How scammers hook SMBs

Common attack schemes targeting SMB employees.

Online scammers are forever trying to trick not only unsuspecting users, but also company employees. Sure, it’s usually far harder to dupe a business than a retiree, but the potential rate of return is far higher in the former case. Therefore, attempts to get SMBs to swallow the bait continue unabated.

Numerous techniques exist, but because scammers are generally a lazy bunch, most cases involve variations on tried-and-true themes. Here are the most common schemes in use.

Types of bait

It’s important for cybercriminals that you not only read their messages, but also react to them: click on a link, open an attachment, pay a bill. To get you to do that, they need to grab your attention.

A notice from the tax service

You receive an e-mail stating that you have not paid a tax in full, and now interest has been added to the bill. If you want to appeal, you’ll have to download, fill out, and submit the attached form. The form contains a macro, though, and as soon as you enable it (most users automatically click “I agree” in pop-up windows), it immediately downloads and runs malware.

Many businesses fear the tax authorities, but it’s important to look fear in the eye — or at least at some of its e-mails so that you can spot the differences between real and fake ones. It’s worth knowing whether your local tax office tends to send e-mails or call people up.

Notifications about pending payments

Paid all your taxes and settled with all contractors? Well done, but you still might get a message saying a payment failed to go through. After that, anything goes — from a request to pay a supposedly reissued invoice to a prompt to go to some strange site.

Antivirus can block a suspicious link, but only your common sense can stop you from paying the same bill twice.

Proposal from a mysterious contractor

Mass sales e-mails are usually sent out fairly randomly in the hope that at least some of them will hit a good target. Scam e-mails that look like mass sales e-mails — but including malicious attachments meant to look like product or service details — do the same.

Security service notification

This scam operates mainly on companies with offices in different locations. Regional office employees often have a fuzzy idea of what HQ staff look like and do. On receiving an e-mail from the important-sounding “chief security officer” instructing them to install a security certificate, many will comply without noticing that the message came from a bogus address. Install the certificate and they’ve got you hook, line, and sinker.

Consequences of getting hooked

Phishing is conceptually simple — its purpose is to steal your credentials — but e-mail malware comes in different flavors. The most common types are those in the following list.

A RAT in the computer

Cybercriminals are particularly fond of remote access tools (RATs), which enable attackers to get into the corporate network, where they can wreak havoc. For example, using a RAT can enable an outsider to install additional malware, steal important documents, locate the finance manager’s computer, and intercept payment system access data — and then transfer money to their account.

Ransomware

Ransomware encrypts files so that they cannot be used. That means not being able to refer to your important documents anymore, or even show a presentation. Some types of ransomware spread over a local network, penetrating one computer initially but encrypting data on every machine the Trojan reaches. To restore the files, the attackers demand a ransom (hence the name). For example, not so long ago, municipal computers in Baltimore, Maryland, got hit by ransomware that took some services completely out of action. The attackers demanded more than $100,000 to restore everything.

Spyware

Cybercriminals also like using spyware Trojans — malware that collects maximum information — to infiltrate companies. The spyware sits quietly on computers, logging usernames, passwords, and addresses, and harvesting messages and file attachments. For tech companies, the main danger here is that know-how or plans might leak to competitors, whereas for other businesses, the main threat from spyware is that the attackers might get inside the financial system and steal money. It can happen to large organizations too — for example, the Central Bank of Bangladesh got hit to the tune of $81 million.

How to avoid common SMB scams

Follow these general safety tips to stay out of scammers’ SMB traps:

Tips