ESET Warns SMEs Of March Tax-Related Scams

ESET, a global provider of security solutions for businesses and consumers, reveals latest cyber threats aiming at Indian small and medium businesses.

The end of financial year is always a busy time for authorities and corporates, and now for cyber criminals too. ESET researchers have noticed increase in spam pretending to come from Indian Income Tax Department. The e-mails often lead users to infected websites or try to fool them into opening infected attachments trying to compromise the system. In case of corporate network, if one machine was infected in such way the malware may spread further not only disturbing the company’s daily operations but prejudicing safety of company’s data and the privacy of its customers.

While there is a common thought that only large corporations are prone to cyber-attacks, even the smallest web based business may attract criminal hackers interested in stealing financially valuable data. Sadly these smaller businesses, usually lacking the security resources of the big corporations, are increasingly on the radar of the cybercriminal community.

Even the smallest business will have personal details of staff on file as well as company accounts and customer activities. If you process payments for customers, you may retain credit card details and addresses on your own servers. You may also hold other confidential details about customers as well as mailing and marketing lists. In short, businesses will at some point generate and store data that would be of interest to cyber criminals.

“To fight against such attacks as spam, phishing, social engineering used by bad guys to attack smaller companies, you do not have to invest much. Good security software, antivirus with anti-spam and anti-phishing, some basic social media security policies for employees along with basic training on secure behavior online and offline, are enough to keep your sensitive information and your clients’ data safe”, said Pankaj Jain, Director at ESET India.

In case of tax phishing e-mails that traditionally pop-up in the end of March, security software can bock fraudulent emails or block links in emails to web pages that are known to be infected or block downloading of attachments containing malware. Training employees to handle corporate and personal e-mails, social network accounts, etc. with double prudence would be an additional security layer as cyber criminals learned to get the access to corporate data through the employees who may never suspect he or she had been cheated.

With emerging mobile internet market in India it becomes more difficult for big and small companies to keep their infrastructures safe from cyber criminals. Malware penetrating company’s system through a pen-drive injected by employee is not a surprise any more. And so is mobile phone or tablet connected to corporate infrastructure directly or through wireless access. The difference is that the malware spreading through BYOD devices and the ways cybercriminals find to get into company’s system through these devices become much more sophisticated.

“This is still a new trend in India, but we see more and more companies becoming worried about BOYD and trying implementing BYOD policies. However, the cybercriminals, their malicious codes and their tactics have gone way too far. When offering business security solutions to the customers along with endpoints and servers security we suggest solutions for mobile and tablet security in corporate environment. However, these products are still understood by most of business owners as purely consumer products. I believe this trend is going to change soon,” added Pankaj Jain.

Here are few online safety tips SMBs and SMEs should keep in mind:

• Appoint a technical member of staff to take responsibility for IT infrastructure security and ensure they are fully aware of the software used across the business, that it is fully up to date with latest versions downloaded as soon as available.

• If a third party is used for web hosting, ensure that the Service Level Agreement (SLA) is fully up to date and that the provider has committed to keep systems up-to-date, protected, and backed up. Given the increasing threat to smaller businesses, any SLA should be reviewed at least annually.

• If security is too time consuming for your firm, then an outsourced security provider can be considered, with the same rules on SLAs applied.

• Finally, all staff should be educated about maintaining online hygiene and the importance of strong passwords, not clicking on suspicious links and careful use of social media sites.