Used with permission from FTC.gov
by Andrew Smith, Director, FTC Bureau of Consumer Protection
As a business person, you know about phishing, of course. At first glance, the email looks like it comes from a recognized company, complete with a familiar logo, slogan, and URL. But it’s really from a cyber crook trying to con consumers out of account numbers, passwords, or cash. In addition to the serious injury these scams inflict on consumers, there’s another victim of phishing: the reputable business whose good name was stolen by the scammer.
Fraudsters don’t just masquerade as global financial institutions or industry giants. They impersonate small businesses, too. But there is good news on the fraud-fighting front. There are steps you can take to make it harder for scammers to send phishing emails that look like they’re coming from your company. Tech types use the phrase “email authentication” to refer to tools that work behind the scenes to help a server verify that a message that says it’s from yourbusiness.com really is from you. Those tools also will block messages or send them to a quarantine folder if they bear the telltale signs of a phishing attempt.
When we sat down with small businesses to see how we can help your cybersecurity efforts, you asked for more information about email authentication. The FTC’s Cybersecurity for Small Business campaign features new resources designed to fill that need.
Some web host providers let you set up your company’s business email using your domain name. In other words, if your domain name is yourbusiness.com, your email will be name[at]yourbusiness.com. Without email authentication, scammers can use your domain name to send emails that look like they’re from your business. To foil their efforts, make sure your email provider uses these three email authentication tools.
It can take some know-how to get SPF, DKIM, and DMARC up and running so they work as intended and don’t block legitimate emails. If you’re not sure you have the expertise, have your email hosting provider set them up. If they balk – or if they don’t include those fundamental protection tools in their service agreement – consider taking your business elsewhere.
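One way to check that published SPF and DMARC records are set to work as intended, as an added example that is not part of the FTC article: it audits the TXT records a domain publishes and flags settings that leave spoofed mail unblocked or unreported. The record strings, the provider name mailhost.example, and the function names are constructed for illustration; DKIM is left out because checking it needs the provider's selector name.

```python
# Constructed sample TXT records for the placeholder domain yourbusiness.com;
# mailhost.example stands in for a real email provider.
WEAK = {
    "yourbusiness.com": "v=spf1 include:_spf.mailhost.example ~all",
    "_dmarc.yourbusiness.com": "v=DMARC1; p=none",
}
STRICT = {
    "yourbusiness.com": "v=spf1 include:_spf.mailhost.example -all",
    "_dmarc.yourbusiness.com": "v=DMARC1; p=reject; rua=mailto:dmarc@yourbusiness.com",
}


def audit_spf(record):
    """Findings for one SPF record (RFC 7208); include: targets are not followed."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["SPF: no v=spf1 record published"]
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls:
        return ["SPF: no 'all' mechanism in this record"]
    if alls[0] in ("all", "+all"):
        return ["SPF: +all authorizes every sender"]
    if alls[0] in ("~all", "?all"):
        return ["SPF: %s does not hard-fail unlisted senders" % alls[0]]
    return []


def audit_dmarc(record):
    """Findings for one DMARC record (RFC 7489 'tag=value;' list)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["DMARC: no v=DMARC1 record published"]
    findings = []
    policy = tags.get("p", "").lower() or "(missing)"
    if policy not in ("quarantine", "reject"):
        findings.append("DMARC: p=%s does not quarantine or reject failing mail" % policy)
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so no aggregate reports arrive")
    return findings


def audit_domain(domain, txt):
    """Audit a {record name: TXT value} mapping; performs no DNS lookups."""
    return audit_spf(txt.get(domain, "")) + audit_dmarc(txt.get("_dmarc." + domain, ""))
```

Calling `audit_domain("yourbusiness.com", WEAK)` returns three findings, while the `STRICT` records return none.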
If your email authentication tools are operating on all cylinders, you’ll get a notice if someone spoofs your email. Here’s how to respond:
Report the scam. Contact local law enforcement, the FBI’s Internet Crime Complaint Center at IC3.gov, and the FTC at FTC.gov/Complaint. Forward phishing emails to spam@uce.gov, an address used by the FTC, and to reportphishing@apwg.org, an address used by the Anti-Phishing Working Group, which includes ISPs, security vendors, financial institutions, and law enforcement agencies.
Notify your customers. Contact them ASAP by mail, email, or social media. (If you email them, don’t include hyperlinks. You wouldn’t want your notification message to look like another phishing attempt.) Remind customers not to share personal information through email or text. If their data was stolen, direct them to IdentityTheft.gov.
Alert your staff. Use the experience to update your security practices and train your staff about cyber threats. Distribute the FTC’s fact sheet on email authentication. Show this video at your next staff meeting for tips on how to respond if your email is spoofed. And here’s another video that takes a deeper dive into the technology behind email authentication.
Bryan Antepara: IT Specialist
Bryan Antepara is a leader in Cloud engagements with a demonstrated history of digital transformation of business processes with the use of Microsoft Technologies, powered by the team of eMazzanti Technologies engineers.
Bryan has strong experience working with Office 365 cloud solutions, Business Process, Internet Information Services (IIS), Microsoft Office Suite, Exchange Online, SharePoint Online, and Customer Service.
His ability to handle the complexity of moving data in and out of containers and cloud sessions makes him the perfect candidate to help organizations large and small migrate to new and more efficient platforms. Bryan is a graduate of the University of South Florida and is a Microsoft Certification holder.