Last year was the first year I taught the course Cyber Security for You and Your Clients at Scaling New Heights. I will be teaching an updated version of this course at Scaling New Heights this June in Atlanta. This article is a primer to the conference, looking at a very small portion of the course content in order to stir your interest and potential participation in the class and conference.
Spear-phishing Cyber Attacks
Believe it or not, even as a small business or individual, your computer, and the other smart devices you use, are subject to cyber-attack. One of the growing forms of threat, which began to really mushroom in 2016 is called spear-phishing.
You might be saying, “I’ve heard of ‘phishing’, but I don’t know what this ‘spear-phishing’ is all about.” The illustration below sums up the difference between phishing and spear-phishing.
While phishing is a broad form of cyber-attack using a technique to draw in as many ‘phish’ (computer users) as possible in hopes that one of them bites (takes the tainted bait), spear-phishing is a targeted cyber-attack using email spoofing that seeks to obtain illegal access in order to steal confidential data. It is very much ‘to the point’ delivery just the way a spear fisherman targets the fish they are after.
Spear-phishing attacks are not the work of random actors but more often the persistent efforts of criminal enterprises, or even foreign-sponsored hackers seeking trade secrets, infrastructure interference, military intelligence, financial gain, or even personal or political compromises.
Spear-phishing leverages social engineering techniques so as to appear to come from a person’s place of employment, an authority (like the IRS), a known associate (such as a co-worker or friend), a vendor with whom you do business (like Intuit), or even a customer.
As a result, even high-ranking targets within organizations, like top executives, can find themselves opening emails they thought were safe. That slip-up enables cyber-criminals to steal the data they need in order to attack their networks.
In addition to cyber security technology that focuses on email security, educating employees about spear-phishing scams, so that they are aware of the threats and expect that bogus emails may land in their inbox, is one of the best, if not the best, ways to fight spear-phishing.
The most common point of ‘invasion’ is not a hardware or software weakness in your network; it’s a human weakness, and all too often curiosity. Remember the old saying, “curiosity killed the cat?” The number one prevention element in these kinds of attacks is to ensure that all your people know “not to click on links, open attachments, or respond to mysterious email messages.”
- Through highly targeted data mining, an attacker gains key facts about a human target who has an important role in asset management or security for their company.
- The attacker then sends well-crafted email messages to trick the human target into clicking on a link which contains a malicious payload.
- The targeted person receives the fake email, follows its instructions, and either clicks on the link or opens the attachment containing the malicious payload.
It’s just that simple. So, take the time to ask yourself right now: what are the odds that ‘your’ Accounts Payable people would click on the green button of this email if it was sent to them by name at your business?
Once the payload is delivered there are any number of malicious results including, but not limited to:
- Initiation of ransomware that locks away (encrypts) files, restricts system access, or may even delete files if the ransom is not paid by the deadline.
- Infection by a virus which may take over certain computer resources, but may also use your computer to send emails containing copies of the virus to everyone on your own email list.
- Infection by a worm which immediately begins to replicate itself and may then destroy data or files on the infected computer. It seeks to also infect other computers on the same network.
- Infection by a Trojan which in some cases alters your operating system or operating parameters, produces mischievous pop-up messages (especially when browsing), or attaches itself to legitimate emails you send or data you exchange with other network users.
- Installation of a keylogger, typically with a rootkit, designed to capture information on your computer or information keyed into applications on your computer. For example, it could capture your login and password the next time you connect to your bank, store them, and, when the computer is idle, have the rootkit transmit the stolen information back to the attacker.
You need to ensure that you are ready for these forms of cyber-attack. Self-defense includes:
- Publishing a company-wide policy related to cyber-attacks.
- Prohibiting the sharing of internal company information that relates to personnel including organizational positions, personal information, telephone lists, individual emails, and similar information that may disclose sensitive positions.
- Implementing cyber awareness training for all personnel using company computers or with access to electronic information, or internet access while at work.
- Ensuring all personnel are aware that they are potential targets, and why cyber criminals might seek them out.
- Creating a specific response strategy for spear-phishing attacks.
- Utilizing security software that monitors the kinds of spam being sent to the company domain; you may not even be aware that you have already been targeted, because your security software has been catching the initial attacks.
- Seeking the assistance of Cyber Security Experts to assist you with these steps as well as other cyber awareness and security issues including a formal vulnerability assessment and response plan.
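The list above recommends security software that watches the mail arriving at the company domain. As an added illustration (this is not code from the article or the conference course), the Python script below applies the kind of checks such software performs to two constructed sample messages: a display name that claims the company domain while the real address is elsewhere, a lookalike sender domain, a Reply-To that redirects answers to a different domain, a macro-enabled attachment, and urgent wording paired with a link. The trusted domain `example-corp.com`, the keyword list and both messages are assumptions made up for the example.

```python
"""Flag common spear-phishing indicators in a message's headers and attachments.

Added example, not part of the original article. The trusted-domain list,
keyword list and the two sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com"}  # assumption: your own company domain(s)
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".hta", ".vbs", ".docm", ".xlsm")
URGENCY_WORDS = ("urgent", "immediately", "wire", "overdue", "verify your account")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between two domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> list[str]:
    """Return human-readable findings for one RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw)
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    for trusted in TRUSTED_DOMAINS:
        # 1. Display name mentions a trusted domain, but the real address is elsewhere.
        if trusted in name.lower() and from_dom != trusted:
            findings.append(f"display name claims {trusted} but sender is {from_dom}")
        # 2. Lookalike domain: only a character or two away from a trusted domain.
        if from_dom and from_dom != trusted and edit_distance(from_dom, trusted) <= 2:
            findings.append(f"sender domain {from_dom} looks like {trusted}")

    # 3. Replies silently redirected to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_dom}")

    # 4. Attachments with executable or macro-enabled extensions; collect plain-text body.
    body_text = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {fname}")
        elif part.get_content_type() == "text/plain":
            body_text.append(part.get_payload(decode=True).decode("utf-8", "replace"))

    # 5. Urgency language combined with a link to click.
    text = " ".join(body_text).lower()
    if re.search(r"https?://", text) and any(w in text for w in URGENCY_WORDS):
        findings.append("urgent wording together with a link")
    return findings


def build_sample(from_hdr, subject, body, reply_to=None, attachment=None) -> str:
    """Construct a sample message as a raw string (constructed test data, not real mail)."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "accounts.payable@example-corp.com"
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


# Constructed samples: one ordinary internal email, one carrying the indicators above.
LEGIT = build_sample('"Jane Doe" <jane.doe@example-corp.com>', "Q2 budget draft",
                     "Attached is the draft budget for review.\n", attachment="budget.pdf")
SUSPECT = build_sample('"Jane Doe example-corp.com" <jane.doe@examp1e-corp.com>',
                       "URGENT: overdue vendor invoice",
                       "Please wire payment immediately.\nDetails: http://pay.invalid/invoice\n",
                       reply_to="jane.doe.cfo@webmail.invalid", attachment="invoice.docm")

if __name__ == "__main__":
    for label, sample in (("legitimate", LEGIT), ("suspect", SUSPECT)):
        print(label, analyze(sample) or ["no indicators"])
```

Run as-is, the legitimate message produces no findings and the suspect one produces five. None of these checks proves an email is malicious on its own; the value of a monitoring tool is that it surfaces the combination so a person can stop and verify by another channel before clicking.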
Tame the Machines
This year’s theme at Scaling New Heights is ‘Tame the Machines’. While the theme may be centered around the big changes that are underway with artificial intelligence and the next level of automation, not to mention how those will impact our profession, the reality is that we all have to be concerned about our ability to ‘tame the machines’ when it comes to the cyber criminality that is growing by leaps and bounds.
This article centered on only one single threat among the dozen or more that are running rampant across the internet. While QuickBooks ProAdvisors typically are not trained as ‘cyber security experts’, they should have sufficient training and awareness to recognize the most common forms of threats and weaknesses within the various computer networks in which QuickBooks resides.
You may be dealing with your own or your client’s single computer, a small local area network, a wide-area network, or even the internet as the means of access to computers hosting QuickBooks or while using QuickBooks Online. ProAdvisors need to be ready to recognize threats and seek out the proper methods to prevent or mitigate them, because the machine you tame may be your own computer or smart device, which, as a result of a cyber-attack, is seeking to rob you of your most precious asset: ‘information’.