The scam you wont notice until it’s too late
Theres no shortage of scams out there, many designed to steal your personal details, most of these are fairly easy to spot if you are a logical, relatively tech savvy person. This particular scam, is much harder to detect and could cost you and your customers thousands.
You could be a victim
Many small businesses assume that they will not be the target of a scam, after all, why mess with you when there are multimillion pound companies out there that would hardly notice a few hundred thousand pounds missing from their account? Well the answer is simple…
You are an easy target!
Unfortunately, small businesses are the perfect target for digital scams, here’s a few reasons why:
You probably do not have an IT department – Large businesses have IT departments, people who’s job it is to keep your systems up to date, safe and virus free. They also implement security procedures to prevent you and other staff falling foul of a social engineering scam.
Your computers security is probably very low grade, or even nonexistent – Let’s be honest, computer updates are a pain, the computer works fine without them anyway? Except these updates often contain patches that cover holes (possible venerabilities) in the previous software versions. Once these updates are released, these weaknesses are now public knowledge, so people who have not updated to the latest software version are even more vulnerable than before.
Also, your antivirus software probably expired at the end of its 30 day free trial didn’t it? To a hacker, this is the equivalent of printing your bank details on the back of your shirt.
Your passwords are weak – This is one people struggle with, your daughters name with the last three digits of your old telephone number is NOT a secure password. Neither is your company name, your surname, the make and model of your car or pretty much anything else that you would actually be able to remember.
This deserves a bit more detail… Firstly, passwords that are memorable words are notoriously easy to guess, Secondly, even if you think no one would guess your password, a computer will happily try thousands of different combinations in a matter of minutes on the hackers behalf, yes there is software specially designed to crack passwords and it works dangerously well. We will talk about how to protect yourself from weak passwords later in the article.
You probably do not have company wide security procedures – Procedures are boring, and most small companies don’t have them. Procedures could include telling staff how to handle emails from people they don’t know, rules about accessing certain websites when on the company network etc. To put good extremely effective procedures in place, it’s worth talking to a professional (thats NOT me by the way). That said, simply not opening files from unknown email senders is a great place to start. You know all those emails you receive that have an “invoice” attached from people you don’t know… They are trying to gain access to your computer, chances are, if you have opened one of those strange attachments, a hacker has access to your computer… Yep, it’s that easy!
You charge you customers large enough amounts for it to be a big win for hackers, but not so big that they will be hunted to the ends of the earth by the police – The thing with being a hacker, is it’s really easy to cover your tracks.
Now theres not really a cut of point when the police “stop caring” but lets face facts, if Barclays gets hacked and millions of pounds go missing, it’s probably going to take priority over a plumber who “thinks he might have been hacked” and lost three grand.
I’m sorry for this, but most small business owners are just not that tech savvy – Again, no offence intended, but would you know if your system is compromised? Most small business owners could have been hacked for years and still not know, all that time hackers can literally be watching everything you are doing on your computer, intercepting every bit of text you type and even watching you on your webcam… scary! This isn’t just a government conspiracy, you could learn how to do this by watching a ten minute youtube video.
Does this really happen?
Yes it does, the reason i am writing this article is because it happened to a client of mine just a few days ago. Luckily, it was nothing to do with Webimpress, it was a hack on the customers independent email servers which are not managed by us.
That said it doesn’t make it any less of a bad situation. The company that fell victim of this attack has five or so staff, most of which are fairly clued up tech users, they deal with some quite large projects (sending a £50,000+ invoice wouldn’t be unusual) they also manage their own Microsoft exchange email server.
Here’s what happened:
This company have a range of customers, many of which are large businesses who have accounts departments, therefore the invoices would probably be getting paid by people who pay invoices for a living and have never met the people who have invoiced them.
The companies main email account was hacked because one of the business owners downloaded an email attachment which allowed the hacker to intercept all text that was typed on the computer.
The next time the director accessed his office 365 account, the hacker was able to see the password that was typed in, giving the hacker admin access to the office 365 account and all of the email accounts associated with it (amongst other things).
Now the hacker can see all incoming and outgoing communications from these email accounts, which is where things start to get really dangerous. Setting aside the GDPR breach, and probably a series of other privacy laws the hacker is actually able to see who they are dealing with, their names, their writing style, their letterheads etc.
Once the hacker had gathered enough information they then copied the companies invoice style, and started writing their own invoices and sending them to customers from the companies email address.
So, the customers accounts department received these invoices in the style, design and even the greeting in the email looked exactly as it would have if it was a real invoice… There was no reason at all for the customer to suspect this was not a real invoice. The only thing that was different about this fake invoice/email was the bank details, they were those of the hacker.
This is thankfully where things went downhill for the hacker…
A touch of luck
Luckily the accounts department at the company who received this fake email was switched on, and decided to query about the change in bank details, many wouldn’t. In fact, if i was the hacker my email probably would have looked a bit like this:
I hope your week is going well.
Thank you for your recent business, please find attached your invoice for the recent work on your property.
Also, we have recently changed our banking details as we have signed new accountants and they suggested xyz bank would integrate better with out new software”
Could this happen to you?
Would your customers question this email? after all, that certainly sounds like a good reason to have changed your banking details.
Luckily, the customer raised the alarm in this case, triggering an investigation leading to the issue being resolved with no real harm done. But this was more luck than anything else, and possibly an experienced accounts department at the other company, but it could have easily gone much much worse.
What would you do?
Imagine if your most recent customer paid your bill to a hacker, who is responsible? Your customer is a victim of a scam and so are you, but your lack of digital security lead to the scam, so in theory…. You would be responsible and therefore out of pocket. The reality is, your bank wouldn’t particularly care, the police will take notes and sound enthusiastic, but the chances are, the money is long gone, and the hacker has cleaned up his tracks and is gone with the wind… And your money…
For most small businesses, it’s not realistic to have an in house IT department but there are a few simple things you can do to limit the possibility of falling victim to a scam like this.
Update your computer
Stop putting off updates, I know they are a pain and mess up your day, but they do include important security updates designed to protect you from potential hack attempts. While email hacks are most likely not going to be stopped by software updates, there are many other types of hacks that are just as easy to orchestrate that these updates would help protect you from.
Use very secure passwords, there are a tonne of password generators online that will create nice secure passwords for you, using a mixture of upper and lower case letters, symbols and digits, and make them as long as possible… The longer the password, the harder it is for software to crack, also using random passwords takes out the opportunity for hackers to simply guess your password.
I understand they are impossible to memorise, luckily i have a trick for that coming up shortly.
Do not use duplicate passwords
So, how many passwords do you use? 1, 3 maybe 4 different variations on the same password? When you sign up to a forum, or buy something online and create an account, using the same password every time you have created a single point of failure.
Many websites are poorly maintained, store passwords in an insecure manner and are massive sources of data for hackers.
Your password is stored on the servers of every website you hold an account with. Passwords are normally encrypted on servers meaning they are hard for a human to decipher, however they can be decrypted and some databases are not even encrypted in the first place.
So if you only use a couple of different passwords, or one password for everything, once a hacker has your password once, they have access to every account you use that password for.
Keeping track of passwords
If you are going to do this properly you are going to have hundreds of passwords, none of which will be memorable – unless you’re a robot.
This is where it’s best to use a password manager, I personally use an app called 1password, which has desktop and mobile apps making it really convenient.
This app will securely store all of your passwords in a way that you can find passwords easily when you need them and even copy and paste them directly from the app, you will never have to remember a password again, it even has a secure password generator. You can find it here: https://1password.com/
This part is quite obvious, but one that comes up a lot, and i mean all the time…
If you get an email from an unknown sender, do not open any attachments and immediately delete the email. Attachments can contain all kinds of nasties that are designed to gain access in one way or another to you computer and your network.
The same applies to links, if you get an email with a link to somewhere you don’t recognise, do not click it!
I am not a huge fan of computer antivirus software, although, it can be pretty useful… It will nanny you a little bit and sometimes slow you down, but it is designed to protect you, find and remove harmful viruses and spyware as well as keep you safe when online. Keep it up to date, let it run its regular scans, and you will be one step closer to security your computer.
Use your brain, if something doesn’t seem right, it probably isn’t. Most of these scams are very simple in nature and are designed to take advantage of the weakest link, oftentimes, that’s the human behind the computer.
Random emails with links requesting a quote, invoices that are not PDFs or look different than usual, dropbox downloads and much more, if it doesn’t look like a normal communication, if the language doesn’t seem quite right, DO NOT get curious, it kills cats, and computers!
This is by no means a comprehensive list of security measures, I am not your guy to answer those questions. I have a keen interest in technology, hacking, security and coding, I love researching these subjects, but it is not part of my business, it’s more of a hobby…Marketing is what I do, and I plan on sticking to it.
That said, if you you follow these above steps you are making yourself a pain in the arse for hackers… When theres thousands of easy targets out there, hackers and scammers would rather go after the weak and venerable. All you really have to do it make yourself less venerable than the next guy, the more security you have the better, but you will never be 100% secure, minimising the risk is the key.
Its worth pointing out, I personally did not deal with this issue, I was involved enough to know exactly what happened and the background behind it. This is also not the first time i have seen this particular technique used, in-fact it’s the third time this year.
In this particular situation my client used an Ashford based IT company who fixed the issue in a matter of hours and secured their systems for the future, I have no affiliation with them what so ever, however I was extremely impressed with their service and had a great chat with them on the phone. You can visit them here: https://www.mpr-it.co.uk As I mentioned, I am in no way connected to MPR IT nor do I get any kickbacks for referrals or recommendations, I simply believe in credit where credit is due.
Thank you for reading, I hope you have found this both insightful and useful.
All the best, Tom