Spam campaigns continue to be a major problem for businesses across the globe, serving up a mixture of malware, phishing, identity theft, and more. With scammers spiking activity in February after what appeared to be a bit of an extended holiday, malware spam (malspam) attacks have returned in full force. Fax notifications, scanned images, resumes, and traffic tickets have all been successfully used as bait, often with password-protected documents and ZIP files in an attempt to defeat automated analysis.
Even as businesses shore up the technical side of things, malspam authors hope to exploit the supposed weak link in the security chain: the employee with no security training. A disaster of this nature poses a major risk both in public and behind the scenes. The two primary targets we see are finance and social media, and scammers hope to find a lethal combination of low or no security and poor staff training in order to pull off a successful attack.
The soft HR/Finance Underbelly
If an unwary employee in HR or finance receives a "late payment" or tax invoice missive, there is a good chance they won't stop and think before opening the infected file (usually via the password pasted into the email itself - another evasion tactic). If this happens on a network with no suitable protection in place, that organization is looking at downtime, data theft, and even a dose of ransomware for their troubles.
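A mail gateway can treat the pairing described above, an encrypted archive plus a password stated in the message body, as a signal in its own right. The following is an added example, not code from the original article; the keyword list, the sample message and the `triage` and `sample_message` names are assumptions made for illustration.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Words that commonly introduce a pasted archive password (assumed list).
PASSWORD_HINT = re.compile(r"\b(password|passcode|pwd)\b\s*(is|:)?\s*\S+", re.I)

def encrypted_members(data: bytes) -> list[str]:
    """Names of ZIP members with general-purpose flag bit 0 (encrypted) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
    except zipfile.BadZipFile:
        return []  # not a ZIP archive, nothing to report

def triage(raw: bytes) -> dict:
    """Flag mail that carries an encrypted ZIP and states a password in the body."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    locked = {}
    for part in msg.iter_attachments():
        names = encrypted_members(part.get_payload(decode=True) or b"")
        if names:
            locked[part.get_filename() or "(unnamed)"] = names
    hint = bool(PASSWORD_HINT.search(text))
    return {"encrypted": locked, "password_in_body": hint,
            "quarantine": bool(locked) and hint}

def sample_message(encrypted: bool) -> bytes:
    """Constructed test mail; the 'encrypted' ZIP only has its flag bits set."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", "constructed placeholder content")
    blob = bytearray(buf.getvalue())
    if encrypted:
        blob[6] |= 1                                # local header flags
        blob[blob.index(b"PK\x01\x02") + 8] |= 1    # central directory flags
    msg = EmailMessage()
    msg["Subject"] = "Late payment notice"
    msg["From"], msg["To"] = "billing@example.invalid", "finance@example.invalid"
    msg.set_content("Invoice attached. Password: 4821" if encrypted
                    else "Invoice attached.")
    msg.add_attachment(bytes(blob), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for flag in (True, False):
        print(triage(sample_message(flag)))
```

The check reads only the archive's directory, so it works without knowing the password; the same pattern applies to other container formats that expose an encryption flag.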
From banking Trojans and clickfraud to "pump and dump" stock campaigns, the playing field for these attacks is a large one and it's essential that a layered defense goes hand in hand with regular, thoughtful training sessions for those guarding the financial keys to the kingdom.
Give your HR and finance teams an insight into the world of fake tax invoices. Let your CFO know about the ever-present threat from CFO fraud spam, along with ways to spot a fake. If you don't have a "two factor" method for authenticating wire transfers, put one in place now, or risk losing hundreds of thousands of dollars, or even (in the worst examples) millions to a CFO scammer. Just one incident could not only cause endless column inches about how badly your company got it wrong, but conceivably put you out of business.
Even your social media accounts aren't free from spam worries; we often see fake accounts pretending to be real companies that insert themselves into customer support conversations on Twitter in an effort to send victims to phishing or malware pages. Typically, they do this when the official Twitter support account isn't being used, so by the time the staff log in the next day it's too late.
Companies may wish to divide social media duties between different time zones to combat this, and also backtrack on conversations to ensure scammers haven't worked themselves into the debate. If it's possible to verify the identity of your account on a particular service, this will definitely help to prove your credentials. It's essential to explain to the people responsible for these social media accounts what dangers lurk, or else they can't effectively safeguard the interests of your customers on a daily basis.
Spam is a multi-platform, multi-vector approach to network compromise, and we need to weigh up the risks on all fronts to be able to combat it successfully. Whether finance or front line social media support, the time is now to take action and shore up those defenses.