
How to Instantly Improve Your Email & Website Security

Are you still using Gmail to run your business? Or using an outdated WordPress site? Your website and email are both critical to the life of your business. That means it’s critical they are secure.

Transcription

DAVIN: Let’s rock and roll. Thank you for that warm introduction. Like Kindsey said, we’re going to jump right into it and talk about how you can improve your email and website security. But first, I’m going to start with a quick question.

Have you or someone you know experienced an email compromise? Before we get started talking about email compromises, a lot of people experience email compromises through public domains, public email providers like Gmail, Yahoo, things like that. Some quick facts – recently, this year, as of May 2022 actually, in Gmail, cyber attackers have been allowed, because of the security controls in the security on the spam filters of Gmail, to impersonate legitimate companies – all different kinds of companies – making the malicious emails that they’re sending seem authentic and making it a lot harder for users to pick out those hacks or those attacks.

We’re getting some answers coming in. But what is crazy about this is that because of Gmail’s filters, they’re allowing over 4.6 million emails to be sent out in a 24-hour span. So you’re probably seeing a lot of these malicious emails looking like authentic organizations, legitimate companies. Even us here at IronTech Security, we’ve been seeing the exact same thing.

I see that about 20% of people here today have experienced an email compromise. 60% showing that someone that they know has experienced an email compromise. We’re going to talk about a lot of the vulnerabilities regarding emails and the sources and how that happens and different ways that it happens. To start off, if you’re using public email such as Gmail, Yahoo, there’s been lots of cyber attacks and lots of compromises within those, and today we’re going to discuss how to make sure you don’t become one of those statistics or a victim to one of those cyber attacks regarding emails.

First, email vulnerabilities. You hear all types of different things regarding email compromises, but the main thing you may have heard is what is a BEC, or a business email compromise. Business email compromises are one of the leading cyber attacks happening at the moment just because of the ease and the pure conversions that they’re getting.

We’ll jump into numbers here in a little bit, but what a business email compromise is, is a type of email cyber attack or cyber crime in which a cyber attacker targets a business or a person or a specific employee from that organization and either compromises their email by having their password or login credentials or acting like a malicious user regarding another email, and then compromising that email from there.

Why is this such a big thing? Why have we been seeing an increase in business email compromises? Well, a couple years ago, a thing called COVID happened and allowed or actually forced a lot of us to work from home and rely on different forms of communication instead of face-to-face or meeting in the office. We had to rely on email. We had to rely on Zoom meetings, virtual meetings.

I ran across this story not too long ago, and it really blew my mind. One way that business email compromises are happening and cyber attacks are happening is by a cyber attacker acting like an employee or a CEO/CFO, a top executive, because they’ve been able to compromise that person’s email via their credentials. From there, they’ll request to have another employee or maybe someone in finances or something participate in a Zoom meeting or virtual meeting.

So they hop on the meeting; the employee thinks it is the CEO. When they hop on, instead of having the video working, there’s just a still picture. You see often people don’t want to have their video cameras on, so they just put a quick picture of them, and then it looks real. It looks authentic. From that, they may say their audio’s not working or deepfake the audio where it seems like it’s messing up, so they just have to chat via chat box or email. Then, of course, they instruct that employee to initiate a wire transfer or transfer funds of money that looks completely authentic. But because of the business email compromise, there’s no way for that employee to know exactly what’s going on.

So that’s one crazy example that’s happening every day that no one would think about, but lots of people are being affected by it.

When we talk about business email compromises, it comes down to about 5 types. We just talked about a CEO fraud. That was an extreme example regarding virtual meetings, but it happens all the time where a cyber attacker will position themselves as that CEO or that executive, and email possibly the finance department requesting funds to be transferred to an account that looks legitimate but is actually controlled by that cyber attacker.

We’re seeing account compromises, as I mentioned, where an employee’s email account has been compromised because of maybe loose passwords, or you may be reusing passwords. Very easy to obtain those passwords, especially on the Dark Web. We’ll talk a little bit about that throughout the webinar. If your passwords aren’t safe and secure and long, 15-20+ digit passwords, it’s very, very common to see email compromises because of that. Then they’re acting as that user of the email and requesting funds, requesting information from your employees, colleagues, family members, that looks legitimate but of course is being done by the cyber attacker.

We’re also seeing false invoice schemes. A cyber attacker can act as a supplier to an organization, requesting funds. Of course, it’s a fraudulent account, a fake account that’s controlled by that cyber attacker. The funds are transferred and there’s no way of getting it back.

Recently, I personally have seen attorney impersonations where you’ll get an email; it may look like it’s from a legitimate legal representative. Usually they target lower level employees, asking for information or even financial transactions where a lower level employee wouldn’t question that legal person or that attorney, or that cyber attacker acting as that attorney, because they have no reason to.

Another example and type of business email compromise is data theft. This often is focused towards HR employees. They are impersonating, once again, maybe someone higher up in the company, but their objective is to gain sensitive information on maybe another CEO, executive, or overall employees within that organization.

A specific example that actually happened to a client of ours regarding business email compromise – originally he used his AT&T email. It’s a public domain, a shared server. We’ll talk about that going forward. He relied on AT&T, and we advised him in the beginning to switch over to our private email hosting server. Of course, if he used us, he’d have a lot of security tools in place. What happened from him declining to use our safe, secure email hosting service – he ran into a situation where he had invoiced a client of his $14,000. Sent that to him via email.

But what he did not know was that he was currently going through a business email compromise, and the cyber attacker actually sent the same email to his client, same invoice and everything, but he simply changed the bank account information. From that, the client sent over the $14,000 to the wrong person, to the cyber attacker, and from there, our client was out $14 grand. It was a big ordeal. But from that he learned that he should’ve been on the private email server provided by us, safe and secure. He of course switched over to make sure this doesn’t happen again.

But all in all, if he simply wasn’t using that public server, if he wasn’t on Gmail, Yahoo, or AT&T, he wouldn’t have worried about that simple – it seems very simple – problem of business email compromise where now he’s out $14 grand. A $20 fix can avoid a $14,000 problem. And he was just a one-person law firm. So it happens every day, and it’s not a sniper attack. It happens to any and everyone.

Now, email vulnerabilities aren’t the only things that you have to worry about, but they’re also correlated to website vulnerabilities. Tom is going to talk about a couple of the most common website vulnerabilities and website threats that we’re seeing every day as an information security team, as information security specialists, but also what you’re seeing every day and dealing with every day.

TOM: Yeah. We talk a little bit about make sure you get your website professionally hosted, professionally managed, professionally protected by professionals. Infosec professionals. The reason for that is – there’s nothing special about a web server. It is a computer that has software on it. It’s got an operating system. It’s probably not Windows, and I would question anyone putting a website on a Windows server, but it’s what’s known as a LAMP – Linux, Apache, MySQL, and PHP. You don’t need to know what all that is, but it’s pieces of software, just like on your own computer.

The vast majority of websites used by everyone from the New York Times to us and your business are probably built on a WordPress platform. It’s just another piece of software that drives the whole website. They have to be patched. They have security updates. They can be penetrated. So you’ve got to stay up to date on all of those various things, just like you do on any other server, on your laptop, on your workstation, Windows, Mac, whatever. You’ve got to put these patches on there.

And it’s so easy for business owners to just say “Where can I get it the cheapest? I’m done with my website designer. I don’t need to do anything else.” And 3 to 5 years later when they realize that their site is getting out of date – and this doesn’t matter if you’re putting new blog posts on. I’m talking about the fundamental software components on a website. Their patches are getting older and older. There are plenty of vulnerabilities over all sorts of those different pieces of software, and the site gets breached.

And once a hacker gets into a website, they can deliver payloads to anyone visiting your site, and they don’t even know it. It doesn’t pop up, “Do you want to download this from this site?” Unless you’ve got some really good security, which is what I normally talk about, on your endpoint, your laptop or your desktop.

So websites have to be kept up. I think I saw a stat where it was an increase of 20% to 30% in the last year over website attacks, exploiting vulnerabilities on the websites.

Another thing you get with professionally managed websites is protection from DDoS attacks. It’s a denial of service. The ones that hit CNN are the ones everyone hears about, but I think we’ve been hit with a DDoS attack. But our site didn’t go down because it was being professionally managed. There is something called a CDN – yes, another acronym – but basically it’s a way to distribute your site, multiple, multiple copies, out on the internet, the World Wide Web, out on the cloud, and if one server goes down it doesn’t matter. It’s high availability.

But we were seeing an increase in distributed denial of service attacks. That’s where people intentionally crash your site. For the larger companies, they do it to hold them hostage and ransom and things. There’s a lot of different reasons why you want to do that. Hacktivists do that a lot, by the way. These activists have got a bone to pick with whoever – Greenpeace shutting down Exxon’s website, that kind of thing. But if you get it professionally managed, all of those things will be put in place.

And the best management of web hosting will automatically patch your WordPress. They’re going to take care of that server, but you know you have really good hosting if your WordPress components are getting patched as well. So don’t forget about that. This is something that – I think this is the first time where I’ve really gone in depth on this, Davin.

DAVIN: Yeah.

TOM: So don’t forget about your website.

DAVIN: It’s extremely important. This next visual that we have here actually shows the increase in the amount of people being affected. This might be a little too small, but I’ll go ahead and point out the extremely important pieces.

On the left, it’s the number of victims counted. It’s the bluish-gray. We’re talking about business email compromises, and you’ll see towards the middle, it says business email compromises, the number of victims is close to 20,000 people. And this is just recorded. This is the FBI internet crime report of 2021, to be exact. So it shows 20,000 people were a victim of business email compromise, that type of cyber attack.

But on the right, you’ll see the red box, and that shows the actual dollar amount lost from those affected victims. So business email compromise, 20,000 were affected with a total loss of over $2 billion in 2021.

TOM: Davin, what was the amount of dollars off of just one email on that attorney that had his email compromised?

DAVIN: $14,000.

TOM: Right. So what happened was the criminal intercepted that email and just changed the routing number and the bank account number. The criminal probably used the original email and manipulated it because he’s got full access to the email server. Just as the attorney did. He intercepted the invoice. It’s not a fake invoice. It’s just the account number and the routing number that was edited. And he pays it.

DAVIN: Unreal. He had no reason to question. It looked legitimate.

TOM: Right. Now, I would argue that that’s not his fault. And I think the attorney would probably agree because then he got off Yahoo or AOL or Gmail, whatever public email service he was using. He called us and said, “Let’s get this fixed. I need to get grown-up email.” Then that goes back to thinking about your business and your brand and all of that. For the vast majority of people in a business, using a Gmail account – I mean, that’s better than an AOL or a Yahoo. Yahoo gets breached all the time. I think Davin’s going to talk a little bit about that.

DAVIN: Yeah, back in 2016 – this came from Yahoo themselves – they reported that 500 million users’ emails were compromised. And that was revealing their personal information, their first/last name, email addresses, passwords, bank information. All kinds of information regarding their emails, over 500 million users were affected. And people still are using Yahoo today, knowing that.

TOM: I want to make another point about this. I’d love to do a Deeper Dive with you, Davin, sometime about privacy and security go hand in hand. Any time you’re using a free service from whoever the vendor may be, whether it’s Google, AOL, Yahoo, on and on and on, their business model is selling you. That’s why you get it for free. And that means it’s likely that security is also pushed down the list. Because they’re in the business of selling your personal data.

I saw a mailing list of one of ours the other day and I was absolutely stunned. Some of these companies have 20-30 people that work there and they’re using a Yahoo account. That’s a ticking time bomb. I know there’s some of you on here that are using those types of accounts, but it’s just a matter of time before it gets breached. Perhaps through no fault of your own.

DAVIN: Yeah. It’s crazy that you mention a lot of those free services. A report came out today – and then we’ll move on. We’ll talk about how you actually protect your email and protect your website, but briefly before we move on, an article came out today, and Gmail is actually going to start charging for you to use G-Suite, their business services, those business Gmail accounts. They’re going to start charging by the end of this month. And if you don’t sign up or don’t pay by August, those accounts will be suspended.

TOM: But the personal emails, the personal Gmail accounts, they’re going to continue to mine you to make money off of you. They’re just shifting the business grade, the G-Suite or whatever it’s called – Workspaces, I think.

DAVIN: Something like that.

TOM: The ones where it looks like it’s your domain, but it’s hosted by Google. That’s going to a paid model. So if you’re going to have to pay for it, why not do it right?

DAVIN: Have it done by security specialists.

TOM: Yes.

DAVIN: Next visual we have here, this is a quick graph, and this is showing the actual number of denial of service attacks that Tom was speaking about earlier on websites and the projected scale that the attacks are projected to be. Of course, in 2021, 12 million. We’re expected to increase over 2 million in attacks just next year. DDoS or denial of service attacks are becoming a lot more popular, as are business email compromises as well.

Now, of course, what you’ve been waiting for. I know the 30-minute mark is coming up here soon, but you have all of this information. You understand the vulnerabilities. You understand the risk. What do you do about it? How do you improve your security?

There’s multiple options, but the main one, and one of the most essential that you can do immediately, is private hosting. There are lots of positives regarding private hosting, using your information security team to host, manage, and secure your email, your website. Tom, I know you were talking about – I don’t think you mentioned it yet – DNS filtering and how that is extremely important regarding your information security team and private hosting as well.

TOM: Do you want me to talk a little bit about that?

DAVIN: Yeah, talk briefly on private hosting and DNS, and then I’ll finish the rest.

TOM: Okay. There’s a new scam going around right now, and it looks like it’s coming from a professional security specialist, like an independent. He goes, “I just want to get a bounty. I want to point out the flaws in your system.” It goes through all these DNS records. It looks like a bunch of gibberish. It really looks like a legitimate bounty hunter. There’s people that go out and look for bugs and then they give them to the vendor and the vendor pays them if they’ve got a published bounty program.

So it totally comes in – I’ve gotten several of them. If you carefully look through their recommended changes, if you make these DNS – and DNS is what runs the entire internet. The CNN.com is at a string of numbers, but the DNS is what translates “cnn.com” to a numbered street address. It says cnn.com = 131.122. blah, blah, blah.

If we had changed to his recommended security settings, it would’ve allowed Gmail to send out of our domain, with all the correct other identifiers that identify it as being legitimate – in other words, all he had to do was send it from a Gmail account, and to all of the spam filters and all of the security defenses that are put in place to stop illegitimate email, it would’ve gone right past them. That’s why DNS is important.

The thing to learn from that is don’t let anyone tinker with your DNS. That’s a whole different Deeper Dive, and we can go into it sometime, but I think everybody’s eyes would roll back in their head. Just don’t let anyone tinker with your DNS who doesn’t know what they’re doing. And what was the – oh, the private hosting.

So private email hosting, you can get a shared enterprise grade email service for about the same price, or arguably less, than what you would pay Google for their business class email. You get it away from Google. But if you’re larger, larger organizations do what’s known as exchange servers. They’ll either have them in their big corporate data center or they’ll put them up in the cloud, which is where VPS comes in.

In our case, whichever way you go – and we do both – we have a shared exchange server, but nobody can see each other’s emails unless you’re with that company, but then we also have exclusive dedicated email servers for people that handle sensitive data, like law firms, accounting, on and on and on.

DAVIN: Etc., etc.

TOM: Yeah. So that’s something you really want to look into. There’s not a lot of providers out there that provide truly private enterprise grade email. And all of them you have to pay for. If you don’t have to pay for it, that’s not secure and it’s not enterprise grade.

DAVIN: And those vulnerabilities we talked about when we talked about the patching and the high security, that’s what you get from using an information security team like IronTech Security. That’s what you should expect when you get the private hosting. We know for a fact that the emails, the security is being monitored, the patches are being done routinely and immediately. But also, you get higher performance and you can customize it to fit your exact business needs.

Another extremely, extremely important security control you can put in place to secure your email, but also overall your organization and how you interact with the emails, is continuous cybersecurity training. A lot of people have once a year, hour-long training that is a lot of information at once, and usually goes in one ear and out the other. With our specific continuous security training, once a month, it takes about 5 minutes, short videos, a few questions, but it gets down to the point and updates you on the important information you need to know.

But what I like about it is that we actually send out simulated phishing emails. We’ve been talking about cyber attackers sending out malicious emails, impersonating others. Well, we have a training tool that you’ll get an email – it could say from Facebook or from Google, something like that – to ask you to change your password. If you fall for it and you click on it, it’ll say “You’ve been phished by IronTech Security. This is how we got you. This is what to look out for.”

We give you a short training on overall phishing emails, how to avoid them, and instead of your employee clicking or you clicking on an email that happens to be malicious and now your company’s being held for ransom and you’re out $100,000, you can go through this training exercise that if you do mess up, now you can learn from it in a safe environment. Extremely important. I myself have fallen for it. I don’t think anybody here in the office is 100%, except maybe one.

TOM: There’s one. I’m not 100%. It can fool the best. I’m telling you, it can absolutely fool the best.

DAVIN: Yes. But very, very good training exercise that I recommend for everyone. And it’s, once again, inexpensive.

Another extremely and probably the most important is an information security team. If you have an information security team, they will take care of all of this. We will take care of all of this. All of our clients who come on, if they’re using Gmail, Yahoo, or AT&T, AOL, something like that, like the example before, we highly, highly recommend that they use a private hosted email because of the vulnerabilities and the cyber attacks that we’ve been talking about here today.

But also, you can expect from your information security team that they have the proper security controls in place to stop those attacks, stop those business email compromises, take care of the managing and the patching of that email server, and overall take the stress off your shoulders of possibly thinking that the business that you’ve been working to build for the past 5 to 10 years, 15+ years, could be shut down just by an employee of yours clicking on an email.

Of course, if I was specifically a business owner, that would stress me out and I would be worried about that every day. So by having that information security team in your back pocket, hand in hand, those worries can go away.

TOM: I want to take a moment here. I know we’re going over a little bit, but I want everybody – we often come across, and we have a habit of doing this as well. It’s like, “How big of a company do I need to be before I really have to worry about this stuff?” Most people have a tendency to think “How many employees have I got? Do I have 1, do I have 2, do I have 5, do I have 10?” And that’s important because the more people you have, the more likely you’re going to be attacked because over 90% of the breaches require an insider to make it happen.

But another thing that you’ve simply got to factor in in your risk analysis is what’s your revenue, and what does that mean to your livelihood or to your wealth, to your happiness? Worth is different things to different people. It’s not about money always. We have clients that have 20 people in the company, but they’re an international company. One of them is a very unique business; they invented a whole category of stuff. But they’re a relatively small company. Then we’ve got others that have 200 employees that do $10 million a year.

But you’ve got to factor in the revenue that you’re trying to protect, and you’ve got to factor in the employees’ livelihood. You’ve got to think about all stakeholders when you’re doing a risk analysis, and how serious you need to be about security. If I had to point to 1 thing – there’s 2 things that prevent companies from implementing security. The other one is “It won’t happen to me” or “I hope it doesn’t happen to me,” and that’s not a strategy. That means you’re not being a leader. But the other is all the stakeholders are relying on you, even if it’s just you.

DAVIN: Yeah, and email is usually a vulnerability that’s overlooked, or your website is usually something that is overlooked, but clearly we saw the stats today. It’s not something to be overlooked anymore. It’s something serious that has to be addressed.

We’re a little bit over the 30-minute mark. Please, if you do have any questions, feel free to put those in the question box or the chat box. We want to speak with you. If you have questions regarding cybersecurity, if you have questions on how to protect your organization, or if you simply don’t know where to start – “What do I do?” – you can check out the meeting link. It is in the chat box now. You can click on that and schedule a short 30-minute meeting. You can also reach out to us at sales@irontechsecurity.com, but also feel free to call at the number below.

But the main thing is – and we do have a special going on right now. It’s very exclusive. If you’re interested and you don’t know where to start, you don’t know what to do, we’re offering free security and risk assessments. That is a brief process that allows you to understand overall where your vulnerabilities are, where your gaps are. It’s the perfect starting point to securing your organization. The worst thing you can do is start throwing security tools at your business and hoping it’s fixed. The proper and professional approach is to first identify those vulnerabilities and then put the proper security controls in place to fill those gaps. That’s the most efficient way, that’s the most effective way, and we’re here to help with that.

TOM: Yeah. That’s absolutely true. I don’t want to get into another Deeper Dive since we’re already over time here – and we’re going to do this one day. I want to stress, you don’t have to go to us. You need to go to a security specialist, not an IT person.

DAVIN: And we often work with IT professionals.

TOM: Yeah. They make us better, we make them better. But doing it the right way is really not their objective. Their mission is to just make things work.

DAVIN: Operations.

TOM: Increase productivity. It’s an operations role. Cybersecurity, defense, is a strategic role. It’s a management and a leadership decision. It’s the cost of doing business these days, and you’re only going to get what you truly need from the people that really eat, drink, and sleep it and keep up to date with what’s the latest Russian division that’s doing attacks on the critical infrastructure of the United States. Because they do it all the time. They’re war gaming all the time. I see the threat alerts. These don’t hit CNN. It happens all day, every day, 24/7, 365.

DAVIN: Also, like I said, this is a monthly recurring Deeper Dive series. Next month, last Thursday of the month, we will be talking on another topic regarding cybersecurity and overall how to protect your business. If you’ve got a notebook, write these links down. Write those emails down. If you think of a question or don’t have time at the moment but want to reach back out in the next couple weeks, feel free to reach out. Schedule a meeting. We are always open to talk to you. Remember, we are here as a resource to help protect organizations and individuals such as yourself.

TOM: Comments, questions, critiques, and suggestions for topics, use that email right there.

DAVIN: Yes. There’s not any more questions. We’ll give you another minute to put those in there if you have any. But if not, you have our email. You have our phone number. Please feel free to reach out. We will see you next month, talk a little bit more, dive a little bit deeper in cybersecurity. Hope you all enjoyed yourselves here today, and enjoy the rest of your Thursday afternoon.

KINDSEY: Thanks for joining, everybody.