Very Small Business Cybercrime Protection Sheet

When cybercrime makes the news, it is typically because a large organization has fallen victim to an attack. However, contrary to what many may think, very small organizations are just as enticing to criminals as large ones, and, in certain ways, maybe even more so. Threat actors have the “we’ll take anything we can get” philosophy when it comes to cybercrime. These incidents can and have put small companies out of business. Therefore, it is crucial that even very small businesses (10 employees or less) should take precautions to avoid becoming a target. Large organizations have large resources, which means they can afford Information Security professionals and cutting-edge technology to defend themselves. Very small businesses on the other hand have very limited resources and cannot rely on a trained staff. That is why we wrote this section.

If you own or manage a very small business, we offer the following recommendations or best practices. We suggest you print out or tear out this section and refer to it when a concern appears.

What are the most common threats facing my business

The number one action type in our dataset for very small businesses are ransomware attacks. Ransomware is a type of malicious software that encrypts your data so that you cannot view or utilize it, and once the ransomware is triggered the threat actor demands a (frequently large) payment to unencrypt it. This is where having those offline²⁸ backups come in handy.

The second most common is the Use of stolen credentials. Attackers can get your credentials (username and password) via many different methods. Brute force attacks (where attackers use automation to try numerous combinations of letters, symbols and numbers to guess your credentials), various types of malware (thus the value of having an up-to-date Antivirus), reused passwords from another site that has been hacked and last but not least, social attacks such as Phishing and Pretexting.²⁹ 

You may have heard the term “Business Email Compromise” in news articles.  They typically involve Phishing and/or Pretexting, and can be quite convincing, (such as an invoice that looks like it comes from a known supplier but has a different payment account, or an email from a business partner saying they’re in a pinch and need a quick payment made on their behalf). While most come in through email, criminals have also employed the telephone to convince their target that this is a legitimate request. The criminal element often run their enterprise just like a legitimate business and may even take advantage of criminal call centers (yes, these exist) to help lend credence to their ploy.

Phishing is a type of social attack (usually via email) in which the attacker tries to fool you into doing something you should not, such as providing them with your user name and password or clicking on a malicious link. Examples include “click here to reset your password” or download an invoice, view the pdf attachment, verify your bank account number, etc. These attacks can be extremely realistic and are often very hard to identify. 

Pretexting is the human equivalent of Phishing. Typically, the threat actor attempts to create a dialog with the victim by impersonating a business partner, a bank employee, or a superior in your own organization in order to gain access to login information. The end game for Pretexting is usually the automated transfer of funds from your organization to the criminal’s bank account. 

How do I know I have become a victim?

Watch for anything strange or out of the ordinary. For example, you might see unexpected charges on your bank statement or phone bill. Keep an eye out for transactions on your credit card that you don’t recognize. You may receive comments from friends about emailed requests for them to buy a gift card. You may receive phone calls asking for your password or credit card number, or a request to change the account number or how you pay a regular vendor or client. All of these things are warning signs that something malicious might be happening. Think of your computer like a car–if it suddenly won’t start, runs slower or makes a weird noise, it’s time to have an expert take a look. Finally, with threats such as ransomware the threat actor will actually alert you that your data has been encrypted.

Who do I contact if I learn I have been a victim of cyber-crime?

• A large range of resources for many different situations is available through https://fightcybercrime.org/. This website provides information on where to go and what to do in the event of a cyber incident.
  
• Scam Spotter provides simple, easy-to-understand information about how to recognize common scams: https://scamspotter.org/
• If you are in the United States, your state’s Attorney General’s office website may have resources for you as well. 

Familiarize yourself with these resources, and draw up a plan for what steps you will take if you find your organization has become a victim. Plan this ahead of time instead of waiting until your company’s “hair” is on fire. Even if it is just a document that contains the contact information for all of your vendors and your bank’s fraud department, it is a place to start. Print it off and post it somewhere you can access it easily. Don’t just keep it on your computer—it might be unavailable as part of the attack.

Some planning on your part, along with a bit of educating the people most likely to encounter these kinds of attacks, can go a long way in helping to make your small company safer.

²⁸ If you’re unsure what “offline” means here, see “What to do to avoid becoming a target” below.

²⁹ If you’re note familiar with “phishing” or “pretexting” , it’s okay. Keep reading for the definitions.

³⁰ This adds an additional layer to just the username and password combination. It may be a code that is texted to your registered cell phone, the use of an authenticator app like Google or Microsoft Authenticator, or the use of a little device that you plug into a USB drive when prompted. If your vendors do not offer two-factor authentication (also called multi-factor authentication or MFA), start lobbying for them to accommodate it.

³¹ Not between people and not between applications or websites. A password keeper makes this easier.