Could your business afford to lose £100,000? We don’t know of many SMEs who easily could, especially in the current climate, where the global pandemic has created extra expenses and minimised income streams in plenty of cases. By layering a few simple, inexpensive, or even free security measures, you can slam the door firmly in the faces of cyber criminals looking to take advantage.
First, let’s look at a real scenario from the experience of a local business who were scammed out of £100,000. It all started with a spearphishing attack.
What is a spearphishing attack?
A spearphishing attack is when login credentials are gathered by means of a fake login page. In our example, the victim found himself on a login page which looked legitimate, mirroring the real login page he would usually use, but it was actually being used to send his username and password straight to the scammers.
The criminals didn’t do anything straight away. They monitored the victim’s inbox for six months to determine whether his was the right inbox to use to carry out their plan, and it turned out that it was. In that time, they analysed the language and the nicknames he used for people, and they learnt who authorised what within the company. Only when they were confident that they had all the information they needed did they make their move.
They found an email relating to a financial transaction, doctored it with their own financial details, let it loose, and £100,000 was paid into the wrong account.
How to prevent being scammed with cheap or even free cyber security features.
How to prevent being spearphished
We’ve written about security before, and about the importance of layering security measures to give your business the best chance of protection. This example is great for showing what that might look like.
The first step is to do everything we can to prevent the spearphishing.
For Office 365 users, there is something called Advanced Threat Protection which you can add to your mailboxes. This checks links for threats in real time, which means that if you visit a website one day and it’s fine, but it gets hacked overnight, you will receive a warning when you click on the same link the next day. Advanced Threat Protection won’t remove the risk completely, but it’s the first line of defence. In our example, this could have alerted the victim that the website he was about to visit wasn’t legitimate.
The second line of defence here is DNS filtering. This compares links with a catalogue of known phishing attempts which is kept up to date. Combined with Advanced Threat Protection, that provides a good amount of security.
But what if someone still managed to slip through the net?
Office 365 saves the day again with multi-factor authentication (MFA). And the really wild thing about this is that it’s completely free. That’s right, if you already have Office 365 – which most businesses do – you can enable MFA at no extra cost.
MFA means that when you log in, as well as your username and password, you also need to enter a code which is usually sent to, or generated by an app on, a mobile device. So even if someone elsewhere had your username and password, they wouldn’t be able to log in without that extra code as well. This would have stopped our scam example in its tracks.
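To make the MFA point concrete, here is an added example (not code from this article or from Office 365) of a login check that requires a time-based app code in addition to the password. The account, password, salt and secret are constructed sample values, and the code scheme is the open RFC 6238 standard that authenticator apps commonly use.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1), as an authenticator app computes it."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample account. The password is what a fake login page captures;
# the TOTP secret exists only on the server and inside the user's phone app.
SALT = b"constructed-salt"
ACCOUNT = {
    "pw_hash": hash_password("Summer2020!", SALT),
    "totp_secret": b"12345678901234567890",
}


def login(password: str, code, now: float, mfa_enabled: bool = True) -> bool:
    if not hmac.compare_digest(hash_password(password, SALT), ACCOUNT["pw_hash"]):
        return False
    if not mfa_enabled:
        return True  # password alone is enough, so stolen credentials work
    if not code:
        return False
    # Accept the current and the previous time step to tolerate clock drift.
    return any(
        hmac.compare_digest(
            totp(ACCOUNT["totp_secret"], now - d * STEP).encode(), code.encode())
        for d in (0, 1)
    )


if __name__ == "__main__":
    now = 1_600_000_000  # constructed timestamp
    print("MFA off, password only:", login("Summer2020!", None, now, False))
    print("MFA on, password only: ", login("Summer2020!", None, now))
    print("MFA on, password + code:",
          login("Summer2020!", totp(ACCOUNT["totp_secret"], now), now))
```

With MFA switched off, the password on its own logs in; with it switched on, the same password is rejected unless the current code from the phone app accompanies it.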
So there we have it. Three simple things which are either free or pretty inexpensive could stop your business from losing £100,000. It really is a no-brainer!
If you’d like us to take a look at your data security setup as it is at the moment, and recommend any changes to stop something similar from happening to you, give us a call on 01732 617788 or drop us an email to [email protected]. We can chat about what you need, and how you might get the best out of it for your business. Got a jam-packed schedule? Book an appointment with Jon Cross here. We don’t want anyone to lose their money to scammers, when the fix can be so simple.