Being a small business doesn’t make you invisible to criminals on the Internet. You might think that being a smaller entity, serving only a local area, might not drive a lot of malicious attention to you, but it just isn’t the case today.
We have been observing a significant rise in reported phishing attacks from clients, prospects, and local businesses throughout Maryland. In fact, we’re not just seeing this happen in the larger cities, but the smaller, more rural areas as well.
Maryland Businesses are Struggling with a Barrage of Targeted Phishing Attacks
A phishing attack typically works like this:
The user receives an email that looks legitimate. It could appear to come from a vendor or an online service like Amazon, Facebook, Google, PayPal, or a bank. The email aggressively encourages the user to click on a link. The link leads to a site that looks legitimate (it isn't) and instructs the user to log in with their username and password. The moment they do, the credentials are sent to the cybercriminal, who uses them or sells them on the dark web.
These emails look real. Here is an example of one designed to trick users into handing over their PayPal credentials:
Phishing emails use several different tactics to steal information. The subject matter is almost always designed to create urgency. Some of the most common lures are:
- Fake invoices, bills, scanned documents, and package deliveries
- Stolen password and account compromised notifications
- Unsolicited file access (like Dropbox or Google Docs files)
- Fake messages and requests on social media
- Email delivery failures
- Legal correspondence
The goal is to gain access to your online accounts, sensitive information, or your money, so cybercriminals will try to get:
- Credentials for social media accounts like Facebook, Twitter, and LinkedIn
- Logins for email accounts like Gmail, Outlook, and Yahoo Mail
- Bank account credentials
- Online retailer accounts like Amazon, eBay, Walmart, and Best Buy
- Other online services like hotel and flight bookings, and basically anywhere you would use a credit card
- Credit card vendors and payment sites such as Paypal, Venmo, Chase, and more
In other words, if the site has a login or accepts credit card payments, ties back to your bank account, or allows you to submit sensitive or personal information in any way, cybercriminals want access to it, and will try to trick you to get it.
Your End Users Can Put Your Business at Risk
Even if business owners are vigilant when it comes to avoiding phishing attacks, the security of your company is only as strong as the weakest link. It only takes one employee to make a mistake and put your data at risk. You must educate your staff to avoid phishing attempts.
Since cybercriminals are targeting small businesses in Maryland, your users are bound to be receiving attacks like this. Our clients regularly report suspicious emails to us, and a single employee mailbox can receive over a dozen phishing attempts each month. Every additional mailbox in your office raises the odds of your organization being compromised. The best way to protect your data is to ensure it isn't compromised in the first place. Dresner Group is a Cyber Verify AA Risk Assurance Rated organization, and we can help your business remain secure.
Cybercriminals Know How to Trick Employees
There is a type of phishing attack called executive whaling. Rather than stealing one person's login, the goal is to trick an employee into handing over something more valuable: company money or sensitive information.
Whaling attacks, like typical phishing attacks, look like legitimate emails. These attacks often target employees in HR and accounting departments. The emails are spoofed to look like they come from a manager or executive, urgently authorizing the recipient to transfer money or provide sensitive information.
You really need to ask yourself - if you were to email one of your employees right now and ask them to reply to you with a password or a company credit card, what are the chances that they will respond?
According to the FBI, this type of attack is now a $12 billion scam.
Protecting Your Maryland Business from Phishing Attacks
To avoid a compromise that puts you on the wrong side of Maryland's data breach notification law, your staff needs to be very cautious before clicking links and opening attachments in emails. Here are the steps to take:
- Carefully hover (don't click!) over links and read the address that appears. The part that matters is the host name: everything between the https:// and the next forward slash (/). Read it from the right. If the email is from PayPal, the host must end in paypal.com, either paypal.com itself or a subdomain such as accounts.paypal.com. Anything between 'paypal' and the '.com' is suspicious, and the '.com' should be followed immediately by a forward slash (/) or by the end of the address. If the URL is something like paypal.com.mailru382.co/something, the real host is mailru382.co and you are being spoofed. Everyone handles their domains a little differently, but use this as a general rule of thumb:
- a. paypal.com - Safe
- b. paypal.com/activatecard - Safe
- c. business.paypal.com - Safe
- d. business.paypal.com/retail - Safe
- e. paypal.com.activatecard.net - Suspicious! (notice the dot net immediately after PayPal's domain name: the real host is activatecard.net)
- f. paypal.com.activatecard.net/secure - Suspicious!
- g. paypal.com/activatecard/tinyurl.com/retail - The host is still paypal.com, so this passes the host check: dots after the first forward slash are part of the path, not a second domain. The trick to watch for is the reverse, such as activatecard.net/paypal.com/login, where the brand name sits in the path and the real host is activatecard.net.
- Check the sender's address in the header, not just the display name. An email from Amazon wouldn't come from an address on an unrelated domain, so apply the same read-the-domain test to the part after the @ sign. If in doubt, do a quick Google search for the email address to see if it is legitimate.
- Always be careful opening attachments. If there is an attachment or link on the email, be extra cautious.
- Be skeptical of password alerts. If the email mentions passwords, such as “your password has been stolen,” be suspicious.
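The hover-and-read rule for links and the sender-address check above can be written down as a small script, which also makes the edge cases explicit. This is an added example, not code from the original post or from Dresner Group. The brand-to-domain table, the hypothetical domains (activatecard.net, evil.example, amazon-billing-center.co) and the sample From: headers are constructed for the example, and the domain extraction assumes a single-label suffix such as .com or .net; a production tool would consult the Public Suffix List to handle cases like .co.uk.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Brands we expect to see in phishing lures and the domains they really use.
# Constructed for this example; a real deployment would use a maintained allow-list.
EXPECTED_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
}


def registrable_domain(hostname):
    """Return the owner-level domain of a host, e.g. 'business.paypal.com' -> 'paypal.com'.

    Simplification (assumption): a one-label public suffix such as .com or .net.
    Real code should use the Public Suffix List so that 'shop.example.co.uk'
    yields 'example.co.uk' rather than 'co.uk'.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return hostname.lower()
    return ".".join(labels[-2:])


def check_link(url, brand):
    """Classify a link that an email claims belongs to `brand`. Returns (verdict, reason)."""
    if "://" not in url:
        url = "https://" + url  # hover text in mail clients often shows a bare host
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "suspicious", f"unexpected scheme {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        # 'https://paypal.com@evil.example/' puts the brand in the userinfo field;
        # the browser connects to whatever follows the '@'.
        return "suspicious", f"text before '@' is a username; real host is {parts.hostname!r}"
    host = parts.hostname or ""
    domain = registrable_domain(host)
    if domain in EXPECTED_DOMAINS.get(brand, set()):
        # Everything after the first '/' is a path on this host, so dots there
        # (e.g. paypal.com/activatecard/tinyurl.com/retail) do not change the owner.
        return "safe", f"host {host} belongs to {domain}"
    return "suspicious", f"host {host} is owned by {domain}, not by {brand}"


def check_sender(from_header, brand):
    """Check the address in a From: header, not the display name.

    A display name of 'Amazon' carries no weight; only the domain after '@' does.
    """
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "suspicious", "no usable address in From header"
    domain = registrable_domain(address.rsplit("@", 1)[1])
    if domain in EXPECTED_DOMAINS.get(brand, set()):
        return "safe", f"sender domain {domain} matches {brand}"
    return "suspicious", f"display name {display_name!r} but sender domain is {domain}"


if __name__ == "__main__":
    # The examples from the list above plus two constructed lookalikes.
    for link in [
        "paypal.com",
        "business.paypal.com/retail",
        "paypal.com.activatecard.net/secure",
        "paypal.com/activatecard/tinyurl.com/retail",
        "activatecard.net/paypal.com/login",
        "http://paypal.com@evil.example/login",
    ]:
        print(f"{link:50} {check_link(link, 'paypal')}")
    for hdr in ["Amazon <no-reply@amazon.com>",
                '"Amazon Support" <alerts@amazon-billing-center.co>']:
        print(f"{hdr:50} {check_sender(hdr, 'amazon')}")
```

The host check is the part a user can do by hand; it tells you who the link will actually connect to. The sender check is weaker on its own, because a From: header can be forged outright unless the receiving mail system enforces SPF, DKIM and DMARC, which is why both checks belong together with the advice above to be skeptical of any message that creates urgency.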
Visit PayPal’s help pages for more information on how to spot fake, fraudulent, spoof, or phishing emails.
Staff education can go a long way to prevent security issues. Be sure to share this blog with your staff and colleagues to help protect them from attacks. If your business is seeing a lot of spam and phishing attempts it’s time to regain control over your inbox. Don’t hesitate to give us a call so we can help reduce and mitigate the risk. Give Dresner Group a call at (410) 531-6727 today.