By: Adam Boyle, Business Account Consultant
Data is both the lifeblood of 99% of businesses today and a valuable commodity for cyber attackers.
Phishing and password attacks aren’t the only way hackers try to get to your company’s information. Sometimes they simply call and convince you to give it to them, without you realizing what is happening.
A local business recently received a call from a person claiming to be a member of the QuickBooks support team. The hacker was connected to an employee in the accounting department.
The caller told the employee that they noticed an issue with the business’ QuickBooks system and needed access to their computer to make the necessary fixes. To do this, the caller told the employee to visit a specific web address, which the employee did, giving the caller access to the employee’s computer. The phony QuickBooks caller was able to get into the business’ security protocols and remove nearly every security measure they had, which left the business unprotected.
Unbeknownst to the employee on the phone, the undercover attacker then exported all their QuickBooks information off-site, including client names, addresses, credit card information, and social security numbers. The caller deleted all the information locally and encrypted it, then told the employee the problem was fixed and got off the phone. The employee was none the wiser.
A short time later, the office received an email from the attacker letting the business know what they had done: the attacker now had the business’ information and it was no longer on the company’s site. As proof, they screenshotted some of the information they’d stolen and demanded the business pay a certain amount of bitcoin for the return of the client information. Bitcoin is a common demand in ransomware because it is untraceable.
The business called Networks Plus to explain what happened and ask for advice on what to do. The good news is that the business had invested in an off-site backup service with Networks Plus, so they were able to restore the data that was lost.
The bad news is that the damage was done; the bad guys had their clients’ information and the cleanup from the attack was extensive. The business had to notify clients of the breach and handle certain legal requirements as a result, and the incident delivered a blow to the business’ reputation.
The first, and arguably most important, step to cyber safety is to prioritize employee education. Unfortunately, the #1 target of any cyber attack is employees. This makes employee education a key component of any business’ cyber safety. It’s so important, we even wrote a blog about why companies should make education part of their cybersecurity strategy.
Knowledge is power. In situations like this one, the employee should have told the caller that, before doing anything, they were going to verify with the caller’s company (i.e. QuickBooks) that the call was legitimate. The employee should have called QuickBooks directly to confirm. Most of the time, companies like QuickBooks will not reach out to a business directly about an issue. Generally speaking, users need to call them when an issue is detected.
It’s also important to understand the security measures your business has in place and what they do. Because this particular example was not a software attack, it would not have been noticed by antivirus software, which is what this business had. This type of attack is known as spear phishing: a targeted attempt to steal sensitive information through voice solicitation.
The attacker knew they wanted the accounting department and that they wanted to use QuickBooks as their point of entry. This type of attack is difficult to protect against. Other than employee education, your best bet for protection may be Advanced Endpoint Security. This software offers real-time threat detection and response by learning user behavior. In the example above, the advanced security software would have known that this particular employee does not usually get into security settings, and it would have stopped the action once it detected that security protocols were changing. This red flag would have sparked a call from Networks Plus and could have prevented the attacker from exporting client data.
Don’t get stuck in the trap of thinking your business is too small or that something like this couldn’t happen to you. We see small businesses get hit all the time with things like this. Five to ten years ago, hackers were targeting big companies, but those companies are better guarded. Today, hackers realize smaller businesses may not have the budget to protect themselves against this kind of attack, making smaller businesses an easier target.
Another lesson learned from this experience is to make sure your data backups are sufficient. Had this company not had a best-practice solution in place, the damage inflicted would have been even worse since there’d have been no way to retrieve up-to-date data. It’s important to verify that you’re saving and backing up current information.
For businesses that aren’t sure what protection they have or if current protections are adequate, I recommend a free security best practice assessment.
Call Networks Plus and we’ll discuss your current structure, strategy, and worries. After that conversation, we can make recommendations for what we believe the business could or should be doing. From security awareness training for office staff, to layered security and data backups, to Advanced Endpoint Protection, Networks Plus offers a wide range of ways to help keep your business and its data safe and secure.