I work for a small U.S.-based company and we’ve been the target of a seemingly low-level, email-based cyber-attack. As you’ll see in a minute, the problem is multifaceted.
It started a few months ago. Every few days we’ll receive a fraudulent email message that is clearly an attempt to get one of our employees to click a suspicious hyperlink. Typically, the scammer(s) pretend to be a vendor sending us an online invoice (the link to which will undoubtedly trigger a download of some kind). Any somewhat tech-savvy person could identify these messages as fraudulent, so we’ve largely just been ignoring them up until now.
More recently we were notified by one of our actual vendors that they had received suspicious messages that appeared to come from one of our official company email addresses. The messages were formatted very similarly to the ones I described in the previous section. Except now the scammer(s) are pretending to be our Accounts Receivable department requesting payment for imaginary invoices. As you may have guessed, those messages also prompt the receiver to click a potentially dangerous link.
To make matters worse, we now know for a fact that the scammer(s) have been able to access at least one of our internal passwords; they revealed this to us and sent an actual password of ours to us in a message. Being a small company, it has been up to me (the youngest person on the team) to figure this all out. I did a full scan with Malwarebytes on all our machines. One computer apparently had a couple of viruses that Google says are typically associated with ransomware (I’ve forgotten the names of the programs/files by now). After removing those, we started the process of going through and changing the passwords for all our different online accounts. The most important ones (finance related) require multi-factor authentication, so we’re not as worried about those.
From the looks of it, this all seems like a pretty standard ransomware attack. My suspicion is that one of our older employees fell for one of the fraudulent emails (the viruses were on his computer), and the scammer(s) gained access this way. And I wish I could say changing our passwords and setting up daily virus scans fixed our problem, but it didn’t. They’ve requested $500 worth of BTC to stop messing with us. And we’re still getting messages trying to bait us for further infection. Not sure if they’re still pretending to be us though. I don’t have much experience with this sort of thing, but I can only assume the scammer(s) have either been spoofing our email addresses or they’ve gained access to our actual email accounts and are sending messages that way. As a company we use Microsoft Outlook, and the actual addresses were created through our web host (HostGator).
What else can we do? I can manage a firewall and your typical AV software. Even considering a company-wide password manager. But I’ve no idea how to combat email spoofing (or whatever is going on). It’s a really bad look to have harmful messages look like they’re coming from our company. All recommendations welcome!
TLDR: The small company I work for is getting bombarded with ransomware scams and what looks like email spoofing. Need help remedying this!
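The post asks how to tell whether outside parties can send mail that claims to come from the company's domain. The first thing a defender checks is what the domain itself publishes in DNS: an SPF record that ends in a failing `-all`, and a DMARC record with `p=quarantine` or `p=reject` plus a `rua=` reporting address, are what tell receiving mail servers to drop or flag messages that did not come from the domain's real mail servers. The checker below is an added example written for this page, not code from the original poster or from any vendor named in the post. The domain names and DNS answers in it are constructed so it runs offline; to check a live domain, replace `lookup_txt` with a real TXT lookup (for instance `dns.resolver.resolve(name, "TXT")` from the dnspython package).

```python
"""Assess a domain's published SPF and DMARC records for spoofing gaps.

Added example: the zone data is constructed and the domain names are
placeholders, not records of any real company.
"""
import re

# Constructed sample TXT answers keyed by DNS name (not real records).
SAMPLE_TXT = {
    # Softfail SPF and no DMARC at all: spoofed mail is usually delivered.
    "example-corp.test": ["v=spf1 include:_spf.mailprovider.test ~all"],
    # Hard-fail SPF, enforcing DMARC with aggregate reports: the target state.
    "hardened.test": ["v=spf1 include:_spf.mailprovider.test -all"],
    "_dmarc.hardened.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.test"],
    # DMARC present but monitoring only, and nobody receives the reports.
    "monitoring.test": ["v=spf1 mx -all"],
    "_dmarc.monitoring.test": ["v=DMARC1; p=none"],
}


def lookup_txt(name, zone=SAMPLE_TXT):
    """Return the TXT strings for a name. Swap in a real resolver for live use."""
    return zone.get(name, [])


def parse_spf(records):
    """Extract the qualifier on the 'all' mechanism from an SPF record.

    Returns {'present': bool, 'all': '+', '-', '~', '?' or None}.
    More than one SPF record is a permanent error per RFC 7208, so it is
    reported as absent.
    """
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return {"present": False, "all": None}
    qualifier = None
    for term in spf[0].split()[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            qualifier = match.group(1) or "+"  # no qualifier means pass
    return {"present": True, "all": qualifier}


def parse_dmarc(records):
    """Parse the tag=value pairs of a DMARC record into a dict."""
    rec = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(rec) != 1:
        return {"present": False, "policy": None, "rua": None}
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return {"present": True, "policy": tags.get("p", "").lower(),
            "rua": tags.get("rua")}


def assess(domain, zone=SAMPLE_TXT):
    """Return a list of (code, explanation) findings for the domain."""
    findings = []
    spf = parse_spf(lookup_txt(domain, zone))
    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}", zone))

    if not spf["present"]:
        findings.append(("spf-missing",
                         "no single SPF record: any host can claim to send for this domain"))
    elif spf["all"] in ("+", "?", None):
        findings.append(("spf-no-fail",
                         "SPF never fails unlisted senders: spoofed mail passes SPF"))
    elif spf["all"] == "~":
        findings.append(("spf-softfail",
                         "SPF ends in ~all: spoofed mail is marked but usually delivered"))

    if not dmarc["present"]:
        findings.append(("dmarc-missing",
                         "no DMARC record: receivers are not told to reject spoofed mail"))
    elif dmarc["policy"] == "none":
        findings.append(("dmarc-none",
                         "DMARC p=none: monitoring only, spoofed mail is still delivered"))
    elif dmarc["policy"] not in ("quarantine", "reject"):
        findings.append(("dmarc-bad-policy",
                         f"DMARC policy {dmarc['policy']!r} is not quarantine or reject"))
    if dmarc["present"] and not dmarc["rua"]:
        findings.append(("dmarc-no-rua",
                         "DMARC has no rua= address: no one receives reports of spoofing"))
    return findings


if __name__ == "__main__":
    for name in ("example-corp.test", "monitoring.test", "hardened.test"):
        print(name)
        for code, text in assess(name) or [("ok", "SPF and DMARC are enforcing")]:
            print(f"  [{code}] {text}")
```

When run against a real domain, findings of `spf-softfail` or `dmarc-missing` mean that receivers have been given no instruction to reject mail forged in the domain's name; moving to `-all` and `p=reject` (after a period at `p=none` with a `rua=` address to confirm which legitimate services send as the domain) is what closes that gap. Note that these records only stop outsiders from forging the domain; they do nothing if a real mailbox has been taken over, which is why changed passwords and multi-factor authentication on the mail accounts themselves still matter.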