Martin Daks//February 13, 2023//
From Black Friday online sales, which brought in a record $9.2 billion in 2022, to Super Bowl Sunday marketing and beyond, businesses have embraced e-commerce. But holiday and event-driven shopping seasons are also a bonanza for cybercriminals, who keep finding new ways to fleece consumers and businesses who’ve let their guard down amid the excitement.
Cyber threats are always around, but scams and targets change based on what’s expected to have the highest success rate, according to WilkinGuttenplan partner in charge of technology Tom Hasard. “The holidays are a peak time for transactional fraud, including fake purchase notifications, scam offers, and other consumer targeted attacks,” he said. “Spring usually brings with it tax-related fraud, such as ID theft to file false returns, fraudulent tax offers, and attacks targeting tax forms like W2s. World events, new trends and social media can all drive targeted phishing attacks, hoping that victims will be more likely to engage with something relevant.”
Email-based attacks are “by far the most common, attacks,” he noted, “typically targeting a user’s credentials to then compromise other systems or data. Most modern malicious code is targeting common vulnerabilities to either deploy ransomware or provide attackers with remote access to the compromised systems.”
Phishing attempts, when criminals send emails or other messages – which look like they’re from reputable companies – in order to induce individuals to reveal personal information, such as passwords and credit card numbers, “are the most common cause of cyber incident in our experience,” he added. “Most attacks are focused on trying to get access to data by stealing credentials. A more traditional network compromise is less common, but typically starts in a remote access environment like a VPN [virtual private network] or remote desktop.”
To illustrate the point, Hasard pointed to a WilkinGuttenplan insurance industry client located in central New Jersey, “which needed help becoming more secure. We provided phishing awareness training and testing, and our baseline phishing test had almost a 70% click rate on our ‘hacker-type’ test messages. After the training was complete, the click rate was below 5%.”
Almost any kind company, or individual, can get snared by a phishing attack. About a week before PCH Technologies onboarded a New Jersey-based company in the construction industry, “the company suffered a fraud incident,” according to PCH Chief Security Officer Mark Moore. “Their then-current security vendor had sent over an encrypted password list, but an employee at the targeted company got snared by a phishing scheme and the cybercriminal was able to use that password list to breach their systems.”
The company contacted PCH after discovering a “large fraudulent payment had been made from its bank account, and we immediately upgraded the security services, while remediating any issues we spotted. We then spent time with the new client, educating them about important cyber-hygiene processes.”
Cybercrime tends to spike whenever there is a major holiday or other kind of event that draws people’s attention away from other activities, he added. “As an MSP [managed services provider], we see threats year-round, but they do seem to peak around holidays, championship sports games, and other big events.”
One simple solution, according to Moore, involves “Using phishing resistant MFA [multifactor authentication] and having unique passwords for all of your services” — but that “can be frustrating to do because there are so many sites and therefore, so many passwords to develop and remember. Instead of skipping out, however, a password manager can help by automatically generating and securely storing long, unique passwords for all of a user’s online accounts.”
Other approaches, like a Single Sign-On, can let a user reduce the number of their passwords without compromising the security of their accounts. “Often used by businesses, an SSO enables users to securely log on to multiple applications and websites with a single password,” he explained.
The challenge, added Moore, “is getting people to take the threats seriously. They may think their business is too small to be a target, but in fact many criminals are happy to diversify their revenue streams by hacking into multiple, smaller business accounts that tend to be less protected than those of large companies. That’s one of the reasons it’s important for business owners to have ongoing conversations with their MSP [managed service provider] about cyber risks and how to defend against them.”
Any time people are using their devices outside of the office, during holidays or – since the pandemic, working from home – “We do see a spike in fraud and related threats,” according to Rahul Mahna, an EisnerAmper partner who leads the firm’s Outsourced IT Services team. “We find that a common characteristic, linking about 80% to 90% of the incidents, is that the victim unintentionally or otherwise did something wrong, like clicking on a link or downloading a file without verifying whether it came from a legitimate source.”
In a recently completed EisnerAmper survey of more than 110 executives of small- to medium-sized businesses, “75% said external cyber threats were their primary concern, with 71% citing employees’ unintentional actions as the second-most common threat,” Mahna added. Budget-constrained SMBs in particular are often vulnerable, he noted.
Recently, he said, an employee at a 30-person business got tricked by a phishing attack, and the cybercriminal was immediately able to shut down every employee’s computer, while demanding $50,000 in Bitcoin as ransom. “The owner refused to pay it and our team, along with the FBI, was called in,” Mahna said. “While the FBI tried to track down the attackers, we successfully rebuilt the client’s system and records. Then we engaged the employees in some serious cybersecurity training.”
The main message is to be suspicious, he said. “If an email or other communication comes in – supposedly from a vendor or other person – directing accounts payable to send payments to a new account, for example, call the supposed sender to confirm the request, and ask them the reason for the change. And if a rush request for an unusually large payment comes in to the CFO, for example, call or email them directly to confirm it. Finally, do not respond to the phone number or email on the request itself — instead, use a trusted number or email that has proven to be reliable in the past.”
Cybersecurity is a never-ending challenge, but it’s one that Mahna and other professionals pursue with gusto.
NJBIZ asked Withum Vice President of Cybersecurity Julie Tracy to walk us through the minefield of digital security issues. A condensed and edited version of the conversation follows:
NJBIZ: What kinds of common cyber-threats are you seeing?
Tracy: There are two types of threats that I am seeing more of recently. The first is phishing email attacks. I know, we always say phishing. But this is a very targeted phishing attack. Threat actors are pretending to be someone in the c-suite and asking for an accounts payable report. If the threat actor is able to get the accounts payable report, they will go and purchase domain names one character off from real vendors their target company uses (that are also on the accounts payable report), and the threat actor will use this new domain to send an email to the target company, stating that their bank information has changed, and it needs to be updated prior to sending their next electronic payment. If this is successful, the threat actor has then diverted legitimate payments to accounts under their control.
We have seen threat actors have a fair amount of success with this type of attack. This attack methodology can lead to significant financial losses for organizations.
The other area where we see attacks is Application Programming Interfaces (APIs). This is how attackers were able to breach T-Mobile recently. Implementing appropriate security around the APIs you have in use within your organization is important and often overlooked.
Q: What are the most common ways that small- and medium-sized businesses get hacked?
A: A lot of small- and medium-sized businesses do not consider themselves a target for hackers and as such do not allocate proper resources (budgeting) to secure their organizations. I was just talking with a medium-sized organization and their IT director stated that their management did not believe they were a target for hackers. I was shocked because (even though this business is not a bank) it controls access to millions of dollars of their customers’ funds.
Small- and medium-sized businesses are typically victims of phishing emails that lead to ransomware or business email compromise. Not implementing things like security awareness training for all employees, the consistent use of multifactor authentication, understanding the power of good password hygiene, and limiting the access employees have with their user IDs are all simple things that can lead to compromise.
Q: What are some best practices to avoid being hacked?
A: We call it basic cyber-hygiene:
Cybersecurity is not a one size fits all nor is it a one a done solution. What works for one organization may not be the best solution for another. Cyber threats constantly change, your own environment changes and because of that your cybersecurity program needs to change and adjust to ensure it is appropriate to your current risk. Having an outside expert evaluate your cybersecurity program is a huge help and should not be viewed as a threat by an organization’s IT department.