Cybersecurity for small businesses

Iain Westwood

The impact of data breaches, network hacks or well-crafted phishing campaigns is often reported in the press.  These reports often cover reputational loss and financial cost to the victim that can run into tens or hundreds of thousands of pounds.  But what about the little guy?

Email attacks

Small businesses can often be the focus of specific targeted email-based attacks.  Known as spear phishing, these attacks involve an email sent from what appears to be a trusted sender.  The email could be a request for payment of a fraudulent invoice, in an attempt to receive money directly from the business.  It could also be something more subtle, such as embedded links to websites that contain malicious software like key-loggers, which can then be exploited to obtain money indirectly by capturing bank details or other sensitive information.

Social engineering

Social engineering is another attack vector often used by scammers.  In some cases, fake call centers will contact potential victims pretending to be from Microsoft and convince the victim to allow the scammer access to their computer through software such as TeamViewer.  Once they have access, the victim is vulnerable to exploitation.

Common scams include convincing the victim they are owed a refund and asking them to open their online banking while the scammer looks on remotely.  The victim is then distracted while the scammer transfers money from the victim’s own savings account into the victim’s current account.  The scammer will transfer more than the amount they claim to be refunding and then instruct the victim to return the amount overpaid through the use of online gift cards such as Apple Store or Google Play.

Remote access

Alternatively, with remote access, the scammer will run a script or even a basic CLI command such as “netstat -a”, which lists active TCP/IP connections, and show the victim the output, claiming that the connections listed are connections from hackers and that the victim must pay a fee to have their computer fixed.
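To show staff what that output really contains, the following added example (not part of the original article) reads netstat-style rows and describes each one in plain language.  The sample rows are constructed, use the numeric layout printed by “netstat -a -n” on Windows, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample in the numeric layout Windows prints for `netstat -a -n`.
# Addresses are private or documentation ranges, not a real capture.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED
  TCP    192.168.1.20:50112     203.0.113.10:443       ESTABLISHED
  TCP    192.168.1.20:50120     198.51.100.7:443       TIME_WAIT
  UDP    0.0.0.0:5353           *:*
"""

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a resolved name rather than an address
        return host == "localhost"

def explain(line):
    """Return (category, plain-language meaning) for one row, or None."""
    parts = line.split()
    if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
        return None  # banner, column header or blank line
    proto, local, foreign = parts[:3]
    state = parts[3] if len(parts) > 3 else ""
    if proto == "UDP" or state == "LISTENING":
        return "listening", f"{local}: local service waiting for traffic, no remote party"
    host, _, port = foreign.rpartition(":")
    if is_loopback(host.strip("[]")):
        return "loopback", f"{local}: two programs on this PC talking to each other"
    if state == "ESTABLISHED":
        return "established", f"{local} -> {foreign}: open session with remote port {port}"
    return "closing", f"{local} -> {foreign}: finished connection being cleaned up ({state})"

def summarise(text):
    rows = [r for r in map(explain, text.splitlines()) if r]
    return Counter(cat for cat, _ in rows), [msg for _, msg in rows]

if __name__ == "__main__":
    counts, messages = summarise(SAMPLE)
    print(dict(counts))
    for m in messages:
        print(" -", m)
```

Every row in the sample falls into an ordinary category that any networked PC will show, which is the point to make in awareness training: a long list of connections is not evidence of a compromise.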

What’s the answer?

So, what can be done about all of this?  The primary tool is education. Employees should be taught about these scam techniques and what to look out for, and should double-check that suspicious-looking emails are legitimate before making any changes to payment methods.  If someone is offering a refund for something that hasn’t been purchased, it’s obviously a scam.

There are also technical tools that can help.  A subscription to Mimecast will cut down the number of spam and scam emails received, and using a service such as Cisco Umbrella (check out our free trial) can also help when it comes to detecting and blocking unsanctioned applications.

activereach specialises in helping companies, large and small, to implement and secure their networks, as well as detect breaches if they do occur. Call us on 0845 625 9025 or contact us to find out more.