Surviving the Ultimate Fake Email

February 5, 2018 –

Think you’ve received an email from a company you know?  Maybe not. Cyber attackers often use a fake email that appears to be legit to trick you into sending them money.  Maybe you received an email from a familiar company, stating that there has been a last-minute change.  They say their bank has a provided them with a new wire transfer number and they’re asking you to wire the money to this new number. Unfortunately, if you wire money to a scammer, there’s a good chance you will never see that money again.

Sometimes cyber criminals will send an email trying to trick you into providing login credentials to popular websites like Amazon and banking sites like Wells Fargo.  Think you can’t be fooled? You’d be surprised.  As a managed service provider providing IT support to small and midsized organizations, we see these types of emails all the time.  To better train our customers, we have created training courses to help spot the fake emails.

How can you spot a fake email?

Email phishing scams are getting more sophisticated every day. To combat this, we keep our customers trained on what to look out for.  Here’s a sample email we sent to a customer recently (with management’s permission). Our goal was to see how many employees were fooled and who took the bait.

Here’s what we sent.

Ultimate Fake Email

It looks great, right? And who doesn’t want a free Amazon gift card? Clicking on this is extremely tempting. But before you click, how can you spot the fake? Were you able to see it? If not don’t worry, this one fooled a lot of people so you’re in good company. It even has a disclaimer and serial number on the bottom. It certainly feels legit. But in this case, you can spot the fake by the looking at the “from” address. Odds are good that Amazon won’t be sending out gift cards from the “.me” domain.

What else can you check for?

  • Check for tiny spelling changes. If the email appears to be coming from someone you know, double check the email address carefully.  Often cybercriminals will make tiny change to the spelling to fool the eye and trick the victim.
  • Don’t click. Hover your mouse over the link in the email and see where it’s sending you.
  • Never wire money to anyone who emails, or calls, and asks you to. Instead, approach the request with caution. Contact the company through a number or email address you know is real.  Don’t use phone numbers or links that were provided in the email!
  • Don’t open email attachments, event from someone you know, unless you’re expecting it. Opening attachments can put malware on your computer.

The bottom line on spotting a fake email is if it’s too good to be true, it’s probably a fake.

If you’ve already sent money to a scammer, act quickly!

If you wired money through your bank take action immediately.  Contact your bank and ask them for a wire recall.  If you used a money transfer company, like Western Union or MoneyGram, call their complaint lines immediately.  Regardless of the outcome, be sure to report the experience to the FTC at www.ftccomplaintassistant.gov/information and to the FBI’s Internet Crime Complaint Center at IC3.gov.

For more information on how to protect yourself from cyber criminals, review our Data Security section or contact us.  As a managed service provider we can provide the IT support and data security you need to protect your business. To learn more about training for your team, review our Security Awareness Training section or contact us for additional support.

– The Xlingshot Team

5 Non-technical Tips to Improve Your Data Security

January 29, 2018 –

As an IT support company, we spend a lot of time obsessing about the technology we use to keep our customers’ data safe and secure from cyber criminals.  But if you’re not into all that tech detail, what steps can you take on your own to protect your data? Are there non-technical security measures you can take?

Absolutely.  When we implement a data security solution we think about a multi-layered approach that goes beyond the technology. In fact, one of the most critical elements is the people factor.  Careless behavior by employees is a leading cause of data breaches.  And while not malicious or intentional, the security breach is still a very painful reality for small and midsized businesses.

So if you’re not a techie, what are the things you can do to improve your data security?

Non-technical Data Security Tip #1: Secure the Physical Environment

One of the best things you can do is help protect your physical devices is to lock the screen.  Whenever you’ll be leaving your desk, you can quickly lock the screen by pressing the windows key plus the “L” key simultaneously (for other cool tricks with the windows button check out our blog post from last week).  Locking the screen will prevent others from casually walking by your work area and seeing confidential or personally identifiable information (PII).  It also helps to protect your machine if someone walks off with it. When they try to log in they won’t have access without your username and password.

Non-technical Data Security Tip #2: Speak Up!

While it might feel a bit uncomfortable, don’t be shy. When it comes to protecting the data security for your business you should speak up.  Employees should be encouraged to speak up if they see something suspicious.  If there’s someone who doesn’t belong in the building or area, a strange package left in an odd location, or even an email that just “feels” a bit off to the employee, they must take steps to notify management immediately.

Non-technical Data Security Tip #3: Keep Your Work Area Clean

While a messy desk might not seem important, it’s an important part of a strong overall approach to physical data security.  Messy desks and conference tables can encourage misplaced security credentials, like a badge or key card that is left on the desk and not noticed by the employee with the rest of the clutter.  They leave for the day and anyone walking by now has a working keycard.  This is also true for confidential printed information that should have been filed securely and was inadvertently left out in the open.

Non-technical Data Security Tip #4: Watch Your Tail

Talk gaiting is a tried and true method for cyber criminals.  It’s considered a form of social engineering and it’s a tactic that is still in use today.  (To read about other social engineering scams click here).  With tailgating the assailant follows an employee into a building or secure area and counts on someone holding the door for them or not noticing them at all.  Employees are embarrassed and uncomfortable admitting they don’t recognize someone, so they don’t say anything.  Don’t be embarrassed!  Speak up and remind them they need to use their own credentials to enter the building or area.

Privileged access is any access that is unique to a specific set of employees.  Keeping your badge secure and ensuring people don’t follow you into secure areas is key.  However, even if you don’t have access to a secure area, if you see a door propped open that shouldn’t be or a reception desk or security desk unattended report those security incidents to management.

Non-technical Data Security Tip #5: Hide Your Screen

Anytime you pull up confidential information on your screen you’re at risk of others seeing your information.  Whether it’s someone passing by your desk in the office or looking over your shoulder at the airport, it’s all-to-easy for others to see information that should be kept private.  To protect yourself, invest in a privacy filter.  Privacy filters are a great way to prevent those around you from seeing your screen and potentially stealing confidential information.

For more information on how to protect yourself from cyber criminals, review our Data Security section or contact us.  We can provide the IT support and data security you need to protect your business.

7 Questions You Should Ask Your IT Security Provider

January 15, 2018 —

Data security continues to be a top concern for small and midsized businesses…as it should be. According to the Verizon Data Breach Investigation report, 61% of breaches hit smaller businesses. And while data security might be a top concern, too many small businesses don’t take action. 90% of small businesses aren’t using any sort of data protection according to UPS Capital. In order to protect your business, there are some critical questions you should be asking your IT Security provider. (Don’t have one? Contact Us.)

IT Security Question #1 – How Often Do We Back Up Our Data?

Your business changes by the minute. Backing up your data only once per day or just weekly isn’t enough. That’s because it doesn’t put you in the right position for a fast recovery in the event of data loss. Backing up your data multiple times per day provides you with the protection you need. It also reduces the time required to get back up and running. You may also consider implementing a disaster recovery solution. These solutions can be immediately ready-to-relaunch with your full system, applications, and data. This takes your recovery time down from hours to minutes.

IT Security Question #2 – Is Our Email Secure?

One of the easiest ways for hackers to gain access to systems is via email. You need to protect your organization from spam, email-born viruses, email-based malware, phishing emails, malicious links, unsecured email and Denial of Service attacks. By using solutions that provide advanced threat detection, you can put in place a vital security layer. This layer scans email attachments and compares them against a cryptographic hash database. Emails found to contain malicious content are quarantined and administrators and users can be notified. If no malicious content is found, the email is passed through seamlessly to the user.

IT Security Question #3 – Is Our Data Traffic Secure?

Encryption will help protect your data and personal information as it is traveling through the Internet. For example, if you are passing secure information such as credit card numbers, social security numbers, medical information or even just customer names and addresses, encryption can ensure this data is sent securely rather than as “clear text” which can be read by anyone. Data encryption for your email traffic is no longer an expensive and out-of-reach solution for small and midsized businesses. This technology is now available at an affordable price, and can help ensure sensitive data sent over email will safely reach its destination. It will protect your data from being “read” by hackers who will use the information maliciously. That could include phishing schemes, information gathering including passwords and sensitive financial information, and confidential personally identifiable customer information. All to be packaged up and sold on the dark web.

IT Security Question #4 – Are Employees Visiting Unsafe Websites?

One of the oldest (and still most popular) ways of breaching your systems is done via code that is activated when a user clicks on (or in some cases even hovers over) a malicious link. Malware and ransomware can then be quickly installed on the device and your data can be held hostage. A back-up system can help in this situation, allowing you to recover your data without paying the exorbitant ransom fee. But it is even better if you can proactively prevent the malicious code from entering your system in the first place. Also, it costs a lot less to stop the infection before it starts than to recover from an infection.

You need to have a technology layer in place that checks every data request that is being made out to the Internet to ensure that the requested site is safe.

Those which are safe have traffic routed without interruption. Internet traffic to and from sites which include malicious content are blocked. And those which are considered questionable are sent through another layer of security with malware and anti-virus tools to confirm whether they are safe.

IT Security Question #5 – Do We Have a Password Policy?

While it’s convenient for users to keep the same password for months or even years, it’s horrible for your business. Frequently changing passwords can help protect your organization. Here’s why. Hackers will often “revisit” and re-use the same account information over and over. Allowing them to continually access your systems over time. Frequent changing of your password prevents this repeated abuse. Also, if the user’s computer is moved to a different employee or it leaves your company (through a sale, theft, or recycling) there may be saved passwords stored in the machine.

Changing passwords regularly will reduce the likelihood that these saved passwords will still be valid and can help prevent unauthorized access.

Tracking that employees are regularly updating their passwords is an important step. And solutions are available to help automate and enforce a password changing policy that is appropriate for your company. To make this easy, consider using a Password Management solution that improves your password management by creating and enforcing more secure passwords, protecting your organization if employees leave, and giving you control over all the passwords being used in your organization.

IT Security Question #6 – Are Mobile Devices a Problem?

Mobile devices can be safe to use if they are set up properly with the right security layers in place. Similar to how you protect your network with technology that filters web traffic to confirm its safety, your mobile devices can be installed with lightweight versions of the same technology. This layer ensures that data requests being made out to the Internet are exchanging information with safe sites. If you have employees on mobile devices that aren’t using this additional security layer, you may be introducing malware and viruses onto the device and then into your overall network. We also recommend mobile devices be connected only to your “guest” (or separate network). This separates them from your default corporate/employee network, creating another security layer between your mobile devices and your core network applications and data.

One of the best ways to protect your systems is to remotely delete all data on a mobile device. This is important in the event the device is lost or stolen. Although you’ll still be out the cost of the hardware, but it can reduce your exposure to the more significant costs of stolen data.

IT Security Question #7 – Are Employees Adding to our Risk?

It’s critical to train your employees so they can recognize phishing schemes, malicious links, suspicious emails. Sophisticated hackers use social engineering to gain access to your systems and steal your data. Well-trained employees are your number one line of defense, yet security awareness training often skipped by small and midsized businesses. The best data security system in the world cannot overcome an employee who unwittingly provides access for hackers.

Implementing a Security Awareness Training program will provide your employees with the critical skills they need to avoid falling victim to hackers thereby compromising your systems. Furthermore, employees can be trained to recognize potential dangers and how to report potential breaks in security.

Moving Ahead

Although data security can seem overwhelming, the good news is there are a lot of cost-effective solutions available to mitigate these risks.  And they can be implemented quickly with minimal disruption to your team.  In the end, the #1 way to protect your business is to START.  Make a plan and move ahead.

To learn more, check out our Data Security insights.

For a free data security assessment, please contact us. We can review your systems and help you move forward with a more secure IT approach to secure your data and protect your business.

– There Xlingshot Team

W2 Phishing Scams are Headed Your Way

January 8, 2018 – It’s that time of year again. HR administrators and payroll teams are coming out of their holiday haze. And now it’s time to focus on everyone’s second favorite time of year…tax time.  Jokes aside, this time of year provides a fresh opportunity for cyber criminals to target small and midsized businesses.  Cyber criminals will use sophisticated W2 phishing scams to trick payroll departments, accountants, and HR teams into providing W2 data on company employees. This type of business email compromise is big money, and small-to-midsized businesses are a prime target.

How W2 Phishing Scams Work

With phishing schemes, the cyber criminal sends an email from a fraudulent account. But the email appears at first glance to come from a high-level executive. These phishing schemes work by employing a sense of authority and urgency in the communication.  The email will ask the employee to provide tax-related information from the W2 so that they can be properly issued.  There is typically a false sense of urgency created as well, causing a quick reaction by the recipient before they have a chance to think things through.

These emails are incredibly convincing, and may include the actual email signature block of an executive.  Within the email there will be a link to upload volumes of employee data to a fraudulent location, or simply a request to reply to the email with the information.  Unfortunately, because the email came from a spoofed mailbox it will be sent to the cyber criminal.  The executive is none the wiser that their identity was used fraudulently.

How to Protect Yourself

So what’s the best way to protect your organization from these sophisticated criminals?  Turns out, it’s education.  While web defense and email defense solutions can help prevent viruses, ransomware and malware from penetrating your network, the best defense against phishing is people.  Employee Security Awareness Training enables your team to identify a potential scheme and investigate before taking action.  Often it’s a simple phone call to the individual who sent the note.  If the employee is uncomfortable reaching out to the business owner or an executive they can be instructed to notify the security team and/or their manager.  It’s important to put the procedures in place and educate your team on the steps to take so phishing schemes can be detected, investigated, and shut down.

Employee security training can come in many forms including in person training at your facility or flexible online training.  Whatever suits your business, make this a priority so you can avoid becoming the next victim.

What Actions Can I take Right Now?

If you’re looking for steps to take right now to protect yourself, you can start by communicating directly with your team members who have access to confidential information.  Inform them of the process you will be using to collect and disperse W2 information, and be sure everyone understands that process. Remind them not to send confidential information without first verbally confirming with the requestor. Employees also need to notify management if a request is made outside of the published process.

Read more on Data Security for your organization and Contact Us to find out how to protect yourself.

– The Xlingshot Team

2018 Technology Resolutions for Small & Midsized Business

,

January 1, 2018 –

The new year is here! And with every new year comes a new set of opportunities (and challenges!) for your growing business. Make 2018 the year you use technology to give you a competitive edge, and also to protect your business. If you’ve been putting this off (maybe hoping you’ll somehow be missed by cyber criminals?), now is your chance! Tackle that IT “to do” list and put yourself on the right path to move your business forward.

Technology Resolution #1 – Backup Your Data

Take a moment to picture this: What would happen to your business if you lost a day’s worth of data? A week’s? All of it? Unfortunately data loss can happen to your team at any time due to human error, hardware failure, corruption or cyber attacks. Make sure you have your data safely and securely backed up and stored. Today, 96% of PCs* aren’t adequately backed up. For the same reasons you buy insurance for your business, be sure to invest in a quality backup solution. This will help you recover in the event of data loss. Be sure your back-ups are secure, encrypted, and monitored. So you can count on your data being there when you need it.

Read more about Backup and Disaster Recovery

*Source: Pricewaterhouse Coopers

Technology Resolution #2 – Update Your Data Security

According to data from Symantec, 43 percent of cyberattacks are targeting small business.  What’s most alarming is that 60% of small and midsized businesses that are breached go out of business within six months!  From ransomware, to Business Email Compromise, to malicious websites, there’s a lot of criminals looking to take advantage of small businesses who might not have prepared to defend themselves from attack.  This HAS TO BE THE YEAR when you tackle your data security and make sure you have the protections you need.

Read more about protecting your business from cyber threats

Technology Resolution #3 – Use the Cloud to Your Advantage

Moving your technology into the cloud can be a huge advantage for your small to midsized business. You can run your software in the cloud, your email and communication tools in the cloud, and your hardware (data storage) in the cloud. With this move you can take advantage of the latest technologies and scale quickly as your business grows. And from a data security standpoint, you’ll often have more protection as your data is stored in a secure facility than what you might be able to achieve in your local office.

If you’re not sure where to start, read more about Cloud Computing solutions or contact us.

Technology Resolution #4 – Manage Your Passwords

If you don’t have a strong password management policy in your organization then your first step is to have everyone update their passwords to something unique as soon as possible. (Today is good day for it!). Make sure your team uses a unique password that they aren’t using anywhere else. Check out this article for tips on creating good passwords. Once that’s done, consider using a Password Manager solution, which can help automate password creation and storage for your team. You install the software on your computer and mobile device, and use one master password (which you memorize) which will unlock all of the passwords being stored. With the right solution you can manage passwords across your business. You can also change passwords for employees that leave and enforce a password changing policy to keep your business secure.

If you’d like to manage passwords across your entire business please contact us.

Technology Resolution #5 – Train Your Team

You can install the best data security solution in the world, but it won’t matter if your employees unwittingly give out confidential information to cyber-criminals. Hackers today use sophisticated social engineering schemes to trick your employees into sharing passwords, wiring funds to fraudulent accounts, and sharing employee and customer data. The best defense against these schemes is to train your employees to spot them so they don’t become the next victim. Many small and midsized businesses skip this critical step, so make a resolution to start your training program in 2018.

Read more about setting up user training to help protect your business.

Tackle these technology resolutions in 2018 and you’ll be on the right path to move your business forward. If you would like to learn more about using technology to empower your business and protect your data, contact us for a free evaluation and recommendation. You can also call us at 303-410-2845.

Here’s to a great 2018!

– The Xlingshot Team

Implementing BYOD for Small and Midsized Businesses

,

December 4, 2017 –

BYOD (Bring Your Own Device) has become more and more popular with small and midsized businesses.  When employees supply their own mobile devices and laptops it can be a great benefit for your business in terms of cost savings.  Plus, employees get to have the device of their own choosing. (For more on the pros and cons of BYOD, see our blog post from last week).

When implementing BYOD, one of the cons we highlighted last week is security issues.  To reduce the risks (and the costs) we recommend small and mid-sized businesses take an approach that includes the following areas:

Create a BYOD Policy

Before implementing BYOD, it’s important to set up the policies you will put in place for your organization.  A BYOD policy will address questions including:

  • allowed device types,
  • what information/areas/applications employees will be able to access via the device,
  • permitted and disallowed apps,
  • and what personal data will be collected from the device by the business.

A strong BYOD approach also requires employees to sign an acknowledgement that they have read and understand the policy.  This acknowledgement will outline the acceptable uses including guidelines for personal use on company time, website access rules, security policies, use of cameras while onsite (particularly for secure/confidential areas of the facility), allowed applications, and zero tolerance policies for texting while driving.

Set up BYOD Security Measures

There’s a wide array of solutions available to support proper security on employee-owned devices.  Whether you’re using a fully automated solution or addressing security issues manually, you need to be sure you have the following areas covered:

  • Track and Register devices connected to the network and accessing applications (including email)
  • Set up devices to be wipe-enabled, so if they are lost or stolen the corporate data can be remotely removed.
  • Require passwords and auto-lock standards to improve on-device security
  • Install VPN technology on the device
  • Require encryption software on the device
  • Separate the personal data from the corporate data using Enterprise Mobile Management solution. IT personnel can selectively mange (and wipe if required) the corporate data, leaving the personal data and applications untouched.

Train Your Users

While proper employee training is important in order to achieve peak performance from your team, it is a mission critical requirement if you’re going to successfully implement BYOD at your small or mid-sized business.  The training employee must educate your team on:

  • How to security access and manage corporate data accessed via the device
  • What applications are approved to use versus those which are restricted due to security or other company policy requirements
  • Guidance on the use of public WiFi networks
  • How to set up security on the device including password policies, auto-lock features, and more

Ongoing Monitoring and Management of Devices

After implementing BYOD, you must continually monitor and check that employees are complying with policies and the latest security measures are kept up-to-date and still active on the device.  There are a variety of software solutions that can help to automate the BYOD process for businesses.  At a basic level, there are solutions which will monitor, management and secure the employee’s mobile device.  These solutions also track usage, ensure the latest operating system files are installed, and confirm encryption software is operating correctly.  More advanced solutions expand out into managing all types of endpoint devices including desktops, IoT devices, and mobile devices all from the same software platform.

Regardless of the software used, or how far you want to go with BYOD, it’s important to tread carefully.  This isn’t an area of your business where you want to just “give it ago”, open up the network and see how it goes.  The IT leadership team should carefully plan the approach, enact the policy, secure employee agreements, and manage and monitor the environment to ensure ongoing compliance with the BYOD approach.

For more insights on how to implement BYOD successfully in your business, please feel free to Contact Us.

  • The Xlingshot Team

Top 5 Small Biz Tech Trends for 2018

,

November 20, 2017 –

In October Microsoft surveyed over 1300 small business owners to gain insight into the trends we’ll be seeing in 2018. And there were a couple of surprises. Here we’ll share our take on the results, and showcase what we believe are the top 5 most important tech trends to be aware of as we turn the corner into next year.

#5 – Keeping up with Technology is a Top Concern

Top tech challenge for small biz in 2018 is staying ahead of technology change, with nearly have of the established business owners surveyed picking this as the top concern.  And there’s no arguing that technology is rapidly changing the business landscape.  But in some ways, new technology innovation is leveling the playing field for small businesses as they go up against their larger competitors.

#4 – In-person Contact Still Dominates

The most dominant communication form is still in-person contact, with email and text messaging further down on the list.  Fifty-one percent of small business owners indicated that in-person communication is still their “go-to” form.  This one felt like a bit of a surprise, but for a small business, having personal and engaging direct communication with your customers could be a unique differentiator in the market and is often a key part of the value proposition. From a tech trends perspective, in our own experience we’re also seeing more and more small businesses beginning to rely on text messaging for communicating to their employees, suppliers and customers.

#3 – Younger Businesses Rely Heavily on Mobile Devices

Managing your work from a mobile device is a trend that continues to rise.  Younger businesses (those in business for less than one year) are more likely to have employees working primarily from mobile devices compared to their established counterparts.  Approximately 2/3 of those businesses indicated that at least some of their employees are using mobile devices as their main technology for their job.  In general, the respondents were very mobile.  Rather than the traditional office, they are working from multiple locations and from home.

#2 – Small Businesses Are Underprepared and Concerned about Cybersecurity Threats

Small business owners feel underprepared for cybersecurity threats, with half of respondents indicating they’re concerned about a data breach.  And they have every right to be concerned.  43% of cyber-attacks happen to small businesses. And attacks are on the rise.  For more information on how to protect your business, check out our Threat Management page.

#1 – Too Many Small Businesses are Doing Nothing to Protect Themselves

As we write this tech trends article for 2018, this is the one which came as a surprise to us. And it’s also the most important. When we begin working with a new client one of the first things we put in place is a robust plan for Data Security.  Yet according to the Microsoft survey, many small businesses, a whopping 25%, say they are doing nothing to protect themselves from cyber security threats.  Why is this so concerning? As we mentioned, 43% of attacks happen to small businesses.  And for those experiencing a major data breach, 60% go out of business within six months.*

For those who are taking action, 70 percent have indicated that they would prefer to partner with experts in the area of cyber security rather than trying to go it alone.  For those companies, 30% are using encryption software, which can help protect the data on your machines if they are lost or stolen.  Almost 40% have their employees using some form of anti-virus software on their machines.

For more information on how to improve your data security please visit the data security section of our website.  You can also download the “Data Security: Top 10 Ways to Protect Your Business” whitepaper.

* http://www.denverpost.com/2016/10/23/small-companies-cyber-attack-out-of-business/

Spam – Simply Annoying or a Serious Business Threat?

November 13, 2017 –

It’s November of 2017 and we honestly can’t believe we’re writing a blog post about spam.  Yet spam-related issues are still a major problem…and it feels like it’s coming back in full force.  Is it our imagination?  Unfortunately not.  Back in 2010 spam was hitting its peak.  It was all over your inbox, and incredibly annoying.  But for the most part it was simply that…annoying.  The bulk of it just delivered ads you didn’t want.  And occasionally you would hear about spam delivering viruses, and people got used to the idea of installing anti-virus programs on their machines.  For users, you cleared out your inbox and moved on.

And over the past few years, we’ve all enjoyed a bit of respite from the spam deluge.  New anti-spam software came on the market.  Governments and private firms collaborated to take down spam-sending cyber criminals.  It appeared to be a problem under control.

Spam is Back. And It’s Brought Some Friends Along

According to the latest Cisco Cybersecurity report*, spam has come back in a big way, rivaling levels we saw back in 2010.  It is now estimated that nearly two-thirds of total email volume is spam, and the volume is growing.  What is even more unfortunate is that about 8 to 10 percent is malicious, meaning it includes dangerous attachments.  Often there are multiple malicious files included within a container zip-style file.  Cyber criminals are experimenting with a wide range of file types to see which ones are more successful.  They are flexible and dynamic in their approach, and quickly adjust as needed.

How to Protect Your Small to Midsized Business

Small and mid-sized businesses need just as much protection as large enterprises.  Due to the nature of the threat, spam is an equal opportunity access point for hackers.  It spreads far and wide, and is constantly changing.  Businesses need to protect their systems by using an email defense solution, which filters out unwanted and dangerous spam, preventing it from infiltrating the organization. And it’s critical that your solution provider continuously updates their defense software with the latest protections from constantly changing threats.

However users often have one main complaint when using email defense and filtering solutions. Sometimes a legitimate email from a new customer or supplier gets “caught” in the email filtering software.  Every few hours the email security software will send a notice about emails that are in quarantine, but by then you may have already wasted a lot of time trying to track down the missing email.  However if you use Outlook to manage your email, one feature we recommend is getting a solution which includes a Microsoft Outlook plug-in.  If you have a solution with an Outlook plugin, you can quickly check email messages which are quarantined and release safe ones right from the Outlook program.  You get all the protection, without the inconvenience.

Email Defense and Filtering is a Must…but it can only go so far

You need a solution that continuously keeps your system up-to-date with the latest protections.  This is because cyber criminals are continually adjusting their approach in order to circumvent these protections.  They create a new malicious file and the email defense software hasn’t seen it before.  The defense software quickly adapts, and within a few seconds or minutes it will begin blocking the new threat.  The cyber criminals like to work in that window, sending out as much spam as possible. It is a constant race, and no defense software can keep every bit of spam out 100% of the time.

Your next best line of defense is the individual user.  Training is essential so users learn how to spot and avoid interacting with spam emails.  A strong email defense and filtering solution works almost like a magic wand, but you must strengthen every link in your chain.  Each employee is potentially a vulnerable entry point, and you must give them a strong training program to provide the information, test their knowledge, and continually refresh the team to keep their skills sharp.

For more information on how to train your employees to stay vigilant, visit the Security Awareness Training portion of our website.

If you would like to start a data security training program, please call us at 303-410-2845, email us at info@xlingshot.com, or use the Contact Us page.

  • The Xlingshot Team

* Cisco 2017 Annual Cybersecurity Report

Top 5 Social Engineering Scams – Protect Yourself

November 6, 2017 –

What are Social Engineering Scams?

Social engineering scams are tactics that allows hackers to access your systems through direct manipulation of your employees.  This is taking cyber-attacks to a whole new level. And it is challenging because it can be extremely difficult to prevent. With social engineering, the hacker will focus themselves on a specific target. They will try to fool their target into clicking on a link and downloading a file. Or they’ll try to get them to reveal personal and confidential information like usernames and passwords.

What are the main Social Engineering Scams to watch out for?

There are 5 main social engineering scams.  Read below to find out how to spot them before hackers can do damage to your systems.

  1. Phishing – Phishing is by far the most common of the social engineering scams. The hacker will pose (via email) as a financial institution or some other authoritative group (like a government agency). They will send out an email that required “urgent” attention by the target user. These emails will contain a malicious attachment or an embedded link.  When the user interacts with the attachment or link, malware is released into the system. Sometimes it is obvious right away, other times it lurks silently waiting to strike at a later date.
  2. Baiting – Baiting is a lot like phishing. The user will receive an email from a seemingly reliable source. The message will include some sort of incentive or reward for engaging with the content. Often this will be in the form of a free gift the employee can claim.
  3. Pretexting – Pretexting is when an individual lies and pretends to be someone else in order to trick an employee into sharing information, sending money to a fraudulent account, or opening a malicious attachment. Usually this is done via email with a Business Email Compromise (BEC) scam. The cyber criminal will pretend to be in a position of authority in the company. They will send a communication from a fake email address that at first glance appears to be legitimate. They’re betting people are so busy they won’t notice that the email address is spelled slightly differently and they are right…how often do you actually look at the long form email address for contacts you already know? In the email they’ll give the employee instructions to open a malicious attachment or send money to a new (fraudulent) supplier.  In another form of pretexting, the criminal ask the employee to verify personal information. They are very talented and manipulative, and can easily trick an unsuspecting person to reveal more and more information over time.
  4. Quid pro quo – this is a bit like baiting, where the employee is (seemingly) getting something of value in exchange for information. Often this will take the form of someone pretending to be in IT support, and offering to fix something on their machine in exchange for their login information. They’ll claim they need this in order to correct a problem on the employee’s computer. Or better yet in an ironic twist they say they want to install data security software to protect the employee from hackers.
  5. Tailgating – this form of social engineering is more hands-on and in-person. As your employee is approaching the door to the office, they will be followed in by another “employee” or “delivery person.” Often the fake employee will pretend to have their hands full and be struggling to find their badge. These types of scammers are incredibly comfortable with conning people, and appear to be friendly and social. They might even read the employee’s name off their badge and pretend to know them.  And now they have access to your facility. Side note: this is a particular vulnerability for small and mid-sized businesses leasing space in larger office buildings. Someone will gain access to the building as a whole and then easily follow an employee into their work area.

How can I protect my business from Social Engineering?

Training. Training. Training. There’s no magic wand…preventing social engineering requires you to strengthen every link in your chain. Each employee is potentially a vulnerable entry point, and you must give them the skills to spot a social engineering scam and shut it down. A strong training program will give people the information, test their knowledge, and continually refresh the team to keep their skills sharp.

For more information on how to train your employees to stay vigilant, visit the Security Awareness Training portion of our website.

If you would like to start a data security training program, please call us at 303-410-2845, email us at info@xlingshot.com, or use the Contact Us page.

– The Xlingshot Team

Significant Wi-Fi Network Vulnerability – WPA2 Security Flaw

October 20, 2017 –

Earlier this week, security researchers announced a WPA2 security flaw.  WPA2 is the main encryption used to secure the majority of Wi-Fi networks.  This technology encrypts the connection between the wireless device (tablet, mobile phone, printer, etc.) and the wireless access point.  Up until a few days ago it was thought to be a very secure encryption technology.  This newly-discovered vulnerability, called KRACK could change all that. Android and Linux devices are particularly susceptible to the vulnerability.

How Will the WPA2 Security Flaw Affect Me?

This will primarily affect you if you are using public WiFi.  We recommend that you avoid sending any secure, sensitive, or personally identifiable information over public WiFi at all times.  However, with this vulnerability even password protected public WiFi is not any safer so avoid them if possible.

What Steps Can I Take?

  1. Only send sensitive and personally identifiable information when on your secured work network.
  2. Use a trusted Virtual Private Network (VPN) when connecting via WiFi. VPNs will encrypt your data and keep it protected from hackers.
  3. Set up a VPN on your smartphones and tablets too, not just your PC/laptop, to protect all of your web traffic.
  4. Only visit websites that are using HTTPS (Hyper Text Transfer Protocol Secure). You can confirm this by looking at the URL.  It should start with “https://” versus the un-secured “http://” (without the “s”).  Please note, while this can be manipulated and bypassed in certain circumstances by the KRACK vulnerability, it does help provide an extra layer of security.
  5. Watch for security updates from Microsoft, Apple, Google and others and apply them to your mobile devices.
  6. If you have Internet of Things devices (Amazon Echo, Google Home, connected thermostats, smart lights, etc.) check with your manufacturer for firmware updates.
  7. Check for firmware updates for your wireless access points and Internet routers.

For Current Xlingshot Customers

If you are a current Xlingshot managed services customer please rest assured we are updating your supported PCs, laptops and wireless network devices with the appropriate patches as soon as they become available.  Most updates have already been applied.

How Can I Enhance my Data Security?

For more information on how to improve your data security please visit the data security section of our website.  You can also download the “Data Security: Top 10 Ways to Protect Your Business” whitepaper.