Speaker: Mario, in your experience, how typical is it for a small-medium business to experience a cybercrime attack in this day and age?
Mario Zaki: It's something that's happening on a daily basis. Most email systems, like Google and Microsoft, tend to do a decent job with built-in spam filters, but if you were to look in your spam folder right now and actually just read some of the stuff that's in there, you can see just how often cybercriminals are attempting to scam you.
Now, the problem is sometimes what these people are doing is they're becoming more and more clever and disguising the way malicious email looks, learning from your behavior.
One of the more popular email scams that tend to trick most people, because it’s not as obvious as say…a Nigerian prince asking for a donation, happens around Christmas time. The cybercriminal sends an email that looks like it’s coming from FedEx or UPS – but it’s certainly not from either one of those entities.
The email is meant to be an alert about how the package failed to be delivered to the address on file and they need a different address in order to redirect the package. As you can imagine, most people are expecting packages around Christmas time – everyone is ordering gifts from Amazon these days. So what happens? They click on it, and then type in their company address for the package to be redirected and then all of a sudden, there’s ransomware in their computer.
I’ve heard horror stories about even the most competent business owners falling for these scams – it’s not obvious at all!
Speaker: What do you think is an obvious phishing attempt versus a not-so-obvious phishing attempt?
Mario Zaki: That’s a great question, and one that not a lot of people are asking.
I think an obvious phishing scam would be an email from your boss, when your boss is…sitting right next to you. You know it’s a scam.
What I've seen lately, as far as not-so-obvious, is not only disguised emails that look like they’re coming from FedEx/UPS – but also from Microsoft. If, in your business, you already have a relationship with your employees where most of your communication happens via email, like delegating tasks, fake Microsoft emails can really catch an employee off guard. Most employees believe if they are receiving an email from Microsoft it’s something they need to reply to or take action on right away, because you don't want your system to malfunction, or even worse – ignore a task their boss delegated to them.
What happens is… a hacker researches your organization and the staff members who work there; then sends an email out stating that their Microsoft account needs to be updated or needs to be verified with a link to bring them to the appropriate place to fix that issue.
The employee clicks on it, thinking it’s an email coming from the manager or boss, and then it gets directed to what looks like a Microsoft site to type in your username and password. So, you know, all these hackers need to do is literally just copy the Microsoft logo, paste that into an email. And before you know it – your company is being held for ransom in exchange for your sensitive client or patient data.
I’ve heard so many stories from my clients before they were my clients, who didn’t know that fake Microsoft emails were going to be a threat to their businesses – or even worse, put them out of business. It’s something you just don’t think about – but you should.
Speaker: What should you do to try and avoid this?
Mario Zaki: Well, the most important thing is training. You have got to train your employees. Most companies don’t have a resource for that kind of thing, even though it’s immensely important. You know, on an almost daily basis I get calls and tickets from my clients’ employees that have taken a screenshot of a suspicious email.
“Mario, this email looks a little fishy - what do you think?” I’ll tell them the truth… “Yeah, that's not correct. You should delete that.”
Having an IT company as a resource is very important. Obviously, you want to also have spam filters, antivirus and malware protection in place – but there's always going to be content that will get through and it's up to the user to make the most appropriate decision. Your employees have to ask themselves every day – do I click on this, or do I not click on this?
If my clients didn’t have me as a resource – their employees would have probably caused a few cybercrime events by now – a terrible thing to imagine. To avoid ransomware or any type of malicious activity, you need to protect your organization with user training with a professional and reputable IT company that actually cares.
Speaker: How important is it to educate your employees on data protection and phishing precautions?
Mario Zaki: Oh gosh – it’s so important – but the funny thing is, most companies just aren’t doing it.
Think about this. You buy liability insurance, property insurance, flood insurance – so why not invest in cybercrime insurance? That’s basically what a managed service provider does – provides cybersecurity services as an insurance policy for your business.
Speaker: Now, what steps should local New Jersey businesses take, and their employees be aware of to prevent this in particular? Solutions?
Mario Zaki: It's always good to have another IT company, like ourselves, come in and provide an assessment for comparison.
Another company can provide a pair of fresh eyes and give your organization a report to compare to what you are receiving from your existing provider. The report can point out some important information, like what software should be upgraded. For example, if you're running Windows 7, it's no longer going to be supported after January 14.
Did your existing IT provider make you aware of this? If Microsoft is no longer supporting the software, then the antivirus is no longer supporting you – and all of a sudden it’s January 14th and you are vulnerable to cyber-attacks.
I will always emphasize to my customers or colleagues, the most important thing that you can do for your company is to make sure that everything is backed up. If something happens, like data gets compromised or deleted due to a cybercrime attack or software failure - you won't lose any information and you'll be able to roll back as quickly as possible.
You know how in real estate they say it's all about location, location, location. When it comes to the technology that your business needs to succeed, it’s all about backup, backup, backup.
If you are not 100% sure that your data is being backed up – I’ll come in and show you exactly how to do it, no questions asked.