Many of our clients have reported recent messages from individuals claiming to have intercepted their username and password. These emails often state they have been watching and recording your screen activity and webcam.
Businesses around the world are being targeted with a cyber-attack that sends victims a fake invoice that looks real enough to fool most people. It is based on an old scam that used to see invoices faxed or mailed to the victims; now it has made its way into the digital world and instances are on the rise.
You may have already seen some of the less effective attempts – an email advising your domain is expiring (except it’s not from your host and your domain is nowhere near expiration) or others that describe a product or service you would never have purchased.
The new attacks, though, are much more advanced: they look completely legitimate and often appear to come from contractors and suppliers you actually use. The logos are correct, spelling and grammar are spot on, and they might even refer to actual work or products you regularly use. The sender's name may also be the normal contact you deal with at that business, as cyber criminals are able to ‘spoof’ real accounts and real people. While it is worrying that they know enough about your business to wear that disguise so well, a successful attack relies on you not knowing what to look for.
Here are two types of invoice attacks you may receive:
1) The Payment Redirect
This style of fake invoice either explicitly states that the payment should be made to a certain account (perhaps with a friendly note listing the new details) or includes a payment link direct to a new account. Your accounts payable person believes they are doing the right thing by resolving the invoice without bothering you and unwittingly sends money to a third party. The problem may not be discovered until an invoice from the real supplier comes in or the transaction is flagged in an audit. Due to the nature of international cyber crime, it’s unlikely you’ll be able to recover the funds even if you catch it quickly.
2) The Malware Link
Rather than an immediate cash grab, this style of attack asks your employee to click a link to download the invoice. The email may even look exactly like the ones normally generated by popular accounting tools like Quickbooks, Xero or MYOB. Once your employee has clicked the link, malware is downloaded to your systems that can trigger ransomware or data breaches. While an up-to-date anti-virus should block the attack at that stage, it’s not always guaranteed (especially with new and undiscovered malware). If it does get through, the malware quickly embeds itself deep into your systems and often remains silent until detected or activated.
How to Stay Safe
Awareness is key to ensuring these types of attacks have no impact on your business. As always, keep your anti-virus, firewalls and spam filters up to date to minimize the risk of the emails getting through in the first place.
Secondly, consider implementing a simple set of procedures regarding payments. These could include verifying account changes with a phone call (to the number you have on record, not the one in the email), double-checking invoices against purchase orders, appointing a single administrator to restrict access to accounts, or even two-factor authorization for payments. Simple preemptive checks like hovering the mouse over any link before clicking and quickly making sure it looks correct can also help. If anything looks off, hold back on paying or clicking until it has been reviewed. Fake invoice attacks may be increasing, but that doesn’t mean your business will become a statistic, especially now that you know what’s going on and how you can stop them.
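The payment procedures above (verify any bank-detail change by calling the number on record, match invoices to purchase orders, hold anything unusual) can be written down as an accounts-payable gate. The following is an added example, not code from the original post or from any accounting product it names; the vendor record, purchase order and invoices are constructed sample data, and the phone number called always comes from the vendor master, never from the invoice or the email that carried it.

```python
# Added example: a minimal accounts-payable gate for the payment-redirect scam.
# Vendor master, purchase orders and invoices are constructed sample data.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BankDetails:
    bsb: str       # branch code, e.g. "062-000"
    account: str


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    invoice_no: str
    amount: float
    bank: BankDetails            # details printed on, or linked from, the invoice
    po_number: Optional[str] = None


# Vendor master: the bank details and phone number we hold on file.
# Only this phone number is ever called to confirm a change.
VENDOR_MASTER = {
    "V100": {"name": "Acme Plumbing (constructed)",
             "bank": BankDetails("062-000", "12345678"),
             "phone": "08 0000 0000"},
}
# purchase order -> (vendor_id, approved amount)
OPEN_PURCHASE_ORDERS = {"PO-2031": ("V100", 1480.00)}


def review_invoice(inv, master=VENDOR_MASTER, pos=OPEN_PURCHASE_ORDERS):
    """Return ('PAY', []) or ('HOLD', reasons). Anything unusual is held."""
    vendor = master.get(inv.vendor_id)
    if vendor is None:
        return "HOLD", ["vendor not in master record"]
    reasons = []
    if inv.bank != vendor["bank"]:
        # The classic redirect: "please note our new account details".
        reasons.append("bank details differ from vendor master; "
                       f"confirm by phone on {vendor['phone']} before paying")
    if inv.po_number is None:
        reasons.append("no purchase order referenced")
    elif inv.po_number not in pos:
        reasons.append(f"unknown purchase order {inv.po_number}")
    else:
        po_vendor, po_amount = pos[inv.po_number]
        if po_vendor != inv.vendor_id:
            reasons.append(f"{inv.po_number} was raised for a different vendor")
        elif abs(po_amount - inv.amount) > 0.005:
            reasons.append(f"amount {inv.amount:.2f} does not match PO {po_amount:.2f}")
    return ("HOLD", reasons) if reasons else ("PAY", [])


def update_bank_details(vendor_id, new_bank, verified_by_call_to_record_number,
                        approver, master=VENDOR_MASTER):
    """Apply a bank-detail change only after a call to the number on record
    and sign-off by a named approver. Returns True if the change was applied."""
    if vendor_id not in master:
        return False
    if not verified_by_call_to_record_number or not approver:
        return False
    master[vendor_id]["bank"] = new_bank
    return True


if __name__ == "__main__":
    redirect = Invoice("V100", "INV-78", 1480.00,
                       BankDetails("999-999", "00000001"), "PO-2031")
    print(review_invoice(redirect))   # held: bank details differ from master
```

Two design points: an unknown purchase order or a missing one is a reason to hold, not to pay, and the master record can only change through a function that demands the out-of-band confirmation, so an email alone can never move the money.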
We can help increase your security, talk to us today. Call us at 08 8326 4364 or on firstname.lastname@example.org
Every employee shares one inescapable flaw that is putting businesses at risk – they are human.
Up to 59% of data breaches can be traced back to something an employee did or didn’t do, which helped create a security incident or cyber-attack.
To help prevent security issues, build security awareness and respect into your company culture, so that maintaining digital security becomes as simple as making a cup of coffee.
Use complex passwords: Every employee, including management and owners, needs to use an alphanumeric password that they haven’t used before. Password managers can assist with making sure they’re never forgotten.
Verify unknown identities: Not familiar with ‘Jenny from Accounting’ who has called to ask for sensitive information? Double-check the caller’s identity and access permissions before releasing any information. Hackers love to play on our desire to help other people.
Encrypt by default: People regularly transfer data to a laptop, USB drive or smartphone so they can work offsite. Unfortunately this equipment can be easily stolen or lost. Set operating systems to encrypt data by default, so that it becomes useless in the wrong hands.
Protect portable devices: Laptops, mobile phones and other portable devices should always require a password and be set to auto-lock after a short period of time. Never leave them unattended in cars, buses, restrooms etc., and if travelling by plane take them on board as carry-on luggage.
Set personal usage rules: Many businesses block productivity vacuums such as Facebook and other websites, but what are the rules regarding games, video streaming or shopping? Can users install their own software? When business devices are used for personal purposes, security tends to slide, which results in unintentional malware installation. Also, don’t let an employee’s spouse or children use any company device.
Educate often: People often fall into the “it won’t happen to me” mindset. As security threats change regularly, have a quick five-minute discussion once a month to remind staff that you always need to be vigilant.
Some things to discuss with staff are:
- Links in emails – Hackers often send emails that look like they are from your bank, phone company or similar. Be sure to check the link by hovering over it with your mouse. This method of attack is known as ‘phishing’.
- Tech scam popups – Be on the lookout for popups advising that your computer is infected and you need to call a phone number or download software.
- Email attachments – Never open an unknown attachment, even from people you know and trust. If you are not expecting an attachment from the sender, always contact them to confirm and scan it for malware before opening.
If you need help implementing better security practices in your business, give us a call on 08 8326 4364 or via email at email@example.com
If your computer had a security problem, you’d want to know about it ASAP, right?
Before your important files are corrupted, your photos lost and your digital life destroyed. Even thinking about it gives me the shivers.
Tech scammers know we’d be lost without our computers, and that we don’t always know what’s going on behind the screen – which is why they’ve been able to swindle millions from everyday people across the world.
The scam goes like this:
One day out of the blue you receive a phone call from someone with a heavy accent (usually Indian) saying they’re from Microsoft (or some other company), or a worrying pop-up appears on your screen saying your system has been infected with a virus.
To fix the problem, the caller or the pop-up tells you to download some support software, which they’ll give you a special link for.
A technician then uses that software to gain access to your system and make it appear your system is riddled with viruses. Flashing screens, mysterious diagnostics whizzing by, fabricated errors…they’ll do or say anything to make you panic. They’ll even go as far as claiming your system has been infected with illegal content and if not corrected you will face criminal charges.
Demands for credit card information follow soon after. Once the card details are provided, they simply stop fiddling with your system to make it seem the problem is fixed. To continue the scam, they’ll soon access your system again to recreate the problem, this time offering an ongoing paid subscription for ongoing protection.
What To Do If You’re Targeted By A Tech Scam
1. Don’t taunt them. Just hang up. Right now you’re only a phone number in their system and they’ll move onto the next – if you give them cause to target you personally, you may find yourself in a dangerous situation.
The real Microsoft will never randomly call people like this. Ever.
2. If a pop-up appears, immediately run an anti-virus scan. Don’t click the pop-up or call the number.
What To Do If You’ve Already Been Scammed
It’s okay. It feels horrible, but you’re not alone and the situation can be corrected.
Call your financial institution and have the charges reversed and your card reissued. It’s easier than you might think and helps the authorities locate the scammers.
Then give us a call on 08 8326 4364 (or firstname.lastname@example.org) and we’ll make sure they no longer have access to your computer.
What is a Phishing Attack
Phishing is an attempt to trick you into giving out personal information such as bank account details, passwords and credit card numbers.
It works by someone contacting you pretending to be from a legitimate business. They then ask you to provide or confirm certain confidential information. This contact can come in a variety of formats such as email, social media, phone call or text message. The messages are designed to look genuine and often use copied logos and branding from the legitimate company.
Once the scammer has this information they can then use this to carry out fraudulent activities such as emptying your bank account or using your credit cards.
How to Avoid a Phishing Attack
Some tips to help you avoid a phishing attack are:
- Don’t reply to any suspicious-looking emails or messages that ask you to confirm or update any information about your account, whether they appear to be from a coworker, finance company, friend, bank etc.
- Don’t click or visit any links contained in suspicious emails or messages. Even if the website looks legitimate, it will most likely infect your computer or do something worse.
- Legitimate businesses, organisations and government departments will never send you a message to ask for your login information or sensitive personal information. If in doubt ring the organisation in question but don’t ring any numbers listed in the suspicious message.
- Ignore emails that try to convey a sense of urgency and / or are requesting you to “Verify your account” right away due to ‘security issues’, ‘suspicious activity’ or ‘failed login attempt’ or the like.
- Do not copy website links from suspicious messages and paste them into your web browser.
- Never open or save any documents or attachments that come from possible spam and / or virus mails.
- Never send confidential information about any of your accounts in an email.
- If you’re unsure or suspicious about an email from a ‘friend’ or ‘colleague’, call them (i.e. don’t respond to the suspicious email) to see if that really was a legitimate message.
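Two of the checks in this list, and in the staff discussion points earlier on this page, can be automated for a mail gateway or a help-desk triage script: the "hover over the link" check (does the text shown for a link point at the same domain as the address it actually goes to?) and the urgency-language check (‘Verify your account’, ‘suspicious activity’, ‘failed login attempt’). The script below is an added example, not code from the original posts or from any product they mention; the email body is a constructed sample, `examplebank.com` is a made-up trusted domain, and the "registrable domain" helper is a deliberate simplification (it takes the last two labels, so it would treat `co.uk` sites wrongly; a real deployment would consult the public suffix list).

```python
# Added example: flag link-text/href mismatches and urgency phrases in an
# HTML email body. Sample email and domains are constructed, not real.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases the page lists as pressure tactics in phishing messages.
URGENCY_PHRASES = ("verify your account", "suspicious activity",
                   "failed login attempt", "immediately")

# Something that looks like a domain or URL, e.g. "www.examplebank.com/login".
DOMAIN_LIKE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]|$)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname of a URL or bare domain-looking string; '' if it is neither."""
    v = value.strip()
    if not DOMAIN_LIKE.match(v):
        return ""
    if "://" not in v:
        v = "http://" + v
    return (urlparse(v).hostname or "").lower()


def registrable(host):
    """Simplified registrable domain: last two labels (no public suffix list)."""
    return ".".join(host.split(".")[-2:])


def analyse_email(html_body, trusted_domains=()):
    """Return a list of (kind, detail, href) findings; empty means nothing flagged."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host, text_host = host_of(href), host_of(text)
        if text_host and registrable(text_host) != registrable(href_host):
            # What the user sees is not where the click goes: the hover check.
            findings.append(("link_mismatch", text, href))
        elif href_host and trusted_domains and registrable(href_host) not in trusted_domains:
            findings.append(("untrusted_link", text, href))
    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in plain:
            findings.append(("urgency", phrase, ""))
    return findings


# Constructed sample: the visible link text shows the bank's domain, the
# href goes somewhere else entirely, and the wording pushes for haste.
SAMPLE_EMAIL = """<html><body>
<p>We detected suspicious activity on your account.</p>
<p>Please <a href="http://login.examplebank.com.evil-host.test/verify">www.examplebank.com/login</a>
to verify your account immediately.</p>
<p><a href="https://www.examplebank.com/help">Help centre</a></p>
</body></html>"""

if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_EMAIL, trusted_domains=("examplebank.com",)):
        print(finding)
```

The mismatch rule fires only when the visible text itself looks like an address; a link labelled "Help centre" is judged by the trusted-domain list instead, which is the same thing a person does when they hover and read the status bar.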
Further information is provided at the Australian Government’s Scam Watch website – http://www.scamwatch.gov.au/