
Cyber criminals target employees to get their bounty

It seemed normal enough.

The employee in accounting received an email from the company CEO. The message said he had authorized a $15,000 payment to a vendor, and it included a link to set up an electronic fund transfer to the vendor's bank account. The employee, after a casual glance at the message, had no reason to doubt its authenticity and completed the transaction as requested.

It wasn't until weeks later that the employee learned through a routine audit that no such vendor existed, nor had the CEO actually sent the email authorizing the purchase. Further investigation by the IT department found the email had come from an outside source, spoofing the CEO. The link led to an untraceable foreign account.

The company was a victim of a hacker.

While cybercrime is not a new phenomenon, it continues to grow dramatically as the internet connects us globally and hackers become more creative and daring. And while headlines tout major hacks of large and global organizations - like the recent hack of emails from the Democratic National Committee - experts warn that no business is too small for cyber criminals.

"They are one of the most common security challenges that smaller companies are facing," said Jim Burke, COO and vice president of Links Technology in Schaumburg. "They try to get passwords, credit cards and other information they can use for false identity, and they'll use any communication that they can to steal."

Billion dollar industry

Cybercrime increased 19 percent in the U.S. during 2015, according to a study by the Ponemon Institute and sponsored by Hewlett-Packard Enterprise. The report notes all industries are vulnerable to hacker attack, to different degrees. Last year, financial service, utilities and energy firms experienced higher cybercrime costs than those in health care, automotive or agriculture industries.

Total losses in the U.S. were $1.07 billion in 2015, according to the FBI's annual Cyber Crime Report. The report ranks Illinois fifth in the nation in the number of victims of internet crime, with losses totaling $33.3 million.

The FBI report notes the biggest trends in the past year have been business email compromise - where hackers spoof a company official to elicit fraudulent wire transfers to their accounts - and ransomware, in which a downloaded program encrypts the business' information and demands a ransom to unlock that data.

That's why local experts say no matter how big or small your business, you need to worry about hackers.

"Your typical small business is not going to get targeted for the content of their email, intellectual property or as a newsworthy subject," said Steve Banke, CEO of 3Points LLC in Oak Brook. "Criminals that are coming after small businesses are interested in their money, not their information."

Weakest link

Today's hackers know firewalls, data encryption, virus scanners and other network protection systems have become more difficult to crack. That's why they're relying more on the human factor to get into your company.

Hackers are turning to social engineering to find targets, using phishing techniques to get an unsuspecting employee to click on a link, either in an email or while browsing legitimate websites. Banke notes that once an employee clicks on that link, the hacker can obtain information that can eventually be used to enter the company's network.

"If they respond, the hacker can learn a bit more about that person," Banke said. "They can check a Facebook or LinkedIn page and develop a profile of the individual they are targeting. They then become the point of access into a company's network."

Burke also says hackers can find key staff information on a company's website, then very easily determine its email domain. "It doesn't take that many tries to figure this stuff out," he said.

Once the hackers have a target, they rely on that person to momentarily let their guard down.

Getting in

Business email compromise - spoofing the executive to move money into an outside account - works because employees assume the name in the "from" box is legitimate. Both Banke and Burke note that simply hovering over the name with your cursor can reveal the true source, though that can be tricky because the hacker's address may be very close to the company's actual server address (@compaany.com, as opposed to @company.com).

The same holds true with ransomware, which often arrives in emails that appear to be from legitimate vendors or customers. The emails contain a link that launches a virus which encrypts the business' data, then demands a ransom for a key to unlock the information.

Ransomware is a serious threat especially to a small business, according to Deb Reiter, CEO and chief technology adviser of CMIT Solutions of The Tri-Cities in Batavia. She cited a recent report from software giant Cisco Systems that states $34 million is paid to criminals through ransomware annually, with the average ransom being around $300.

"It's not chump change, but it may not be a lot of money to a business owner," she said. "But the hackers know what they're doing, and if they get half the people they're targeting, it's a lot of money."

Banke adds that while the ransom may not be large, the cost of your business coming to a halt during the transaction can add up significantly.

A third type of infection is the "Man in the Middle" software. It infects a computer the same way as ransomware, but it plants a keystroke tracker into the computer that monitors what is being typed and relays the information back to the hacker.

"The Man in the Middle watches for particular keywords, like a bank name or the word bank," Banke said. "As soon as that occurs, it captures all the keystrokes and sends it to a person who can start using it. A hacker could be into your bank account within 30 seconds."

More than money

While ransomware and other hacks are targeting your cash, the other real cost of cybercrime is the disruption of your business. Business disruption represents the highest external cost, according to the Ponemon Institute study, accounting for 39 percent of total costs of crime.

"Small business owners can have a misconception that 'I'm so small, who'd be interested in me?'" said Banke. "But they're interested in you for just $400 because they're hitting 1,000 $400 targets every week, and that $400 they're after could cost you $4,000 to $5,000 to recover from."

All agree the best defense is making sure your employees are educated on the dangers of hackers. The level of education can go from running training and update sessions to adopting company email and internet use policies.

"It's really about user training," said Reiter, noting any employee education needs to be ongoing. "By giving your people the information they need in order to detect phishing, you can protect yourself."

Above all, stress the need to have a secure IT network and policies in place, whether it's through an in-house department or through a reliable IT company. The risks far outweigh the costs of a secure network.

"Our question to business is how long can you afford to be down and stay functioning as a business without the information?" Banke said.

Burke adds: "You have to make sure you're protecting your information. That's your lifeblood."


Fraud or legit? 10 tips to check email

Jim Burke of Links Technology in Schaumburg offers 10 tips employees can use to check whether an email message is legitimate or a potential hack:

1. Don't trust the display name: A favorite phishing tactic is to spoof the display name of an email.

2. Look but don't click: Hover your mouse over any links embedded in the body of the email. If the link address looks weird, don't click on it.

3. Check for spelling mistakes: Brands are pretty serious about email. Legitimate messages usually do not have major spelling mistakes or poor grammar.

4. Analyze the salutation: Is the email addressed to a vague "Valued Customer"? Legitimate businesses will often use a personal salutation with your first and last name.

5. Don't give up personal information: Legitimate banks and most other companies will never ask for personal credentials via email.

6. Beware of urgent or threatening language in the subject line: Invoking a sense of urgency or fear is a common phishing tactic.

7. Review the signature: Lack of details about the signer or how you can contact a company strongly suggests a phish.

8. Don't click on attachments: Including malicious attachments that contain viruses and malware is a common phishing tactic.

9. Don't trust the header "From" email address: Hackers will not only spoof brands in the display name, but also spoof brands in the header "From" email address.

10. Don't believe everything you see: Phishers are extremely good at what they do. Just because an email has convincing brand logos, language, and a seemingly valid email address, does not mean that it's legitimate.
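As an added example (not from the article, Links Technology or 3Points), the following Python script applies tips 1, 2 and 9 together with the lookalike-domain check from the "Getting in" section to a raw email message: it compares the sender's real address domain against the company's own domain, flags near-misses such as @compaany.com, and reports links whose visible text points somewhere other than the address a click would actually open. The company domain, the sample message and the edit-distance threshold are assumptions made for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

COMPANY_DOMAIN = "company.com"  # assumed: the employer's real mail domain
# Simplified link extractor (a real mail client uses a full HTML parser).
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample modelled on the article's scenario; not a real message.
SAMPLE = """From: Jane Doe <jane.doe@compaany.com>
Subject: vendor payment today
Content-Type: text/html

<p>Please set up the $15,000 transfer here:
<a href="http://pay.example.net/transfer">https://portal.company.com/ach</a></p>
"""

def edit_distance(a, b):
    """Levenshtein distance: one or two edits from the real domain is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(url):
    """Hostname of a URL, or of bare text such as 'portal.company.com/ach'."""
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

def check_message(raw, company_domain=COMPANY_DOMAIN):
    # Returns a list of findings; an empty list means nothing looked off.
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg["From"] or "")
    domain = addr.rpartition("@")[2].lower()
    if domain != company_domain:  # tips 1 and 9: the display name proves nothing
        kind = "lookalike" if edit_distance(domain, company_domain) <= 2 else "external"
        findings.append(f"{kind} sender domain {domain} (display name '{name}')")
    body = msg.get_body(preferencelist=("html", "plain"))
    for href, inner in LINK_RE.findall(body.get_content() if body else ""):
        text = re.sub(r"<[^>]+>", "", inner).strip()
        real = host_of(href)  # tip 2: the address that "hovering" would reveal
        if "." in text and " " not in text and host_of(text) != real:
            findings.append(f"link text shows {host_of(text)} but goes to {real}")
        elif real and real != company_domain and not real.endswith("." + company_domain):
            findings.append(f"link '{text}' goes to outside host {real}")
    return findings
```

Running `check_message(SAMPLE)` reports both the lookalike sender domain and the mismatch between the link's displayed address and its real destination.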
