Businesses Beware OF Fake Meeting Requests

by

Hi,

Important that we meet discuss speerfishing attacks over business comunicatons. We need to make plan about this IMMEDIATELY. Please click on the link [uurl.callender.com] to make an appointment with IT for quick tutorial.

Regards,

IT

There are several things wrong with this email, and hopefully, you noticed them. All are red flags you can look for to avoid fake meeting requests or calendar-invite scams.

Business Email Communication (BEC) scams are not new. For example:

  • Facebook and Google suffered a $121 million BEC scam.
  • Ubiquiti lost $46.7 million to an attack.
  • Toyota transferred $37 million to crooks in a BEC snafu.

In 2020, BEC attacks were the most lucrative scam. The US estimated cybercriminals made over $1.8 billion with this approach. Beyond money, falling victim to a BEC attack also costs your business time and reputation. Here’s what to look for and how to protect against BEC scammers.

How BEC Scams Work

With many more people working from home and meeting virtually, there’s been an uptick in BEC spearfishing attacks.

On Gmail, the bad actor needs only your email address to send an invite that adds to your calendar by default. Then, you might click on what appears to be a meeting link, which actually takes you to a malware site.

Zoom has also become an attack vector. You get an invite to a meeting that asks you to login into Microsoft Outlook. You’ve done it so many times before, except this is a fake login page, and it’s set up to steal your access credentials.

How to Protect Against BEC Scams

Educate your users. As with any other type of email scam, users need to learn to be careful about the links they click. Some indicators to look for, which you can see in our opening example, include:

  • spelling mistakes;
  • urgent appeals;
  • poor phrasing;
  • suspicious links.

Email addresses, links, and domain name inconsistencies are more bad signs. Plus, be wary if something seems too good to be true (a free laptop?) or is an unusual request (transfer $1 million from the CEO’s account).

Google Calendar users can go into General settings, then Event settings, and switch off “Automatically add invitations.” Instead, select “No, only show invitations to which I have responded.” Also, under Events from Gmail, you can stop calendar events auto-generating based on your inbox. Keep in mind, though, that you’ll also be blocking legitimate events.

In these days of the hybrid workforce, we’re used to clicking on links from Zoom, Google Docs, and Microsoft Office as part of our daily workflow. The cyber bad guys know this and are taking advantage of it. Unsubscribing from email lists, keeping your email private, and reporting spam to IT can all help.

Your business might also benefit from working with a managed service provider to use a third-party spam filter. Our experts can also review your cybersecurity posture and identify areas to improve your defenses.

Contact us today at (515)422-1995

SMBs Can Become a Weapon in Cyberwarfare

by

Headlines today highlight Ukrainian tragedy or North Korea testing missiles. It can seem far away from your business, yet battles are being fought online, too. Your small business’s IT systems could be weaponized for cyberwarfare.

That statement may surprise you. You’ve heard of cyber targets such as:

  • critical national infrastructure;
  • election and voting organizations;
  • military databases;
  • government communication outlets.

In the days preceding Russia’s attack, 70 Ukrainian governmental organizations were hacked. Messages in Ukrainian, Russian, and Polish warned people to be afraid and expect the worst.

But, why would someone want to target your small business as part of their cyberwarfare? You may be only a stepping stone to help the attackers achieve their larger goal.

How your business can become a target

You could be the victim of a supply-chain or leap-frog attack, or you might have a business partner who is also an accountant to a defense contractor, or your business might be providing heating and air conditioning maintenance to a utility. That connection makes you interesting to hackers.

Attackers use you as a pawn in digital warfare. They expect you have fewer defenses than the highly funded end target, so they infect your network to facilitate their attack. They might send a fake invoice from your business to the target, one that is laden with a malicious payload. The client, trusting your credibility, opens the malware. From there, the attacker has access to the information they were seeking from the outset.

How to shore up your defenses

Increase your cyber vigilance. Don’t think that you are too small to be a target. Instead, create and maintain a cybersecurity plan. Follow best practices to keep your systems resilient, and ensure you have the proper protection in place.

This type of attack often leverages software vulnerabilities, so make sure that all your systems are up to date and patched, leverage antivirus tools, and stay current on the latest threats you should protect against.

Also, remind your employees about the importance of good cyber hygiene, the humans who work for you are often the weakest link. They don’t mean to cause any damage, but they click on that phishing email or go to that website with malware downloads embedded.

Multifactor authentication can also help you combat hacker access. Even if the bad actor does get a user’s credentials, they still need an approved device to get in. This makes it much more difficult to compromise your network.

It’s also a good idea to establish ongoing monitoring of any security events and install remote access controls. Geo-fencing can restrict certain foreign IP addresses, and Certificates can validate trusted computers that remotely access your systems. Then, use the data from those tools to identify any suspicious activity.

A managed service provider (MSP) can help with any of these defense tactics. We don’t want to see you turned into an unwitting weapon in someone’s cyberwarfare. Contact us today to learn more about what we can do to help reduce your attack surface.

Reach to us today at (515)422-1995.

Think Before Sharing That Link

by

Learning to share is an important early-life skill. Now, you’ve mastered it, and you’re out in the workforce. Happily, digital technology makes it much easier to share business files, but that doesn’t mean you want to do so willy-nilly. Consider these best practices for sharing with both internal and external users.

Cloud sharing makes it simple to share presentations, spreadsheets, documents, and other files. In OneDrive, Dropbox, Google, you can simply click on that document and click “share.” The link is created, and you can copy it into an email, or you can use a pop-up email from the software you’re working in at that moment. That done, you can move on to your next “to do” without thinking about it any longer.

Maybe not.

Unless you’ve set that link to expire, you’ve shared endless access to that file. Plus, you may have set the file up so that anyone with the link can open the file. You may even have given everyone with the link editing permission for that file, which means they can change the data or delete it. That’s today, tomorrow, weeks, months, or even years from now.

Think about that link before you share it. You may not intend that external contractor to have continued access to that presentation. You may want only an internal team member’s input before a client pitch, not in perpetuity, even after they’re no longer involved in that project.

Best practices with shared links

The problem compounds if you share folders. You might start out with a few files in that folder – the ones you wanted to let your client contact see – but, as time goes on, you add more files to the same folder. Do you want that client to be able to see all those files? Forever? Think about this before sending a shared link with broad permissions.

Yes, “anyone with the link can view” links are useful. They can help when you don’t know everyone’s email, or you don’t know everyone (internal or external) who will need access to a file. Still, it’s best to take the permission-based route. Allow only people with emails you know to access that file. You might set the default in your link sharing to “only people in your organization.”

Think twice about whether you want to make them editors, too. Remember that gives them the right to modify and delete that file. You might want only their eyes on the content, so limit what they can do to viewing only.

It’s also a good plan to set your links to expire. This stops the other person from continuing to access the files long after they need to do so. For confidential, sensitive data, choose a shorter expiration date; otherwise, you might go with a month. If the person needs access again after the link expires, you’ll be able to let them in again, but you’ll know you’re doing so.

Worried about unauthenticated access to your files, folders, or software and systems? Work with a managed service provider to enhance your security posture. Our experts are here to help. Contact us today at (515)422-1995.

Psst… What’s Your Master Password?

by

All of us like to think we are unique. That thinking extends to our passwords too, right? We’re special and distinct, so no one could guess our chosen collection of letters, numbers and symbols. Well, it’s surprisingly easy for algorithms to determine passwords and to do so extremely quickly. So, a password manager is a smart move, as you’ll have more complex, different passwords stored. Still, it’s important that your master password for that manager be 100 percent original.

Sure, your password may be difficult for a human to guess – it would take forever. But, computers can run through the possible combinations in seconds. Password Depot found that a password consisting of five characters (three lowercase letters and two numbers) can be hacked in 0.03 seconds.

Add characters and the volume of possible configurations increases, and that adds time. A seven-character password (one capital letter, six lowercase letters) will take approximately nine minutes. At eight characters (four lowercase letters, two special characters, and two numbers) things get more complicated. Trying all the possible permutations will take 2.6 days.

That’s a data-driven argument for complex passwords with many letters and numbers. But the problem is that they are so much more difficult to remember, and that’s why it’s a good idea to use a password manager.

The power of a password manager

A password manager offers top-notch encryption to protect passwords. You can use a password manager as a vault for all your passwords. When you want to log in online from your desktop, it can prefill your username and password. Often, there is also an app that allows you to do the same on mobile devices.

Industry-leading password managers also notify you if credentials are weak or get compromised. They may also flag that you are repeating access credentials, which is not a good idea.

Don’t forget your master password

Part of the appeal of a password manager is its zero-knowledge approach. They are set up so that they can’t see your stored passwords. The password is encrypted before it reaches the manager’s server and can’t be deciphered.

This means you have to be careful not to forget your master password. The master password is the one you use to access the password manager. Without it, you’ll have to try to recover your account using several stages of authentication.

Make your master password unique, and don’t use it anywhere else. Repeating passwords, as mentioned above, increases your risk of getting hacked. If the other site is hacked, the bad guys could try that same password on other sites, too. It’s low-hanging fruit for them.

The current best practice as far as passwords go is to use a passphrase with a mix of alpha-numeric symbols. This gives you a length of between 20 and 30 characters. You can use a variety of uppercase and lowercase letters, numbers, and symbols. Some examples of passphrases include:

  • My_Fave_Person_is_My_Fish_761
  • Mytrip-2-Paris-Was-Magnifique
  • YouRemindMeoftheBabe!!

The passphrase means something to you, so it is more memorable. Yet it isn’t easy for hackers to crack. Also, you’re not using specific personal details that you may reveal on social media (unless you are constantly posting pics of your fish, and its name is actually 761).

Protecting your online identity

Want to know more about protecting your online identity? Need help with setting up security procedures for your home computer and network? Our tech experts are available to help. Call us today at (515) 422-1995!

Could the Business You Work for be More IT Savvy?

by

Working for a small business, you can be asked to wear many hats. Even if one of your many roles is not IT, you may need to speak up about your business technology or cybersecurity.

It’s easy to think cybersecurity is someone else’s responsibility, but IT may not be getting the attention it deserves, and that could be damaging to the business, your career, and your identity.

A data breach can destroy a business. Cybersecurity Ventures estimates that 60% of small businesses close within six months of a breach. It’s easy to calculate why. In Ponemon’s annual Cost of Data Breach report, the average cost was $161 per record. That adds up. If you’re at a business that can’t recover, you could be out looking for work again.

Of course you care about your customers. You don’t want their personally identifiable information (PII) getting out to criminals. But their information isn’t the only thing at risk. Your employer has a lot of PII about you, too. They’ll have your name, address, salary amount, and bank account details. Plus, they may have health information related to your benefits. They probably also have copies of your government identification.

Not only about protection, prevention

If your business tech is out of date, you’re at greater risk of cyber vulnerability. But improving IT isn’t only about protecting data and preventing downtime. Having the right technology to suit your business can also help you be more productive. Speaking up about IT could see the business improve, grow, and gain resiliency.

Working with a good MSP can help both you and your business:

  • If your company isn’t as protected, IT experts can help with data security or backup and disaster recovery.
  • Frustrated by network failures, lagging conference calls, or error messages? Trust the MSP to make sure the business technology is up to the task.
  • When the devices you’re working with aren’t doing what you want them to do, the MSP can suggest the right tools for the job.
  • Feel like you’re wasting time on repetitive or mundane tasks? An MSP partner could help you embrace automation. Allow machines to take on the routine and leave you free to focus on the more challenging and innovative work.

A slow system is painful to use. Having to wait even a few minutes for a computer adds up over a 40-hour work week. Worrying about the security of your data doesn’t help your focus at work either.

You don’t have to be an IT expert to understand that there is room for improvement with your technology. Connect us with your employer to schedule a consultation for your business needs!

Contact us at (515)422-1995.

Ransomware a Risk for You, Too

by

Ransomware headlines focus on interrupted hospital services or downtime at several major brands. But ransomware can just as easily infect your home computer.

When you’re a victim of ransomware, you aren’t able to do anything on your computer. Cybercriminals encrypt your files and demand you pay a ransom to unlock your device. They’ll ask for cryptocurrency in return for the encryption key.

You may think the bad guys wouldn’t care about your residential system, but you’d be wrong, especially now. Think of all the people at home connecting remotely to business networks. Plus, kids make a weak link as they don’t fully understand the risk.

Many residential antivirus solutions aren’t up to protecting your computer from ransomware.

How to prevent home ransomware

Ransomware in residential homes may not grab headlines, but it’s still going to be big news at your house. Any computers connected to that network with the ability to save to one another could be infected.

The biggest issue with malware of any kind? Your devices may be infected and you might not even know it. Get a cybersecurity solution for your home that looks where you can’t. A good antivirus software that supports anti-ransomware uses machine learning. Artificial intelligence (AI) reviews a database of known threats before running new files on your computer. This helps detect and block any malware before it executes.

Some antivirus software whitelists certain computer folders such as “My Documents,” making it possible for only trusted applications to write to that folder.

You’ll also want to have a good backup. If you’re working on a novel in your spare time, keeping the family photos on your desktop, or developing an in-depth family genealogy, for instance, don’t risk losing access to any of these. Instead, make frequent backups and keep them separate from your network. This can help preserve your personal data in the event of a malware attack.

Always be on the lookout

Phishing is the top way ransomware infiltrates computers. So, talk to all home network users about the need for vigilance. Cyber bad guys are doing a much better job these days of mimicking reputable companies. A phishing email will look like it is coming from a trusted website. They will have worked hard to gain your confidence to open the message and click on their link.

Caution everyone, especially kids, against clicking on links or downloading attachments, especially if the email is making an urgent or emotional appeal.

You can also stay safe by taking care of what websites you visit. It’s hard enough to determine if an email is legit, but now you need to be wary of where you go online? Yes, it’s true. One type of ransomware gets you to download and install the software, while another installs it without you knowing when you visit an infected site.

Steer clear of top culprits such as gambling, pornography, and pirated video sites. When online, look for the lock icon before the domain name: that indicates encrypted Web traffic. And avoid clicking on any download links on the sites you visit.

Want to remain ransomware-free? Our IT experts can help you take preventative measures. We’ll also make sure that your antivirus software is doing what you want it to do. Contact us today at (515)422-1995

How to Prevent Password Spraying Attacks

by

Bad cyber actors are what the kids these days would call “try hards.” They do everything they can think of to get into your accounts. One tactic is password spraying. In case you don’t know about it, this article gives the basics and shares strategies to prevent this type of attack.

You’re probably familiar with hackers trying many different password combinations with the username. Web security services know about this form of attack, too. That’s why you can get locked out of your site for trying the wrong password too many times.

This brings us to password spraying. The cyber criminals have found a way to get around the-three-tries-and-you’re-out-of-luck defense. Instead of one user and many passwords, they use one password with many different usernames.

Think how easy this could be. Your company database is online for people to contact your employees. The bad actor takes john@yourcompany.com, jane@yourcompany.com, jamal@yourcompany.com, and so on, or they buy a list of usernames on the Dark web. Then, they try common passwords for every one of those individuals.

“Abc123,” “123456,” and … ugh … “password” are still frequently in use worldwide as passwords. So, it’s not that much of a stretch for a hacker to be able to get in with one of these common permutations.

The brute-force attack runs through a long list of users before trying the next “wrong” password. So, by the time it has finished going through the list of users with the password “abc123”, enough time has passed to avoid lockouts, and the hacker tries another password from the user list.

What to do about password spraying

The most obvious thing? Stop using any of the passwords that appear on the most commonly used worldwide lists! Do you think no one would still be using these obvious options? In 2021, there were more than 3.5 million reported uses of the “123456” password. “Password” came in second with 1.7 million reported uses. Both take less than a second to crack.

So, prefer more complicated passwords. This doesn’t have to mean that users add seven numbers, six symbols, and three capitalized letters. The National Institute of Standards and Technology (NIST) guidelines suggest length is more important. So, users can create longer yet easier-to-remember passwords.

IT administrators can also force users to change passwords at their first login to new applications. NIST further recommends checking every new password against a breached password list.

Multifactor authentication helps, as well. This requires the user to verify themselves with access credentials and extra authentication. This might be a code sent via text to a smartphone or could involve an authentication app.

It’s also a good idea to segment your networks so that users access only what they need to. Limiting user access can minimize the damage done if there is a breach.

Put password best practices in place

Keep your business secure with the help of a managed service provider. We can spearhead the installation of lockout policies and other security measures. Our experts also stay current with the latest vulnerabilities to proactively protect your organization. Call us at (515)422-1995.

Turn Your Tablet into a Child-Friendly Device

by

Tablets are convenient, light, and portable. Maybe you got a new one during the holiday, or your old one needs replacing. You can feel better about moving to the new device if you turn the old tablet into a child-friendly device. Here’s how.

Before giving your tablet up, clear your browsing history, emails, and banking details. In Android Settings you can use the Clear Data feature, whereas on iOS, you go to General in Settings to Reset and choose Erase All Content and Settings.

Purchasing a new, sturdier case can help protect the tablet from the wear and tear of being a kid’s go-to device. A waterproof case is a must for the juice-box-aged user. When selecting a protective case, keep in mind that you want sturdy but also lightweight. A screen protector is also a good idea. Little people have lots of sticky things in their hands after all.

You’ll also want to set up a child safety lock. This allows you to lock the screen by setting a PIN in the settings. On Apple and Android products, you can choose the app your child can use and lock the screen. If they want to switch apps or access anything else, they’ll need you to enter the PIN to do so.

There are many special apps for kids you can download these days. Before gifting the device, download some educational and entertainment apps for them. Common Sense Media can be a useful resource to help you find appropriate apps for the right age. You might also visit Zerotothree.org. Their E-AIMS model helps you choose Engaging, Actively Involved, Meaningful, and Social content.

When can kids turn on tablets?

There’s a lot of debate around what is an appropriate age for a child to use electronic devices. Typically, the recommendation is to wait until your child is at least preschool age. By age three, many children are “active media users” enjoying educational electronic content.

Between the ages of 4 and 11, the child will be able to engage more with the tablet, but they should be supervised. Adults need to monitor activity, co-view, and ask questions about the games or content to encourage digital literacy.

Regardless of the age of your tablet user, it’s always best to start out by talking through the rules for the device. You’ll want to help your little techie learn how to use this tool safely and responsibly.

Need help getting your tablet ready to gift to a young user? We can help. Our tech experts are also here for any tablet repairs you might need. We can offer remote support to get you (or your child) up and running again on that tablet. Contact us today at (515)422-1995.

How to Spot Email Spoofing

by

The number of emails we get daily can be overwhelming. We could be excused for not looking at them all closely – well, almost. Except that not taking care to review emails for signs of spoofing could be a real risk to your business. Learn about email spoofing and how to avoid it in this article.

First, what is email spoofing? Don’t confuse this with the foreign prince’s plea for money. Email spoofing is much more nuanced; it’s still a cyber bad guy at work. They try to get you to download malware, enter personal credentials, or give money. Yet now they are mimicking a reputable company or source of an email. The email will, at a hurried glance, appear to be legitimate, and that’s how it works. The spoofer takes advantage of our lack of attention to accomplish their aim.

With email spoofing, the scammer tries to trick you into thinking they are a source you recognize. This might be a supervisor, a colleague, a vendor, or some other entity you work with regularly. Their goal is to get you to take an action you would not otherwise do.

The email will usually look convincing. The would-be attacker will duplicate design elements and mimic the sender’s style. So, you need to be aware.

How to Identify Email Spoofing

There are several signs to look for to identify a spoof email. First, you’ll want to check the email header information. This is a good place to look for tracking information about the message.

To view headers:

  • In Gmail, open the email you want to check headers for. Next to Reply, click the three dots and choose “Show Original”.
  • In Apple Mail, open the email you want to see headers for, and click View > Message > All Headers.
  • In Outlook, open the email you want to check, and then click File > Properties.

Check to see:

  • if the “from” email address matches the name of the person displayed as the sender;
  • that the “reply-to” address is the same as the sender or the site that the email purports to be from;
  • that the “return-path” is the same as the reply-to – you don’t want to think you are replying to “John Doe” when your response will go to “Scammy McScammer”.

The email header is a good starting point, but you’ll also want to ask yourself about the content of the message. If you weren’t expecting a message from that individual or organization, think twice. Also, look out for spelling or grammatical errors. A difficult-to-read message could indicate an unsolicited email from someone with a limited grasp of English.

If the email is pressuring you to act quickly or making an emotional plea for you to do something, be wary. Scammers often rely on urgency or our desire to help. That’s how they trick people into clicking on links or open attachments.

Better Safe Than Sorry

If you aren’t sure about an email’s legitimacy, slow down. Before you act, go to your contact list and send a direct message to that sender’s address to confirm the request. Or call the sender or company the sender apparently represents to verify that the email is a real one.

A managed service provider (MSP) can help you better manage email safety. Ask our IT experts to help set up email filtering and monitoring to avoid malware infection. Learn more today at (515)422-1995!

3 Reasons to Avoid Signing in With Facebook or Google Accounts

by

Nine out of ten times today when you visit a website you’re asked to sign in. To add convenience, many sites offer the ability to sign in using a Facebook or Google account. Sure, it’s simpler, but this article will share three key reasons why you might want to avoid this easy route.

It’s estimated that we each have an average of 100 passwords. That’s a lot to remember, especially as we need unique logins for every site to lower our risk of cyberattack.

At the same time, every website wants us to set up an account. It helps them get to know their users. This can help them to target marketing and product development efforts. They might also share the information with third parties as another source of income.

Still, the website wants to keep its users coming back, so they allow you to sign in with Google or Facebook accounts to streamline the process. Weigh the value of that added convenience against these three considerations.

#1 Youre giving away more data

By using Google or Facebook to sign in on other websites, you are giving the sites greater access to information about you. Now, they not only know what you do on their sites, but you’re also allowing them to build out their picture of you with data insights from the shared sites.

Google and Facebook have powerful tools to dig deeper into your online activity, and other websites can also extract data from your Facebook and Google accounts. If you don’t read the privacy policies, you may not know what sensitive data the platforms share.

#2 You could lose access

You may join those who are deciding to quit Facebook or leave Google in favor of another platform. If you do so, and you have used that account to access other sites, you’ll have to create new logins.

Even if you’re not ever going to do away with your Facebook or Google account, you could still lose access. If there’s a major outage at one of those two sites, you won’t be able to log in at any of your connected sites either. The other websites won’t be able to authenticate you until Facebook or Google is back up and running.

#3 Your attack surface gets bigger

If you have one, unique login credential for a website, you risk your data there only if that site gets hacked. However, if you use Facebook or Google login, and bad actors compromise that account, they can access any shared sites.

Think of it like dominos. The Facebook or Google account is the first to fall, but all those other accounts you “conveniently” login to using those credentials will come tumbling down soon after. Don’t think the attacker won’t bother looking for other connected accounts. All they have to do, once they breach one account is go into your settings to see what you have connected.

Social media accounts are also a prime target. Don’t believe us? Bet you’ve seen a post from a Facebook friend (or ten) telling you to ignore strange activity due to a hacked account.

Protect your online identity

Account compromise is a top cause of data breaches worldwide. Protect your online identity by following best practices for cyber hygiene.

Need help with password security? Our IT experts can set you up with a password manager or provide other online security help. Contact us today at (515)422-1995!

Click to see our BBB Report

FOLLOW US

VISIT US

Privacy Policy