Don’t assume that because you are a small business that you won’t be a target of criminal hackers.

You must read this! (Read Time 5 minutes)

Criminal hackers are targeting companies of all sizes today especially small companies.   This is very serious and can happen to your company.  You might have seen the email messages with the attachments that infect your system when opened or have hyperlinks which can take you to nefarious websites. Email add-ons, such as Don't get caught by spear phishersMicrosoft’s Advance Threat Protection, can help protect against those types of email crimes. Those tools can help, but the best thing you can do to protect your company and prevent your employees from clicking on something they shouldn’t is training.   End-users should always be on guard for emails which instruct them to do something which was not solicited by your employee.   For example, if your employee needs to reset or confirm their credentials for an on-line application that they were just trying to sign-in to then they may receive an email within a few seconds of making the request on the website.  On the other hand, an email received asking your employee to verify their credentials that was not solicited by the end-user should be quarantined and reported to the associated on-line site company.

The most diabolical email attack is what is known as Spear Phishing. When criminals plan their crime, they research your company (your website and other public information) and may have even hacked your corporate email system to get the most detailed information on your company’s executives.  Specifically, the CFO and the CEO, for a large company or the finance person and the owner for small company.  The criminals craft a directive email which looks very real, replicating the signature of the CEO/owner and possibly the phrasing used by the CEO/owner extracted from actual emails obtained by the criminals.  Typically, the target of the Spear Phishing email is the CFO/finance person which instructs the CFO/finance person to wire funds to a specific bank account.  The CFO/finance person may even reply back asking for clarifications on the request and all the while thinking they are conversing with the CEO/owner.  A response back to the CFO/finance person confirms the legitimacy of the request which then results in the funds being transferred to the criminals and a crime of larceny.

Be proactive, this diabolical crime is occurring more and more, even your company could be the next target. The most important action you can take is to have a formal training session with your CFO/finance person instructing them on what to look for in emails and particularly those that are requesting funds to be transferred.  First and foremost, check the from email address and make sure it is exact and from your domain. Second, make sure the phrasing and terminology is consistent with the language that the CEO/owner would use.  Lastly, never wire funds without verbal (or better yet…face-to-face) confirmation from the CEO/owner; a second factor of authentication.  Don’t assume that sending a reply email and receiving a response is valid. More than likely you are communicating with the bad actors.

Additionally, it is important to remove any private information from your website or social media sites that provide criminals with specific information on employees; such as their direct email addresses and possibly even their job title.

These basic training instructions may seem obvious, but these types of spear phishing crimes are happening all the time and your company could be next.   After reading this article, make it a point to have the talk with your executive team as soon as possible so they are do not fall victims to these criminals.

If you have questions about Office 365 email security, please feel free to reach out to me at kevin@blueedgeconsulting.com