Nerds On Site

4 Ways Cyber Criminals Attack Small Businesses (And How To Avoid Becoming A Victim)

Cybercrime is on the rise, and there is an increasing number of cyber attacks on small businesses. In fact, according to Verizon’s 2019 Data Breach Investigation Report, 58% of malware attack victims are categorized as small businesses, with over 70% of cyber attackers deliberately target small business
There are a number of ways attackers can get you, and awareness is the first step in protecting your business against these attacks. 
Learn about four of the most common cyber-scams targeting small businesses, how you can identify them, and how to avoid becoming a victim.

1. Executive Email Hijacking 

What Is Executive Email Hijacking?

Email hijacking is a form of a man-in-the-middle attack where the hacker compromises and gains access to a victim’s email account. The attacker then proceeds to “eavesdrop”, silently monitoring the communications between the hijacked party and their contacts. 
These attackers secretly collect sensitive information, including account passwords, and patiently wait for an opportune moment to take advantage of this information. 

How They Get You

Email hijacking is usually carried out through phishing scams. The attackers dupe victims into giving up their credentials by sending them to fake login pages or tricking them into installing a keylogger malware. 
This becomes especially problematic when the hijacked email is that of a company executive. As an individual with higher authority, employees are quick to carry out instructions from emails that appear to come from one of the higher-ups. 
These criminals have become so sophisticated, they may even monitor the CFOs calendar. They watch for a time where the CFO is unable to access email (such as when they are on a flight), and plan their attack for that time. This tactic is used so the target is unable to quickly verify the phony instructions.

How To Avoid Becoming A Victim

There are several ways to reduce the risk of phishing and email hijacking. The best way is to strengthen your authentication by using Two-Factor Authentication. 
This requires users to have a secondary token (such as a mobile device or a physical key) in addition to the password when signing into the account. Passwordless Authentication is an even more secure option.
Aside from using two-factor authentication, here are a few other ways to guard against phishing scams and email hijacking:

  • Make sure your operating system, antivirus software, and browser are up to date. This will ensure you have the latest security updates installed on your computer. 
  • Always be suspicious of emails asking for sensitive information. Your bank would never ask for your account information. They already have it.
  • Never respond to an email request for personal information. If you ever need to provide personal information (like a credit card number), be sure to use a secure, trusted website (look for the padlock icon and “https” in the browser address bar).
  • Beware of phone phishing scams. If someone requests personal information on a phone call, be sure you initiated the call.
  • Never follow the links in an email you suspect might be phishing. If you are unsure about a link you receive in an email, hover your cursor over it. If the link text doesn\’t match the link address, do NOT click it. 


2. Wire Fraud

What Is Wire Fraud?

Wire fraud is a type of financial fraud that normally occurs over the internet or by phone. 
It usually begins with a phishing or Business Email Compromise (BEC) attack. This is when a hacker tries to access sensitive information through fake emails, internet links, or phone calls. One click could be all a hacker needs to get into a user’s computer system and email accounts. 
The attacker might send an email pretending to be someone that the recipient knows, such as a trusted partner or vendor. They then request usernames and passwords to corporate networks, a list of employee email addresses, or the names and email addresses of current clients.
Once into a victim’s compromised system and email account, the thief is well-positioned to send out a timely email to request the fraudulent wire transfer.

How They Get You

Usually, an email is sent from who appears to be a trusted individual. Often it contains instructions for a wire transfer, and includes messaging about urgency so targeted individuals act quickly.
Real estate is a popular industry for this type of cyber attack, with many real estate companies becoming a favourite target of cyber criminals. Real estate transactions involve multiple parties sending large amounts of sensitive information back and forth, providing multiple entry points for cybercriminals. And since there is no federal law requiring real estate companies to implement information security programs—like those mandated for banks and hospitals—companies in the industry are left vulnerable.
In the case of real estate, the email will appear to come from a trusted party in the transaction (such as the buyer’s agent, the attorney, or the escrow agent). Often it contains instructions for the wire transfer for the down payment or closing costs. It could also say that the deal could fall through if the transfer isn’t made immediately, resulting in the victim wiring the money to the thief’s untraceable account.

How To Avoid Becoming A Victim

While there is no perfect security solution out there (attackers always seem to be one step ahead), there are measures you can take to minimize your exposure to these attacks. 
Implement a policy of never sending a wire based solely on an email, and always arrange to meet in person to share important details of transactions. Always verify wire transfer instructions on the phone. 
In addition to taking these steps to prevent wire fraud, here are 6 other tips to reduce the risk of becoming a victim:

  • Don\’t click on hyperlinks in emails, especially if it is from an unknown sender.
  • Look at email addresses, not “from” names. Spoofed emails can use slight variations of your contacts\’ email addresses. Look carefully.
  • Only enter your login credentials in a site URL that starts with ‘https’. This protocol ensures the site is secure and will encrypt your information.
  • Be suspicious of aggressive language in an email. Some try to imply a sense of urgency to provoke hasty reactions. Think: would your agent or attorney really use that language?
  • Don’t enter sensitive information in a popup window.
  • Never conduct business over public Wi-Fi networks.

3. Ransomware

What Is Ransomware?

Ransomware is a particular type of malware. Once a computer or device becomes infected with ransomware, attackers can encrypt files so they become inaccessible. The attacker then demands a ransom for the release of this data. Users are given instructions for how to pay a fee to get the decryption key. 
In another variation of malware, called leakware or doxware, the attacker threatens to publicize sensitive data on the victim’s hard drive unless a ransom is paid. 

How They Get You

Most commonly, ransomware ends up on devices by phishing scams. 
Once the links in the phishing email are clicked, they can take over your computer, especially if they have built-in tools that trick users into allowing administrative access. Some other, more aggressive forms of ransomware, like NotPetya, exploit security holes to infect computers without needing to trick users.

How To Avoid Becoming A Victim

Education is key. Over half of cyber attacks come from inside an organization. Some are launched by malicious employees, but 25% of these attacks are the result of an employee leaving the company vulnerable by mistake—such as by opening contaminated email attachments, pop-ups, or links. Educate your employees on common cyber security threats, and teach them tips for following good cyber security practices.
Beyond educating your employees, here are 4 other things you can do to reduce the risk of ransomware attacks against your company:

  • Back everything up. Always have a secure backup of all your data. Use cloud sharing or an external hard drive (or both). 
  • Ensure passwords are secure. Make them as unique and hard to guess as possible. Update them often and avoid using the same password on different platforms. Use two-step authentication where possible.
  • Install antivirus and anti-malware protection. Anti-malware is an added layer of protection against Trojans, spyware, adware and ransomware while antivirus software gives protection against more specific types of viruses. The two can work together to better protect your systems.
  • Update software regularly. When updates become available, install them immediately. They often include security enhancements that will better protect your systems. Outdated software can be an “easy in” for cyber criminals.


4. SMiShing Scams

What Are SMiShing Scams?

While phishing scams use email to target victims, SMiShing scams approach the target by text message. They involve messages asking to verify information of some sort, appearing to be from important services like a bank, credit card company, or even the phone service provider. 

How They Get You

SMiShing messages might say there is unusual activity on an account, and the credit card or bank account will be charged unless the message is replied to. The message will usually convey a sense of urgency, a trick designed to make the target act more quickly. 
The attackers will try to get as much information as possible by asking for:

  • Social Insurance Number
  • Credit or debit card number
  • Postal code 
  • Bank account number 
  • Name of the bank or credit card

How To Avoid Becoming A Victim

Protecting yourself from SMiShing scams involves using the same caution and vigilance with your text messages that you do with your emails. There are also a number of precautions you can take specific to how you use your mobile devices:

  • Watch out for odd-looking numbers. Email-to-text services often list \”5000\” or other strange numbers. Scammers are likely to hide their identities by using email-to-text services so that their actual phone numbers are not revealed.
  • Be wary of texts from your bank. Most banks don\’t send text messages because they don\’t want people to fall for SMiShing attacks. If they do send texts, find out what number they use to send them so you know they are for real.
  • Enable the \”block texts from the internet\” feature if available. Most spammers and SMiShers send texts through an internet text relay service, which helps hide their identities. Many cell providers will let you turn on a feature that will block texts that come from the internet.

Protect Your Business Against Cybercrime

There are a number of ways cyber criminals try to scam small businesses. Recognizing how they do it is an important step in protecting yourself (and your company) against their attacks. 
Your best defense is using the services of cybersecurity experts. Our local Nerds at Nerds On Site provide full security assessments to protect your company and stay a step ahead of the cyber-scammers.

Scroll to Top