If your mom/grandma/best friend/biggest client sent you this email, what would you do?
Hey, I got this attachment from Aunt Bette and it won’t open for me – could you see if you can open it?
Would you open the attachment? No really, think about it – not as if you’re reading a blog about cyber attacks, but as if you’re amidst the hurried moments of life checking emails and texts while waiting in line somewhere. Would you click it without even thinking, just wanting to see what the problem is with the attachment?
Many of us would. It was from your biggest client, and you want help if you can, right?
Recognizing social engineering
One wrong click is all it takes to become a victim of a cyber attack, and it happened to my agency (more on that in a moment). The “bad actors” (a term common in the cyber attack space that I learned after all this happened to us) out there can “spoof” or trick you into thinking that an email came from someone you know and trust. Worse yet, maybe they’ve already hacked into that person’s account and they’re about to drag you into their web.
Social engineering attacks are the most common attack on small businesses. Social engineering refers to a wide range of tactics that rely on human error rather than vulnerabilities in systems. Hackers employ social engineering to trick users into giving money, providing sensitive information, or installing malware on their computer systems. It is estimated that 90-95% of breaches that occur in small businesses are from social engineering.
Preventing attacks at your agency
If an employee of yours gets an email from you asking to urgently pay an overdue invoice they aren’t expecting, will they do it to avoid risking their job? It’s all about the trick – it will look like it’s coming from you. Do you have processes in place to help prevent an employee from sending $2500 to a bad actor thinking they are following your instructions?
While our agency will likely never know the exact sequence of events that made our attack possible, we do know a little about it. We believe that a user clicked an attachment thinking it was from someone she knew, but backed out of it in a hurry to an appointment and planned to look closer later.
But by then it was too late. Shortly after she left that day, our team started getting weird emails, which were reported immediately. Our swift action in recognizing what might be going on helped us prevent a huge problem. We had the incident investigated by professionals and analyzed to make sure we had not put anyone in harm’s way. Luckily, investigation revealed we did not, but it cost a few thousand dollars to find that out (still much better than a few hundred thousand if the attack had run its course for longer).
Working with cyber carriers
We learned a lot from the attack and came out stronger after. I can’t implore you enough – reach out to a true cyber carrier today to:
- Insure your agency against cyber attacks
- Improve your business practices and prevention measures
- Educate your team on professional cyber training methods
- Offer cyber coverage to every account, personal and commercial
Implementing preventative measures at your agency
Talk to your team to educate them on social engineering. Tell them to listen to their gut if any warning bells go off – don’t ignore them!
If an email doesn’t sound like the person it’s from or has unexpected instructions, call them to check (don’t respond to the email, as you could be corresponding with the bad actor). If you weren’t expecting an attachment, don’t click on it to see what it is. Again, call to ensure the correct person truly sent it to you. Don’t forget to look at the actual email address the email is coming from, not just the From name – a bad actor can easily put the name of someone you know on their own email address.
Put a plan in place for what you want your staff to do if any suspicious emails come in. Develop and educate on a plan for what should be done if someone does click on something suspicious – the speed of your response to incidents is vital.
Make sure your team knows you will never ask them to send money, pay an invoice, or buy anything online via an email alone. Be sure they watch even expected vendors for changes or shifts, because bad actors could try to act like someone you already do business with. They should never click on a link in an email to update a password or other information on a site or application – always go straight to the site and do it from there to ensure you’re not giving your credentials to a bad actor.
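As an added illustration of the "look at the actual address, not just the From name" check above (example code written for this page, not the author's or the agency's), this Python snippet parses a raw From header and flags a display name that matches a known contact while the actual sending address does not. The address book and sample headers are constructed for the example.

```python
from email.utils import parseaddr

# Constructed sample address book: display names the team would recognise,
# mapped to the address each contact really sends from.
KNOWN_CONTACTS = {
    "aunt bette": "bette@example.com",
    "pnw insurance": "owner@pnw-insurance.example",
}


def check_from_header(from_header: str) -> str:
    """Classify a raw From header.

    Returns one of:
      "trusted"    - display name and address both match a known contact
      "suspicious" - display name impersonates a contact, address does not match
      "unknown"    - display name is not in the address book
    """
    display_name, address = parseaddr(from_header)
    name_key = display_name.strip().lower()
    address = address.strip().lower()
    # A display name that is itself an email address, but differs from the
    # real sending address, is a common way to make a message look trusted.
    if "@" in name_key and name_key != address:
        return "suspicious"
    expected = KNOWN_CONTACTS.get(name_key)
    if expected is None:
        return "unknown"
    if address == expected:
        return "trusted"
    return "suspicious"


# Constructed sample From headers: one genuine, one with a familiar name on a
# foreign address, one genuine business address, one unknown sender.
SAMPLE_HEADERS = [
    "Aunt Bette <bette@example.com>",
    "Aunt Bette <bette.example@mail-attacker.example>",
    "PNW Insurance <owner@pnw-insurance.example>",
    "Some Vendor <billing@vendor.example>",
]


def triage(headers):
    """Return (header, verdict) pairs for a batch of From headers."""
    return [(h, check_from_header(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS):
        print(f"{verdict:10s}  {header}")
```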
Arming your agency and clients against attacks
It is estimated that only 17% of small businesses have cyber insurance, and that 60% of small businesses go out of business within six months of a cyber attack. Get processes for prevention and education in place for your agency as soon as possible, and then help your clients do the same.
Help fight back – arm and educate today.
Board Member – PNW Insurance