WHAT YOU—AND YOUR EMPLOYEES—NEED TO KNOW TO KEEP YOUR BUSINESS INFORMATION SECURE
Education is a key part of an effective cybersecurity strategy. While cybercriminals keep finding new and more sophisticated ways to target businesses, most cyberattacks and scams still fall into one or more of a handful of broad categories. Familiarizing yourself with them will give you a sense of where your business is vulnerable. For many scams, that knowledge helps you and your team recognize an attack attempt before someone unwittingly gives an outsider access to your network or transfers money to a fraudulent account.
Here’s an overview of some of the most common business scams.
Business email compromise scam
A business email compromise (BEC) scam uses email to impersonate a trusted source: a company executive, a long-time vendor or a government representative. Most often a BEC tries to persuade the recipient to send money to the fraudster’s account, for example with a fake invoice or an “updated” set of direct deposit or wire instructions. Sometimes the goal is sensitive information instead. Because a BEC message may come from a genuine account the attacker has taken over, or from a look-alike address that differs from the real one by a single character, the sender address alone cannot be trusted. The warning signs are the unusual nature of the request (urgency, secrecy, a change in payment details) and language that does not sound like the person it claims to be from. Confirm any request to change payment details or move money by phone, using a number you already have on file, never one supplied in the email itself.
Malware
Malware, short for “malicious software,” is software installed on your computer without your knowledge, often to steal or destroy data or to give an attacker control of the machine. Ransomware, viruses, worms, spyware and trojan horses are all examples. Malware typically arrives through an email attachment, a download of tampered-with software or a link to a malicious website; a worm can also spread on its own from one unpatched machine to another. Keeping your operating system and applications updated closes the holes malware relies on, and up-to-date anti-malware software helps block known malware before it runs and remove any that has already made its way into your system. Neither is foolproof, so keep backups as well.
Ransomware
Ransomware encrypts the files on your computers and servers so that you can no longer access your own critical data; many current variants also copy the data out first and threaten to publish it. The criminals demand a ransom, usually in cryptocurrency, in exchange for the decryption key that releases the data they have held hostage. The FBI advises against paying: payment encourages further attacks and does not guarantee that you will get your data back or that the key you receive will work. Instead, disconnect affected machines from the network, report the incident to your local FBI field office and restore from backups. Because ransomware also encrypts any backups it can reach, keep at least one copy offline or otherwise disconnected from your network, and test periodically that you can actually restore from it.
Phishing
A phishing attack is an attempt to trick the victim into handing over sensitive information. Typically the lure is an email or text message carrying a link to a “spoofed” (impersonated) website, where you are asked to “update” or “verify” your account by typing your username and password into a convincing copy of the real login form; the same message may also carry an attachment or link that delivers malware. To avoid falling for a phishing scam, treat any email or pop-up that asks for a username or password with suspicion. Legitimate companies don’t usually operate this way. Do not click the link. Instead, open a new browser window and type the address of the site you want to visit into the address bar, or use a bookmark you saved earlier. If the message is legitimate, the same notice will be waiting for you when you log in to your account. Look closely at the sender’s address and at where a link actually points before trusting either: phishing sites often use a domain that merely contains or resembles the real one.
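The advice above to check where a link really points can be automated. The following Python script is an added example and is not part of the original article; it assumes you know the genuine domain of the site you use (here the made-up examplebank.com) and flags the tricks spoofed links commonly rely on: a real-looking name placed before an @ so that the browser actually connects to a different host, a host that merely contains or resembles the genuine domain, and non-ASCII look-alike characters. The sample links are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Assumption for the example: the site you genuinely use. Any host not under
# this domain is treated as untrusted.
GENUINE_DOMAIN = "examplebank.com"

# Constructed sample links of the kind a phishing message might carry.
SAMPLE_LINKS = [
    "https://www.examplebank.com/login",                     # genuine
    "https://examplebank.com@203.0.113.5/login",             # decoy name before @, real host is an IP
    "https://examplebank.com.account-verify.example/login",  # genuine name as a prefix of another domain
    "https://secure-examplebank.com/login",                  # look-alike domain registered by the attacker
    "https://examplebаnk.com/login",                         # Cyrillic "а" in place of Latin "a"
    "javascript:alert(1)",                                   # not a web address at all
]


def link_host(url: str) -> str:
    """Return the host a browser would actually connect to, or "" for non-http(s) links."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return ""
    # .hostname drops the user:password@ portion, so a decoy name before @ is ignored
    return (parts.hostname or "").rstrip(".")


def belongs_to(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify_link(url: str, genuine_domain: str = GENUINE_DOMAIN) -> str:
    """Label a link as ok, suspicious (with the reason) or rejected outright."""
    host = link_host(url)
    if not host:
        return "reject: not an http(s) link"
    if not host.isascii():
        return "suspicious: non-ASCII characters in host " + host
    if belongs_to(host, genuine_domain):
        return "ok"
    # A host that merely contains the genuine name (or its first label) is a
    # classic look-alike: examplebank.com.evil.example, secure-examplebank.com
    if genuine_domain in host or genuine_domain.split(".")[0] in host:
        return "suspicious: look-alike host " + host
    return "suspicious: unexpected host " + host


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):55} {link}")
```

The decisive check is `belongs_to`: the host must end with “.examplebank.com” (or be exactly that), which is what “under the genuine domain” means; a plain substring test would accept every one of the spoofed links above.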
Password attacks
A password attack attempts to gain access to a system or network by guessing or cracking a password directly. Unlike phishing and malware attacks, password attacks typically do not depend on the victim downloading anything or handing over data or money. Instead, the attacker runs password-guessing software, either against the login page itself or against a stolen database of password hashes, until it finds a password that works. A “brute force attack” tries every possible combination of characters; a “dictionary attack” starts from lists of common words and previously leaked passwords and applies common variations, such as capitalizing the first letter or adding a year and a punctuation mark. Short passwords and predictable patterns fall quickly to either method. You can guard against these attacks by choosing long, unique passwords (a password manager makes this practical), by locking or slowing down an account after repeated failed attempts, and by using multifactor authentication, which requires a second proof of identity alongside the password, such as a one-time code from an authenticator app or sent to the user’s phone, or a physical security key.
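To make concrete why length and unpredictability matter, here is an added Python example that is not from the original article. It plays the attacker against a constructed, unsalted SHA-256 hash: a dictionary attack with a tiny made-up wordlist and a few common mangling rules recovers a password that looks respectable in a few dozen guesses, an exhaustive brute-force search recovers a 4-digit PIN, and a keyspace calculation shows why the same search over a random 12-character password is hopeless. The wordlist, the hashed passwords and the guess rate are all constructed for the demonstration.

```python
import hashlib
import itertools
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def sha256_hex(candidate: str) -> str:
    return hashlib.sha256(candidate.encode()).hexdigest()


# Constructed "leaked" hashes for the demo. In a real breach the attacker holds
# only the hashes and must guess what produced them.
LEAKED_PASSWORD_HASH = sha256_hex("Summer2023!")
LEAKED_PIN_HASH = sha256_hex("7391")

# Constructed mini wordlist and mangling suffixes; real dictionaries hold
# millions of words and leaked passwords, and real rule sets are far larger.
WORDLIST = ["password", "welcome", "summer", "letmein", "company"]
SUFFIXES = ["", "1", "123", "!", "2023", "2023!", "2024!"]


def mangle(word: str):
    """Yield the variations a dictionary attack tries for one base word."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix


def dictionary_attack(target_hex: str, wordlist=WORDLIST):
    """Return (password, guesses) if a mangled wordlist entry matches, else (None, guesses)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hex:
                return candidate, guesses
    return None, guesses


def brute_force(target_hex: str, charset: str, max_len: int):
    """Try every string over charset up to max_len; feasible only for tiny keyspaces."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hex:
                return candidate, guesses
    return None, guesses


def brute_force_years(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Years needed to exhaust the whole keyspace at the given guess rate."""
    return charset_size ** length / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print("dictionary attack:", dictionary_attack(LEAKED_PASSWORD_HASH))
    print("PIN brute force:  ", brute_force(LEAKED_PIN_HASH, string.digits, 4))
    # Assumed rate: ten billion SHA-256 guesses per second on attacker hardware.
    rate = 1e10
    print("6 lowercase letters:", brute_force_years(26, 6, rate), "years")
    print("12 random printable characters:", brute_force_years(94, 12, rate), "years")
```

The guess rate of ten billion per second is an assumed figure for an offline attack on a fast hash such as SHA-256. Against a login page, lockout and rate limiting cut it to a handful per second, and password-storage schemes designed to be slow (bcrypt, scrypt, Argon2) reduce it by orders of magnitude. None of that rescues “Summer2023!”: a dictionary finds it in a few dozen guesses whatever the rate, which is the argument for long, random, unique passwords plus a second factor.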
Distributed denial-of-service (DDoS) attacks
The goal of a distributed denial-of-service (DDoS) attack is to disrupt service to a network. By overwhelming the targeted machine or connection with a high volume of traffic from a large number of hijacked computers, a DDoS attack prevents users from reaching email, websites, online accounts and any other service that relies on the network. While the end targets are often large corporations and governments, any internet-connected device, including office computers and unpatched routers or cameras, may be commandeered to participate in an attack, usually without its owner ever knowing; keeping such devices patched reduces the chance that your equipment is used against someone else. Because the attack is “distributed” across thousands of sources, there is no single address the victim can block to stop it. Defending against a DDoS attack generally requires capacity and traffic filtering beyond what a small business runs itself, typically provided by your internet service provider, hosting provider or a DDoS-mitigation service. Ask your IT vendor what protection is in place for the services your business depends on.
The methods cybercriminals use to breach your security are varied, and they change every day. A good defense involves following cybersecurity best practices and assessing your organization’s unique vulnerabilities. For more information, and to keep up with the ever-advancing world of cyberattacks, visit the Federal Trade Commission’s cybersecurity page and the Internet Crime Complaint Center.