Hacked! Spam and phish emails stink.
Learn how you can improve your cybersecurity

Small businesses are a prime target for hackers and spam email campaigns.
Here’s how to better protect your inbox, and your business, through cybersecurity.

By James Myers, contributor

Online threats are on a lot of peoples’ minds, even small business owners, as the public learns more about cybersecurity.

Sure, the headlines are about the big companies, like Home Depot and Target, when they get hit, but small businesses often have less security than big corporations. This makes them a prime target for hackers.

So, it isn’t surprising, or shouldn’t be, that cybercriminals are increasingly preying on businesses through what is called a business email compromise, or BEC, because it has become a “highly lucrative threat vector for attackers,” according to Cisco’s 2017 Midyear Cybersecurity Report.

The report cites the Internet Crime Complaint Center, which says that between October 2013 and December 2016, $5.3 billion was stolen through BEC. Furthermore, ransomware attacks took around $1 billion in 2016 alone.

The report says there has been an overall increase in spam volume, which is defined as irrelevant or inappropriate messages, since mid-2016. However, these emails include “macro-laden malicious documents” that can work around some defense strategies.

Adam Jones is president and CEO of Firefly Technology, a Kansas City-based IT company that handles those duties for the National Auctioneers Association. He chimed in to offer some advice on how Auctioneers can protect their companies from online attacks.

Cybersecurity: Built-in SPAM filters aren’t enough

First and foremost, Jones recommended that Auctioneers stop relying on built-in spam filtering with their hosted email products. He said companies of any size need to subscribe to a third-party spam service that sits between the internet and the mail host. Some examples include AppRiver, SecureTide, Barracuda and Mimecast.

What about emails that ask the user to click on something?
“First check the actual email address that the email shows as coming from,” Jones advised. “This sometimes requires clicking on the name at the top of the message, but it should reveal the full address.”

Jones also said while there are spam emails that either masquerade or have come from the actual purported sender (e.g. in a hack scenario), many times, they simply masquerade the name. If the email address does not match that which you would expect, it can (and should) be disregarded.

Also, if there is a link in an email, right click on it and copy the link. Then paste the link into a web browser, but before pressing enter, check out the link. For example, if someone said they’re sending a link to a Google Apps file, make sure the address that you’ve copied and pasted says “.google.com.” If the address is something different, it is an indication that the link is not safe because it will ask for personal information or download something that will infect your system.

“As a general rule,” Jones said, “if you are not expecting something from someone with an attachment, attachments should be viewed skeptically. If you are suspicious of an attachment, having a relationship with a knowledgeable IT firm can come in handy as they can be used as a verification resource.”

Jones said his company utilizes air-gapped computers that they can open attachments on, which tests for validity without putting their network of computers at risk.

But what if the user has clicked on something in an email that they immediately realize could be bad news? Jones said the first step is to shut down the computer. Then, immediately go to another computer and change the password to that email account.

“Then, engage IT support to ascertain the severity of what might have happened,” Jones said. “They will determine if the computer is safe to continue using, or if it should be wiped, cleaned, etc.”

Another precaution to take is to ensure that the mail server is set to reject emails that do not match someone’s Sender Policy Framework, or SPF, record. Jones said this is a system that exists to tell email systems where legitimate email from the domain name should be coming from.

There is also the risk of becoming an unwitting spam sender. Nobody willingly does this, and there are ways to ensure it doesn’t happen at your company.

Jones recommends enabling two-factor authentication, or 2FA. Popular hosts like Google Suite and Office 365 support this. Basically, 2FA is a way to take steps beyond a password to gain access to your account. Once you enter your password, you get a verification message, which will come over via text to your phone or through an app on your mobile device.

“This is essential in today’s climate,” Jones said.

To take it a step further, Jones recommends setting up DKIM (DomainKeys Identified Mail) verification. This is to prevent email spoofing and allows the receiver to verify that the email came from the right domain

“This is a more modern version of verification system and can be enacted with the help of your IT vendor and/or software vendors,” he said.

Cybersecurity: Sending mass emails can be a problem

Also, Jones said to be sure your organization has a proper SPF record set dictating the servers that might send email@yourdomain.com. An SPF record is a type of Domain Name Service (DNS), which is an email validation system that identifies the mail servers that are permitted to send mail.

“Once set,” Jones began, “recipient servers that are properly set to reject email based on what is defined in your SPF record would not receive emails that come from sources outside of those deemed legitimate senders for your domain.”

Sending out mass emails can also be a problem. Jones said if you’re sending out emails that don’t require recipients to know to whom the email was addressed, use BCC (blind carbon copy).

“This can help prevent a scenario in which a recipient of a mass email gets hacked,” he said, “and the hacker uses that information to send out spoofed emails to that group purporting to be the original sender.”

Finally, Jones said many people list their email addresses in plain text on their website. This makes it easy for spammer to “identify the corporate hierarchy and then attempt to spoof users into actions of many types, such as wire transfers, login information, etc.” Instead of using plain text, you can replace symbols with actual words, such as replacing @ with “AT.”

Users can also safely post their email address as an image.