How scammers hook SMBs
Quote:

Common attack schemes targeting SMB employees.

Online scammers are forever trying to trick not only unsuspecting users, but also company employees. Sure, it’s usually far harder to dupe a business than a retiree, but the potential rate of return is far higher in the former case. Therefore, attempts to get SMBs to swallow the bait continue unabated.

Numerous techniques exist, but because scammers are generally a lazy bunch, most cases involve variations on tried-and-true themes. Here are the most common schemes in use.

Types of bait

It’s important for cybercriminals that you not only read their messages, but also react to them: click on a link, open an attachment, pay a bill. To get you to do that, they need to grab your attention.

A notice from the tax service

You receive an e-mail stating that you have not paid a tax in full, and now interest has been added to the bill. If you want to appeal, you’ll have to download, fill out, and submit the attached form. The form contains a macro, though, and as soon as you enable it (most users automatically click “I agree” in pop-up windows), it immediately downloads and runs malware.

Many businesses fear the tax authorities, but it’s important to look fear in the eye — or at least at some of its e-mails so that you can spot the differences between real and fake ones. It’s worth knowing whether your local tax office tends to send e-mails or call people up.

Notifications about pending payments

Paid all your taxes and settled with all contractors? Well done, but you still might get a message saying a payment failed to go through. After that, anything goes — from a request to pay a supposedly reissued invoice to a prompt to go to some strange site.

Antivirus can block a suspicious link, but only your common sense can stop you from paying the same bill twice.

Proposal from a mysterious contractor

Mass sales e-mails are usually sent out fairly randomly in the hope that at least some of them will hit a good target. Scam e-mails that look like mass sales e-mails — but including malicious attachments meant to look like product or service details — do the same.

Security service notification

This scam operates mainly on companies with offices in different locations. Regional office employees often have a fuzzy idea of what HQ staff look like and do.

On receiving an e-mail from the important-sounding “chief security officer” instructing them to install a security certificate, many will comply without noticing that the message came from a bogus address. Install the certificate and they’ve got you hook, line, and sinker.

Consequences of getting hooked

Phishing is conceptually simple — its purpose is to steal your credentials — but e-mail malware comes in different flavors. The most common types are those in the following list.
...