How $43,000 Got Stolen From A Small Business In The Blink Of An Eye

What you are about to read is a real story showing you how a business can be devastated by cybercriminals in the blink of an eye. Most importantly, I’ll share several ways this could have been avoided. Make sure to forward this to anyone who might be making online payments and, better yet, your entire staff. The name of the company and principals have been withheld so they don’t become a further target.

$43,000 Gone In The Blink Of An Eye

Imagine, on a normal Friday night after a long week of work, you glance down at your phone and see an alert from your bank.

You open it to find that you’ve just paid a company you’ve never heard of $43,000!

This was an all-too-real situation for one small business owner a few weeks ago – and there’s NOTHING the owner, or police, or anyone else can do to get that money back. It’s gone forever.

Thankfully, for this company, $43,000 was a loss they could absorb, but it was still a huge hit and, frankly, they are lucky they weren’t taken for more.

Here’s what happened and how you can keep this from happening to you.

The E-mail That Started It All

Imagine receiving an e-mail so convincing, so utterly devoid of red flags, that you find yourself compelled to act. This isn’t a failure of judgment; it’s a testament to the sophistication of modern cyberthreats.

In this case, an employee in the accounting department received an e-mail from the company’s “CEO” saying they were starting to work with a new company and needed to get them set up in the system and make a payment to them right away.

This was NOT an abnormal type of e-mail, nor was the amount anything that aroused suspicion – they made and received large amounts of money often.

The only telltale clue might have been that it came in on a Friday afternoon and it was made clear that it was an urgent matter that had to be handled right away.

The employee, thinking they were doing exactly what their boss wanted, set the attacker’s company up in the system, including their bank routing number, and made a payment. And the minute they hit “Send,” the money was never to be seen again.

It wasn’t until the CEO called minutes later, after receiving notification of the transfer, that alarm bells started to ring! But by then it was all too late.

So What Happened?

While it’s impossible to know what exactly occurred to kick off this chain of events, the most likely culprit is that an employee, possibly even the owner, received an e-mail sent by a cybercriminal weeks or even months earlier that allowed this person to gain access to some of the company’s systems.

In all likelihood, the e-mail looked normal and had a link that, when clicked, downloaded software onto the recipient’s computer, and that’s where things started to go wrong.

Over the following weeks, the cybercriminals accessed company communications, figuring out who the players were, and devised a plan to make it look like the CEO needed a vendor to be paid urgently.

And when the criminals determined the time was right, they “attacked” and walked away with $43,000 for their efforts.

Home Alone

While this scenario may sound far-fetched, it’s not new.

If you remember seeing the classic movie Home Alone, would-be thieves watched houses immediately preceding Christmas to determine which families would be away for the holidays so they could break into those homes.

Cybercriminals do the same thing, but from a distance, and you’d never know they were ever there.

The scary fact is, your system could be compromised right now, and you would have no way of knowing it, until an attack happens.

In the cybercrime world, the kind of attack this company suffered is referred to as spear phishing. Criminals identify a single point or person in an organization who they believe could fall victim to a scam like the one that happened here, and they engineer a scheme to specifically target them.

What You and Your Employees Need To Know To Help Thwart Attacks

The sad fact is that there is no 100% safeguard against cybercriminals. But, just like our robbers in Home Alone, cybercriminals go after the low-hanging fruit. If your house has a gated entry, security system, outside cameras and lights, and has three vicious-looking dogs roaming around, would-be thieves are much more likely just to move on to a house without all these layers of security.

Cybercriminals operate in the exact same fashion, looking for companies that aren’t protected and then targeting them specifically. So, the best thing you can do is have layers of protection for your company, along with education for your employees.

3 Things to Do Right Now To Protect Your Company

1. Multi-factor authentication (MFA), also called two-factor authentication (2FA), is not just a tool but also a shield against the relentless barrage of cyberthreats. An example of MFA is when you try to log into a program, and it sends a code to your cell phone via text that needs to be entered before granting access to the program. While often deemed a nuisance, MFA isn’t an inconvenience – it’s the digital equivalent of locking your doors at night. It’s a simple yet profoundly effective measure that can be the difference between a secure business and a cautionary tale.
2. Employees are your first line of defense. Just like you’d teach your kids not to open the door for someone they don’t know, you NEED to educate your employees on malicious threats. Teaching them about the common scams, how to avoid them and what to do if they think they’ve inadvertently clicked a link they shouldn’t have, is key. You need to ask your IT company to provide this training, and often they have programs that you can require your employees to go through a couple of times a year. The program then quizzes them to ensure they have the knowledge. While this process isn’t something you or they will look forward to, the reality is that it could take just 10 to 15 minutes a couple times a year to keep you out of the news and your money out of someone else’s account!
3. Get cyber security services in place. MFA is just the start of a comprehensive security plan. You need to talk to a qualified company (not your uncle Larry who helps you on the side) about getting more than a firewall and virus scan software. What worked a decade or two ago – and may still be helpful on a home network – would be like protecting a bank vault with a ring camera. It’s just not going to cut it. NOTE: We offer a variety of security services for companies of all sizes and can certainly talk to you about options that make sense for your situation.

Whatever You Do, Don’t Do This!!!

Maybe the worst thing the owner of the company that lost $43,000 did was they then posted a video and story on social media.

While their intentions were good because they wanted to warn other business owners not to fall victim to the same scam, they might as well have had T-shirts made with a big target on the back.

It’d be like having cash from your house taken, then going online and telling people exactly how it happened – you’re just inviting more people to come try to take your cash.

Not Sure If You’re as Protected And Prepared As You Should Be?

To make sure you’re properly protected, get a FREE, no-obligation Cyber Security Risk Assessment. During this assessment, we’ll review your entire system, so you know exactly if and where you’re vulnerable to an attack.

Schedule your assessment with one of our senior advisors by calling us at 305-574-2169 or going to

Best Practices To ‘Celebrate’ National Change Your Password Day: How Does Your Password Stack Up?

Each year on February 1st, we celebrate Change Your Password Day. While it’s not a holiday that gets you off work, it serves as a good opportunity each year to do a quick check-in and make sure you’re using strong passwords that will keep your accounts protected.

The suggested ‘rule’ used to be to change your password every three months. With advanced tools like password managers and data encryption, experts now say the type of password you use is more important than how often you create a new one. We’re sharing up-to-date advice on how to create a strong password that will keep your account secure and hackers guessing.

Make It Complex

Aim for complexity by combining uppercase and lowercase letters, numbers and special characters. Avoid easily guessable information like birthdays, names or common words. The more intricate and unique your password, the harder it is for hackers to crack it.

Longer Passwords Are Harder To Crack

Long passwords provide an added layer of security. According to Hive Systems, brute-force hacking can crack an eight-character password in less than one hour! When creating a new password, aim for a minimum of 12 characters, and consider using passphrases—sequences of random words or a sentence—which can be both strong and easier to remember.

A random passphrase would be something like: cogwheel-rosy-cathouse-jailbreak.

This passphrase was generated from the website useapassphrase.com, which will auto-create a four-word passphrase for you if you’re stumped.

Use Unique Passwords For Each Account

Resisting the temptation to reuse passwords across multiple accounts is crucial. If one account is compromised, having unique passwords for other accounts ensures that the damage is contained. Consider using a reputable password manager to help you generate and store complex passwords securely.

*Do NOT use Google or your browser’s password manager. If your Google account is compromised, all of your passwords will be too. Talk with your IT team about what password management tool they recommend for you and your organization.

Update Passwords Yearly

As long as your account hasn’t been compromised, you only need to change your passwords once a year to minimize the risk of unauthorized access. The only time a regular password change routine would be exceptionally helpful is if someone has access that you don’t know about. A frequent password change can make it more challenging for attackers to maintain access to your accounts over an extended period of time.

Engage Multi-Factor Authentication (MFA)

Implementing multi-factor authentication is another easy way to make your password bulletproof. MFA typically involves combining something you know (your password) with something you have (like a code sent to your phone). Even if your password is compromised, MFA significantly reduces the chances of unauthorized access.

Set Up Strong Password Recovery Alternatives

Leverage password recovery options like security questions or alternative e-mail addresses. It’s important to choose questions with answers that are not easily guessable or have publicly available information so “What’s your mother’s maiden name” is out!

Use Password Managers

You don’t have to try and remember every password, and you shouldn’t write them down on a sticky note on your desk. Instead, use a good password management tool that is secure and will handle keeping track of your passwords for you.

Bonus points for turning off the auto-fill feature. Hackers can infiltrate sites and install a little bit of code on a page that creates a second, invisible password box. When your password manager autofills the login box, it will also fill in the invisible box, giving hackers your password. This isn’t overly common, but it still poses a risk.

Regularly Review Account Activity

Monitor your account activity for any suspicious logins or activities. Many online platforms offer features that notify you of login attempts from unfamiliar devices, allowing you to take swift action in the event of unauthorized access.

It’s also always good to be aware of phishing attempts, never click suspicious links or attachments in e-mails, avoid public Wi-Fi and only use secure connections and educate and train your team on what to look for when it comes to cybercrime so they can protect themselves, you and the company.

As cyber threats continue to evolve, mastering the fundamentals of cybersecurity, like creating strong passwords, becomes paramount. By making informed choices and staying proactive, you can significantly enhance your online security.

However, as the leader of your organization, it’s important to remember that nothing is foolproof. Educating your team on cybersecurity best practices is essential, but mistakes can and will still happen. For most, it’s not a matter of if, but when. You must have a robust cybersecurity plan in place. The right IT team will make sure you have every protection in place to keep you safe and a crisis management plan ready if something goes wrong. To find out what gaps you have in your cybersecurity system, we’ll do a FREE Cybersecurity Risk Assessment. Click here to book yours now. Or visit our website : https://virtualitmanagers.com/free-network-analysis-and-security-assessment/

How “Cheaper” IT Providers Sneak In Expensive Hidden Costs

Is your company looking to hire an IT firm? Unfortunately, unless you’re tech-savvy or experienced with IT contracts, there can be hidden costs that you wouldn’t expect or know to look for. While it can sound appealing to go for the cheapest firm, that decision can end up costing you more in the long run due to carve-outs and hidden fees in the contract. Cheaper IT firms will omit certain services from the original agreement and later nickel-and-dime you to add them on or by quoting you inadequate solutions that you’ll later need to pay to upgrade.

To help you weed out these companies that are not the bargains they advertise themselves to be, there are a few key elements to consider determining if your quote is insufficient, overpriced or underquoted.

Insufficient Compliance And Cybersecurity Protections:

A ransomware attack is a significant and devastating event for any business; therefore, it’s imperative that the IT company you’re working with isn’t just putting basic (cheap) antivirus software on your network and calling it a day. This is by far the one critical area most “cheaper” MSPs leave out.

Antivirus is good to have but woefully insufficient to protect you from serious threats. In fact, insurance companies are now requiring advanced cyber protections such as employee cyber awareness training, 2FA (2-factor authentication), and what’s called “advanced endpoint protection” just to get insurance coverage for cyber liability and crime insurance. We provide those standards in our offering, so not only do you greatly reduce your chances of a cyber-attack, but you also avoid being denied an important insurance claim (or denied coverage, period).

Inadequate Recovery Solutions:

One thing you also want to make sure you look for in your IT firm proposal is that they do daily backups of your servers and workstations, as well as any cloud applications your company uses (Microsoft 365, Google Workspace, etc.), because online applications do NOT guarantee to back up your data. You also need to make sure your backups are immutable or unable to be corrupted by hackers. Again, most insurance companies now require immutable backups to be in place before they’ll insure against ransomware or similar cyber events.

Transparency About On-Site And After-Hours Fees:

This might take you by surprise, but most IT firms will charge EXTRA for any on-site or after-hours visits. We include ALL of this in our agreements, but ‘cheaper’ MSPs will intentionally leave this out and add it on later to make the sticker price appear lower. Make sure you understand what is and isn’t included in your service agreement before signing.

Nonexistent Vendor Liaison And Support:

Will they help you with all your tech, or just select pieces that they’ve installed? Some IT firms will charge you hourly to resolve tech support issues with your phone system, ISP, security cameras, printers, and other devices they didn’t sell you but that still reside on the network (and give you technical problems). These fees can stack up over time. As a client of ours, you get all of that INCLUDED, without extra charges.

Cheap, Inexperienced Techs And No Dedicated Account Managers:

One way some companies cut costs is by skimping on customer support and expertise. Many of the smaller MSPs will hire technicians under a 1099 agreement or find cheaper, less experienced engineers to work on your network and systems. The more experienced and knowledgeable a tech is on networking and, more specifically, cybersecurity, the more expensive they are.

Further, many smaller MSPs can’t afford dedicated account managers, which means you’re depending on the owner of the company (who’s EXTREMELY busy) to pay attention to your account and to look for problems brewing, critical updates that need to happen, upgrades and budgeting you need.

Good account management includes creating and managing an IT budget, a custom road map for your business and reviewing regulatory compliance and security on a routine basis to make sure nothing is overlooked. You get what you pay for, and this is NOT an area you want overlooked.

BEFORE you sign on the dotted line, it’s important to make sure that you fully understand what IS and ISN’T included in the service you are signing up for. It’s VERY easy for one IT services provider to appear far less expensive than another UNTIL you look closely at what you are getting.

If you’d like to see what dependable, quality IT support looks like, book a call with our team, and we’ll be happy to give you a quote that covers everything you need. To Schedule Your FREE Assessment, please visit https://virtualitmanagers.com/free-network-analysis-and-security-assessment/ or call our office at 305-574-2169.

New Security Features To Protect Your Phone In 2024

Long gone are the days when phones were simple devices used to make calls. Today our phones are advanced, handheld supercomputers that can do everything from pay a bill to order lunch for delivery to edit videos and more.

But with more capabilities come more risks. Because our phones are computers and connected to the Internet, they are susceptible to the same security risks that any other computer would be. Worse yet, personal devices often contain private information like bank account numbers, which, if accessed by the wrong person, could result in dangerous and expensive problems like drained bank accounts, identity theft and so on. Still, despite the obvious risks, most people do not treat phones like the security threats they pose, making them easy, no-brainer targets for cybercriminals.

To give perspective on how severe the problem is, Apple recently shared a study from MIT revealing a shocking 2.6 billion personal records were breached in 2021 and 2022 and were expected to increase in 2023. According to Kaspersky Security Network, in Q3 of 2023 alone, a total of 8,346,169 mobile malware, adware and riskware attacks were blocked, with adware being the most common tactic at 52% of total detected threats.

The risks are even more serious for business owners. Does your organization have a mobile policy for employees? Are employees accessing sensitive work documents or accounts using unprotected devices? If you’re not sure, you need your IT department to look into this immediately. It only takes one entry point for a hacker to break into your network.

There are a few ways to protect your devices now. Both Apple and Android have developed powerful security systems with advanced protective features you can start utilizing today.

Apple:

End-to-end encryption has been the default for Apple iMessage, iCloud Keychain, and Health data, but with a recent update, Apple rolled out Advanced Data Protection (ADP). This feature is an optional setting that offers Apple’s highest level of cloud data security by encrypting messages in iCloud, iCloud Backup, Notes, Photos, Safari bookmarks, Siri Shortcuts and more.

Activating this setting protects your data in the event of a cloud-based data breach by only allowing trusted devices added by you to decrypt the information. Not even Apple can access your data.

Here’s how to enable Apple’s Advanced Data Protection Setting:

1. Make sure devices signed in with your Apple ID have been updated to at least iOS 16.2, iPadOS 16.2, macOS 13.1, tvOS 16.2, watchOS 9.2 or later.
2. Open the Settings app on your iPhone.
3. Tap your name at the top.
4. Select iCloud, scroll to the bottom, and tap Advanced Data Protection.
5. Tap Turn On Advanced Data Protection.

NOTE: If you don’t have a recovery contact or key set up, you’ll be prompted to do that first.

6. Once a recovery contact/key is set up, return to Settings > iCloud > Advanced Data Protection and tap Turn On Advanced Data Protection.
7. Follow the prompts.

NOTE: You may be asked to update other devices signed into your iCloud account before enabling end-to-end encryption (E2E).

You can also remove devices with old software to continue the process.

If your device is new, for security reasons, Apple might make you wait to enable the feature. If that’s the case, that timeframe will show on your screen during setup.

Android:

While Apple is known for having a robust security system that reduces vulnerabilities and protects users’ data, Android’s security features are not far behind. Google Play Protect analyzes every app before it’s available for download, and any new apps where a security risk is detected are unable to be accessed. The software also runs daily scans to help identify and disable malware and other harmful applications installed on your phone to protect your data.

Furthermore, Android backups are regularly uploaded to Google servers and encrypted with your Google Account password for security purposes.

How to keep data secure if you’re using an Android:

If you’re using Google One, you can set up automatic backups on your Android device to ensure that if disaster strikes, your data is securely stored in the cloud:

1. Open the Google One app on your Android.
2. At the bottom, tap Storage.
3. Scroll to “Backup” and tap View.
4. If this is your first phone backup, tap Set up data backup.
5. If this isn’t your first phone backup, tap View Details.

4. To review backup settings, tap Manage backup.
5. Choose your backup settings.

NOTE: If you get a message to install an app, update an app or change your settings, follow the onscreen steps. Then, go back to the Google One app to finish.

6. If asked, tap Allow Permissions.
7. At the top left, tap Back.

NOTE: Google One backups may take up to 24 hours to complete.

How To Protect All Of Your Devices:

These features are not the end-all, be-all for phone security, but they will add a layer of protection for your data. To ensure every device on your network is secure, we recommend getting a third-party Cybersecurity Risk Assessment. This is a free, no-obligation assessment where one of our experts will examine your network and let you know if and where you’re vulnerable to an attack, including your mobile device policy.

Schedule your assessment with one of our senior advisors by calling us at 305-574-2169 or going to https://virtualitmanagers.com/free-network-analysis-and-security-assessment.