When you think of spam, you might typically associate it with junk emails going into your personal inbox. Unfortunately, spam can also be used to infect organizations with malware designed to cripple networks or pilfer valuable data. If you run a small to midsize business (SMB) or manage an IT team, it's crucial you understand the ways in which spam can be used to threaten your company. It's also imperative that you be on the lookout for spam so you can deflect attacks. You should also enlist your employees to help you defend against spam by telling them what they need to look out for when they open their inboxes.
Continue Reading Below
In this article, I'll explain the business ramifications of spam. I'll tell you what spammers are doing to try to get into your network right now, and what your employees should avoid before and after opening new email messages.
1. Business Email Compromise (BEC) Attacks There are a broad set of business-targeted spam messages that range in severity, said Tom Landesman, Security Researcher at Cloudmark, a company focused on providing threat protection software to businesses. Probably the most noticeable and annoying attacks are unsolicited advertisements for business services (such as custom search engine optimization or SEO), email blasts, or budget travel services. These attacks waste time and clog your company's inboxes, but they won't cripple your business the way other, more severe attacks will.
One example of a severely dangerous attack is a business email compromise (BEC) attack, which "targets a business with highly tailored scam messages intended to maliciously extract something from the victim business," said Landesman via email. These emails typically impersonate the company's CEO and are directed at a finance team member. "The message will urgently ask for a wire transfer to be made to a foreign business that the company is supposedly doing business with," said Landesman. From late 2013-2015, more than 7,000 of these attacks occurred in the US, totaling losses exceeding $740 million, according to FBI data.
Landesman said a new form of BEC attack has emerged this year in which attackers trick businesses into sending W-2 tax records associated with the company's employees. Scammers use the W-2 information to steal social security numbers for identity fraud and to file the victim's tax return in order to steal any possible returns. Cloudmark witnessed roughly 60 businesses fall victim to this scam this year.
2. Ransomware It's not only the email itself that can cause trouble. The documents attached to these emails can be embedded with malicious content that infiltrates a computer or a network and threatens to shut down an entire system unless a ransom is paid.
"Criminals have continued to evolve the ongoing macro-enabled document attack vector over the past few weeks," said Landesman. "Cloudmark observed two new file extensions used to deliver booby-trapped office documents: .dot and .dotm, also known as Microsoft Word templates. Word templates have the ability to enable embedded macro content, which the criminals have briefly experimented with using in May to deliver payloads including Cerber ransomware and Dridex."
Cerber ransomware, when installed, typically demands a ransom payment to decrypt the infected file. If the ransom is not paid within a certain amount of time, the file will continue to be encrypted and the ransom amount will double. Cerber attacks can infect most common file types such as image or text files. Dridex is typically seen in the banking sector and most commonly infects Microsoft Office documents. Dridex attacks steal credentials and personal information on whatever system has opened the Office document.
3. What You Can DoOnce malware or ransomware has infiltrated your system, you'll want to enlist the help of an endpoint security system to help you undo some of the damage. If you're hoping to be more proactive, working with anti-spam companies such as Bitdefender, Cloudmark, Kaspersky, and Symantec is a great start.
But you'll also want to enlist the help of your employees as they will be on your front line of the war against spam. Here are six things you'll want to tell them to do:
- Never use work email to register for forums or message boards: Doing this will make your work email public, and you'll have no idea who has access to it or what they'll do with it.
- Report emails that have no Reply button: This is a common characteristic of a spam email. These emails tend to look harmless, and you don't often look for a Reply button, especially if you don't intend to converse with the sender, so they often go unnoticed.
- Don't use work emails for e-commerce: Unless you know exactly what the company to whom you're giving your information will do with your email address, you shouldn't use an account associated with work for shopping.
- Do not unsubscribe from spam: Your employees may think they're doing the company a service by clicking on the Unsubscribe button in unwanted emails. However, if the email contains any form of malware or ransomware, it's likely the Unsubscribe button will deliver the death blow.
- The same goes for attachments: If someone sends an all-business email but you don't recognize the name of the sender, check with your manager before opening the attachment. Hackers are smart enough to disguise attacks as generically worded messages such as, "Please look this over and get back to me by end of day," and then loading the accompanying attachment with a virus.
- If it's too good to be true, don't look: This is a no-brainer and everyone should know this from personal spam experiences. But if the subject of an email is so enthralling that you can't resist opening the email, you're probably about to get spammed.
If you follow these steps and enlist the help of partners, you'll probably be safe from spammers. But it's important that you keep a close eye on the news to help you stay aware of innovative ways hackers are targeting companies like yours. The battle never ends.