535 Connecticut Ave. Suite 104
Norwalk, CT 06854
Empire State Building
350 Fifth Avenue, 59th fl.
New York City, NY 10118

Featured Article

September 11, 2017

Warn Your Workers: Do Not Click on This BBB E-Mail

Many of us are familiar with the IRS scam, in which malicious emails or callers try to get payment or password information from unsuspecting users. A newer tactic scammers are using is to pretend they are from the Better Business Bureau (BBB).

The example below is from an actual email sent to a user today. It claims there is a violation of “The Safety and Health Act.” As you can see, it could easily be mistaken for a legitimate email.

From: James J Huff [mailto:kpenabari.taoh@ndsu.edu]

Sent: Monday, September 11, 2017 11:10 AM

To: Michael XXXXXXX

Subject: Incident:758054649802:395

This email notification has been automatically sent to you because BBB has got a complaint, claiming that your company is violating the The Safety and Health Act.

You can download the document with the explication of abuse by following the link https://bit.ly/XXXX

We also request that you give a short response within 24 hours to us. This message should contain information about what you plan to do with it.

Important notice:

When replying to us, keep the abuse ID "Incident:758054649802:395" unchanged in the subject  line.

BBB

Abuse Department

James J Huff

Obviously the word “explication” is out of place, as it is not a common word. But it does exist, and to some readers it could make the message look official.

The challenge with emails like this is that they are becoming more targeted and more believably crafted.

A scammer, it should be noted, only needs a few clicks out of potentially millions of sent messages for the strategy to pay off.
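The tells the article points out (a message that claims to come from the BBB but is sent from an unrelated university address, a shortened link that hides its destination, and a 24-hour deadline) are all things a mail filter or help-desk triage script can check mechanically. The following is an added example, not code from the original article; the sample message is reconstructed from the email quoted above (with the recipient name and link left as the article's placeholders), and the organization-to-domain table, shortener list and urgency phrases are assumptions chosen for the illustration.

```python
"""Triage heuristics for a suspected organization-impersonation email.

Added example for illustration only. The sample below is reconstructed from
the message quoted in the article; the domain and phrase lists are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the message quoted in the article.
SAMPLE_EMAIL = """\
From: James J Huff <kpenabari.taoh@ndsu.edu>
To: Michael XXXXXXX
Subject: Incident:758054649802:395

This email notification has been automatically sent to you because BBB has got
a complaint, claiming that your company is violating the The Safety and Health Act.

You can download the document with the explication of abuse by following the
link https://bit.ly/XXXX

We also request that you give a short response within 24 hours to us.

BBB
Abuse Department
"""

# Constructed contrast case: same organization named, but sent from its own
# domain, with a direct link and no deadline.
CLEAN_EMAIL = """\
From: Accreditation <notices@bbb.org>
To: Michael XXXXXXX
Subject: Your BBB accreditation renewal

Your renewal documents are available at https://www.bbb.org/renewal
"""

# Assumed: frequently impersonated organizations and the domains they really
# send from. A production list would be maintained and reviewed regularly.
CLAIMED_ORG_DOMAINS = {
    "bbb": {"bbb.org"},
    "irs": {"irs.gov"},
}

# Assumed: link-shortener hosts that hide the real destination from the reader.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co"}

# Assumed: phrases that pressure the reader into acting before checking.
URGENCY_PATTERNS = [r"within \d+ hours", r"immediately", r"account will be (closed|suspended)"]

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def sender_domain(msg):
    """Return the lowercase domain of the From: address ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def body_text(msg):
    """Return the plain-text body (first text/plain part for multipart mail)."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                return part.get_payload(decode=True).decode(errors="replace")
        return ""
    return msg.get_payload()


def triage(raw):
    """Return a list of indicator strings found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    text = body_text(msg)
    lowered = text.lower()
    indicators = []

    # 1. Organization named in the body vs. the domain that actually sent it.
    domain = sender_domain(msg)
    for org, domains in CLAIMED_ORG_DOMAINS.items():
        if re.search(rf"\b{org}\b", lowered) and domain not in domains:
            indicators.append(f"claims to be {org.upper()} but sent from {domain or 'unknown'}")

    # 2. Links routed through a shortener, so the true destination is hidden.
    for host in URL_RE.findall(text):
        if host.lower() in SHORTENER_HOSTS:
            indicators.append(f"shortened link via {host.lower()}")

    # 3. Artificial deadlines.
    for pattern in URGENCY_PATTERNS:
        if re.search(pattern, lowered):
            indicators.append(f"urgency cue: {pattern!r}")

    return indicators


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, "->", triage(raw) or ["no indicators"])
```

Run against the reconstructed scam message, triage() reports all three indicators (BBB named but sent from ndsu.edu, a bit.ly link, and the "within 24 hours" deadline); the contrast message from bbb.org reports none. None of these checks is conclusive on its own, which is why they are best used to route a message to a human reviewer or to add a visible banner rather than to silently drop mail.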

This sort of email, when put into context, shows how dangerous things are getting online. You may recall that we recently reported how 711 million email addresses were stolen by hackers — giving them a large number of targets to go after. This is around 11 percent of email addresses. In theory, if you have a company with more than 5 people, one or more of you are on the list of stolen accounts.

Couple this with the recent news that only 77 percent of universities, colleges, high schools and other educational institutions feel prepared to handle today’s cyberthreats. In other recent news, credit agency Equifax just leaked the financial records of 143 million people, and a major Canadian university was tricked into wiring $8 million to scammers. So as you can see, this problem is getting worse and will continue to do so for many years to come.

There is no easy solution per se – you can only do a better job of protecting yourself and your business online.

Here are some of the best ways to do so:

1. Cybersecurity training is crucial.

2. Auditing and documentation must be performed to ensure systems are secure.

3. Anomaly detection should be running constantly to detect threats as they emerge.

4. Penetration testing will show if your systems can easily be reached from the outside. Here is a case where this test might have saved the reputations of two companies from being destroyed.

5. Finally, network forensics should be used when a breach eventually does occur. The bad guys always seem to get in eventually.

Companies and individuals are at war with hackers, and most don’t even realize it. At the same time, hackers are getting increasingly sophisticated as the above email indicates. They are targeting corporate secrets, extorting companies with ransomware and tricking organizations into wiring money to them. And this is only the tip of the cybercrime iceberg.

If your company is important to you, be sure to consult an expert – an internal one who should be audited by an external organization at least annually or a top MSP or MSSP with enough depth on their team to ensure systems are securely operating.
