It’s recently been reported that 68 million Dropbox account credentials, including user emails and passwords, are now for sale on the dark web. Even if you’ve changed your passwords, you could still be at risk. Cyber criminals use information gathered from breaches like this to create highly sophisticated phishing scams, which are now on the rise. Earlier this month, a company found more than 70,000 fraudulent emails sent in just one campaign.
I’ve asked Paul Everton, founder and CEO of MailControl, to share his insights with us. MailControl is a cyber security startup that protects enterprises from the threats presented by spymail. He previously founded Yapmo and Visible Vote.
Phishing attacks start with in-depth electronic surveillance of you and your company. Cyber criminals gather information from publicly available resources such as Facebook, Twitter, LinkedIn, blogs and websites, as well as through more devious techniques such as embedded tracking code in email, known as spymail. They then use the collected information to create targeted outreach in the form of emails, or even phone calls, in an attempt to steal funds, disable corporate networks, steal sensitive data, and hold you and your business hostage. The industries that are most at risk include legal, healthcare, and government because of the sensitive information they possess that can be used for identity theft, insider trading, blackmail, etc.
I’ve spent a lot of time thinking about how to protect businesses from phishing attacks in my role as founder of cyber security startup MailControl. These are the steps I recommend you take:
- Be aware of what’s on the Internet: Attackers initially gather insight into both you and your business from online sources. From social media sites to business websites and blogs to spymail (more on that below), an amazing amount of information can be discovered without any technologically advanced “hacking” techniques. It’s important to be aware of this information so you (1) are cautious about what and how you communicate publicly, and (2) don’t give undue credibility to emails that seem private but in fact can be created based on readily available information.
- Create smart data security policies: The Dropbox hack stemmed from an employee’s poor password management. Even though you’ve likely been told this numerous times, passwords are key to protecting your company. Two-factor authentication should be used for all sensitive documents including webmail, bank portals, medical websites and HR portals. If the services you currently use don’t offer two-factor authentication, then you should consider taking your business elsewhere.
Also, access to sensitive data should be provided on a need-to-know basis. For example, payroll data should only be accessible by certain individuals, not the whole accounting department.
- Use secure fund transfer tools: Last year Ubiquiti Networks sent $47M to hackers’ overseas accounts after they posed as employees requesting the transfer. This is only becoming more common as an increasing number of companies are being tricked into sending company funds to accounts controlled by attackers. Put in place well-defined funds transfer procedures, such as requiring all funds requests to be via a secure banking portal and not email.
- Beware of spymail: Spymail is email with hidden tracking code that feeds its sender information about who opens it, when and how many times it’s opened, whether and where it’s forwarded, and even the physical locations from which it’s opened. Its use is up over 284% since 2013 because it gives the sender even more insight into your company’s operations. Because spymail has only recently come into widespread use, most email systems do not protect against it. Companies should consider adding an anti-spymail solution to stop outsiders from gaining visibility into their inboxes.
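To make the spymail point concrete, here is an added example (written for this page, not code from the original article or from MailControl's product) of what an anti-spymail filter actually does: it parses an email's HTML body, flags remote images that look like tracking pixels (1x1 or hidden, or carrying a long opaque per-recipient token in the URL), and strips them before the mail client can fetch them. The sample message, the `.invalid` domains and the tokens in it are constructed for the example.

```python
"""Detect and strip e-mail tracking pixels ("spymail").

Added example for this page, not MailControl's code. The message, the
*.invalid domains and the tokens below are constructed for illustration.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collect every <img> tag: its attributes plus the raw tag text."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            normalised = {k.lower(): (v or "") for k, v in attrs}
            self.images.append((normalised, self.get_starttag_text()))


def _px(value):
    """'1', '1px', ' 0 ' -> int; anything else (empty, '100%') -> None."""
    digits = value.strip().lower()
    if digits.endswith("px"):
        digits = digits[:-2].strip()
    return int(digits) if digits.isdigit() else None


def classify_image(attrs):
    """Return the reasons an <img> looks like a tracker ([] if it does not).

    Only remote (http/https) images can report an open; cid:/data: images
    are embedded in the message. These are heuristics, not proof: a 1x1 or
    hidden remote image, or one whose URL carries a long opaque token (a
    per-recipient id), is what tracking pixels look like in practice.
    """
    src = attrs.get("src", "").strip()
    url = urlparse(src)
    if url.scheme.lower() not in ("http", "https"):
        return []
    reasons = []
    width, height = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
    if (width is not None and width <= 1) or (height is not None and height <= 1):
        reasons.append("tiny")
    style = attrs.get("style", "").replace(" ", "").lower()
    if ("display:none" in style or "visibility:hidden" in style
            or re.search(r"(?:width|height):[01](?:px)?(?:;|$)", style)):
        reasons.append("hidden")
    if re.search(r"[A-Za-z0-9_-]{20,}", url.path + "?" + url.query):
        reasons.append("opaque-token")
    return reasons


def find_tracking_pixels(html):
    """Return [(raw_tag, reasons)] for every <img> that looks like a tracker."""
    collector = _ImgCollector()
    collector.feed(html)
    collector.close()
    return [(raw, classify_image(attrs))
            for attrs, raw in collector.images if classify_image(attrs)]


def neutralise(html, block_all_remote=False):
    """Strip tracking pixels (or, with block_all_remote, every remote image).

    block_all_remote is the policy hardened mail clients apply: it trades a
    missing logo for certainty that nothing phones home when the mail is opened.
    """
    collector = _ImgCollector()
    collector.feed(html)
    collector.close()
    for attrs, raw in collector.images:
        scheme = urlparse(attrs.get("src", "").strip()).scheme.lower()
        remote = scheme in ("http", "https")
        if (block_all_remote and remote) or classify_image(attrs):
            html = html.replace(raw, "<!-- remote image removed -->", 1)
    return html


def scan_message(raw_bytes):
    """Parse an RFC 5322 message and report tracking pixels in its HTML body."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    return [] if body is None else find_tracking_pixels(body.get_content())


# Constructed sample message (not a real e-mail): one 1x1 pixel, one
# ordinary logo, one embedded signature image, one hidden pixel.
SAMPLE_EMAIL = b"""\
From: "Accounts Payable" <ap@vendor.invalid>
To: cfo@company.invalid
Subject: Updated wire instructions
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please find our updated banking details attached.</p>
<img src="https://track.vendor.invalid/o/9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e.gif" width="1" height="1" alt="">
<img src="https://www.vendor.invalid/logo.png" width="120" height="40" alt="Vendor">
<img src="cid:signature-image" alt="">
<img src="https://t.vendor.invalid/p?u=9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c" style="display: none">
</body></html>
"""

if __name__ == "__main__":
    for raw, reasons in scan_message(SAMPLE_EMAIL):
        print(", ".join(reasons), "->", raw)
```

Run as a script, it reports the two pixels and leaves the vendor logo and the embedded `cid:` image alone. The thing to notice is that the leak is the fetch itself: the moment the client requests the remote image, the sender learns the time, the IP address (hence rough location) and the user agent, so the filter has to run at the gateway or in the client before rendering, not after. Because a visible remote image with a short URL still phones home, the `block_all_remote=True` mode is the only setting that closes the channel completely; the heuristic mode is for environments that want to keep legitimate remote images working.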