You may not remember the lyrics from the 1996 Buffalo Springfield hit “For What It’s Worth”. The fourth verse warns that “Paranoia strikes deep. Into your life it will creep.”
But hey, it’s dangerous out there!
Not to life and limb, but the dangers of the Internet are real and pervasive. So much so that even the savviest among us can end up victims of the tricks and techniques of the most unscrupulous scoundrels in the world.
Phishing, Smishing, Vishing, and Drive-by Downloads
We’ve all become hardened to the threat of clicking on an email attachment from someone that we know but weren’t expecting. And the effectiveness of “phishing” attacks has decreased dramatically over the past decade as we have learned not to click on a link in an email to reset or verify our account information, no matter how “official” the email may appear.
Even so, many among us have been caught by the social engineering tactics of receiving an email with a link to a news article or a video of a celebrity, and clicking on it only to be infected by a “drive-by download”. Often that email containing the link to the malicious site appears to come from a family member, friend, or acquaintance, but truth be told, most likely their account was compromised by one of the techniques we’re talking about.
Yes, just by visiting a malicious website, your computer can be infected with a trojan virus that records all of your keystrokes as you visit your banking, brokerage, and email accounts. Or worse, you could find that your computer is infected with ransomware that encrypts your files and holds them hostage, demanding that you pay a ransom to get your data back.
But the attack vector, i.e., how these fraudsters gain access to your personal information or deliver a malicious payload to your computer, is not limited to email and the internet. We’ve all heard the news stories of people receiving a call from someone at the “IRS” demanding payment for taxes owed. And at least one person was so intimidated by one of these calls that he actually responded to their demand that the payment of several thousand dollars be made via Apple iTunes gift cards.
Vishing, as it’s been dubbed, is becoming more and more pervasive, especially as it becomes easier for the caller to spoof their caller ID to look like it comes from a legitimate source. Carry that a step further, and these innovative criminals are now sending SMS text messages (smishing) to our cell phones with the same social engineering approaches that we’ve seen in the email world: urgent calls to action because an account has been compromised, requests to call a phone number or to click on a link to visit a site to verify your personal information in order to keep the account active, or any of a number of “official” looking messages that require our immediate attention.
So What Can I Do?
As individuals, any of these events can be onerous. As a small business, the impact can be devastating, and could mean the end.
But that need not be the case. There are a number of steps you can take to decrease the probability that your business will become a victim of these types of attacks.
- Educate yourself and your employees. Awareness is probably the single most effective mitigation strategy you can employ. Build your own awareness, and that of your employees, of the various ways these attacks are carried out.
- A touch of paranoia is in order.
- Never click on email attachments or links in an email from someone you don’t know, and even if you know the sender, verify that they actually sent the email before taking any action.
- Never provide personal or financial information via email, text message, or over the phone. Banks or other companies/agencies do not request that you confirm personal information in this manner. They already have your information and so should not need you to give it to them.
- Know who you are dealing with. It’s unfortunate, but some healthy skepticism is required in today’s environment. Just because an email or text says that it is from your bank or some other entity that you commonly deal with, it does not mean that it is. If you get an email with a link to your bank, for example, open your browser and enter the URL of your bank yourself, and then log on and check if there is an issue requiring your attention.
- Utilize cloud backup services to create offsite backups of your data. Automate the process so that it is initiated automatically on a regularly scheduled basis.
- Install the latest malware protection and keep it updated.
- Check your bank and credit card statements regularly for suspicious activity.
If, despite all of these prevention steps, you find yourself dealing with any of these issues, please contact us for an assessment of follow-up steps we can take.