For attackers, American small businesses are a target-rich environment. Few have the staff and structures that deter an intruder. They may not run commercial-grade antivirus, and most do not enforce practices such as strong, unique passwords or two-factor authentication. Firewalls, IDS/IPS and SIEM tools are rare, and all but the largest and best-resourced SMBs have no full-time employee to watch them. Many decision-makers at these companies simply don't see the need for robust security measures.
As a result, attackers have a huge opportunity with small businesses, and it is one they usually take. 57% of small businesses have experienced a cyber attack within the last 12 months, yet 47% of them don't know how to take the first steps to defend themselves. The damage is also disproportionate: a large company will probably survive a cyber attack, but 60% of small businesses fail within six months of a data breach.
At MicroTech Boise, we’ve worked with hundreds of small businesses based in the city. We’ve seen cyber attacks take the same pattern time and time again. A trusting employee clicks on an untrustworthy link, a CEO accesses an account from an unsecured home computer, and consequences ensue. To illustrate what happens, here’s a story from one of our customers (who was not a customer at the time of the phishing attempt) who very nearly destroyed her marketing business with a single click.
Names Have Been Changed to Protect the Innocent
We’re not here to embarrass anyone, and the point of our story is that this kind of cyber attack could happen to nearly everyone reading this – even you. Therefore, we’ve changed the name of our protagonist to Jenny Smith.
Jenny is the owner of a boutique marketing firm with ten full-time employees and a number of freelancers. They specialize in building marketing plans for institutions such as banks and hospitals. At the time of the cyber attack, they were above average in terms of their security preparations.
They were familiar with applicable compliance laws and used tools such as antivirus, firewalls, and security monitoring to defend themselves. As we wrote above, 47% of small businesses don't know how to defend themselves from cyber attacks, so Jenny's firm was in rarefied company.
First, a bit of context. Jenny’s agency used Office 365 in the cloud for every aspect of their agency – email, word processing, document sharing, and more. This allowed their freelance users to access and add to their entire repository of documents while working from home. If a freelancer left the company or was hired, it was easy to provision and deprovision them. Meanwhile, much of their security was handled on the Microsoft platform – Jenny’s workers were mostly responsible for keeping their passwords secure.
Here’s where things get hairy.
Early on a Monday morning, while on a business trip, Jenny Smith got an email.
The email contained the Microsoft letterhead, used the Microsoft font, and contained a message that was certain to raise Jenny’s eyebrows – her payment for Microsoft Office had been declined. It conveniently included a login portal where Jenny could put in her correct payment information.
There was only one suspicious detail in that email: the sending domain was not microsoft.com but "support.onmicrosoft.com." A domain that merely contains the word "microsoft" is not microsoft.com, but most people reading it see only what they expect to see.
Jenny was lucky. Instead of clicking through and entering her login information, she assumed that one of her credit cards had simply expired. She forwarded the email to her bookkeeper, asking her to make sure the Office 365 subscription was paid up, and then forgot about it.
A week later, she received a different version of the same email. She was curious to see why the payment had not gone through.
This time she clicked and logged in to what she thought was her Microsoft account.
[Image: the fake login page, with the differences in the URL highlighted]
As soon as her browser rendered the page, she realized that something was off. Her URL read “electriccompany.microsoft.com,” not the ordinary Microsoft Office URL. She knew she’d been tricked. The only question was what would happen next.
First things first: Jenny was responsible about information security. As soon as she realised what had happened, she changed all her passwords. That was the right first step, but a password change on its own does not undo what an attacker may already have done while signed in, such as adding a mail-forwarding or inbox rule, and tokens issued before the change can keep working until they expire. Nothing seemed to happen as a result of the compromise, at least at first.
On Tuesday, five days after the incident, Jenny noticed that she could receive emails, but not send them. Since she needed to reply to up to 500 emails a week, this was a problem with a mission-critical application.
She put in a ticket with her hosting company, which called back. She spent two hours on the phone with a representative before being escalated to tier 2 support. They told her to wait until morning. Meanwhile, her clients were getting restless.
The next day was the same story: she could receive email but not send it. After another three hours of troubleshooting with the hosting company, she was told to set up what the representative called a "double authenticity application" from Microsoft, that is, two-factor authentication through Microsoft's authenticator app. She did.
Nothing had changed by the next day. At this point Jenny had spent three days unable to reply from her business email. Instead, she was answering inquiries from her Gmail account, which left her clients a bit confused. She had spent a total of five hours working with support. Finally, her hosting company recommended that she call Microsoft directly.
After another two and a half hours, she got an answer. Her account had been suspended because attackers had used her stolen username and password to send out 21,000 spam emails from it, which also explains why she could still receive mail but not send it: the restriction was on sending. The representative promised to escalate the issue and then call back.
By the next day, no reply from Microsoft was forthcoming.
Nor was it forthcoming the day after. Or the day after that. In fact, Jenny didn’t receive a reply from Microsoft until a full 10 days after losing access to her account. On that day, after spending five hours on the phone with a technician, she was finally told that she needed to write a letter to the compliance board at Microsoft explaining the incident and asking to have her account reinstated.
Six days later, and Microsoft still hadn’t replied. She still wasn’t able to reply directly to emails, teleconference with anyone, or schedule meetings efficiently. Her business was in freefall.
Finally, after calling Microsoft and begging for help, the company replied to her. It was now 22 days after losing her account. Although her account was reinstated, she was warned that one more compromise might result in her account being terminated for good.
In total, Jenny had to spend 17.5 hours on the phone over 22 days before she was able to regain access to the account.
In the meantime, the attacker had had full access to her mailbox and contact list, so her contacts may now be targets themselves. Jenny still gets phishing emails, and if she or any of her employees clicks on one of them again, the whole nightmare will repeat itself.
How to Prevent This From Happening to You
Telling phishing emails and phishing sites apart from their legitimate equivalents is a masterclass in noticing little details. The takeaway is that you will be fooled; there are no exceptions. What's more, antivirus and firewalls can't stop this kind of attack: nothing malicious runs on the computer, the fake page loads like any other web page, and the victim hands over a valid password by typing it in. Instead of planning to avoid every phishing email, plan to be attacked.
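The detail Jenny's eye had to catch can be checked mechanically, and the way it is checked matters. Most people (and a lot of hastily written code) look for the brand name somewhere in the address; a correct check asks whether the host is, label for label, one of a short list of expected domains. The script below is an added example written for this post, not code from MicroTech Boise or Microsoft. The first sample link uses the domain from the story; the other links, the expected-domain list and the labels are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Domains a Microsoft 365 sign-in or account page is expected to live under. Which list
# applies to you is an assumption you have to make explicitly; that is the whole point.
EXPECTED_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com"}


def hostname_of(url: str) -> str:
    """Lower-cased host of a URL (or a bare host), with user-info, port and trailing dot removed."""
    if "://" not in url:
        url = "https://" + url          # treat a pasted bare host like a URL
    host = urlsplit(url).hostname or ""  # .hostname drops "user@" and ":port" and lower-cases
    return host.rstrip(".")


def belongs_to(host: str, domain: str) -> bool:
    """True only if host IS domain or is a label-wise subdomain of it ("a.b.microsoft.com")."""
    return host == domain or host.endswith("." + domain)


def naive_check(host: str) -> bool:
    """The check people do in their heads: 'it says microsoft, so it must be Microsoft'."""
    return "microsoft" in host


def strict_check(host: str, expected=EXPECTED_DOMAINS) -> bool:
    """The check to actually use: an explicit allow-list matched on domain labels."""
    return any(belongs_to(host, d) for d in expected)


def classify(url: str) -> dict:
    host = hostname_of(url)
    return {"host": host, "naive": naive_check(host), "strict": strict_check(host)}


# Sample links. The first host is the one from the story; the rest are constructed for this
# example and are not claimed to be real phishing sites.
SAMPLE_URLS = [
    "https://support.onmicrosoft.com/billing/update",        # from the story: not microsoft.com
    "https://login.microsoft.com.account-verify.example/",   # real name used as a prefix
    "https://microsoft.com@account-verify.example/login",    # "user@" trick: host is after the @
    "https://www.rnicrosoft.com/",                           # "rn" read as "m" by the eye
    "https://login.microsoftonline.com/",                    # legitimate Microsoft sign-in host
    "https://www.microsoft.com/en-us/microsoft-365/",        # legitimate
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        c = classify(url)
        print(f"{c['host']:45} naive={str(c['naive']):5} strict={c['strict']}")
```

Run it and the first three links pass the naive check and fail the strict one, which is exactly the gap a phishing email lives in. The "rn" lookalike fails both checks; it fools only a human reader, which is why the list of legitimate domains has to be written down rather than remembered.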
Working on their own, small businesses can fight phishing in three ways. First, train yourself and your employees to notice the details that make up a phishing email, and you will avoid many of them. Second, enable two-factor authentication on every account that supports it, so that a stolen password alone is not enough to sign in. Finally, always authenticate, document, and verify requests for money, data or credentials (invoices, employee information, passwords) through a second channel, such as a phone call to a number you already know, never by replying to the email itself.
These methods are good, but they're not foolproof, and they won't help you contain an attack once it has happened. If you want to avoid spending 22 days without access to email, work with a managed IT expert. They can watch for anomalies such as sign-ins from unfamiliar locations, many sign-ins in a short time, a sudden burst of outbound mail, or system failures: red flags that could have exposed Jenny's attackers before the spam run got her account suspended.
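What "watching for anomalies" means in practice is a few simple rules run over sign-in and mail activity. The script below is an added example for this post, not MicroTech's or Microsoft's tooling: the log records are constructed (hypothetical user names, RFC 5737 documentation IP addresses, invented timestamps and counts, not the format of any real Microsoft 365 export), and the baselines and thresholds are assumptions. It flags the three signals the paragraph above names: a sign-in from a country never seen for that user, two sign-ins from different countries too close together, and an hour in which a mailbox sent far more than it normally does.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records (hypothetical users, documentation-range IPs, invented times).
SIGNIN_LOG = """\
time,user,ip,country,result
2019-03-04T07:10:00,jenny,203.0.113.10,US,success
2019-03-04T09:42:00,jenny,203.0.113.10,US,success
2019-03-04T12:30:00,jenny,198.51.100.7,NL,failure
2019-03-04T12:31:00,jenny,198.51.100.7,NL,success
2019-03-04T13:05:00,jenny,203.0.113.10,US,success
2019-03-05T08:00:00,bookkeeper,203.0.113.11,US,success
"""

# Constructed hourly counts of messages sent from each mailbox.
SENT_PER_HOUR = """\
hour,user,sent
2019-03-04T08:00:00,jenny,12
2019-03-04T09:00:00,jenny,18
2019-03-04T10:00:00,jenny,9
2019-03-04T13:00:00,jenny,1460
2019-03-04T14:00:00,jenny,2210
2019-03-05T08:00:00,bookkeeper,4
"""

# Assumed baselines: where each user normally signs in from, and the most anyone sends in
# a normal hour. In practice these come from the previous weeks of the same logs.
BASELINE_COUNTRIES = {"jenny": {"US"}, "bookkeeper": {"US"}}
BASELINE_SENT_PER_HOUR = 25


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def ts(s):
    return datetime.fromisoformat(s)


def new_country_signins(rows, baseline=BASELINE_COUNTRIES):
    """Successful sign-ins from a country never seen before for that user."""
    return [r for r in rows
            if r["result"] == "success" and r["country"] not in baseline.get(r["user"], set())]


def rapid_country_changes(rows, window=timedelta(hours=2)):
    """Consecutive successful sign-ins by one user from different countries within `window`."""
    by_user = defaultdict(list)
    for r in rows:
        if r["result"] == "success":
            by_user[r["user"]].append(r)
    hits = []
    for user, events in by_user.items():
        events.sort(key=lambda r: ts(r["time"]))
        for a, b in zip(events, events[1:]):
            if a["country"] != b["country"] and ts(b["time"]) - ts(a["time"]) <= window:
                hits.append((user, a["country"], b["country"], b["time"]))
    return hits


def outbound_spikes(rows, baseline=BASELINE_SENT_PER_HOUR, factor=10):
    """Hours in which a mailbox sent more than `factor` times the normal hourly maximum."""
    return [(r["user"], r["hour"], int(r["sent"])) for r in rows
            if int(r["sent"]) > baseline * factor]


def run():
    signins = load(SIGNIN_LOG)
    sent = load(SENT_PER_HOUR)
    return {
        "new_country": [(r["user"], r["country"], r["time"]) for r in new_country_signins(signins)],
        "rapid_change": rapid_country_changes(signins),
        "mail_spike": outbound_spikes(sent),
    }


if __name__ == "__main__":
    for rule, hits in run().items():
        print(rule, hits)
```

On the constructed data the first rule fires on the 12:31 sign-in from NL, the second on the NL-to-US pair 34 minutes apart, and the third on the two hours of mass sending. Any one of them is enough to trigger a password reset and a sign-out of all sessions before a provider's spam filter makes the decision for you.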
No business is ever safe from a cyber attack, but if you take the appropriate steps, you can save yourself from a lot of pain, hardship, and lost productivity. If you want to learn more, contact MicroTech Boise today.