The Dark Web: What It Is And How It Affects Your Organization

This article will explore the most commonly asked questions about the dark web and offer insights on how to prevent your organization’s data from ending up there.

What is the dark web?

The dark web and the deep web are terms that are often used interchangeably. The deep web is everything on the internet that is not indexed in search engines. This can include data like health records, confidential web pages, fee-based content, membership-based websites,  et cetera. Basically, anything that is not findable via Google or other search engines. If you have ever logged into Netflix to watch a movie or signed into Amazon to place an order, then you have been exposed to the deep web. The deep web makes up about 96%-99% of the internet. 

On the other hand, the dark web is estimated to make up about 6% of the internet, and it is a subset of the deep web.  In order to access the dark web, users need specific authorization, configurations, or software. Most people in the know associate the anonymizing browser, Tor, with dark web use. Tor makes it possible for dark web users to access buried dark web pages that end in “.onion” while keeping their location and other identifying data private while conducting transactions.

Though about 97% of dark web activity is legal (for example, BlackBook, the “Facebook of Tor”), the dark web is primarily known for that other 3%, cybercrime and anonymously conducting illegal business. The dark web is the gateway to buying and selling stolen data, credit card numbers, drugs, weapons, counterfeit money, software that helps hackers break into other people’s computers, and the list gets worse from there. 

Will the dark web ever be shut down?

This is an impossible question to answer, however in recent news, one of the world’s largest illegal markets on the dark web, DarkMarket, was recently shut down by an international group of law enforcement agencies from Australia, Denmark, Germany, Moldova, Switzerland, Ukraine, the United Kingdom, and the United States. The dark web still exists, but one major site, what many experts believe to be the world’s largest illegal marketplace, has been taken down. Unfortunately, however, it’s just the marketplace that has been shut down, not the users and vendors. Law enforcement officials believe that they have the information needed to track down some of the illegal buyers and sellers from the shutdown of DarkMarket, but the results of this remain to be seen.

Who created the dark web?

According to the International Monetary Fund (IMF), the dark web was created by several researchers who were involved in a US Department of Defense project to create a secret, hidden network for protecting US spy communications. This DOD network never came to fruition, but the researchers applied their project momentum to create “The Onion Router,” also known as Tor. The name references the multiple layers, like an onion, of encryption and anonymization. 

Different sources cite different intentions for the creation and release of Tor, a nonprofit and free download. The IMF states that it was developed to protect human rights and privacy activists from the surveillance of authoritarian governments. According to The Guardian, however, Tor was intended to protect individual data from corporations, not governments. Regardless of the initial intent, the unintended consequence of this “radical anonymity” allowed by the Tor browser and the creation of the dark web is that it is also used to cloak illegal activity.

When was the dark web started?

The anonymizing browser Tor was launched in 2002. It was created by researchers involved in a US Department of Defense project in the late-1990s. Since the creation of Tor, other dark web networks have emerged, for example, the “Invisible Internet Project,” also known as “I2P.”


How does the dark web affect my organization?

The dark web has opened up myriad opportunities for enterprising cybercriminals. When most people think of cybercriminals and hackers, they imagine a disenfranchised genius in a dark room wearing a hoodie. The truth is, it does not take high levels of genius to exploit the opportunities that the dark web presents. Cybercriminals with access to private records and data can anonymously sell this information on illegal dark web marketplaces that connect buyers and sellers. They can even go to one of these marketplaces to buy ransomware kits and other types of hacking software. This means that cybercriminals don’t even have to know how ransomware or other types of hacking software work; they can just find an opening in your network, install illegal software purchased from the dark web in a few clicks, and suddenly your company’s data is at risk of being sold to the highest bidder, being held for ransom, or both.


How do I keep my organization’s information off of the dark web?

Securing your organization’s information and networks is critical. The most common weakness in an organization’s information security is a lack of security awareness on the part of the organization’s staff. Lax password security is the #1 vulnerability in most organizations. To keep your organization’s data and networks protected, you need security awareness training paired with network security and backup and disaster relief solutions.

We have created a free IT Security Checklist that you can use to get started to improve the information and network security in your organization. 

Looking for additional IT security support?

We help our customers improve all areas of security with scalable solutions so that they can attain high productivity levels for their teams while keeping costs under control.

For a free consultation and IT security assessment, please contact us today. We know what it’s like to run a business, and we know your time is valuable.  

We can:

  • Learn about your business
  • Give you some ideas on what improvements you can make right away
  • Provide free advice on your approach to IT security

And if you’d like, we can show you where and how we can help. 

Stay Safe and Productive in 2021: 3 Phishing Threats to Know for the New Year

Cybercriminals are always evolving their methods of getting unauthorized access to your private information and with the rapid, on-a-dime increase of the remote workforce, 2020 has been an exceptional year for cybercrime. According to, phishing is a type of cybercrime in which a hacker contacts the target by email, phone, or SMS message (text message) and they pose as a recognized institution, business, or other organization. The purpose of phishing is to persuade people to provide private or sensitive data, like personal information, credit card and banking information, and login information (usernames, passwords, passphrases, etc.). 

In this article, we will go over some of the most common phishing phenomena reported in 2020. Security awareness is the most effective way to defend against cybercrime; start your year off armed with knowledge.


  • COVID-19 related emails

Cybercriminals have jumped on hacking opportunities that COVID-19 has created. Here are just some of the COVID-19-related phishing scams to look out for in 2021:


  • Fake Zoom-related domains: cybercriminals have created incredibly realistic-looking fake login pages for trusted video conferencing software, primarily Zoom, to trick users into providing login information (which is why it’s important to have different passwords for each account that you have), and also trapping users into downloading malware and/or ransomware. 



  • Fake CDC alerts: these emails may falsely offer updates on recent cases of COVID-19 in your area or other such promises enticing the recipient to click on a malicious link or download a malicious attachment. 


  • Fake workplace policy update emails: again, the purpose of these emails is to get you to click on a malicious link or download a malicious attachment while impersonating someone else, in this case, the recipient’s employer.


  • Ransomware

According to a recent Kroll report, ransomware was the most observed threat in 2020. Furthermore, CyberEdge Group has reported that in 2020, 62.4% of organizations were affected by ransomware in some way. This is up from the 2019 figure of 56.1%

Ransomware is a form of “malware” (literally “MALicious softWARE”) that locks a victim’s files. The cybercriminal demands payment to unlock the files. (This is why regular, secure automated file backup can be so important and valuable to an organization.) The ransoms can range from a few hundred dollars to thousands, payable online to an anonymous recipient in bitcoin. Phishing attacks are the most common form that ransomware makes it onto a computer or device.


  • File-sharing Phishing Scams

Much of the office workforce has become accustomed to receiving shared-file notifications from colleagues and clients on various platforms including SharePoint, OneDrive, DropBox, and Google Docs, to name a few. One way that hackers exploit our familiarity with file-sharing is by directing the URL in the shared file message to a phishing page that may look like a Microsoft 365 or Dropbox login page. From there, they can collect user login information, which can open up, potentially, an entire organization’s hierarchy of stored digital files. Another sneaky way that hackers have used the file-sharing guise to attack individuals and organizations is by sharing a legitimate file from a legitimate file-sharing service and burying a malicious link in the attachment, where many anti-phishing scanners cannot detect them.

Where to Report Phishing

If you think you have been phished, you can file a complaint at no charge to the Federal Communications Commission (FCC) on their website. You can also contact local law enforcement to report scams.

How to Protect Your Company from Phishing

Security Awareness Training is the best, most effective way to protect yourself and your organization from smishing, phishing, and other types of cybercrime. When employees know to simply delete suspicious messages and resist the temptation to respond, they will be protecting themselves better and more effectively than any other preventive action that they can take.


General rules of thumb for protecting yourself and your organization include:

  • Avoid responding to request for personal information
  • Always check the complete email address and/or link to see if it’s obviously a disguise
  • Spelling and grammar mistakes can sometimes be a tip-off
  • Generic greetings can be a tip-off (like “dear sir or madam”)
  • Avoid responding to anything that insists on acting immediately
  • Do not forward suspicious emails. If you want to show others as a warning, use screenshots instead.


Looking for additional Security Awareness Training?

At Xlingshot, we work with our clients to ensure that their networks are locked down and their staff is thoroughly trained on the latest in Security Awareness. We will take care of the training so that you are free to do what you do best: run your organization.

Our comprehensive Security Awareness Training includes baseline risk assessment and complete training on the mechanisms of spam, phishing, spear-phishing, malware, and social engineering. Included in the program are multiple refresher training and post-training phishing simulations with custom landing pages. Staffers who open the automated phishing emails are automatically enrolled in additional training until they no longer fail the simulations. 

Our approach to delivering the best possible IT service and Security Awareness Training is centered on you. For a free consultation please contact us today.

We know what it’s like to run a business and we know your time is valuable. We can:

  • learn about your business
  • give you some ideas on what improvements you can make right away
  • provide free advice on your approach to IT security and other IT solutions

And if you’d like, we can show you where and how we can help. Call 866-950-0698 or email us at

How to Recognize a Phishing Attempt

Phishing is a type of social engineering used to steal and collect data like login credentials, credit card, and bank account numbers, and other private information, or to get access to your company’s network. When they have that information, they can use it (or sell it) for identity theft, to access your accounts, or pose as you to people you know to get their information. Attackers pose as trusted entities, fooling victims into opening and clicking on the email, instant messages, and text messages. 

Awareness is the best defense against phishing and other types of cybercrime. According to the Federal Trade Commission (FTC), phishing messages often look like they’re from a company you know or trust. These messages often tell a story to get you to click a link or open an attachment. Some common examples include messages that say:

  • They’ve noticed suspicious log-in attempts
  • There is a problem with your payment information
  • That you must confirm some personal information
  • Messages that include fake invoices
  • Messages that want you to click on a link to make a payment
  • Messages that want you to register for a government refund or coupon for free stuff

The FTC recommends that you take 4 basic steps to set a baseline of protection:

  1. Use security software that is set to update automatically.
  2. Set your mobile devices to update automatically.
  3. Use Multi-Factor Authentication.
  4. Back up your data regularly.

Hackers and other cybercriminals are adaptive. Their methods and creative approaches to getting your data are constantly changing. Also, coronavirus phishing is a new phenomenon and it’s on the rise.

See also: 3 Ways to Prevent a Ransomware Attack on your Business

You don’t have to be an expert in the latest phishing scams and breaches, however. At Xlingshot, we have an entire suite of tools and a team of experts to help your organization implement and maintain the FTC’s recommendations and then some. Our goal is to find solutions that work for you and your business while keeping costs under control. 

Our approach to delivering the best possible IT service is centered on you.  For a free consultation and technology assessment, please contact us today.

We know what it’s like to run a business and we know your time is valuable. We can:

  • learn about your business
  • give you some ideas on what improvements you can make right away
  • provide free advice on your approach to IT and remote work solutions

And if you’d like, we can show you where and how we can help.  Call (303)-410-2845. 

Want more tips on keeping your employees and data safe? Sign up for our monthly newsletter.

When it Comes to Phishing, Email Subjects are “Red Herrings”

Unfortunately, email phishing and other types of cybercrime have gone up significantly during the Coronavirus pandemic. The surge in working from home has left many organizations vulnerable to hackers. Suddenly, millions of people now access their company networks over their home WiFi connections. Hackers capitalize on the new opportunities that the pandemic has presented.


Has your organization been phished? We hope not. Just in case, here are some things to watch out for if you want to stay protected. 


Heads up, we are indulging in some phishing puns on this post, so you’ve been warned. 


Social Media as “Bait”


Fake social media emails, especially from LinkedIn (or supposedly from LinkedIn), are especially enticing as phishing schemes. The most opened fake emails in recent phishing tests had subject lines like these:


  1. Please add me to your LinkedIn Network
  2. LinkedIn Password Reset
  3. Your friend tagged a photo of you
  4. People are looking at your LinkedIn profile
  5. You appeared in new searches this week!
  6. Someone has sent you a Direct Message on Twitter


Pro tip: If you receive a social media email that looks interesting, rather than opening the email and clicking links within the message, simply login to your account to find what the message is about.  When in doubt, go to the source. Do not follow links in social media emails.

Top Clicked Phishing Tests

Top 5 General Email Subjects Hackers Use to “Worm” Their Way Into Your Networks


In addition to the social media angle, hackers get creative with other subjects. In recent phishing simulations, these general email subjects were the most clicked on:


  1. Password Check Required Immediately
  2. Vacation Policy Update
  3. Branch/Corporate Reopening Schedule
  4. COVID-19 Awareness
  5. Coronavirus Stimulus Checks


Understandably, organization members want to be more security-minded than ever. Unfortunately, hackers are tuned into this desire and they know how to exploit it by raising questions and alarms about security. Hackers are also hip to current events and Coronavirus/COVID-19 subject lines are current phishing favorites. 


Pro tip: Always be wary of emails coming from untrusted sources, especially if they include links and/or attachments.


“Scale” Back the Risk: Additional Subject Lines to watch out for


We want you to stay extra safe. Here are a few more phishing email subject lines that tested well (from the hacker’s perspective) in recent phishing simulations:


  1. Microsoft: Abnormal log in activity on Microsoft Account
  2. Chase: Stimulus Funds
  3. Zoom: Restriction Notice Alert
  4. IT: ATTENTION: Security Violation
  5. Earn money working from home


Again, hackers are on top of their current events and they know how to use Coronavirus-related and working from home-related topics and concerns as ways to “worm” their way in.


Pro tip: Share this infographic from our security training partner, Knowbe4, with your organization


How to Make Hackers “Walk the Plankton”


In order to truly protect your organization, all staffers need to be aware of the risks and always vigilant. At Xlingshot, we provide our clients with comprehensive Security Awareness Training, complete with a company risk assessment, complete online training that can be done anywhere with an internet connection, refresher training, phishing simulations to identify additional risks, and regular reporting that shows the company’s results with the program. 


Xlingshot customers have seen great results. Here is a snapshot of the before-and-after phishing prevention impact after 12 months of our Security Awareness Training program:

  Industry Phish Prone % Prior to Training Industry Phish Prone % after 90 days of Training Industry Phish Prone % after 12 months of Training
Customer A Business Services- 35.8% 14.2% 3.6%
Customer B Consulting- 31.5% 11.1% 5.9%


Contact us today to find out more about how we can help you and your staff protect your company’s networks, email, and data.

Data Breaches: What Small and Medium Businesses Need to Know

What is a Data Breach?

A data breach is simply when information is accessed without authorization. This can be banking information, health, and other personal records, proprietary information, client lists, business plans, HR records, et cetera. If it’s data it can be breached. 

Small and Medium Businesses are particularly susceptible to data breaches, making up 58% of all reported cybercrime victims. There is a common misperception among small and medium business owners and their staff that hackers and cybercriminals only go after the giants like Netflix, Equifax, and others. The truth is, any business can be a target. Because of the lax security of many smaller organizations, they are specifically targeted as the perfect low-hanging fruit for a hacker looking to make some extra money through cyber fraud, data mining, or even selling personal and business records to the highest bidder. Due to the amount of private information contained in medical records, for example, they can sell for up to $1000 each. Maybe your company does not have to worry about protecting medical records. Do you have Human Resources files? Cybercriminals can use stolen personnel records like these for identity theft and sometimes even extortion. 

Want to learn about data breaches that may affect your business?

Learn more about relevant data breaches and other IT security tips by subscribing to our newsletter.

How do you report a data breach?

If your business is the victim of a data breach, it is important to notify your IT partner as soon as possible. They can help you identify what went wrong and how to reduce the risk of this happening again. You can also file a report with the Internet Crime Complaint Center of the FBI. If your breach resulted in the transfer of funds to a fraudulent account, contact your financial institution and ask them to contact the institution where the transfer was sent. Depending on the financial impact and liability associated with the breach, your insurance company may launch a further investigation. 

Additionally,  you may be required to report to your state or other authority, especially if Personal Identifying Information (PII) or Protected Health Information (PHI) is compromised. For example, in Colorado, you only have 30 days from when the breach is identified to notify those affected. If it has affected 500 or more Colorado residents you must also provide notice to the Colorado Attorney General.

How does a data breach happen?

There are lots of causes for data breaches but the biggest vulnerability, by far, is a human error caused by a lack of awareness. Stolen credentials through poor password security, for example, is a very common problem. Security Awareness Training is as important for an organization as Internet access. 

Breaches can also occur as a result of phishing, malware, when a lost or stolen device (like a phone or laptop) gets into the wrong hands, through unprotected networks, through social engineering, through old unpatched security vulnerabilities, and through insider misuse, just to name a few. 

How much will a data breach cost?

How much do you have? There is no limit to how much a data breach can cost your company. It depends on what was breached and how long it takes to identify and contain it. The average total cost of a data breach for companies of all sizes is $200,000, according to the insurance company, Hiscox. 

The longer a breach goes unidentified the more it can cost your business. According to a 2019 report by the Ponemon Institute, the average time to identify and contain a breach is 279 days. Breaches that are caught and contained within 200 days cost about 50% less than those that take longer to manage.

How to reduce the risk of a data breach

Every organization needs to carefully monitor their IT security, especially now, while so much of the workforce continues to work remotely. We have created an IT Security Checklist (link to downloadable item) as a starting point for evaluating your organization’s security policies and procedures. We recommend reviewing these checklist items with your trusted IT partner to ensure that your network and data are secure and that your staff is security-savvy.

Looking for an IT Partner?

Are you looking for more support with your information security, network security, data backup, and Security Awareness Training? We help our customers train their staff and lock down their data and networks so that they are free to focus on what they do best: running the business. We implement reliable solutions that can scale, all while keeping costs under control.

Our approach to delivering the best possible IT service is centered on you.  For a free consultation and security assessment, please contact us today.

We know what it’s like to run a business and we know your time is valuable. We can:

  • learn about your business
  • give you some ideas on what improvements you can make right away
  • provide free advice on your approach to IT security solutions

Schedule a Free Consultation

Interested in learning about how IT security helps arm your data from ongoing threats?

Call (303)-410-2845 or email us at contact us to schedule a free consultation

How to Safely Manage Your Fully Remote Team

Working remotely is steadily gaining popularity in America. In a recent study conducted by the US Census, more than 5.2%, 8 million,  Americans currently work from home as of 2017. The trend is moving upward 5% from 2016 and continues to climb. As internet connectivity continues to improve, the demand for a more flexible work environment also increases.


Working from home also helps improve employee retention and overall well being. Some small business owners saw a decrease in employee turnover by over 50% when they’ve implemented a remote work environment.    

It seems there are many advantages to ditching the cubicle and adopting a work from home policy. We’ve covered a few things to think about if you’re considering making the switch and ensuring you maximize productivity and protect your business at the same time.  

Pro Tips: Avoid these 5 Telecommuting Mistakes 

Challenges of Managing a Remote Team 

Managing a remote team does not come without its own set of challenges. When managing a team, here a few items to keep in mind as you roll out a work from home policy: 

  • Increased Risk of a Data Breach 
  • Lacking a streamlined communication tool for project management 
  • Lack of Accountability 
  • Establishing a defined work schedule 
  • Limited sense of team 
  • Not being able to track individual employee performance 

Safeguarding Your Data 

Grabbing your laptop and heading over to a local coffee shop to get work done is one of the best perks about working remotely. Logging onto your local coffee shop or public wifi may not be as secure you think. Unless a public WiFi is protected by a WPA2 Encryption, any information shared on the network can easily be intercepted and will put your data at risk for a breach. Not all networks are created equal. Be sure to log on to networks using a VPN and only visit websites that have a security certificate, or SSL for short. You can easily identify the website’s SSL by how the URL appears on your browser. Be sure to check for the lock as seen below or the HTTPS before the “www” in your browser’s search bar.

Another way to ensure your company’s data is safe is to instruct your employees to not leave your company’s laptop unattended at any time while working in a public place. A coffee shop’s environment may seem innocent, but you can run the risk of theft when laptops are left alone. 

Turn File Sharing Off 

When you’re on a private network, file sharing is secure and you don’t put your company’s data in jeopardy. On the other hand, file sharing on a public network can be intercepted by other users on the public network. 

Use a Virtual Private Network

A virtual private network creates a secure avenue through a public network. This way, when your employees conduct business, the information they share is protected from others on a public network from accessing your sensitive data. A VPN also protects browsing sessions while on a public network. Creating a VPN network is an easy and low-cost way to further protect your data from a breach. 

Avoid Physical IT Security Threats 

The risks of a physical data breach aren’t just limited to logging on to fake public networks, data interceptions, and hacking. A data breach could be as simple as someone looking over your shoulder at a coffee shop. Make sure you inform your employees to be mindful of where they are sitting at coffee shops or public places. Purchasing privacy screen covers are an affordable way to prevent physical breaches from occurring.  

Educate Your Employees 

Most employees don’t have the knowledge in place to make educated decisions regarding your company’s data security. The good news is that we have specialized training to educate your employees about the dangers of public networks and adequate preventative measures to strengthen your IT security. Coupled with an IT membership, our team at Xlingshot works with you and your employees to draft a security plan to armor your business from threats in today’s remote world. 

3 Ways to Prevent a Ransomware Attack on your Business

Holding a person’s or business’s data for profit has been wildly successful in the most recent years. The cybersecurity world may seem complicated for many non-IT experts to understand; however, the act is pure and shares a common goal. Ransomware is a form of malware that locks a person or business’s out of their hard drive, preventing the owner from accessing the files, and demanding payment for the release of the data. 

No business is immune to a malware attack, and an attack can be costly. Did you know that the average cost of a ransomware attack can cost well over $133,000 per attack? When your digital systems come under attack, it can be extremely stressful can put your business in jeopardy. In this post, we’ll break down the how-to prevent malware on your business. 

Backup Your Systems

The most critical step in preventing malware is backing up your system. Be sure to backup your systems offsite and locally. One way to backup your data is through cloud computing which allows you access your files from anywhere you have an Internet connection.

Partnering with a cloud computing company also helps add an extra layer of security since your files stored in the cloud rather than an offline file saving method. Failing to backup your system may lead to irreparable damage and a potential lawsuit from your customers.

Additionally, implementing a Backup and Disaster Recovery (BDR) solution can provide an extra layer of security and allow your business to recover faster in the event of an infection. A BDR system is a hardware device that takes backup snapshots of your systems, stores them encrypted both locally and in the cloud, and can even run your network if your server is unavailable. No more system downtime.

Educate Your Team And Self About Ransomware

Most malware attacks happen when employees or C level team members don’t know how to how to identify ransomware and malware. According to Symantec Internet Security Threat Report 2018,  71.4% of targeted attacks involved the use of spear-phishing emails are often the avenue of choice for attackers. And if an employee does not know the “tells” and how to spot a malware email, the consequences can be extreme. Data from 2019 State of SMB Cyber Security report shows that on average, a company with 10-49 employees lost $41,269 from a cyber-attack. The costs increase for organizations with 50-249 employees to $48,686. Those with 250-1,000 employees saw an average of $64,085 per incident.

Business owners and employees can rely too much on perimeter defenses and malware detection software to pick up malice emails and open a file not knowing the email has ransomware. Employees should recognize the signs of a phishing attack, and your company needs a process in place to handle such emails.

Review Before Clicking

If you receive an email that seems out of place, the first thing to look at is the email source and the name of the company. In the case below, the sender (the source of the malware) runs under the name “Ven Company”. Ven Company is there to fool you into thinking that the email is popular Venmo and legitimate money exchanging website. The title is a fake invoice number, and the invoice is not attached as a PDF as all software companies use to send their customers.

Another way ransomware can enter your system is through a fake file source. If you and your employees receive an email that includes .scr, .vbs, or .exe, there is a high chance the email attachment has malware. Malware creators use these file forms to disguise the actual file, which includes malware or even a virus. However, malware can be delivered via PDF, DOC, XLS, and even images.

When in doubt, it’s essential to partner with an IT service provider to help review the emails and malware potential. At Xlingshot, we offer solutions to help decipher the differences between good and bad files to best protect your business against a future attack.

Our security awareness training provides employees basic and in-depth skills to prevent a potential data breach. Xlingshot’s security awareness training teaches employees what to look for in regards to potential breaches and security threats.

Data Security Wrap Up 

Knowing what threats exist and how to handle them is are the first step in protecting the integrity of your business. Be sure to take the time to educate your employees about the impacts a data breach might have on your business. At Xlingshot, we offer a wide array of IT solutions including training and data security implementation. 

Surviving the Ultimate Fake Email

February 5, 2018 –

Think you’ve received an email from a company you know?  Maybe not. Cyber attackers often use a fake email that appears to be legit to trick you into sending them money.  Maybe you received an email from a familiar company, stating that there has been a last-minute change.  They say their bank has a provided them with a new wire transfer number and they’re asking you to wire the money to this new number. Unfortunately, if you wire money to a scammer, there’s a good chance you will never see that money again.

Sometimes cyber criminals will send an email trying to trick you into providing login credentials to popular websites like Amazon and banking sites like Wells Fargo.  Think you can’t be fooled? You’d be surprised.  As a managed service provider providing IT support to small and midsized organizations, we see these types of emails all the time.  To better train our customers, we have created training courses to help spot the fake emails.

How can you spot a fake email?

Email phishing scams are getting more sophisticated every day. To combat this, we keep our customers trained on what to look out for.  Here’s a sample email we sent to a customer recently (with management’s permission). Our goal was to see how many employees were fooled and who took the bait.

Here’s what we sent.

Ultimate Fake Email

It looks great, right? And who doesn’t want a free Amazon gift card? Clicking on this is extremely tempting. But before you click, how can you spot the fake? Were you able to see it? If not don’t worry, this one fooled a lot of people so you’re in good company. It even has a disclaimer and serial number on the bottom. It certainly feels legit. But in this case, you can spot the fake by the looking at the “from” address. Odds are good that Amazon won’t be sending out gift cards from the “.me” domain.

What else can you check for?

  • Check for tiny spelling changes. If the email appears to be coming from someone you know, double check the email address carefully.  Often cybercriminals will make tiny change to the spelling to fool the eye and trick the victim.
  • Don’t click. Hover your mouse over the link in the email and see where it’s sending you.
  • Never wire money to anyone who emails, or calls, and asks you to. Instead, approach the request with caution. Contact the company through a number or email address you know is real.  Don’t use phone numbers or links that were provided in the email!
  • Don’t open email attachments, event from someone you know, unless you’re expecting it. Opening attachments can put malware on your computer.

The bottom line on spotting a fake email is if it’s too good to be true, it’s probably a fake.

If you’ve already sent money to a scammer, act quickly!

If you wired money through your bank take action immediately.  Contact your bank and ask them for a wire recall.  If you used a money transfer company, like Western Union or MoneyGram, call their complaint lines immediately.  Regardless of the outcome, be sure to report the experience to the FTC at and to the FBI’s Internet Crime Complaint Center at

For more information on how to protect yourself from cyber criminals, review our Data Security section or contact us.  As a managed service provider we can provide the IT support and data security you need to protect your business. To learn more about training for your team, review our Security Awareness Training section or contact us for additional support.

– The Xlingshot Team

5 Non-technical Tips to Improve Your Data Security

January 29, 2018 –

As an IT support company, we spend a lot of time obsessing about the technology we use to keep our customers’ data safe and secure from cyber criminals.  But if you’re not into all that tech detail, what steps can you take on your own to protect your data? Are there non-technical security measures you can take?

Absolutely.  When we implement a data security solution we think about a multi-layered approach that goes beyond the technology. In fact, one of the most critical elements is the people factor.  Careless behavior by employees is a leading cause of data breaches.  And while not malicious or intentional, the security breach is still a very painful reality for small and midsized businesses.

So if you’re not a techie, what are the things you can do to improve your data security?

Non-technical Data Security Tip #1: Secure the Physical Environment

One of the best things you can do is help protect your physical devices is to lock the screen.  Whenever you’ll be leaving your desk, you can quickly lock the screen by pressing the windows key plus the “L” key simultaneously (for other cool tricks with the windows button check out our blog post from last week).  Locking the screen will prevent others from casually walking by your work area and seeing confidential or personally identifiable information (PII).  It also helps to protect your machine if someone walks off with it. When they try to log in they won’t have access without your username and password.

Non-technical Data Security Tip #2: Speak Up!

While it might feel a bit uncomfortable, don’t be shy. When it comes to protecting the data security for your business you should speak up.  Employees should be encouraged to speak up if they see something suspicious.  If there’s someone who doesn’t belong in the building or area, a strange package left in an odd location, or even an email that just “feels” a bit off to the employee, they must take steps to notify management immediately.

Non-technical Data Security Tip #3: Keep Your Work Area Clean

While a messy desk might not seem important, it’s an important part of a strong overall approach to physical data security.  Messy desks and conference tables can encourage misplaced security credentials, like a badge or key card that is left on the desk and not noticed by the employee with the rest of the clutter.  They leave for the day and anyone walking by now has a working keycard.  This is also true for confidential printed information that should have been filed securely and was inadvertently left out in the open.

Non-technical Data Security Tip #4: Watch Your Tail

Talk gaiting is a tried and true method for cyber criminals.  It’s considered a form of social engineering and it’s a tactic that is still in use today.  (To read about other social engineering scams click here).  With tailgating the assailant follows an employee into a building or secure area and counts on someone holding the door for them or not noticing them at all.  Employees are embarrassed and uncomfortable admitting they don’t recognize someone, so they don’t say anything.  Don’t be embarrassed!  Speak up and remind them they need to use their own credentials to enter the building or area.

Privileged access is any access that is unique to a specific set of employees.  Keeping your badge secure and ensuring people don’t follow you into secure areas is key.  However, even if you don’t have access to a secure area, if you see a door propped open that shouldn’t be or a reception desk or security desk unattended report those security incidents to management.

Non-technical Data Security Tip #5: Hide Your Screen

Anytime you pull up confidential information on your screen you’re at risk of others seeing your information.  Whether it’s someone passing by your desk in the office or looking over your shoulder at the airport, it’s all-to-easy for others to see information that should be kept private.  To protect yourself, invest in a privacy filter.  Privacy filters are a great way to prevent those around you from seeing your screen and potentially stealing confidential information.

For more information on how to protect yourself from cyber criminals, review our Data Security section or contact us.  We can provide the IT support and data security you need to protect your business.

7 Questions You Should Ask Your IT Security Provider

January 15, 2018 —

Data security continues to be a top concern for small and midsized businesses…as it should be. According to the Verizon Data Breach Investigation report, 61% of breaches hit smaller businesses. And while data security might be a top concern, too many small businesses don’t take action. 90% of small businesses aren’t using any sort of data protection according to UPS Capital. In order to protect your business, there are some critical questions you should be asking your IT Security provider. (Don’t have one? Contact Us.)

IT Security Question #1 – How Often Do We Back Up Our Data?

Your business changes by the minute. Backing up your data only once per day or just weekly isn’t enough. That’s because it doesn’t put you in the right position for a fast recovery in the event of data loss. Backing up your data multiple times per day provides you with the protection you need. It also reduces the time required to get back up and running. You may also consider implementing a disaster recovery solution. These solutions can be immediately ready-to-relaunch with your full system, applications, and data. This takes your recovery time down from hours to minutes.

IT Security Question #2 – Is Our Email Secure?

One of the easiest ways for hackers to gain access to systems is via email. You need to protect your organization from spam, email-born viruses, email-based malware, phishing emails, malicious links, unsecured email and Denial of Service attacks. By using solutions that provide advanced threat detection, you can put in place a vital security layer. This layer scans email attachments and compares them against a cryptographic hash database. Emails found to contain malicious content are quarantined and administrators and users can be notified. If no malicious content is found, the email is passed through seamlessly to the user.

IT Security Question #3 – Is Our Data Traffic Secure?

Encryption will help protect your data and personal information as it is traveling through the Internet. For example, if you are passing secure information such as credit card numbers, social security numbers, medical information or even just customer names and addresses, encryption can ensure this data is sent securely rather than as “clear text” which can be read by anyone. Data encryption for your email traffic is no longer an expensive and out-of-reach solution for small and midsized businesses. This technology is now available at an affordable price, and can help ensure sensitive data sent over email will safely reach its destination. It will protect your data from being “read” by hackers who will use the information maliciously. That could include phishing schemes, information gathering including passwords and sensitive financial information, and confidential personally identifiable customer information. All to be packaged up and sold on the dark web.

IT Security Question #4 – Are Employees Visiting Unsafe Websites?

One of the oldest (and still most popular) ways of breaching your systems is done via code that is activated when a user clicks on (or in some cases even hovers over) a malicious link. Malware and ransomware can then be quickly installed on the device and your data can be held hostage. A back-up system can help in this situation, allowing you to recover your data without paying the exorbitant ransom fee. But it is even better if you can proactively prevent the malicious code from entering your system in the first place. Also, it costs a lot less to stop the infection before it starts than to recover from an infection.

You need to have a technology layer in place that checks every data request that is being made out to the Internet to ensure that the requested site is safe.

Those which are safe have traffic routed without interruption. Internet traffic to and from sites which include malicious content are blocked. And those which are considered questionable are sent through another layer of security with malware and anti-virus tools to confirm whether they are safe.

IT Security Question #5 – Do We Have a Password Policy?

While it’s convenient for users to keep the same password for months or even years, it’s horrible for your business. Frequently changing passwords can help protect your organization. Here’s why. Hackers will often “revisit” and re-use the same account information over and over. Allowing them to continually access your systems over time. Frequent changing of your password prevents this repeated abuse. Also, if the user’s computer is moved to a different employee or it leaves your company (through a sale, theft, or recycling) there may be saved passwords stored in the machine.

Changing passwords regularly will reduce the likelihood that these saved passwords will still be valid and can help prevent unauthorized access.

Tracking that employees are regularly updating their passwords is an important step. And solutions are available to help automate and enforce a password changing policy that is appropriate for your company. To make this easy, consider using a Password Management solution that improves your password management by creating and enforcing more secure passwords, protecting your organization if employees leave, and giving you control over all the passwords being used in your organization.

IT Security Question #6 – Are Mobile Devices a Problem?

Mobile devices can be safe to use if they are set up properly with the right security layers in place. Similar to how you protect your network with technology that filters web traffic to confirm its safety, your mobile devices can be installed with lightweight versions of the same technology. This layer ensures that data requests being made out to the Internet are exchanging information with safe sites. If you have employees on mobile devices that aren’t using this additional security layer, you may be introducing malware and viruses onto the device and then into your overall network. We also recommend mobile devices be connected only to your “guest” (or separate network). This separates them from your default corporate/employee network, creating another security layer between your mobile devices and your core network applications and data.

One of the best ways to protect your systems is to remotely delete all data on a mobile device. This is important in the event the device is lost or stolen. Although you’ll still be out the cost of the hardware, but it can reduce your exposure to the more significant costs of stolen data.

IT Security Question #7 – Are Employees Adding to our Risk?

It’s critical to train your employees so they can recognize phishing schemes, malicious links, suspicious emails. Sophisticated hackers use social engineering to gain access to your systems and steal your data. Well-trained employees are your number one line of defense, yet security awareness training often skipped by small and midsized businesses. The best data security system in the world cannot overcome an employee who unwittingly provides access for hackers.

Implementing a Security Awareness Training program will provide your employees with the critical skills they need to avoid falling victim to hackers thereby compromising your systems. Furthermore, employees can be trained to recognize potential dangers and how to report potential breaks in security.

Moving Ahead

Although data security can seem overwhelming, the good news is there are a lot of cost-effective solutions available to mitigate these risks.  And they can be implemented quickly with minimal disruption to your team.  In the end, the #1 way to protect your business is to START.  Make a plan and move ahead.

To learn more, check out our Data Security insights.

For a free data security assessment, please contact us. We can review your systems and help you move forward with a more secure IT approach to secure your data and protect your business.

– There Xlingshot Team