The report cites the Internet Crime Complaint Center, which says that
between October 2013 and December 2016, $5.3 billion was stolen through
BEC. Furthermore, ransomware attacks took around $1 billion in 2016
alone.
The report says there has been an overall increase in spam volume, which
is defined as irrelevant or inappropriate messages, since mid-2016.
However, these emails include “macro-laden malicious documents” that can
work around some defense strategies.
Adam Jones is president and CEO of Firefly Technology, a Kansas
City-based IT company that handles those duties for the National
Auctioneers Association. He chimed in to offer some advice on how
Auctioneers can protect their companies from online attacks.
Cybersecurity: Built-in SPAM filters aren’t enough
First and foremost, Jones recommended that Auctioneers stop relying on
built-in spam filtering with their hosted email products. He said
companies of any size need to subscribe to a third-party spam service
that sits between the internet and the mail host. Some examples include
AppRiver, SecureTide, Barracuda and Mimecast.
What about emails that ask the user to click on something?
“First check the actual email address that the email shows as coming
from,” Jones advised. “This sometimes requires clicking on the name at
the top of the message, but it should reveal the full address.”
Jones also said that while some spam emails do come from the purported
sender's actual account (e.g. in a hack scenario), many of them simply
masquerade the display name. If the email address does not match the one
you would expect, the message can (and should) be disregarded.
Also, if there is a link in an email, right-click it and copy the link.
Then paste it into a web browser, but before pressing Enter, inspect the
address. For example, if someone says they are sending a link to a Google
Apps file, make sure the address you have copied and pasted says
“.google.com.” If the address is something different, that is an
indication the link is not safe, because it will ask for personal
information or download something that will infect your system.
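As an added illustration of the address check above (example code, not from the original article or from Firefly Technology), the following Python compares the hostname of a pasted link against the expected domain at a label boundary, and contrasts that with the plain "does it say .google.com" glance, which is only a substring test; the sample links are constructed and are not real sites:

```python
from urllib.parse import urlsplit

EXPECTED = "google.com"  # the domain the sender claimed, per the example above

def link_host(link):
    """Hostname of a pasted link in lowercase, or None if it is not an http(s) URL."""
    parts = urlsplit(link.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")

def host_matches(host, expected=EXPECTED):
    """True only if host is expected itself or a subdomain of it (label boundary)."""
    if host is None:
        return False
    return host == expected or host.endswith("." + expected)

def link_is_expected(link, expected=EXPECTED):
    """The check to run before pressing Enter on a pasted link."""
    return host_matches(link_host(link), expected)

def naive_check(link, expected=EXPECTED):
    """What a plain 'does it say .google.com' glance amounts to: a substring test."""
    return ("." + expected) in link.lower()

# Constructed sample links (not real sites) with the verdict a careful reader wants.
SAMPLES = {
    "https://docs.google.com/document/d/abc123/edit": True,
    "https://www.google.com.": True,                                  # trailing dot is fine
    "https://drive.google.com.example.net/file": False,               # expected domain mid-host
    "https://example.net/login?next=https://docs.google.com": False,  # only in the query string
    "http://docs.google.com@198.51.100.7/share": False,               # real host is after the @
    "https://accounts-google.com/signin": False,                      # similar-looking name
}

def audit(samples=SAMPLES):
    """Map each link to (label-boundary verdict, naive substring verdict)."""
    return {link: (link_is_expected(link), naive_check(link)) for link in samples}
```

Three of the constructed links pass the naive substring test while failing the hostname check, which is why the address has to be read from the hostname rather than anywhere in the pasted text.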
“As a general rule,” Jones said, “if you are not expecting something
from someone with an attachment, attachments should be viewed
skeptically. If you are suspicious of an attachment, having a
relationship with a knowledgeable IT firm can come in handy as they can
be used as a verification resource.”
Jones said his company uses air-gapped computers on which attachments can
be opened, so that a file can be checked without putting the rest of the
network at risk.
But what if the user has clicked on something in an email that they
immediately realize could be bad news? Jones said the first step is to
shut down the computer. Then, immediately go to another computer and
change the password to that email account.
“Then, engage IT support to ascertain the severity of what might have
happened,” Jones said. “They will determine if the computer is safe to
continue using, or if it should be wiped, cleaned, etc.”
Another precaution to take is to ensure that the mail server is set to
reject emails that do not match someone’s Sender Policy Framework, or
SPF, record. Jones said this is a system that exists to tell email
systems where legitimate email from the domain name should be coming
from.
There is also the risk of becoming an unwitting spam sender. Nobody
willingly does this, and there are ways to ensure it doesn’t happen at
your company.
Jones recommends enabling two-factor authentication, or 2FA. Popular
hosts like Google Suite and Office 365 support this. Basically, 2FA is a
way to take steps beyond a password to gain access to your account.
Once you enter your password, you get a verification message, which will
come over via text to your phone or through an app on your mobile
device.
“This is essential in today’s climate,” Jones said.
To take it a step further, Jones recommends setting up DKIM (DomainKeys
Identified Mail) verification. This is meant to prevent email spoofing and
allows the receiver to verify that the email came from the right domain.
“This is a more modern version of a verification system and can be enacted
with the help of your IT vendor and/or software vendors,” he said.
Cybersecurity: Sending mass emails can be a problem
Also, Jones said to be sure your organization has a proper SPF record
set dictating the servers that might send email@yourdomain.com. An SPF
record is a type of Domain Name System (DNS) record; SPF is an email
validation system that identifies the mail servers that are permitted to
send mail for a domain.
“Once set,” Jones began, “recipient servers that are properly set to
reject email based on what is defined in your SPF record would not
receive emails that come from sources outside of those deemed legitimate
senders for your domain.”
Sending out mass emails can also be a problem. Jones said if you’re
sending out emails that don’t require recipients to know to whom the
email was addressed, use BCC (blind carbon copy).
“This can help prevent a scenario in which a recipient of a mass email
gets hacked,” he said, “and the hacker uses that information to send out
spoofed emails to that group purporting to be the original sender.”
Finally, Jones said many people list their email addresses in plain text
on their website. This makes it easy for spammers to “identify the
corporate hierarchy and then attempt to spoof users into actions of many
types, such as wire transfers, login information, etc.” Instead of
using plain text, you can replace symbols with actual words, such as
replacing @ with “AT.”
Users can also safely post their email address as an image.