Cybercrime Alert: Intuit Warns Users About QuickBooks Scam
Business Email Compromise is an increasingly common cybercrime tactic today that doesn’t rely on technical vulnerabilities at all—it relies on you and your team. Is someone on your staff an ideal target for the new QuickBooks scam?
Intuit has issued a warning to QuickBooks users about a new Business Email Compromise scam that is making the rounds.
Cybercriminals are posing as Intuit and sending phishing emails to users claiming that their accounts have expired and need to be renewed. When the target pays the renewal fees, the money is sent directly to the criminal.
If you use QuickBooks, make sure that you and your team know how to deal with this type of scam. Should you have any questions or concerns, get in touch with Mathe right away.
What Should You Do If You Receive A Phishing Email?
Ideally, do not open or click on the email at all. Flag it as spam or dangerous content and inform your IT team.
However, if a user has already opened the attachment or clicked a link, they should follow these steps:
- Delete any downloaded files.
- Scan their computer and network with an anti-malware solution.
- Log out of all accounts and update their passwords.
- Get in touch with their IT team.
What Is Business Email Compromise?
Business Email Compromise is a social engineering technique used by cybercriminals in which they pose as a business or member of a business in order to execute fraudulent payments. In order to effectively defend against scams like this, you have to first understand how they are executed.
How Does Business Email Compromise Work?
In layman’s terms, a cybercriminal will write an email pretending to be from a known contact or organization (e.g. your bank), and request that a payment be processed—instead of sending the funds to a legitimate source, the payment will go to them.
Business Email Compromise can be carried out a number of ways:
- Phishing: Phishing emails are sent to large numbers of users simultaneously in an attempt to “fish” sensitive information by posing as reputable sources; often with legitimate-looking logos attached.
- Spear Phishing: This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users.
- Online Research: LinkedIn, Facebook and other venues provide a wealth of information about organizational personnel, as do their company websites. This can include their contact information, connections, friends, ongoing business deals and more.
In some cases, cybercriminals may only spoof an email address, and in others, they’ll directly breach the target’s account. Once a cybercriminal has gained access to a target’s email address, they can begin sending payment requests or simply redirect all invoices to a private folder for their perusal. Whether they’re redirecting incoming or outgoing funds, the end result is still the same —your business loses money.
Alternatively, cybercriminals can simply intercept an important financial document such as an invoice. They can either change the payment details or inform the recipient that the details have changed, substituting their own bank account for the business.
Who Are Common Targets For Business Email Compromise?
While the CEO is often a target, cyber criminals can do plenty of damage by going after other members of an organization. There are a number of key, high-value targets that make it worth the cybercriminal’s time to go after.
Whether it’s their authority or their access to confidential information, these groups are all at risk for Business Email Compromise:
- Financial Staff Members: While the finance department is especially vulnerable in organizations that regularly engage in large wire transfers, smaller businesses’ payroll data is also of high value to cybercriminals.
- Human Resources: Similar to finance, HR is a key target for the data they store on employees, including birthdates, medical data and more, all of which are of high value to cybercriminals.
- C-Level Executives: You don’t have to be the CEO to be a high-level target. CFOs have access to financial data, CTOs have access to login info, and everyone at this level has the authority to execute wire transfers and make large purchases.
- IT Management: The IT manager and IT personnel with authority over access controls, password management, and email accounts are also high-value targets.
How Can You Stop Business Email Compromise?
Know Your Targets
By noting the above listed key targets, you can examine the role they play in cyber security, and how their access and authority is being protected:
- Review social/public profiles for job duties/descriptions, hierarchical information, out of office detail, or any other sensitive corporate data.
- Identify any publicly available email addresses and lists of connections.
Defend Your Organization
Implementing the right range of cyber security solutions can help to protect common points of penetration for cybercriminals:
- Email filtering
- Multi-factor authentication
- Automated password and user ID policy enforcement
- Comprehensive access and password management
- Whitelist or blacklist external traffic
- Patch/update all IT and security systems
- Manage access and permission levels for all employees
- Review existing technical controls and take action to plug any gaps
Implement A Robust Security Policy
You need to dictate how members of the organization, top to bottom, contribute to your cyber security. Everyone with access to your IT environment should follow these best practices:
- Don’t open attachments or click on links from an unknown source.
- Don’t use USB drives on office computers.
- Follow a Password Management Policy (no reusing passwords, no Post-it Notes on screens as password reminders, etc.).
- Participate in mandatory security training.
- Learn to recognize phishing emails.
Plan Ahead To Mitigate Cyber-Risk
You need to develop a comprehensive cyber-incident response plan for your organization. Make sure to test it regularly, and update it to address any shortfalls. Make sure to implement your plan properly—it won’t work if your staff doesn’t know about it, and can’t participate in it:
- Executive leadership must be well informed about the current level of risk and its potential business impact.
- Management must know the volume of cyber incidents detected each week and of what type.
- A policy should be established as to thresholds and types of incidents that require reporting to management.
- Best practices and industry standards should be gathered up and used to review the existing cyber security program.
- Consider obtaining comprehensive cyber security insurance that covers various types of data breaches.
Test Against Phishing
Share these tips with your employees to ensure they know how to spot a phishing attempt:
- Genetic content: Cybercriminals will send a large batch of emails. Look for examples like “Dear valued customer.”
- “From” Email Address: The first part of the email address may be legitimate, but the last part might be off by a letter or may include a number in the usual domain.
- Urgency: “You’ve won! Click here to redeem a prize,” or “We have your browser history pay now or we are telling your boss.
- Check Links: Mouse over the link and see if the link’s destination matches where the email implies you will be taken.
- Misspellings, Incorrect Grammar, & Odd Phrasing: This might be a deliberate attempt to try and bypass spam filters.
- Don’t Click Attachments: Virus containing attachments might have an intriguing message encouraging you to open them such as “Here is the schedule I promised.”
Whether You’re An Easy Target Or Not Is Up To You
The bottom line is that everyone in your organization, top to bottom, is a potential target. Make sure everyone is following cyber security best practices and is protected.
If you need expert assistance defending against cybercriminals and training your staff to recognize social engineering scams, get in touch with Mathe.
With over 35 years in the business of supporting and implementing technology for the SME market, and 6 years previously in Corporate IT and Voice. I have seen a great deal of change. The only common thread is I have always focused on the Business Wise application of Technology. We always try to look 5 years ahead of the current technology to make sure our clients are on the right track to meet current and future needs.