Why Cybercriminals are Targeting SMBs

By Nancy Hannan, AVP, Security Awareness Program Manager

It’s an unfortunate reality that cyberattacks continue to rise in frequency and complexity. According to Accenture’s Ninth Annual Cost of Cybercrime global study, security breaches increased by 11 percent from 2017 to 2018 and by 67 percent over the last five years. While major data breaches at large organizations such as Equifax or Marriott often grab headlines, it’s a myth that hackers only go after large companies. In fact, cybercrime may have an even greater impact on small to medium-sized businesses (SMBs). A report from the U.S. National Cyber Security Alliance stated that 60 percent of SMBs fail in the months immediately following a cyberattack. The increased focus of cybercriminals on this segment means SMBs need to consider prioritizing cybersecurity and build up their defenses against cyberattacks.

SMBs are an Inviting Target for Cybercriminals

Limited IT infrastructure and resources often make SMBs inviting targets for cybercriminals. Additionally, many small business owners think their size means their businesses won’t be targeted. According to a 2019 Switchfast Technologies report, 51 percent of small business leaders do not view their business as vulnerable to cyberattacks. This leads many SMB owners to neglect their cybersecurity infrastructure. Experts say this leaves small and medium-sized businesses especially vulnerable to increasingly sophisticated cybercriminals. CPO magazine has noted that “The rise of inexpensive automated tools sold over the dark web…make[s] smaller companies attractive to a wider variety of criminals.”

Company Email: A Key Entry Point for Hackers

Employees of SMBs remain a key target for cybercriminals. Phishing – the practice of impersonating trusted organizations like vendors or financial institutions via email – is one common way that cybercriminals target SMBs. The goal of such attacks is to entice employees to click a link or open an attachment that directs them to a fraudulent website where criminals can obtain confidential information such as login credentials (users IDs and passwords), or infect users’ computers with malware.

Phishing emails are particularly effective because of the familiarity that users have with the purported source. Leading brands impersonated by phishers include Microsoft, Google, Facebook, Apple, PayPal, Adobe, Dropbox, and FedEx.

Cybercriminals also use email to take control of business accounts, a type of cyberattack known as corporate account takeover. Cybercriminals accomplish the account takeover through malicious email hyperlinks that lead employees to phony websites where they key in their login credentials. Fraudsters can then use the information to compromise an organization’s internal documents and processes, sensitive customer data or financials.

In a recent analysis of account-takeover attacks targeted at its customers, the email security provider Barracuda found that 29 percent of organizations had their Office 365 accounts compromised by hackers. Since people have a tendency to use the same password for multiple accounts, hackers can also use the stolen credentials to access other types of accounts.

Business Email Compromise (BEC) Attacks Target Information and Cash

Business Email Compromise (BEC) attacks are yet another way SMBs can be targeted by cybercriminals. In such attacks, cybercriminals steal the credentials of a key employee (like the owner or CEO) and then impersonate that person in an email to others in the company, requesting wire transfers or payment transactions on their behalf. In many cases, scammers focus their efforts on employees with access to company finances or payroll data and other personally identifiable information. The FBI's Internet Crime Complaint Center received 20,373 BEC/Email Account Compromise (EAC) complaints in 2018, with adjusted losses of over $1.2 billion.

It’s important to note that not all BEC attacks are launched by clicking a malicious link. In fact, Barracuda states that about 60 percent of BEC attacks do not involve a link. The attack is simply a plain text email intended to fool the recipient into committing a wire transfer or sending sensitive information. These plain text emails make it tough for existing email security systems to detect because they are often sent from legitimate email accounts, are tailored to each recipient, and do not contain any suspicious links.

Cybercriminals also use BEC attacks to target a business’s payroll system. Once they gain access to an employee’s login credentials, they attempt to change direct deposit information, and redirect payroll funds to an account they control.

Ransomware: Holding Data Hostage

Ransomware – a type of malware that prevents users from accessing their computer systems until they pay a ransom – can sometimes damage a small business irreparably. When Brookside ENT & Hearing Services, a small medical practice in Battle Creek, Michigan, was targeted by a ransomware attack earlier this year, the owners refused to pay a $6,500 ransom. Cyberattackers then deleted and overwrote the practice’s medical, billing, and appointment records. Unable to retrieve its patients’ records, the practice was eventually forced to close its doors, becoming the first healthcare provider in the U.S. to permanently close due to a ransomware attack.

Attacks like the one on Brookside ENT reinforce the reality that SMBs aren’t immune to ransomware attacks. Additionally, business costs from ransomware can add up quickly. According to the 2018 SentinelOne Global Ransom Report, the average estimated business cost of a ransomware attack is more than $900,000 when factoring ransom, work-loss, and time spent responding to the threat.

How SMBs can Protect Themselves Against Cybercrimes

With cybercriminals growing in sophistication, it’s imperative that small business leaders consider prioritizing cybersecurity. SMBs can begin by reviewing the following ideas:

1. Conduct a safety audit of your information technology to discover vulnerabilities and ensure that you have a backup system in place for your data.
2. Use multi-factor authentication. Requiring multiple methods for employees to log in to an account can help prevent account takeover. Additionally, limiting the number of login attempts is another way to help block cybercriminals who may be searching for the right password to access accounts.
3. Train employees and hold phishing simulations to verify the legitimacy of emails by checking a web address in a browser before entering credentials, and caution them not to click on email links.
4. Install automated password management software. With enterprise-level privileged access management (PAM) software, passwords can be changed, rotated, and expired on an automated schedule and better managed when an employee leaves the company.
5. Verify wire transfers via an in-person conversation or telephone call to eliminate the possibility of BEC attacks.

How to Prioritize Cybersecurity

Cybercrime is here to stay (Cisco/Cybersecurity Ventures predicts that cybercrime damages are anticipated to cost the world $6 trillion annually by 2021). With SMBs especially vulnerable, it’s key for business owners to stay abreast of new cybercrime trends and cybersecurity solutions, consider dedicating resources to cyberattack prevention and continue to educate staff about how they can help to prevent cyberattacks.