense in Depth (DiD) Security Strategy.”

You can also reach out to one of our experienced team members at 716-373-4467 option 6, or [email protected].

Phishing scams remain one of the most prevalent and successful types of cyberattacks today, so being aware of the danger they pose to businesses like yours is extremely crucial. Your business could easily be the next victim if you don’t clearly understand how threat actors leverage phishing emails.

In this blog, you’ll learn the intent behind phishing emails, the various types of phishing attacks, and most importantly, how you can secure your email and business.

The Goal Behind Phishing Emails

Cybercriminals use phishing emails to lure unsuspecting victims into taking actions that will affect business operations, such as sending money, sharing passwords, downloading malware or revealing sensitive data. The primary intent behind a phishing attack is to steal your money, data or both.

Financial theft — The most common aim of a phishing attempt is to steal your money. Scammers use various tactics, such as business email compromise (BEC), to carry out fraudulent fund transfers or ransomware attacks to extort money.

Data theft — For cybercriminals, your data, such as usernames and passwords, identity information (e.g., social security numbers) and financial data (e.g., credit card numbers or bank account information), is as good as gold. They can use your login credentials to commit financial thefts or inject malware. Your sensitive data can also be sold on the dark web for profit.

Be vigilant and look out for these phishing attempts:

  • If an email asks you to click on a link, be wary. Scammers send out phishing emails with links containing malicious software that can steal your data and personal information.
  • If an email directs you to a website, be cautious. It could be a malicious website that can steal your personal information, such as your login credentials.
  • If an email contains an attachment, be alert. Malicious extensions disguised to look like a document, invoice or voicemail can infect your computer and steal your personal information.
  • If an email tries to rush you into taking an urgent action, such as transferring funds, be suspicious. Try to verify the authenticity of the request before taking any action.

 

Different Types of Phishing

It’s important to note that phishing attacks are constantly evolving and can target businesses of all sizes. While phishing emails are a common method used by cybercriminals, they also use texts, voice calls and social media messaging.

Here are the different kinds of phishing traps that you should watch out for:

Spear phishing — Scammers send highly personalized emails targeting individuals or businesses to convince them to share sensitive information such as login credentials or credit card information. Spear phishing emails are also used for spreading infected malware.

Whaling — A type of spear phishing, whale phishing or whaling is a scam targeting high-level executives where the perpetrators impersonate trusted sources or websites to steal information or money.

Smishing — An increasingly popular form of cyberattack, smishing uses text messages claiming to be from trusted sources to convince victims to share sensitive information or send money.

Vishing — Cybercriminals use vishing or voice phishing to call victims while impersonating somebody from the IRS, a bank or the victim’s office, to name a few. The primary intent of voice phishing is to convince the victim to share sensitive personal information.

Business email compromise (BEC) — A BEC is a spear phishing attack that uses a seemingly legitimate email address to trick the recipient, who is often a senior-level executive. The most common aim of a BEC scam is to convince an employee to send money to the cybercriminal while making them believe they are performing a legitimate, authorized business transaction.

Angler phishing — Also known as social media phishing, this type of scam primarily targets social media users. Cybercriminals with fake customer service accounts trick disgruntled customers into revealing their sensitive information, including bank details. Scammers often target financial institutions and e-commerce businesses.

Brand impersonation — Also known as brand spoofing, brand impersonation is a type of phishing scam carried out using emails, texts, voice calls and social media messages. Cybercriminals impersonate a popular business to trick its customers into revealing sensitive information. While brand impersonation is targeted mainly at the customers, the incident can tarnish the brand image.

 

Bolster Your Email Security

Emails are crucial for the success of your business. However, implementing email best practices and safety standards on your own can be challenging. That’s why you should consider partnering with a Managed IT service provider like Databranch.

We have the resources and tools to protect your business from cyberattacks, helping you to focus on critical tasks without any worry. We also have ongoing and interactive employee cybersecurity training that will help your company keep up with cybercriminals and their ever-changing tactics.

Meanwhile, to learn how to secure your inbox, download our eBook — Your Guide to Email Safety — that will help you improve your email security and avoid potential traps.

In recent years, email has become an essential part of our daily lives. Many people use it for various purposes, including business transactions. With the increasing dependence on digital technology, cybercrime has grown. A significant cyber threat facing businesses today is Business Email Compromise (BEC).

Why is it important to pay particular attention to BEC attacks? Because they’ve been on the rise. BEC attacks jumped 81% in 2022, and as many as 98% of employees fail to report the threat.

 

What is Business Email Compromise (BEC)?

Business Email Compromise (BEC) is a type of scam in which criminals use email fraud to target victims. These victims include both businesses and individuals. They especially target those who perform wire transfer payments.

The scammer pretends to be a high-level executive or business partner and will send emails to employees, customers, or vendors. These emails request them to make payments or transfer funds in some form.

According to the FBI, BEC scams cost businesses around $1.8 billion in 2020. That figure increased to $2.4 billion in 2021. These scams can cause severe financial damage to businesses and can also harm their reputations.

 

How Does BEC Work?

BEC attacks are usually well-crafted and sophisticated, making it difficult to identify them. The attacker first researches the target organization and its employees. They gain knowledge about the company’s operations, suppliers, customers, and business partners.

Much of this information is freely available online. Scammers can find it on sites like LinkedIn, Facebook, and organizations’ websites. Once the attacker has enough information, they can craft a convincing email. It’s designed to appear to come from a high-level executive or a business partner.

The email will request the recipient to make a payment or transfer funds. It usually emphasizes the request being for an urgent and confidential matter. For example, a new business opportunity, a vendor payment, or a foreign tax payment.

The email will often contain a sense of urgency, compelling the recipient to act quickly. The attacker may also use social engineering tactics. Such as posing as a trusted contact or creating a fake website that mimics the company’s site. These tactics make the email seem more legitimate.

If the recipient falls for the scam and makes the payment, the attacker will make off with the funds. In their wake, they leave the victim with financial losses.

 

How to Fight Business Email Compromise

BEC scams can be challenging to prevent, but there are measures businesses and individuals can take to cut the risk of falling victim to them.

 

Educate Employees

Organizations should educate their employees about the risks of BEC, along with how to identify and avoid these scams. This includes employees recognizing tactics used by scammers such as: urgent requests, social engineering, and fake websites.

Training should also include email account security, including:

  • Checking their sent folder regularly for any strange messages
  • Using a strong email password with at least 12 characters
  • Changing their email password regularly
  • Storing their email password in a secure manner
  • Notifying an IT contact if they suspect a phishing email

Contact Databranch today if your company lacks on-going cybersecurity training. Our Breach Prevention Platform and Security Awareness Training will give your employees the resources they need to spot real world phishing attempts.

 

Enable Email Authentication

Organizations should implement email authentication protocols.

This includes:

  • Domain-based Message Authentication, Reporting, and Conformance (DMARC)
  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)

These protocols help verify the authenticity of the sender’s email address and can also reduce the risk of email spoofing. Another benefit is to keep your emails from ending up in junk mail folders.

 

Deploy a Payment Verification Process

Organizations should deploy a payment verification processes, such as two-factor authentication. Another protocol is confirmation from multiple parties when making a business related payment. This ensures that all wire transfer requests are legitimate. It’s always better to have more than one person verify a financial payment request.

 

Establish a Response Plan

Organizations should establish a response plan for BEC incidents. This includes procedures for reporting the incident as well as freezing the transfer and notifying law enforcement. 

 

Use Anti-phishing Software

Businesses and individuals can use anti-phishing software to detect and block fraudulent emails. As AI and machine learning gain widespread use, these tools become more effective.

The use of AI in phishing technology continues to increase. Businesses must be vigilant and take steps to protect themselves.

Here at Databranch, our managed clients have the comfort of knowing that their systems are monitored and maintained on a 24/7 basis. Our tool-stack not only increases your protection from malware and phishing, but is also capable of detecting a breach in you network and isolating that device.

Enable Multi-Factor Authentication (MFA)

BEC can occur when a hacker gains access to your email’s login credentials. However, here are many valuable tools you can use to fend off these bad actors even after they have stolen your credentials.

According to a study cited by Microsoft, MFA is proven to prevent approximately 99.9% of fraudulent sign-in attempts.

This is because MFA adds a layer of cybersecurity protection by confirming the authenticity of users who are logging in to various platforms. This is completed by entering a code from your mobile device into the application you are trying to log into, or by approving a prompt that is sent to your mobile device. 

This means that unless the hacker also has your mobile device, they will not be able to approve the login attempt.

Reach out to Databranch today if your interested in setting MFA up for your business accounts.

 

Need Help with Email Security Solutions?

It only takes a moment for money to leave your account and be unrecoverable. Don’t leave your business emails unprotected. Get in touch today at 716-373-4467 x115 or [email protected] to discuss our email security solutions.

Article used with permission from The Technology Press.

As cyber threats continue to increase, businesses must take proactive steps. They need to protect their sensitive data and assets from cybercriminals. Threats to data security are persistent and they come from many different places.  

Today’s offices are digitally sophisticated. Just about every activity relies on some type of technology and data sharing. Hackers can breach these systems from several entry points including computers, smartphones, cloud applications, and network infrastructure.

It’s estimated that cybercriminals can penetrate 93% of company networks.

One approach that can help organizations fight these intrusions is threat modeling. Threat modeling is a process used in cybersecurity that involves identifying potential threats and vulnerabilities to an organization’s assets and systems.

Threat modeling helps businesses prioritize their risk management and mitigation strategies. The goal is to mitigate the risk of falling victim to a costly cyber incident.

Here are the steps businesses can follow to conduct a threat model.

 

Identify Assets That Need Protection

The first step is to identify assets that are most critical to the business. This includes sensitive data, intellectual property, or financial information. What is it that cybercriminals will be going after?

Don’t forget to include phishing-related assets. Such as company email accounts. Business email compromise is a fast-growing attack that capitalizes on breached company email logins. Some hackers are even known to use reply-chain phishing attacks after gaining access to a businesses email.

 

Identify Potential Threats

The next step is to identify potential threats to these assets. Some common threats could be cyber-attacks such as phishing. Others would be ransomware, malware, or social engineering.

Another category of threats could be physical breaches or insider threats. This is where employees or vendors have access to sensitive information.

Remember, threats aren’t always malicious. Human error causes approximately 88% of data breaches. So, ensure you’re aware of mistake-related threats, such as:

  • The use of weak passwords
  • Unclear cloud use policies
  • Lack of employee training
  • Poor or non-existent BYOD policies

Are your employees trained to spot real world threats such as phishing and business email compromises? Visit us here to learn more about our Breach Prevention Platform and Security Awareness Training with simulated phishing tests.

 

Assess Likelihood and Impact

Once you’ve identified potential threats, take the next step. This is to assess the likelihood and impact of these threats. Businesses must understand how likely each threat is to occur. As well as the potential impact on their operations, reputation, and financial stability. This will help rank the risk management and mitigation strategies.

Base the threat likelihood on current cybersecurity statistics as well as a thorough vulnerability assessment. It’s best this assessment is by a trusted 3rd party IT service provider, such as Databranch. If you’re doing your assessment with only internal input, you’re bound to miss something.

 

Prioritize Risk Management Strategies

Next, prioritize risk management strategies based on the likelihood and impact of each potential threat. Most businesses can’t tackle everything at once due to time and cost constraints. So, it’s important to rank solutions based on the biggest impact on cybersecurity.

Some common strategies to consider include implementing:

  • Access controls
  • Firewalls
  • Intrusion detection systems
  • Employee training and awareness programs
  • Endpoint device management

Businesses must also determine which strategies are most cost-effective. They should also align with their business goals.

 

Continuously Review and Update the Model

Threat modeling is not a one-time process. Cyber threats are constantly evolving. Businesses must continuously review and update their threat models. This will help ensure that their security measures are effective. As well as aligned with their business objectives.

 

Benefits of Threat Modeling for Businesses

Threat modeling is an essential process for businesses to reduce their cybersecurity risk. Identifying potential threats and vulnerabilities to their assets and systems is important. It helps them rank risk management strategies. As well as reduce the likelihood and impact of cyber incidents.

Here are just a few of the benefits of adding threat modeling to a cybersecurity strategy.

 

Improved Understanding of Threats and Vulnerabilities

Threat modeling can help businesses gain a better understanding of specific threats. It also uncovers vulnerabilities that could impact their assets and identifies gaps in their security measures and helps uncover risk management strategies.

Ongoing threat modeling can also help companies stay out in front of new threats. Artificial intelligence is birthing new types of cyber threats every day. Companies that are complacent can fall victim to new attacks.

 

Cost-effective Risk Management

Addressing risk management based on the likelihood and impact of threats reduces costs. It can optimize company security investments while ensuring that businesses divide resources effectively and efficiently.

 

Business Alignment

Threat modeling can help ensure that security measures align with the business objectives. This can reduce the potential impact of security measures on business operations. It also helps coordinate security, goals, and operations.

 

Reduced Risk of Cyber Incidents

By implementing targeted risk management strategies, businesses can reduce risk. This includes the likelihood and impact of cybersecurity incidents. This will help to protect their assets. It also reduces the negative consequences of a security breach.

 

Get Started with Comprehensive Threat Identification

Wondering how to get started with a threat assessment? Our experts can help you put in place a comprehensive threat modeling program. Give us a call today at 716-373-4467 x115 or [email protected] to schedule a discussion.

 

Article used with permission from The Technology Press.

Imagine you’re going about your day when suddenly you receive a text from the CEO asking for your help. They’re out doing customer visits and someone else dropped the ball in providing gift cards. The CEO needs you to buy six $200 gift cards and text the information right away.

The message sender promises to reimburse you before the end of the day. Oh, and by the way, you won’t be able to reach them by phone for the next two hours because they’ll be in meetings. One last thing, this is a high priority. They need those gift cards urgently.

Would this kind of request make you pause and wonder or would you quickly pull out your credit card to do as the message asked?

A surprising number of employees fall for this gift card scam. There are also many variations. Such as your boss being stuck without gas or some other dire situation that only you can help with.

This scam can come by text message or via email. The unsuspecting employee buys the gift cards and sends the numbers back to the boss. They find out later that the real company CEO wasn’t the one that contacted them, it was a phishing scammer.

The employee is out the cash.

Without proper training, 32.4% of employees are prone to fall for a phishing scam.

Read about our Employee Security Awareness training and the services it offers here.

 

Why Do Employees Fall for Phishing Scams?

Though the circumstances may be odd, many employees fall for this gift card scam. Hackers use social engineering tactics and manipulate emotions to get the employee to follow through on the request.

Some of these social engineering tactics illicit the following:

  • The employee is afraid of not doing as asked by a superior
  • The employee jumps at the chance to save the day
  • The employee doesn’t want to let their company down
  • The employee may feel they can advance in their career by helping

The scam’s message is also crafted in a way to get the employee to act without thinking or checking. It includes a sense of urgency. The CEO needs the gift card details right away. Also, the message notes that the CEO will be out of touch for the next few hours. This decreases the chance the employee will try to contact the real CEO to check the validity of the text.

 

Illinois Woman Scammed Out of More Than $6,000 from a Fake CEO Email

Variations of this scam are prevalent and can lead to significant financial losses. A company isn’t responsible if an employee falls for a scam and purchases gift cards with their own money.

In one example, a woman from Palos Hills, Illinois lost over $6,000. This was after getting an email request from who she thought was her company’s CEO. 

The woman received an email purporting to be from her boss and company CEO. It stated that her boss wanted to send gift cards to some selected staff that had gone above and beyond.

The email ended with “Can you help me purchase some gift cards today?”  The boss had a reputation for being great to employees, so the email did not seem out of character.

The woman bought the requested gift cards from Target and Best Buy. Then she got another request asking to send a photo of the cards. Again, the wording in the message was very believable and non-threatening. It simply stated, “Can you take a picture, I’m putting this all on a spreadsheet.” 

The woman ended up purchasing over $6,500 in gift cards that the scammer then stole. When she saw her boss a little while later, her boss knew nothing about the gift card request. The woman realized she was the victim of a scam.

 

Tips for Avoiding Costly Phishing Scams

Always Double Check Unusual Requests

Despite what a message might say about being unreachable, check in person or by phone anyhow. If you receive any unusual requests or one relating to money, verify it. Contact the person through other means to make sure it’s legitimate.

Databranch recommends using the SLAM Method to review your emails and act accordingly. Don’t know what the SLAM Method is? Click here to read all about it.

 

Don’t React Emotionally

Scammers often try to get victims to act before they have time to think. Just a few minutes of sitting back and looking at a message objectively is often all that’s needed to realize it’s a scam. Don’t react emotionally, instead ask if this seems real or is it out of the ordinary.

 

Get a Second Opinion

Ask a colleague, or better yet, your company’s IT service provider, to take look at the message. Getting a second opinion keeps you from reacting right away. It can save you from making a costly judgment error. 

 

Need Help with Employee Phishing Awareness Training?

Phishing keeps getting more sophisticated all the time, are your employee’s up to date on their security awareness training?

Take training off your plate and train your team with cybersecurity professionals. We can help you with an engaging training program that helps your team change their behaviors to improve cyber hygiene.

Contact Databranch today at 716-373-4467 x 115 or [email protected] if you would like to learn more about our Breach Prevention Platform and Security Awareness Training with simulated phishing tests.

 

Article used with permission from The Technology Press.

 

Phishing. It seems you can’t read an article on cybersecurity without it coming up. That’s because phishing is still the number one delivery vehicle for cyberattacks.

A cybercriminal may want to steal employee login credentials, launch a ransomware attack, or possibly plant spyware to steal sensitive info. For a hacker, sending a phishing email can accomplish all of this.

80% of surveyed security professionals say that phishing campaigns have significantly increased post-pandemic.

Phishing not only continues to work, but it’s also increasing in volume due to the increase in remote workers. Many employees are now working from home and don’t have the same network protections they had when working at the office.

Why has phishing continued to work so well after all these years? Aren’t people finally learning what phishing looks like?

It’s true that people are generally more aware of phishing emails and have gotten better at stopping them. However, it’s also true that these emails are becoming harder to recognize as scammers evolve their tactics.

One of the newest tactics is particularly hard to detect, the reply-chain phishing attack. 

What is a Reply-Chain Phishing Attack?

Just about everyone is familiar with reply chains in email. An email is sent to one or more people, one replies, and that reply sits at the bottom of the new message. Then another person chimes in on the conversation, replying to the same email.

Soon, you have a chain of email replies on a particular topic. It lists each reply one under the other so everyone can follow the conversation.

You don’t expect a phishing email tucked inside that ongoing email conversation. Most people are expecting phishing to come in as a new message, not a message included in an ongoing reply chain.

The reply-chain phishing attack is particularly insidious because it does exactly that. It inserts a convincing phishing email in the ongoing thread of an email reply chain. 

How Does a Hacker Gain Access to the Reply Chain?

How does a hacker gain access to the reply chain conversation? By hacking the email account of one of those people copied on the email chain.

The hacker can email from an email address that the other recipients recognize and trust. They also gain the benefit of reading down through the chain of replies. This enables them to craft a response that looks like it fits.

For example, they may see that everyone has been weighing in on a new product idea. So, they send a reply that says, “I’ve drafted up some thoughts on the new product, here’s a link to see them.”

The link will go to a malicious phishing site. The site might infect a visitor’s system with malware or present a form to steal more login credentials.

The reply won’t seem like a phishing email at all. It will be convincing because:

  • It comes from an email address of a colleague. This address has already been participating in the email conversation.
  • It may sound natural and reference items in the discussion.
  • It may use personalization. The email can call others by the names the hacker has seen in the reply chain.

Business Email Compromise is Increasing

Business email compromise (BEC) is so common that it now has its own acronym. Weak and unsecured passwords lead to email breaches. So do data breaches that reveal databases full of user logins. Both are contributors to how common BEC is becoming.

In 2021, 77% of organizations saw business email compromise attacks. This is up 65% compared to the year before.

Credential theft has become the main cause of data breaches globally. 

The reply-chain phishing attack is one of the ways that hackers turn that BEC into money. They either use it to plant ransomware or other malware or to steal sensitive data to sell on the Dark Web.

Tips for Addressing Reply-Chain Phishing

Here are some ways that you can lessen the risk of reply-chain phishing in your organization:

  • Use a Business Password Manager: This reduces the risk that employees will reuse passwords across many apps. It also keeps them from using weak passwords since they won’t need to remember them anymore. Click here to learn more about our password manager solution, LastPass.
  • Put Multi-Factor Controls on Email Accounts: Present a system challenge (question or required code). Using this for email logins from a strange IP address can stop account compromise. You can learn more about MFA here.
  • Teach Employees to be Aware: Awareness is a big part of catching anything that might be slightly “off” in an email reply.  Many attackers do make mistakes. Our Security Awareness Training will give your employees the tools they need to identify threats. Click here to learn more.

How Strong Are Your Email Account Protections?

Do you have enough protection in place on your business email accounts to prevent a breach? Let us know if you’d like some help!

Databranch has a foundation security suite with systems in place to identify any anomalies before cyber criminals have a chance to do significant damage to your network. Contact us at 716-373-4467 x 15, [email protected], or request more information below. 

 

Article used with permission from The Technology Press.

In 2020, 75% of companies around the world experienced a phishing attack. Phishing remains one of the biggest dangers to your business’s health and wellbeing because it’s the main delivery method for all types of cyberattacks.

One phishing email can be responsible for a company succumbing to ransomware and having to face costly downtime. As many as 92% of data breaches are due to human error such as falling for a phishing email. This can result in a user unknowingly handing over the credentials to a company email account that the hacker then uses to send targeted attacks to customers.

Phishing takes advantage of human error, and some phishing emails use sophisticated tactics to fool the recipient into divulging information or infecting a network with malware.

Mobile phishing threats skyrocketed by 161% in 2021.

Your best safeguards against the continuous onslaught of phishing include:

  • Email filtering
  • DNS filtering
  • Next-gen antivirus/anti-malware
  • Ongoing employee cybersecurity awareness training

To properly train your employees and ensure your IT security is being upgraded to meet the newest threats you need to know what new phishing dangers are headed your way.

Here are some of the latest phishing trends that you need to watch out for in 2022.

PHISHING IS INCREASINGLY BEING SENT VIA TEXT MESSAGE

Fewer people are suspicious of text messages than they are of unexpected email messages. Most phishing training is usually focused on the email form of phishing because it’s always been the most prevalent.

But cybercrime entities are now taking advantage of the easy availability of mobile phone numbers and using text messaging to deploy phishing attacks. This type of phishing (called “smishing”) is growing in volume.

People are receiving more text messages now than they did in the past, due in large part to retailers and service businesses pushing their text updates for sales and delivery notices.

This makes it even easier for phishing via SMS to fake being a shipment notice and get a user to click on a shortened URL.

BUSINESS EMAIL COMPROMISE IS ON THE RISE

Ransomware has been a growing threat over the last few years largely because it’s been a big money-maker for the criminal groups that launch cyberattacks. A new up-and-coming form of attack is beginning to be quite lucrative and thus is also growing.

Business email compromise (BEC) is on the rise and being exploited by attackers to make money off things like gift card scams and fake wire transfer requests.

What makes BEC so dangerous (and lucrative) is that when a criminal gains access to a business email account, they can send very convincing phishing messages to employees, customers, and vendors of that company. The recipients will immediately trust the familiar email address, making these emails potent weapons for cybercriminals.

Enabling Multi-Factor Authentication (MFA) is one of the best ways you can protect yourself and your business from BEC. Reach out to Databranch with any questions or if you would like assistance setting up MFA for your companies users.

SMALL BUSINESSES ARE BEING TARGETED MORE FREQUENTLY WITH SPEAR PHISHING

There is no such thing as being too small to be attacked by a hacker. Small businesses are targeted frequently in cyberattacks because they tend to have less IT security than larger companies.

43% of all data breaches target small and mid-sized companies, and 40% of small businesses that become victims of an attack experience at least eight hours of downtime as a result.

Spear phishing is a more dangerous form of phishing because it’s targeted and not generic. It’s the type deployed in an attack using BEC.

It used to be that spear-phishing was used for larger companies because it takes more time to set up a targeted and tailored attack. However, as large criminal groups and state-sponsored hackers make their attacks more efficient, they’re able to more easily target anyone.

A result is small businesses receiving more tailored phishing attacks that are harder for their users to identify as a scam.

THE USE OF INITIAL ACCESS BROKERS TO MAKE ATTACKS MORE EFFECTIVE

We just discussed the fact that large criminal groups are continually optimizing their attacks to make them more effective. They treat cyberattacks like a business and work to make them more profitable all the time.

One way they are doing this is by using outside specialists called Initial Access Brokers. This is a specific type of hacker that only focuses on getting the initial breach into a network or company account.

The increasing use of these experts in their field makes phishing attacks even more dangerous and difficult for users to detect.

BUSINESS IMPERSONATION IS BEING USED MORE OFTEN

As users have gotten savvier about being careful of emails from unknown senders, phishing attackers have increasingly used business impersonation. This is where a phishing email will come in looking like a legitimate email from a company that the user may know or even do business with.

Amazon is a common target of business impersonation, but it also happens with smaller companies as well. For example, there have been instances where website hosting companies have had client lists breached and those companies sent emails impersonating the hosting company and asking the users to log in to an account to fix an urgent problem.

More business impersonation being used in phishing attacks mean users have to be suspicious of all emails, not just those from unknown senders.

IS YOUR COMPANY ADEQUATELY PROTECTED FROM PHISHING ATTACKS?

It’s important to implement a multi-layered security strategy to defend against one of the biggest dangers to your business’s wellbeing, phishing attacks. Contact Databranch today at 716-373-4467 x 15 or [email protected] if you would like to learn more about what options are available to improve your organizations cybersecurity. Our Foundation Security Plan offers a wide variety of benefits such as increasing malware/ransomware protection, reduces phishing compromises, and helps prevent data theft/loss.

To request a free Baseline Security Assessment, click here.

 

Article used with permission from The Technology Press.

Access Control Administrative Privileges AI AI algorithms AI in Cybersecurity Annual Security Training Anti-Virus Artificial Intelligence Authenticator App Automation Backup and Recovery Backup Redundancy BCDR BEC breach prevention Breach Prevention Platform Breaches business continuity Business Continuity and Disaster Recovery Business Email Compromise Business Email Compromises Business Growth Business Phone System Business Software BYOD Call Directory Channel Futures MSP 501 Cisco Cloud Accounts Cloud Data Backup Cloud Infrastructure Cloud Security Cloud Solutions Compliance Comprehensive Cybersecurity Compromised Credentials Computer Installation computer support Computer Upgrades Conditional Access Credential Theft Cyber Attacks Cyber Criminals Cyber Defenses Cyber Insurance cyber liability insurance Cyber Risk Management Cyberattacks Cyberinsurance cybersecurity Cybersecurity Awareness month Cybersecurity Breach Cybersecurity Culture Cybersecurity Strategy Cybersecurity Training Cybersecurity Webinar Dark Web Dark Web Monitoring Data Backup Data Backup and Recovery Data Backup Solution Data Breach Data Breaches Data Governance Data Loss Data Management Data Privacy Compliance Data Privacy Regulation data protection Data Recovery Data Restoration Data Security deepfake Deepfakes Defense in Depth Denial of Service Device Security Disaster Recover Disaster Recovery DNS Filtering doug wilson employee cybersecurity training Encryption Endpoint Detection and Response Endpoint Protection field technician Foundation Security Gift Card Scams Hackers Hosted VoIP Hybrid work i.t. service provider Identity Theft incident response plan Incident Response Planning Insider Threats Internet Explorer Internet of Things Intrusion Detection Intrusion Prevention IoT Devices IT Budget IT Budgeting IT Compliance IT Infrastructure IT Myths IT Partner IT Policies IT Resource IT Security IT Service Provider IT Services IT Support Juice Jacking Local Admin local admin privileges Lost Devices M365 malware Managed Clients Managed Detection and Response Managed IT Managed IT Provider Managed IT Services managed service provider managed services Manages Services MDR MFA Microsoft Microsoft 356 Microsoft 365 Copilot Microsoft End of Support Microsoft Office Mobile Devices MSP MSP 501 Winner MSP501 Multi-Factor Authentication Network Monitoring Network Security Network Testing Networking New Computer NIST Framework Offboarding Office 365 Outlook Outsourced IT password management Password Manager Password Managers Password Protection password security Passwords Patch Management Patches Patching PC Performance Penetration Testing Personal Data phishing Phishing Attacks PII Proactive Monitoring Processor productivity Professional Tune-Up Public WiFi Push-Bombing RAM Ransomware Ransomware Prevention Recovery point objective Recovery Time Calculator Recovery time objective Remote Monitoring Remote Working repeatbusinesssystems Ring Groups risk assessment Risk Management Risk Tolerance Rock-It VoIP RPO RTO RTO Costs SaaS SaaS Backup Scammers Scams security Security Assessment Security Assessments Security Awareness Training Security Defaults Security Key Security Scans SLAM Method Smart Tech Smishing SMS Social Engineering Social Media Security Software Integration Software-as-a-Service Solid-State Drive Sponsored Google Ads SSD stolen credentials Storage Teams technical support scam technology best practices Technology Budget Technology Infrastructure Technology Management Technology Plan Technology Policies Technology Review Threat Detection Threat Identification Threat Modeling top-performing managed service providers Updates virus VoIP Systems VPN Vulnerabilities Vulnerability Assessment Vulnerability Management Warning Signs Webinar Windows 10 Windows 11 Windows 8.1 Work Computers World Backup Day zero trust policy