Your Business Has Been Phished – Now What?

Small businesses are huge targets for hackers today, and they unfortunately hit their mark far too often. The good news is that even hackers who have wormed their way in still need time to figure out what to do next. If you can react faster than they can, you can save yourself a lot of hassle. Here are eight steps you can take to limit the potential damage. 

1. Change ALL Passwords 

This is an easy step that you can take at any hour of the day. Ideally, you should be changing all of your passwords, regardless of whether it’s a business or a personal account. If you don’t have access to all of the information, contact those who do and make the change a priority. If you want a handy way to keep track of the passwords, try a manager like 1Password. You can store anything from passwords to sensitive information in a virtual vault that’s guarded by a master password.

2. Set Up 2 Factor Authentication (2FA) or Multi-Factor Authentication (MFA)

Sometimes a single password just isn’t enough to guarantee data protection. 2FA/MFA is an effective way to cut down on fraud by ensuring that log-ins require more than one piece of information. So maybe for an email account, you not only type in a password, but you also have to input a random code that’s texted to your phone. You can also use App Password to give a device permission to access an Office 365 or Outlook account (as some apps don’t support 2FA or MFA).
But 2FA or MFA isn’t just preventative. While you many not react in time to prevent an initial download from starting, by enabling 2FA or MFA, you can prevent future logins and sometimes even kick the user off the system once it is enabled. Furthermore, by enabling 2FA/MFA on other accounts, you can prevent the loss of additional accounts.

3. Audit Your Admin Accounts 

Users with access to an admin account can add new users, change forwarding rules, see activity on other accounts and force login resets, among other similar powers. As a general rule, you should review your admin accounts periodically and make sure you really want the people with admin accounts to have that kind of authority. But, whether or not you have reviewed them in the past, after being phished, you will need to review them.
One of the things that a criminal can do after phishing the credentials for an admin account is create a new admin account. Now, even if you reset your password to the original account, the criminal can use the new account to gain more access into other users’ accounts. They can also change the forwarding rules, so that they are copied on all emails going forward. In this way, they can continue to spy on your business after you’ve changed all your login credentials.
For these reasons, it is imperative that you monitor the admin accounts continually after a phishing event. Unused accounts should be cleaned up, forwarding rules reviewed, and configurations verified. This is where an expert account admin may be able to help identify all the possible settings that should be verified.

4. Shut Down Account Access from Outside the US

While there are plenty of hackers and criminals inside the US, there are also countries that are known for being hubs of illegal activities. If your business only has US-based employees, you can at least reduce the number of criminals who can reach your accounts by disabling access from outside the US.
This approach won’t work for all businesses, and it won’t stop criminals that are based in the US, or who are sophisticated enough to spoof their location. But, it’s an additional hurdle that you can put up to limit the number of criminals that can reach your systems.

5. Block Any Emails from Outside the US 

Hackers have become increasingly more sophisticated with email communications, using everything from executive names to project information to craft subject lines and attachments that are nearly indistinguishable from the real thing.

If your company’s already been phished, hackers will have that much more information to work with. If your company only does business within the US, blocking foreign emails can go a long way toward keeping you and your employees away from further scams. Please note that there are ways to spoof location though, meaning some foreign criminals may still be able to send emails. 

6. Set Up Sender Policy Framework (SPF) or Domain Keys Identified Mail (SKIM) Records

SPF and DKIM records were both designed to authenticate any emails sent to your company. There are some differences between the two security tactics, but the main purpose is to confirm the validity of the sender and the information contained in the email. These records are not perfect, but they can reduce your odds of falling further into the scam. This is especially recommended if there’s no way to restrict access from foreign countries. 

7. Contact Customers 

No business owner wants to tell a customer that their information has been compromised, but you risk even more damage to your reputation if you keep quiet. It’s important to start a dialogue with customers here. Be open about what happened, and give them actionable tips on what they can do to protect themselves. For example, deleting any communications from the company if they come from your Facebook account. This can keep customers from sending financial or personal information to the wrong people. 

8. Check Your Server

If you have an on-site email server, you should be doing a security audit on the network. You can use an intrusion detection system to monitor for any malicious activity or violations. You can also perform full audits on any software you use for different workstations. Now is a good time to clear out any old files and update access settings for each program. Small businesses don’t always adjust their settings after people leave the company, and this kind of neglect can leave big openings for sophisticated hackers. 

Steps to Prevent Future Phishing

You can’t eliminate your odds of being phished, but you can reduce them significantly. Here are a few steps you can take to get it done:

1. Domain Name System (DNS) Protection 

The domain name system is compared to a traditional phone-book system and gives people the means to type in memorable domain names (e.g., Google.com) instead of a numerical address. DNS protection is a way to stop hackers in their tracks by preventing them from reaching your pages. 

If the threat of a DDOS or malware attack is detected at the DNS level, it essentially means that the odds of it affecting your business are slim to none. This type of security takes place in the cloud, and produces a nearly instantaneous response. Those who might phish you are rerouted to a block page and there is no practically no exchange of information between your network and theirs. 

2. SPAM Filter 

No one is immune from clicking on the wrong link or email. It’s just a fact of life that humans are not always going to have their guards up 24/7. A SPAM filter won’t be able to detect all phishing techniques, especially considering they’re rejiggered every year specifically to get around these filters, but it can provide a much-needed extra layer. When it comes to both physical and virtual security, you’re usually better off with more barriers than less. 

3. Cybersecurity Awareness Training 

The goal of employee training is to turn your staff into the first line of defense. Phishers rely on employees to make idle decisions and allowing their curiosity to get the better of them. The problem is that their understandable mistakes open your business up to real danger.

Your employees don’t need to be told that cybercrime is a threat. Training is more about calling attention to hacker tactics and providing actionable tips that employees can implement on a regular basis. 

4. Rethink Your Communication Protocol 

For major accounting or business management decisions, you might not want to use email as the only channel of communication. Hackers know that a lot of sensitive data passes back and forth, and they’ll use this to their advantage. So if you’re making adjustments to your payment destination, you might want to insist on both written and verbal confirmation of any changes.

Southeastern Technical Consulting knows that being phished is distressing, even under the best of circumstances. However, there are ways to get past the cleanup so you can move on with your life. Rest assured, we’ve worked with plenty of companies that have gone through this and survived it. We’re here to help walk you through every step of the process, whether it’s a standard audit or implementing SPF records.

Shane Lewis

Shane Lewis is founder/owner of Southeastern Technical. He is passionate about providing excellent IT service to small and medium organizations, and helping businesses develop and grow.

About Southeastern Technical

We help leaders discover how they can have stable, reliable information technology (IT), so their organizations can experience fewer IT problems and security threats.

Categories

Recent posts

solutions for real-world problems

We’ll send technology tips to help you resolve existing problems, information about underlying problems in your IT environment and how to solve them, and how to reduce digital security risk for your business.

Stay Connected

Facebook Twitter Linkedin