Recently, our team was alerted to a suspicious email that appeared to be coming from an employee. It looked exactly it should, with the correct signature and other telltale marks of an internal email. But this email was not created or sent by the individual and the concern was immediately referred to the system administrator. Now that we are aware of this threat, we can flag any email that doesn’t seem quite right being sent from our internal team.
Data Theft is Big Business
Scammers are becoming more skilled in putting together a convincing email that makes it look like someone in your company has sent it. In fact, they only need about four or five pieces of personal information to make it seem believable. Scammers get access to your digital data by installing malware onto your system, then sending out crawlers to scan and record your files and exchanges. These may sit dormant for months as the program learns more about you. They can even record your email traffic to mimic how you would speak and what you and your colleagues talk about to provide context. Gone are the days of dead giveaways in emails like misspellings and incorrect branding. Now scammers are able to create emails so realistic even Gmail and Microsoft can’t distinguish them as spam.
As we digitize more and more sensitive information and data increases in value, these attacks show no signs of stopping. There is a hacker attack every 39 seconds, and the average cost of a data breach in 2020 will exceed $150 million. Many companies operate their technology in a connected network. A scammer can cast a botnet across the entire system, increasing data gathering and causing disruptions. Attacks don’t just affect the company, but can be harmful to customers, clients, vendors, and other organizations. The responsibility to manage and block threats cannot fall solely on the IT department or management but must be a company-wide effort at every level.
Check the Health of Your Systems
Consider these points when reviewing your information risks:
- When was the last time your technological systems had a health check-up?
- Who has administrative rights to your systems and how can they ensure quality control?
- How can you limit access control to data, equipment, and the network so it is only used by a specific number of people?
- If there is a concern and the main person responsible is out of the office or the position is vacant, who should be contacted next?
- Does your team have the proper training and awareness to recognize a suspicious email?
- Is any of your third party software operated by foreign vendors? How do you vet vendors to make sure they are safe?
If you’re interested in getting your team talking about digital risks, give our Information Security Marco Programs a try!