
Real world examples of security breaches from Kansas City companies

Cybersecurity threats are increasing at an alarming pace, with criminals targeting small- and medium-sized businesses (SMBs) over larger, better-defended companies. What will the projected cost of cybercrime be in 2021? $6.1 trillion, according to a report by Cybersecurity Ventures.

It’s easy to say, “It will never happen to me”, but the reality is that no business is immune from attack — it’s less a matter of “if” than “when”. Don’t believe us? We’ve rounded up some real-world cyber attack examples to prove just how easy it is to fall victim. These real-world incidents were the catalyst for these companies to seek out Umbrella Managed Systems as a trusted cybersecurity partner. All names have been changed to protect the victims’ identities.

 

Case 1: Craig, the new CFO, fell for phishing

According to Microsoft’s 2020 Digital Defense Report, an eye-watering 70% of cybercriminal activity now takes the form of credential phishing and business email compromise (BEC). In these attacks, criminals masquerade as trusted colleagues, partners, or contractors to request information or payments from other employees. If they go after the top leadership in an organization, it’s known as “whaling”. In our first case, an unsuspecting CFO was the victim.

It was Craig’s third day in his new role as CFO. After updating his LinkedIn to reflect his new position, he received a formal-looking email from “Microsoft” instructing him to change his password. He opened the link, typed in his credentials and received an error message. He tried again, eventually gave up, and returned to his busy day.


Little did Craig know that his actions had given an attacker his password. Working undetected, the intruder began collecting information about the organization by accessing various systems, including email. 

What happened next shows how sophisticated these attacks are becoming. By this point, the attackers (also known as “bad actors”) had gained full access to the company’s system. After discovering the CEO was on vacation, they took the opportunity to imitate the CEO’s email. Next, these bad actors spoofed an email message from the CEO to Craig (the CFO) requesting a $50,000 wire transfer.


Not wanting to question his new boss, Craig fulfilled the transaction. Following their success, the attackers repeated the transfer request twice more. On the third attempt, the CFO finally picked up the phone to find out what was going on, and discovered that the CEO never made the requests. In total, the attacker obtained $100,000 in wire transfers and cost the company further time and money on investigations, litigation and insurance.

The takeaway

Cybersecurity is all about layers. Unfortunately, many safeguards that could have prevented this attack were missing. First, the phishing email should never have reached Craig’s inbox. Professional email security, proper SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting and Conformance) configuration, and other email hardening techniques would have reduced the likelihood of the phishing email being delivered.
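One way to check the SPF and DMARC configuration mentioned above is to audit the domain's published TXT records for weak policies. This is an added example, not code from the original article; the function names and the example.com records are assumptions constructed for illustration.

```python
# Added example: flag weak SPF and DMARC policies in DNS TXT records.
# All records below are constructed samples for example.com.

def audit_spf(record):
    """Return findings for one SPF record (empty list = no issues found)."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    # 'all' matches every sender, so the first one decides the default result.
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy is delegated to another record
        return ["no 'all' term: unlisted senders get a neutral result"]
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
    return {
        "+": ["'+all' authorizes every sender on the internet"],
        "?": ["'?all' is neutral: unlisted senders are not rejected"],
        "~": ["'~all' only soft-fails unlisted senders"],
        "-": [],
    }[qualifier]

def audit_dmarc(record):
    """Return findings for one DMARC record published at _dmarc.<domain>."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return ["not a DMARC record"]
    tags = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in tags.items()}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: no enforcement for failing mail")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy covers only part of the mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports to spot spoofing")
    return findings

SAMPLES = {  # constructed records: weak setting beside the corrected one
    "weak": ("v=spf1 include:_spf.example.com ?all", "v=DMARC1; p=none"),
    "hardened": ("v=spf1 include:_spf.example.com -all",
                 "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"),
}

if __name__ == "__main__":
    for name, (spf, dmarc) in SAMPLES.items():
        print(name, audit_spf(spf) + audit_dmarc(dmarc))
```

In practice the record strings would come from a DNS TXT lookup of the domain and of `_dmarc.<domain>`.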

Next, had the company employed Microsoft 365 Security Best Practices, this story could have ended differently. In fact, it could have been easily prevented. Multi-factor authentication (MFA) could have blocked unauthorized access to the CFO’s email account, even if the attackers had his real password.

Perhaps the most significant oversight was the lack of security awareness training. Sure, it was day 3, but had the CFO been trained not to click on links in emails, never to give up his password, and how to recognize and report suspicious activity, the breach would never have occurred.

 

Case 2: Head of HR Heather falls victim to ransomware

CEOs everywhere lose sleep over the thought of a ransomware attack, where the victim’s data is held hostage until a ransom is paid. In this case, it all started when the organization posted a job advertisement on Indeed.

After seeing the job posting, the attacker researched the company and found the email address “careers@hxxxxxxxpany.com”. Next, instead of applying on Indeed, the attacker emailed their “resume” as a Word document to the company’s HR department. The fake resume contained malicious code that exploited a recent Microsoft Word macro vulnerability, which allowed the ransomware to execute when the document was opened.

When the head of HR, Heather, opened the file, it initiated a Remote Access Trojan (RAT) malware program that gave the hacker access to her computer. The RAT exploited the company’s inadequate permissions and network management, which allowed the attacker to infect the entire network. 

Due to poor disaster recovery preparation, the business was unable to restore the ransomed data through backups, and after 48 hours was forced to pay $70,000 to the criminals — still a cut below the average cost of a ransomware attack, which stands at $84,116 according to a report from Coveware.


The takeaway

The cost of ransomware goes well beyond the ransom fee, as the business will also suffer downtime and reputational damage. In this case, again, a lack of security training played a significant role in the incident. 

Had Heather been instructed to only accept resumes submitted directly through Indeed, it’s unlikely the attacker would have ever gained access to the organization’s systems in the first place. Additionally, staff should have been warned not to open documents that ask them to enable macros. Email Security tools that scan attachments, or better document intake procedures, could also have prevented the attack.
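A document intake procedure of the kind described above can be backed by a simple structural check that sorts Office attachments by macro risk before anyone opens them. This is an added example, not code from the original article; the function names, verdict labels and sample files are assumptions constructed for illustration.

```python
import io
import zipfile

# Added example: intake check that sorts Office attachments by macro risk.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt container

def classify_attachment(data):
    """Return (verdict, reason) for raw attachment bytes."""
    if data.startswith(OLE_MAGIC):
        # Binary Office formats can embed macros; parsing them needs a real scanner.
        return ("quarantine", "legacy OLE Office file, macro content unknown")
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return ("quarantine", "not a recognised Office container")
    content_types = b""
    has_vba = False
    try:
        with zipfile.ZipFile(buf) as archive:
            for info in archive.infolist():
                name = info.filename.lower()
                if name.endswith("vbaproject.bin"):
                    has_vba = True  # compiled VBA project = macros present
                elif name == "[content_types].xml":
                    content_types = archive.read(info)
    except zipfile.BadZipFile:
        return ("quarantine", "corrupt zip container")
    if not content_types:
        return ("quarantine", "zip archive without OOXML content types")
    if has_vba or b"macroenabled" in content_types.lower():
        return ("block", "macro-enabled Office document")
    return ("allow", "OOXML document with no VBA project")

def build_sample(with_macro):
    """Constructed sample: a minimal OOXML-shaped zip, not a real resume."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    for label, data in [("plain", build_sample(False)),
                        ("macro", build_sample(True)),
                        ("legacy", OLE_MAGIC + b"\x00" * 16)]:
        print(label, classify_attachment(data))
```

The check looks at container structure only, so it complements attachment scanning and endpoint protection rather than replacing them.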

As with most successful cybersecurity events, the attacker relied on a chain reaction of mishaps. Beyond the front-line human error mentioned above, if the company had been keeping its Microsoft Office programs up to date, it would have minimized vulnerabilities in its software. Additionally, better access and network permission controls could have stopped the attacker in their tracks, while network isolation would have controlled the spread.

On top of this, threat-hunting software could have detected and contained the breach before it got out of control, and endpoint protection software might have been able to block the ransomware payload before it executed.

Finally, a thorough incident response and disaster recovery plan could have minimized the damage by allowing the business to restore its data efficiently from backups, thereby reducing downtime and possibly negating the need to pay the ransom.

It is important to note that ransomware attacks don’t necessarily stop with paying the ransom. A cybercriminal may go on to sell your data or leave backdoors in the network for future criminal activity. For this reason, it is essential to remain vigilant long after the initial attack has taken place.

Case 3: Medical Biller Steve receives an SMS text

This case of fraud took the form of “smishing” or SMS-based phishing. This is where the attacker poses as a trusted entity and communicates directly through texting. It is well known that people tend to be less vigilant toward text messages than emails, explaining why smishing is on the rise. Just like phishing emails, this type of social engineering attack aims to trick the victim into downloading malware or revealing private information through a fraudulent link.


After receiving an SMS “fraud alert” from what appeared to be his bank, Steve responded and used his work computer to connect to the fraudulent website provided in the text. Via a chat dialog, the bad actor then stated they would need to scan Steve’s computer before they could remove the fraud alert. Steve allowed the bad actor to complete the scan, providing them with access to his personal bank account, as well as his company computer.

Luckily, in this case, the employee was able to halt the bank transfer initiated by the attackers, and no further breaches or exploitations were discovered in the resulting investigation. It was verified that the compromise was isolated to just one computer, which had to be wiped. 

The takeaway

Successful attacks play on human vulnerabilities, which is why it’s so important for employees to be trained to identify and respond to these attempts. In fact, the most prudent approach is to implement monthly phishing/smishing tests and frequent security training. Actively managing the security training so the content is fresh, effective, and relevant to current events is important.

This case could have been much worse if the attackers had gained access to the company network through the compromised device, but luckily for Steve, their only objective was to obtain a bank transfer and not to infect the network with ransomware.

 

Does your business need help with cybersecurity?

As these three cases show, multiple things need to go wrong for an attack to be successful. Cybercriminals rely on poorly defended networks and human error. In order to protect your business, your security needs to be layered and your staff need to be trained.

Cybersecurity costs are minor in comparison to the cost of cybersecurity breaches, which typically go well beyond the financial to include reputational damage and compliance failures. 

If you feel your business is vulnerable and you need help with your cybersecurity, backups, or employee security awareness training, Umbrella has you covered. Get in touch with us today to find out how we can protect your business from cybercrime.
