“URGENT NOTICE: Your Microsoft billing statement is ready.” That’s what my email said on a recent Tuesday morning.
My inbox was packed to the gills with an evening’s worth of unread emails.
There was an RFP for network security services, client correspondence about a PCI audit and, there between an employee’s time-off request and a candidate résumé, was the scam.
I was so busy, it almost got me.

Debbie Banko
“Your Microsoft billing statement is ready.” I clicked the email, thinking, what now? The sender information was there (“Billing Administrator”) but the body of the email was blank. There only was an attachment called “Invoice.html.”
I almost clicked it due to sheer curiosity, coupled with the urgent need to get through my inbox and on with my day. But something stopped me. I remembered my user security training, perhaps the most important part of which is the idea that you need to slow down, wait and think, especially when you come across something suspicious.
This, it turned out, was more than suspicious. This was part of a common body of scams known as Business Email Compromise (BEC).
The FBI website calls BEC “one of the most financially damaging online crimes,” and it’s one that can take many forms. There’s the “spoof” approach, where the attacker is trying to appear as a legitimate business or someone you know (my own employees have received emails supposedly from me, that say “Debbie Banko,” asking them to purchase gift cards urgently for “an upcoming event”); there’s “phishing,” where the attackers try to trick you into giving personal details or passwords; and there’s “malware,” which is malicious software the attacker wants you to download, either by following a link or just opening a nefarious email attachment.
You might have noticed more of these scammy emails hitting your own inbox. Indeed, phishing and BEC are on the rise, with some news outlets reporting almost a 200% increase in the past two years alone.
The consequences to you or your company—large or small—can be dire. They include financial losses, network compromise, damage to your reputation, legal consequences (if you have failed to protect customer information or fallen short of compliance regulations), operational disruption, damage to employee morale, recovery costs and possible regulatory fines, let alone your own peace of mind.
This is a big and scary thing, and it only seems to be getting worse. Luckily, however, there are ways to reduce your risk of falling prey to this sort of attack.
My own employees at Link Technologies have undergone thorough cybersecurity/cyberawareness training. That includes everyone from the IT engineers and finance folks to the recruiters, admins and sales team. Thanks in part to popular culture, people have this idea of a hacker gaining access to our “mainframes” by frantically typing on a keyboard while techno music plays in the background. “I’m in!” The real world is a lot more boring. Our stuff usually gets compromised through simple user error. So user training to try to prevent those errors is paramount.
The second thing—and for this you might need to chat with a system administrator—is to implement email security measures. We’re talking about email filters, firewalls and email encryption, even implementing stronger password policies in general (to prevent unauthorized access to the email accounts themselves).
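As an added illustration of the kind of email filter rule mentioned above (not code from the author or Link Technologies), this Python sketch flags the traits of the message described earlier: a blank body, an HTML attachment and an urgent subject line. The sample message, the addresses, the `score_message` helper and the word and extension lists are all constructed assumptions.

```python
import email
from email import policy

# Constructed sample modeled on the email described in the article.
SAMPLE_EML = """\
From: Billing Administrator <billing@example.invalid>
To: user@example.com
Subject: URGENT NOTICE: Your Microsoft billing statement is ready.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"


--b1
Content-Type: text/html; name="Invoice.html"
Content-Disposition: attachment; filename="Invoice.html"

<html><body>constructed placeholder</body></html>
--b1--
"""

# Assumed lists for illustration; tune them to your own mail flow.
RISKY_EXTENSIONS = (".html", ".htm", ".shtml", ".svg")
URGENCY_WORDS = ("urgent", "immediately", "action required", "final notice")

def score_message(raw: str) -> list[str]:
    """Return the heuristic flags raised by one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    # A message whose visible body is empty gives the reader nothing to
    # judge except the attachment.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body is not None else ""
    if not text:
        flags.append("empty-body")
    # HTML files sent as attachments open in the browser when clicked.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS) or part.get_content_type() == "text/html":
            flags.append(f"html-attachment:{name}")
    subject = (msg["Subject"] or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        flags.append("urgent-subject")
    return flags
```

A filter built this way would quarantine or tag a message that raises several flags at once rather than acting on any single one, since ordinary mail can legitimately have an urgent subject.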
I also recommend that businesses perform regular security assessments—checking their security measures to identify any vulnerabilities and address them promptly—and implement email monitoring (watching out for any suspicious activity, like login attempts from unknown devices or email forwarding to unfamiliar addresses).
Finally, we recommend everybody, both businesses and individuals, stay informed. The better informed you are—about the latest attacks, the latest BEC tactics, the trends around which attacks or scams are currently popular—the better positioned you are to protect yourself against new and existing threats.
This is part of the reason I founded CyberSmartNV, a nonprofit organization that’s a cybersecurity one-stop shop for security professionals and a resource for the community. There are also national resources like staysafeonline.org, cisa.gov and “Stop. Think. Connect.” These are all great resources to learn about the latest cyber threats and how to protect yourself.
The worst thing you can do in response to these threats is nothing. The digital landscape today sometimes seems to be less playground than battleground. It helps to think of it in those terms. Be on guard. Be suspicious of suspicious emails. And for Pete’s sake, don’t click on random attachments called “Invoice.html!”
Debbie Banko is the founder and CEO of Link Technologies, a cybersecurity consulting and IT staff augmentation firm that connects Fortune 500 companies, government agencies and small businesses with IT professionals and services. She’s also the founder and executive director of CyberSmartNV, a nonprofit organization dedicated to the education of cyber professionals and the public at large. She can be reached at [email protected].