By now, most small business owners and employees are aware of scam emails from unknown parties designed to steal logins, passwords and other sensitive data. But what about an email that appears to be from a known sender?
“Social engineered emails are designed to specifically look like they are coming from a trusted source,” says Anne O’Neill, senior director, Symantec SMB and .Cloud. “It looks very credible to the recipient, but it could be coming from a hacked account or an account mocked up to look like a trusted source.”
For instance, a small business owner or employee may get an email that appears to be sent directly from the company’s smart printer or scanner, asking the recipient to click on a link or open an attachment. In the case of the link, the employee could end up on what they think is a legitimate website and enter sensitive data there. Opening the attachment could unwittingly install a virus on the network that is designed to capture data. Other social-engineered emails falsely appear to be from a colleague and get the recipient to hand over sensitive information, thinking it is safe to share.
“There’s been a big upswing in email-borne malware, especially socially-engineered attacks,” says O’Neill. “It shows that there’s an increasingly savvy way in which emails are presented that could carry malware.”
Often, social engineered email attacks are targeted at a particular individual within a company. And the assumption that targeted attacks are focused only on large companies is false, said O’Neill; small businesses are also susceptible.
According to Symantec, of all the companies that received at least one targeted attack since 2010, more than half were small-to-medium-sized businesses with fewer than 500 employees. On top of that, the percentage of employees who received a targeted Trojan during 2010 was much higher in the small-to-medium-sized business sector than at big companies.
The idea of fake emails coming from trusted sources is sure to worry owners of businesses of all sizes, but O’Neill said there are some steps a business can take to protect its data.
Her first suggestion is to educate employees on the risks out there and to have them use common sense when they receive an email with an attachment or a link.
“[They need to know] if the email looks strange or isn’t familiar, don’t click on the link,” advised O’Neill. She also added that if the content of the email seems out of character for the sender, think twice before opening the attachment. “The whole goal of these social engineered threats is to trick, that’s why there has to be awareness.”
Another way to check an attachment is to hover over it with the mouse: the file name will appear, and if it is unfamiliar, don’t open it.
On top of educating employees, O’Neill said companies need to have a security system in place, whether it’s software installed on the network or a cloud-based application with monthly fees. And it’s not enough to have the security software—it needs to be updated on a regular basis.