Business operators are again being warned about the dangers of cybercrime, after email security provider MailGuard uncovered an email scam that imitates the Federal Circuit Court of Australia.
MailGuard chief executive Craig McDonald told SmartCompany his team detected what they believe to be a “fast-breaking” attack, with a wave of fake subpoena emails disguised as coming from the court asking recipients to download a zip file containing ransomware.
“Phishing attacks like the subpoena email purporting to be a brand have a 25% click through rate,” says McDonald.
Cybercrime is estimated to affect nearly 700,000 Australian businesses and, according to Stay Smart Online, 60% of cyber attacks target SMEs, leading to costs including disruption to the business, and loss of information, revenue and productivity.
According to the Australian Competition and Consumer Commission, scam activities have robbed small businesses of $1.6 million in the past six months, with ransomware being one of the biggest culprits.
McDonald says attacks involving ransomware are getting more sophisticated and harder to detect.
“In the last six months, emails coming through purporting to be a known brand have become a lot smarter and sophisticated to the point [cyber criminals] are doing a lot of testing before launching a larger scale attack,” says McDonald.
“In the last 18 months, it has been ramping up.”
Scams involving ransomware typically ask users to open a website and enter credentials, such as an email address, says McDonald.
“In the background, all the files on your computer and networks will become encrypted so as a company, you will not have access to those files and you’ll need to pay a ransom to get a key to un-encrypt those files,” he says.
“If an SME is impacted by an email like this, there’s a 60% chance that within six months, the business will be no longer.”
Recently, the ACCC itself fell victim to a malware scam, with several businesses receiving fake emails from the watchdog that claimed official complaints had been made against them.
Within these emails was a zip file disguised as a pdf link, which appeared to be the infringement notice.
“Fortunately, no money has been reported lost from these particular scams to Scamwatch yet. The emails are easy to spot as fakes and you can avoid falling victim by checking the email address of the sender before clicking on any links,” said ACCC acting chairman Michael Schaper at the time.
McDonald adds that nine out of 10 businesses globally will be affected by criminal intent emails, phishing or spear phishing.
Spear phishing is when a cyber criminal sends an email to an executive in a business pretending to be another executive and asking to transfer funds.
Protecting your business
“The key thing for business is that [cyber security] is an economic issue not an IT issue,” says McDonald.
“Owners need to focus on if the business was disrupted what the survival rate will be and take certain steps to address that.”
Here are McDonald’s five tips for protecting your business.
1: Automate security updates
Though small businesses may have restricted budgets, McDonald says cyber security must be a priority.
“Make sure that all of the current security applications are up to date and kept up to date automatically,” McDonald says.
“That seems to be one of the key things that people forget to do.”
2: Don’t click too fast
“If in doubt, don’t click,” he says.
McDonald recommends keeping an eye out for abnormal or suspicious behaviour, language and requests in emails.
“Potential fraud emails are very hard to detect,” he says.
“Don’t be so quick to click on things.”
If a bank is unlikely to ask you to key in private information via email, don’t do it.
“Don’t click on the URL in the email, go to the normal banking portal and go from there,” he says.
3: Back up your files so you don’t get held ransom
Having a live back-up of all systems can reduce some of the damage from ransomware attacks, says McDonald.
Though the business may lose out from having to reinstall everything, he says the cost will be far less than having to pay a criminal ransom money to get back the files and data.
4: Invest in professional security
Small and medium businesses can also pay for software to add an extra layer of protection to prevent attacks hidden in the hundreds of emails coming in to their inboxes every day, McDonald says.
5: Take out cyber insurance
McDonald says businesses that carry out any activity online need to consider how much disruption from an attack the business could withstand, what kind of measures they can put in place for protection and what other things they can set up to mitigate the risks of ransomware.
Even though cyber insurance can’t prevent attacks, he says it may well save the business from imploding if something happens.
“It can at least help get backup and recoup some of the losses,” he says.