Online scammers are forever trying to trick not only unsuspecting users, but also company employees. Sure, it is usually far harder to dupe a business than a retiree is, but the potential rate of return is far higher in the former case. Therefore, attempts to get SMBs to swallow the bait continue unabated.

Numerous techniques exist, but because scammers are generally a lazy bunch, most cases involve variations on tried-and-true themes. Here are the most common schemes in use.

Types of bait

It is important for cybercriminals that you not only read their messages, but also react to them: click on a link, open an attachment, pay a bill. To get you to do that, they need to grab your attention.

A notice from the tax service

You receive an e-mail stating that you have not paid a tax in full, and now interest have been added to the bill. If you want to appeal, you’ll have to download, fill out, and submit the attached form. The form contains a macro, though, and as soon as you enable it (most users automatically click “I agree” in pop-up windows), it immediately downloads and runs malware.

Many businesses fear the tax authorities, but it’s important to look fear in the eye — or at least at some of its e-mails so that you can spot the differences between real and fake ones. It’s worth knowing whether your local tax office tends to send e-mails or call people up.

Notifications about pending payments

Paid all your taxes and settled with all contractors? Well done, but you still might get a message saying a payment failed to go through. After that, anything goes — from a request to pay a supposedly reissued invoice to a prompt to go to some strange site.

Antivirus can block a suspicious link, but only your common sense can stop you from paying the same bill twice.

Proposal from a mysterious contractor

Sales e-mails are usually sent out randomly in the hope that at least some of them will hit a good target. Scam e-mails that look like mass sales e-mails — but including malicious attachments meant to look like product or service details — do the same.

Security service notification

This scam operates mainly on companies with offices in different locations. Regional office employees often have a fuzzy idea of what HQ staff look like and do. On receiving an e-mail from the important-sounding “chief security officer” instructing them to install a security certificate, many will comply without noticing that the message came from a bogus address. Install the certificate and they have you completely.

Consequences of being hooked

Phishing is conceptually simple — its purpose is to steal your credentials — but e-mail malware comes in different flavors. The most common types are those in the following list.

A RAT in the computer

Cybercriminals are particularly fond of remote access tools (RATs), which enable attackers to get into the corporate network, where they can wreak havoc. For example, using a RAT can enable an outsider to install additional malware, steal important documents, locate the finance manager’s computer, and intercept payment system access data — and then transfer money to their account.

Ransomware

Ransomware encrypts files so that they cannot be used. That means not being able to refer to your important documents anymore, or even show a presentation. Some types of ransomware spread over a local network, penetrating one computer initially but encrypting data on every machine the Trojan reaches. To restore the files, the attackers demand a ransom (hence the name). For example, not so long ago, municipal computers in Baltimore, Maryland, got hit by ransomware that took some services completely out of action. The attackers demanded more than $100,000 to restore everything.

Spyware

Cybercriminals also like using spyware Trojans — malware that collects maximum information — to infiltrate companies. The spyware sits quietly on computers, logging usernames, passwords, and addresses, and harvesting messages and file attachments. For tech companies, the main danger here is that expertise or plans might leak to competitors, whereas for other businesses, the main threat from spyware is that the attackers might get inside the financial system and steal money. It can happen to large organizations too — for example, the Central Bank of Bangladesh got hit to the tune of $81 million.

How to avoid common SMB scams

Follow these general safety tips to stay out of scammers’ SMB traps:

  • Be vigilant;
  • Know the laws of the jurisdiction in which you operate and understand how the government and regulators work;
  • Be aware of which file types are more likely to be dangerous than others;
  • Install an antivirus solution, preferably one with protection against spam and phishing, on all work devices.

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Send us your press releases to pressrelease.zawya@refinitiv.com

© Press Release 2020

Disclaimer: The contents of this press release was provided from an external third party provider. This website is not responsible for, and does not control, such external content. This content is provided on an “as is” and “as available” basis and has not been edited in any way. Neither this website nor our affiliates guarantee the accuracy of or endorse the views or opinions expressed in this press release.

The press release is provided for informational purposes only. The content does not provide tax, legal or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither this website nor our affiliates shall be liable for any errors or inaccuracies in the content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the information within this article is at your sole risk.

To the fullest extent permitted by applicable law, this website, its parent company, its subsidiaries, its affiliates and the respective shareholders, directors, officers, employees, agents, advertisers, content providers and licensors will not be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, including without limitation, lost profits, lost savings and lost revenues, whether in negligence, tort, contract or any other theory of liability, even if the parties have been advised of the possibility or could have foreseen any such damages.