“Hey boss, I think I have been hacked.”
Words that a small business owner or office administrator never want to hear. Sadly though, it is almost an inevitability. Your employees are constantly bombarded with phishing and other social engineering attacks and the law of averages always wins. But knowing that you have suffered a breach is the end of the threat. Now you can work towards closing the doors on the attacker. The real risk of the breach is how long it has existed and how much information has already been lost.
When a cybercriminal gains access to your email account, via phishing or purchasing stolen credentials from the Dark Web, they have many options. They can phish all your contacts, try to login to your personal banking or eCommerce accounts, or they can simply wait. This is known as a persistent email breach. Some bad actors will sit silently on your account, sometimes for months, waiting for the right opportunity to strike. They will begin to learn your workflow, read your sensitive documents, download invoices and banking information, and start to formulate a plan. The end goal of these persistent breaches are typically to convince a target to alter banking and invoicing details and redirect payments to an account controlled by the attacker.
Let me give you a real-world example of
how a persistent breach works:
A cybercriminal gains access to your email credentials. They sign-in and begin looking for anything of value. Banking statements, invoices, company letterheads and so on. Next, they will setup rules within your email account. These rules can be used to hide their presence as well as auto-forward emails with keywords such as “banking,” “payment,” “invoice,” etc. to an email account they control. Once they have enough information, they can then create convincing emails to re-route payments or fake invoices that appear to be from familiar organizations. The longer the criminal has access to the account, the more sophisticated and credible their emails will appear. With this amount of insider information, it becomes increasingly difficult for employees to spot a malicious email.
Sadly, this happens every day. And the impact can be significant. While some companies might lose only a few hundred dollars, local businesses have lost over $150,000 from just one attack. The reality is that this style of attack is here to stay, and business owners must do what they can to protect themselves.