DMARC Policies?

Spearphishing?

Odds are that if you are a business owner operating in that sweet 1 to 5 million AR space then your day started like this...

5-7 am (Alarm goes off - ignore at least once but then get up, let's go)
Morning Routine (variable - kids - coffee - food - commute - etc)
7-9 am (arrive at the office)
All hours between arrival and 5pm (or whenever you leave work...)
CHAOS

Rinse and Repeat.

Why does this matter? Well, unless you are truly a unicorn, there is not a slot in that insane life/schedule for studying Cyber Security terminology and increasing your acumen with a "Carry On, Mr. Bowditch" style hunger for knowledge. You are inundated with crisis, pressure, decisions, stress, fear, doubt, wins, losses, HR questions, taxes, bills, quarterly planning, goal setting, soccer practice... the list obviously goes on.

(If you don't run a business but want to know what it feels like, volunteer to work a Monday morning shift at your local airport Air Traffic Control tower with zero notice and no backup... it's like that.)

Ok, now that we are all feeling heard and understood, let's proceed.

These hyper-specific notices from various law enforcement and security-focused entities, detailing threats that oftentimes feel nuanced at best, are important because they point to VERY real threats to your business. Let's explore how:

This DMARC/Spearphishing notice caught my eye because we have already seen it being used in the wild. (By NK, not necessarily, but the technique is popular.) Now let's not get caught in the weeds on the technical terms; this threat deals specifically with email security weaknesses and how easy it is for someone to impersonate you and your email address to trick people into... all sorts of things.

Criminal/Hacker (Poses as you and emails your Office Manager on a Monday when you are out of town)

The message states that you forgot to pay an invoice before you left and are forwarding it to her; can she please take care of it, since you won't be back until next week and you don't want to think about it.

Office Manager opens the attached invoice, looks legitimate, clicks the payment link, looks legitimate, pays invoice for $7253.00 (consumables, equipment, website, etc.)

You get home next week and the invoice comes up in conversation, but you never emailed her, and the realization is instantaneous... gut-wrenching.

This just happened to a business here locally. Luckily, the management team has a policy to call and verbally confirm all payments, so the fraud was prevented, but it was close. The email looked great, the invoice and payment link, everything was pristine; it was just fake.

Could happen to any one of us at any time.

If your IT partner isn't leaning in strongly on email security and cyber awareness training, then you have cause for concern at a minimum.

Harden the target, stay vigilant!

Reflections on article tagged below: