Season 1 Episode 13: Everything Email In Your Business
If you stop for a moment and think about how your life would be without using e-mails, you’d soon realize that it is the bread and butter of your operations, and any problems with it are going to have a significant impact. Let’s look at the most regularly asked questions about malware, dispel myths, and talk about good business practices to safeguard your privacy and business.
The basics
Spam
“It’s fake meat in a can,” I hear you say. We all know that. It’s mystery meat. You have to love the analogy of non-technical life applied to technology, especially e-mails. Spam is junk mail.
Phishing
The term comes from fishing, as in, throwing bait off the back of the boat. You’re hoping to grab some fish, say bluegill, with that bait.
A bait e-mail, for instance, is, “Hey, here’s an invoice from FedEx.” It’s designed to be appealing to you so that you open the e-mail. If you are a regular customer of FedEx and you get a notification to warn you that there is a problem with your order, even if you have no current orders, you are likely to open the mail anyway. Better check, right? Not necessarily so. The minute you open that e-mail is the minute you expose yourself and your operations to some potentially nasty malware that could affect your business in a bad way.
Spearfishing (spear phishing)
So we know what “phishing” is: it’s hoping for bluegill with a worm on a hook.
If you now start using a spear gun and shoot barracuda with it, you’re directly targeting it with the spear. Direct targeting is spearfishing.
The spearfishers will do research to find that, say, Ruthy owns this company and works in accounts payable. After infiltrating the network somehow, they see all the e-mails going back and forth between Ruthy and others in the company. Ruthy approves a lot of substantial invoices, and she’s always e-mailing this guy named Tim, who is apparently further up the chain than she is. So the spearfishers say, “I’m going to impersonate Tim in a fake e-mail I’ll send to Ruthy.” Under the guise of Tim, the spearfishers ask to approve a $10,000 transfer, and she falls for it. Why wouldn’t she? The order came from her superior, Tim.
We often see this happen with larger companies because it’s easier for an attacker to fly under the radar for a while once the system is infiltrated. Because targeting takes effort, spearfishing usually goes after high dollar amounts.
Real-life example
One of our very own customers was working with a large corporation that got spearfished. The corporation fell for an attack and ended up transferring almost $20,000 to a spearfisher. Meanwhile, our customer was still waiting for his payment. He followed up with a phone call, and it transpired that his invoice had already been paid in full to another bank account that was supplied to the corporation via a spearfishing e-mail. This is a typical case, and we see it happening more and more.
Spoofing
If your e-mail address is ruthie@ruthie.com, the spoofer forges the sender address so that their e-mails appear to come from your inbox when in fact they don’t. The message will look like it came from you in every way, including the actual e-mail address.
It can end in an ugly mess.
Once your inbox is compromised, all your data, such as names and e-mail addresses, can be harvested. This valuable information can then be further used for malicious targeted attacks – spoofing, spearfishing, and more.
Recommended solutions
1. Always use your own domain – name@yourbusinessname.com
Move away from using mybusinessname@gmail.com and use name@yourbusinessname.com. There are simple ways for a tech team to help you transition to that. Your contacts will effortlessly be able to continue communicating with you.
2. Stay away from POP e-mail in any form
POP e-mail is what you’ve been using from your web provider or cable company. By design, it’s not secure. It’s an older form of unencrypted e-mail. It’s nearly impossible to secure it in any relevant way or to avoid being spoofed.
3. Use an e-mail service with a mail server behind it to communicate your e-mail directly through the server
The most common ones are Microsoft Office 365 and GSuite. They are very popular, and they work very well for the majority of small businesses.
Terrapin Networks specializes in small companies, up to 15 users. We’ve only got a few people who have an actual Exchange server on their premises. Usually, that’s legacy: it’s always been there, and it’s never been moved.
4. Opt for hosted Exchange, where the Exchange server itself is hosted in the cloud
This is a middle ground between having an Exchange server in your building and using Office 365 or GSuite (option 3). As a business owner, consider an e-mail server specifically for your company, with security behind it.
Cloud-based e-mail servers should be backed up by the service provider and have adequate protection from attacks, so you don’t have to worry about those.
Setting your system up doesn’t end there. You still want to do your own supplemental backups.
All the commercial e-mail service providers will have primary and some secondary spam filtering built-in. Supplement the secondary filtering to address phishing and, even to some degree, spearfishing. Protect from those kinds of e-mails ever hitting your inbox.
It takes an expert team to get things right and tweak them until they are working for your company. You can accidentally filter out the mail you don’t want filtered. Our team errs on the side of caution and works off a whitelist unique to your business. Our team teaches the inbox to filter via sophisticated machine learning.
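As an added illustration of the spoofing section above and of the per-business whitelist filtering just described, here is a small inbound-mail check written for this page (it is not Terrapin Networks’ filter or code). It applies an allow list, then flags two patterns the episode warns about: a From header that claims your own domain while the envelope sender is somewhere else, and an external address using a colleague’s display name, as in the “Tim” scenario. The domain, staff directory, allow-list entry and sample messages are all constructed for the example.

```python
"""Added example: a minimal inbound-mail check with a per-business allow list.

It flags (1) a From address that claims our own domain while the envelope
sender (Return-Path) is external, (2) an external sender using a staff
member's display name, and (3) a Reply-To that points somewhere other than
the From domain. Every address and message here is constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical business settings (constructed for this example).
OWN_DOMAIN = "ruthie.com"
STAFF = {"Tim": "tim@ruthie.com", "Ruthy": "ruthy@ruthie.com"}
ALLOW_LIST = {"billing@fedex.example"}  # placeholder sender, not a real address


def domain_of(address):
    """Return the lower-cased domain part of an address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify(raw_message):
    """Return the reasons a message should be held for review (empty = passes).

    Passing these checks does not make a message safe; the provider's own
    spam filtering still applies.
    """
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    # Return-Path carries the envelope sender (where bounces go). A forged
    # From header usually does not match it.
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    envelope = envelope.lower()

    if from_addr in ALLOW_LIST:
        return []

    reasons = []
    from_domain = domain_of(from_addr)
    if from_domain == OWN_DOMAIN and domain_of(envelope) != OWN_DOMAIN:
        reasons.append("From claims our own domain but envelope sender is external")
    # The display name is a colleague's, but the address is not that colleague's.
    for name, real_addr in STAFF.items():
        if display_name.strip().lower() == name.lower() and from_addr != real_addr:
            reasons.append(f"display name '{name}' used by unexpected address {from_addr}")
    if "reply-to" in msg and domain_of(parseaddr(msg["Reply-To"])[1]) != from_domain:
        reasons.append("Reply-To domain differs from From domain")
    return reasons


# Constructed sample messages, one per situation the check is meant to catch.
SAMPLES = {
    "spoofed_own_domain": (
        "From: Tim <tim@ruthie.com>\n"
        "Return-Path: <bounce@mailer.example>\n"
        "To: ruthy@ruthie.com\n"
        "Subject: Approve transfer\n\n"
        "Please approve the $10,000 transfer today.\n"
    ),
    "impersonated_colleague": (
        "From: Tim <tim.ruthie@webmail.example>\n"
        "Return-Path: <tim.ruthie@webmail.example>\n"
        "Reply-To: <tim.ruthie@webmail.example>\n"
        "To: ruthy@ruthie.com\n"
        "Subject: New bank details for invoice\n\n"
        "Please pay the attached invoice to the new account.\n"
    ),
    "legitimate_internal": (
        "From: Tim <tim@ruthie.com>\n"
        "Return-Path: <tim@ruthie.com>\n"
        "To: ruthy@ruthie.com\n"
        "Subject: Lunch\n\n"
        "Lunch at noon?\n"
    ),
    "allow_listed": (
        "From: FedEx Billing <billing@fedex.example>\n"
        "Return-Path: <x@bounce.fedex.example>\n"
        "To: ruthy@ruthie.com\n"
        "Subject: Invoice\n\n"
        "Your invoice is attached.\n"
    ),
}


def check_all():
    """Run every sample through classify() and return {name: reasons}."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in check_all().items():
        print(f"{name}: {'HOLD ' + '; '.join(reasons) if reasons else 'pass'}")
```

The allow list is checked first, which is the "err on the side of caution" trade-off from the text: a whitelisted sender is never held, so the list must contain only addresses the business has verified. The display-name check is the one that catches the “Tim” e-mail: the attacker cannot use Tim’s real address without controlling his mailbox, so the name matches a colleague while the address does not.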
The importance of staff training and involvement in e-mail safety
As a business owner, you cannot possibly track your staff’s every move, especially in their inbox. You can set up the smartest systems and the most sophisticated filters, but if your staff lacks awareness of good business practices, you can still face an ongoing problem. Training your staff is at the center of your defense against exposure to these risks.
Let’s revisit the large corporation I mentioned that paid off an invoice to a spearfisher.
The underlying issue was the lack of staff training. We all need to encourage and train staff to look out for certain potential threats and if they are ever unsure or suspicious, at the very minimum, to speak to their immediate supervisor as soon as they can, without delay.
Encourage an environment where staff feels free to speak and inform management. This can save you a lot of trouble in the long run.
Provide your employees with a clear written policy governing e-mail usage and actionable checklists for situations needing their immediate attention. Make follow-up calls for larger payments mandatory, for example. Send regular reminders to your users with tips on keeping their inboxes safe, and remind them of the potential threats that small, seemingly insignificant actions, such as opening e-mails from an unexpected, unknown sender, can pose. Your efforts will carry over into your employees’ behavior in other tasks they carry out and into their domestic life.
Takeaway
Just because something works doesn’t mean it’s excellent. If you’ve always used it, that doesn’t mean it’s problem-free.
Think ahead. Plan ahead. Invest a little, and you’ll reap the results later. Set things up correctly from the beginning and maintain regularly.