Employees are falling for 3x more phishing scams

Have you ever stopped to wonder how many phishing scams your employees encounter each day? The answer might come as a nasty surprise.

Last year, the number of employees clicking on phishing links TRIPLED – and businesses everywhere are paying the price.

Before we dive into this situation a little more, let’s rewind a bit.

Phishing is where scammers try to steal sensitive information (like passwords or payment details) by pretending to be a trusted source.

Maybe your employee gets an email that looks like it’s from Microsoft, with a link to a login page. Once your employee enters their details, that information falls right into the hands of criminals… and from this, they get the keys to your business.

Here’s the really worrying part: Phishing attacks aren’t just happening more often, they’re getting harder to spot, too.

Email phishing is still a big issue, but scammers are branching out; planting fake links in search engines, social media, online ads, and website comments. Scammers know that employees are taught to be cautious about emails, so they’re finding new ways to slip through the cracks.

So, why are more people falling for these scams?

Part of the problem is fatigue. Employees see so many phishing attempts in their inboxes, it’s difficult to keep their guard up every minute of the day. Scammers are also getting more creative, using fake websites and emails that are almost impossible to tell apart from the real thing.

And they’re now targeting trusted platforms like Microsoft 365, which hold a goldmine of business data.

Your people can either be your greatest defense or your biggest vulnerability. A well-trained, alert team can spot phishing attempts before any damage is done. But if they’re unaware or unprepared, a single click can open the door to financial losses, stolen data, and a whole world of trouble for your business.

So, what’s the solution?

Start with education. Make sure your team knows what phishing looks like, not just in emails but across the web. Teach them to question unexpected requests for their login details, double-check links, and report anything suspicious. And don’t rely on memory alone; regular training sessions can keep the risk of phishing scams fresh in your employees’ minds.

At the same time, don’t leave all the responsibility on your team’s shoulders. Tools like multi-factor authentication (MFA) add an extra layer of security, so even if a password does get stolen, attackers can’t get in. Combine this with up-to-date software and a strong cyber security plan, and you’ve got a much better chance of keeping your business safe.

Phishing scams aren’t going away any time soon, but with the right approach, you can stop your business from becoming another statistic.

Need help protecting your business data? We can help – get in touch.

by Truman Roe

Don't Get Sidelined By A Cyber Attack - Build Your Winning Cyber Resilience Playbook ASAP

FRIGHTENING FACT: 60% of smaller businesses that suffer a cyber attack go out of business within six months.

Data on cyber attacks for the past few years (including 2025) show that small- and medium-size businesses (SMBs) and startups in the US face significant — and potentially existential — cybersecurity threats.

Cyber criminals are constantly changing their tactics, running new plays, like a team changing its offensive strategy mid-game — especially targeting smaller companies to try and gain access to valuable data.

Think of cyber criminals’ approach as a full-court press — relentless and aggressive. Staying ahead of them requires continuous threat intelligence and frequently adapting your defenses.

SMB Cyber Attacks in the US: By the Numbers

The following statistics highlight the increasing vulnerability of SMBs to cyberattacks, and the need for improved cybersecurity measures and preparedness.

  • 60% of small business owners consider cybersecurity threats a top concern, yet only 23% say they are very prepared to handle a cyberattack.
  • 43% of all cyberattacks in 2023 targeted small businesses.
  • 46% of all cyber breaches impact businesses with fewer than 1,000 employees.
  • 95% of cybersecurity incidents can be attributed to human error.
  • 54% of businesses admit their IT departments lack experience to handle complex cyberattacks.
  • The most common types of cyberattacks on small businesses are:
  • 37% of ransomware attack victims have fewer than 100 employees.
  • 82% of ransomware attacks in 2021 targeted SMBs with fewer than 1,000 employees.
  • Employees of small businesses experience 350% more social engineering attacks than those at larger enterprises.
  • Small businesses receive the highest rate of targeted malicious emails, with 1 in 323 being affected.
  • SMBs spend between $826 and $653,587 on cybersecurity incidents.
  • 76% of small businesses have increased their cybersecurity spending due to rising threats.

KEY TAKEAWAY: If you don’t want your business to become a statistic, you’re going to have to have to build resilience by implementing a solid cybersecurity game plan… fast!

What’s the Financial Impact of Cyber Attacks on SMBs?

The financial consequences of cyber attacks on smaller businesses are substantial:

  • The average data breach from 2018-2023 cost companies around $4.5 million.
  • Detection and escalation costs: $1.58 million.
  • Lost business costs: $1.3 million.
  • Response following a breach: $1.2 million.

What Are the Risks for Bay Area Businesses?

Businesses in the Bay Area are particularly vulnerable for a number of reasons:

  • San Francisco's reputation as a high-tech environment makes businesses in the city more attractive targets for cybercriminals, including smaller businesses.
  • Hackers often target smaller businesses in the Bay Area as potential gateways to larger, more lucrative networks.
  • The competitive landscape of the Bay Area means intellectual property theft is a significant concern, particularly for companies developing innovative products.
  • Bay Area businesses face among the highest costs for data breaches in the world.

What’s Your Plan to Secure Your Business from Attack?

Whether you’re based in the Bay Area or beyond, being cyber resilient is crucial.

Like a basketball team needs a solid strategy and strong players to win the March Madness tournament, your business needs a comprehensive cyber resilience plan to withstand disruptions, survive and succeed in today's complex digital landscape.

Also, cyber resilience isn't just a good strategy for all businesses in general, but if yours is a regulated business, it's a requirement for you to be cyber secure. Like a championship team, you need a robust defense to protect sensitive data and maintain compliance.

What is Cyber Resilience?

Cyber resilience is essential for keeping businesses secure, reducing risk, and maintaining strong security practices against potential threats. It involves preparing a business to respond to and recover from potential cyber incidents.

Building cyber resilience means understanding business vulnerabilities and strengthening defenses.

Key steps from the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF - V2.0, available free of charge*) guidelines provide a foundation for building cyber resilience and recovering from security incidents.

*The NIST CSF “...provides guidance to industry, government agencies, and other organizations to manage cybersecurity risks. It offers a taxonomy of highlevel cybersecurity outcomes that can be used by any organization — regardless of its size, sector, or maturity — to better understand, assess, prioritize, and communicate its cybersecurity efforts.”

What Are the Core Elements of Cyber Resilience?

The building blocks of cyber resilience include: Govern, Identify, Protect, Detect, Respond, and Recover. Download our Cyber Resilience Checklist as a reminder.

  • Proactive cybersecurity defense measures involve neutralizing threats before they cause harm through regular assessments, threat intelligence, and strong policies.
  • A well-structured incident response plan allows for quick risk detection and mitigation.
  • Strategic business continuity planning includes backup and disaster recovery steps to prevent disruptions from cyberattacks.
  • Staying ahead of the curve means adaptability through evolving with the threat landscape, learning from past incidents, and continuously strengthening defenses.
  • Fostering a security-conscious culture involves awareness training so that employees are better able to identify and manage risks.
  • Up-to-date compliance involves meeting regulatory requirements to avoid fines, lawsuits, and damage to brand reputation.

KEY TAKEAWAY: Strategic cyber resilience involves proactive defense, quick response, business continuity, staying ahead of the curve, security-conscious culture, and compliance.

What Are the Challenges to Achieving Cyber Resilience?

  1. Evolving Threat Landscape: Hackers are Running a Fast Break

Just as teams adapt their strategies throughout a tournament, cybercriminals are constantly evolving their tactics: developing new methods of attack and finding new ways to break through your defenses, making it difficult to keep up with the latest threats.

Think of a cyber attack like a buzzer-beater three-pointer from a team you never saw coming. Just like a 15-seed can upset a 2-seed, unexpected cyber threats can take down even the most confident businesses. The chances of this type of game outcome are historically low, but still possible: in March Madness, upsets happen.

In cybersecurity, they happen too. Just like UMBC shocked Virginia in 2018, a small, overlooked vulnerability can lead to a major breach. And the odds of a breach are increasing as the frequency of attacks on smaller businesses rises, just like the number of upsets in recent tournaments. Don't let your business be the next big upset.

KEY TAKEAWAY: You need to be prepared to break the press and protect your data. Regular patching and staying updated on cybersecurity trends are crucial.

2. Resource Constraint: You Can't Win with Just One Star Player.

You can't expect your business to win against cyber threats with just one IT person — that's like trying to win March Madness with only your star player. You need to draft the right players and have a full team of solutions and strategies.

Many businesses — including in regulated industries — struggle with limited budgets and staff, and with the cost of compliance; and so, they don’t allocate enough budget for cybersecurity or a dedicated IT team. But you don't need an NBA-sized budget to build a strong defense.

Training employees and partnering with a reliable IT service provider can help. Think strategically about your draft picks — prioritize essential security tools and partner with experts such as managed security services (MSSPs) who understand your particular needs and who can provide industry-specific cybersecurity solutions.

KEY TAKEAWAY: Working with an MSSP is like having a dedicated coach and training staff specializing in your league’s rulesensuring you stay compliant and secure.

3. Complexity: The Zone Defense of Cybersecurity

Cybersecurity is like a zone defenseit requires everyone to know their role and work together. And compliance is like learning the rulebook for your league. It can be overwhelming, but it's essential to stay in the game.

Integrating cyber resilience into every aspect of a business can be overwhelming, especially without an IT background or properly trained IT resources. Not to mention trying to navigate complex regulations like HIPAA or GDPR.

But breaking it down into manageable steps and outlining the key plays you need to run makes it easier to defend.

KEY TAKEAWAY: Frameworks like the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover) and automation tools can simplify the cyber resilience process.

4. Awareness: No Fouls AllowedEveryone Plays Defense

Employees often lack the training to understand how their actions can compromise a business. A single employee clicking on a phishing email is like a player traveling with the ballit can cost you the game.

Employee awareness is crucial, especially in regulated industries where data privacy is paramount. In regulated industries, a data breach is like a flagrant foul – it can lead to severe penalties.

Everyone in your organization needs to understand their role in protecting sensitive information. Taking measures such as implementing strict password controls and mandatory security training can address this.

KEY TAKEAWAY: Just like coaches drill their players on fundamentals, you need to drill your employees on cybersecurity best practices to keep them sharp.

The Championship Run: Building Your Resilience Strategy

To build a championship-caliber cyber resilience strategy you need to include the following moves in your playbook:

  1. Scout Your Team: Assess your current security posture and identify vulnerabilities.
  2. Draft Top Talent: Invest in skilled cybersecurity professionals or partner with reputable service providers.
  3. Practice, Practice, Practice: Regularly test and update your incident response plans.
  4. Study the Playbook: Leverage resources like the NIST CSF to guide your strategy.
  5. Win as a Team: Ensure every employee understands their role in maintaining security.

REMEMBER: Just as only one team cuts down the nets in April, the businesses that prioritize cyber resilience will be the ones celebrating long-term success in the digital era.

We Can Help You Understand The Key Plays And Develop A Winning Game Strategy

When there’s so much at stake, partnering with a managed security service provider (MSSP) such as Tru Technical is like having a dedicated coach and training staff, but without the hefty price tag.

We provide tailored, practical and cost-effective outsourced IT Support and Cybersecurity solutions focused on relevant industry regulations and best practices, and including comprehensive staff awareness training.

We’ll simplify the process of making your business more cyber resilient, making it more manageable for you and your team. Think of us as your sixth man — coming off the bench to provide crucial support when you need it most.

For more insights, get our Cyber Resilience Checklist, download our Cyber Resilience eBook, and read our blog: ‘Top 4 Challenges to Achieving Cyber Resilience and How to Overcome Them’

by Truman Roe

Beware that corrupted email attachment: It could be a scam

You’re scanning your inbox and spot an important email with a Word document attached. Maybe it’s an invoice, a message from a supplier, or even a request from a colleague. You open it without thinking twice… and just like that, you’ve been scammed.

This scenario is exactly what cyber criminals are counting on. Now they’ve come up with another new way to get past even the most advanced email security filters – this time, using corrupted Microsoft Word files.

It’s a clever and dangerous tactic.

Phishing (pronounced "fishing") is where scammers try to trick you into giving away sensitive information, like passwords or bank details. They “bait” you with an email that looks legitimate, maybe from your bank, a coworker, or a company you trust.

These emails often include attachments or links. When you open the attachment or click the link, you could be downloading malicious software (malware) or visiting a fake website designed to steal your details.

Phishing attacks are constantly evolving, and they’re now one of the most common ways scammers break into businesses. Email security filters are usually pretty good at scanning attachments. But since corrupted files can’t be analyzed properly, the Word file is able to sneak into your inbox.

When you open one of these corrupted files, Microsoft Word will “repair” it and show you what looks like a normal attachment. But the document will contain a malicious QR code or link that sends you to a phishing site (often a fake Microsoft 365 login page). If you enter your details, scammers could have access to your account – and potentially your entire business.

Stealing just one employee’s login details can be enough. With access to your cloud systems, scammers could get hold of sensitive customer data, lock your team out of essential files, or even send phishing emails from your account to trick your contacts.

If this happens to you, it could be catastrophic. Your business could face financial losses, legal consequences, and a damaged reputation that could take a long time to rebuild.

Cyber attacks are getting more complicated. But you don’t need a degree in cyber security to help keep your business safe.

The best protection is awareness and caution.

Here are some steps you can take:

  • Slow down and think twice before opening attachments or clicking on links
  • If an email seems urgent, beware – scammers like to rush you, so you’ll act without thinking
  • If you’re not sure an email is legit, check with the person or company that the email seems to be from
  • Never trust an attachment or link just because it looks professional

Most importantly, make sure you educate yourself and your team about what phishing is, why it’s dangerous, and how to recognize the warning signs.

We help businesses like yours with this every day. If you’d like us to help you too, get in touch.

by Truman Roe

Top 4 Challenges to Achieving Cyber Resilience and How to Overcome Them

No business today is completely safe from cyberthreats. Attack vectors are constantly evolving, and despite your efforts, even a simple oversight can leave your business vulnerable to a breach. That's why cyber resilience is so critical, as the very future of your business depends on it.

It's no longer just about preventing cyberattacks but also how you prepare your business to respond to and recover from potential cyber incidents when they do occur.

However, achieving cyber resilience comes with a unique set of challenges, which we'll explore in this blog. But first, let's understand why businesses must implement cyber resilience.

Why is cyber resilience so important?

Here's why cyber resilience is so important for you and your business:

Protection: Imagine losing access to all your critical data or getting locked out of your systems without a backup plan. It's a nightmare scenario, right? Cyber resilience is what stands between your business and this potential disaster.

Continuity: You want your business to continue critical operations even when things go wrong. Cyber resilience keeps you "on" even when everything is down.

Reputation: Cyberattacks can ruin your reputation. Cyber resilience can help protect the trust you've built and shows your customers that you take security seriously.

Compliance: Resilience ensures you stay on the right side of regulations and ensures you avoid legal penalties and lawsuits.

Hurdles in achieving cyber resilience

Often many businesses struggle with building cyber resilience. Here are some common challenges, along with strategies for overcoming them:

  1. Evolving Threat Landscape: Cybercriminals always have new tricks up their sleeves, making it difficult for you to keep up with the evolving threats. However, for the sake of your business, it's important to find a way to beat the hackers at their own game.

How you can stay protected:

  • Do regular patching and keep your systems and software updated.
  • Keep yourself updated on the latest trends in the cybersecurity realm.
  1. Resource constraints: Many businesses often don't leave room in the budget for cybersecurity or hiring a dedicated IT team, leaving them vulnerable to threats. The good news is that there's a lot you can do to make things difficult for cybercriminals.

How to work with what you have:

  • Train your employees to be your first line of defense.
  • Consider partnering with a reliable IT service provider.
  1. Complexity: It can be overwhelming to integrate cyber resilience into every aspect of your business, especially if you don't have an IT background. Understanding tech lingo and jargon can make things difficult for many.

How to simplify it:

  • Adapt proven frameworks like the NIST Cybersecurity Framework.
  • Use automation and easy-to-use security tools.
  1. Awareness: The best security tools are useless if your employees aren't aware of the risks. Often, they lack the training to understand how their actions can compromise your business.

How to fix this:

  • Implement strict password controls.
  • Make security training mandatory for everyone.

Master cyber resilience

Implementing cyber resilience isn't a one-time effort; it's an ongoing process that requires dedication, adaptability and a proactive approach.

Consider partnering with an experienced IT service provider like us.

Contact us to learn how our IT experts can help you achieve cyber resilience. Schedule a free consultation and start securing your business today!

 

by Truman Roe

The two big threats of doing business on public Wi-Fi

Public Wi-Fi is everywhere these days – coffee shops, airports, hotels, trains. It’s super convenient, especially for business travelers or anyone working remotely.

But what if I told you that hopping on that free Wi-Fi could expose your business data to cyber criminals? That’s the reality of using unsecured public networks.

When you connect to public Wi-Fi, you’re opening the door to scammers who know exactly how to exploit these networks. The two biggest threats you need to know about are called Man-in-the-Middle (MITM) attacks and Evil Twin attacks.

Yes, they sound like something out of a spy movie… but they’re very real and can have serious consequences for your business.

Let’s start with Man-in-the-Middle (MITM) attacks. You’re sitting in a coffee shop, sending an email or logging in to your business bank account. You think your device is communicating directly with the Wi-Fi network, but in reality, a cyber criminal has inserted themself between you and the network.

This “man in the middle” can see everything you’re doing – your passwords, your emails, even your credit card details. And the worst part? You probably won’t even notice it’s happening.

Criminals use this stolen information in all sorts of ways. They might sell it to advertisers, use it to impersonate you in phishing scams (where they trick people into sharing sensitive information, like passwords or credit card details). Or even steal money from your accounts. For businesses, this could mean sensitive financial information or customer data ending up in the wrong hands.

Now let’s talk about Evil Twin attacks. Imagine you’re in an airport and see two Wi-Fi networks: One called “Airport Free Wi-Fi” and another called “Airport Wi-Fi Secure”. They both sound legit, but one of them could be a fake network set up by cyber criminals.

When you connect to the fake network, scammers can monitor everything you do online, just like in a MITM attack – but they can go even further. They can steal your cookies (little bits of data that websites use to remember you) and gain access to things like your login details or personal information.

In some cases, they can even install malware (malicious software) on your device without you clicking a single thing. Scary, right? All it takes is connecting to the wrong Wi-Fi network, then your data – and your business’s security – could be compromised.

Using public Wi-Fi doesn’t have to be a security nightmare, but you do need to be cautious. Here are some steps you can take to help keep your business protected:

  • Avoid accessing sensitive information while connected to public Wi-Fi. This includes anything involving passwords, personal data, or financial accounts. If you wouldn’t want a stranger looking over your shoulder, it’s best to save it for when you’re on a secure network.
  • Stick to websites that use HTTPS, which encrypts your data. You’ll know a site is secure if you see a padlock icon in the address bar or "https://" at the beginning of the web address. Most websites use this today.
  • Consider using trusted browser extensions designed to boost your online safety. Many can block cookies, ads, and even malicious websites, reducing the risk of your information being exposed.
  • Turn off auto-join on your business devices. This stops your work phone, tablet, or laptop from automatically connecting to any available network, including potentially dangerous ones.
  • Be wary of suspicious pop-ups. Scammers often use these to trick you into clicking something malicious. If a pop-up feels wrong, don’t interact with it – just close the window.
  • Enable two-factor authentication (2FA) on your business accounts whenever possible. This requires a second form of identification (like a code sent to your phone) to log you in, which makes it harder for anyone to break in even if they get hold of your password.
  • Finally, keep your software up to date. Updates often include security patches that protect your device from the latest threats. Ignoring them could leave your business devices vulnerable.

A little caution goes a long way when it comes to keeping your business protected online. Ask yourself: Is the convenience of free Wi-Fi worth the risk of exposing my data?

If you’d like help keeping your business data protected no matter where you are, get in touch.

by Truman Roe

FOMO is driving businesses to spend more on IT

Ever feel like you’re racing to keep up with all the new tech out there? You’re not the only one. Businesses are spending more on software than ever before… and it’s in no small part due to “FOMO” – fear of missing out.

In fact, a recent report shows that 76% of businesses are bumping up their software budgets for next year, with many planning to increase their spend by 5 to 15%.

Why?

It’s simple: No business owner wants to feel like they’re falling behind while their competitors are jumping on the next big thing. So, businesses are investing in tools that they think will make them better, faster, and more secure.

Artificial intelligence (AI) is at the top of the list when it comes to the tech businesses want to invest in. This is because AI is making it easier to get stuff done; whether that’s automating routine tasks, crunching numbers, or even improving customer service.

But on the flip side, AI is also putting new tricks up the sleeves of cyber criminals. Meaning that businesses are having to spend more on cyber security to keep their data safe.

The hardest part about buying software isn’t usually the actual purchase – it’s what comes after. Using new software takes planning, and everyone in the team needs to learn how to use it. If your team isn’t ready, even the best software won’t help you much.

This is why many businesses are also investing in training tools, such as learning management systems (LMS). This helps bring employees up to speed, so your new tech doesn’t just sit there collecting virtual dust.

It can be tempting to be one of the first to adopt all the latest tools. But moving too fast can lead to headaches. It takes time to figure out what software is right for your business and how to make it fit into your processes. Jumping in without a clear plan could leave you with a tool that’s more trouble than it’s worth.

The good news is that many businesses are getting smarter about how they choose software, using reviews, testimonials, and recommendations from experts (like us) to make informed decisions.

If you’re feeling the pressure to invest in new tools, take a breath. Think about what your business really needs:

  • Do you want to improve efficiency?
  • Keep your business data secure?
  • Help your team work better?

Whatever the reason, make sure you choose tools that are in line with your goals and that your team is ready to use.

FOMO might be driving the trend, but that doesn’t mean you have to let it control your decisions.

We can help make sure the tech you invest in pays off for your business in the long run. Get in touch.

by Truman Roe

How many devices do you use every workday?

It feels like we have a gadget for everything these days, doesn’t it?

The average office worker now carries around three devices to get through the day. Think laptops, tablets, headphones… and even multiple phones.

Technology keeps teams connected and helps us work smarter – but there’s a downside: Managing so many devices can get a little overwhelming.

What happens every time we add a new device to our daily work routine? There’s something else to charge. Another thing to carry. One more item to keep track of.

In fact, carrying around all this tech adds up to an average 9lbs of extra weight. That’s like carrying an air fryer to work every day!

Another issue is the mental load. Many professionals say they feel bogged down by the notifications they get across all their devices. It’s common to get dozens of notifications every day, and the constant flow of alerts can be such a distraction.

One way to get around gadget overload is to try out devices that handle many functions, like foldable phones, or hybrid laptops. This way, one device could do the same thing two or three of your devices are doing.

Another great strategy is to upgrade to a smarter system, like Windows 11.

Windows 11 makes it easier to switch between tasks, reducing the need for extra devices. With a smoother, more integrated experience, your team might not feel they need as many gadgets to stay productive.

Need help streamlining your setup? We can help walk you through the options. Get in touch.

by Truman Roe

Windows 11 uptake is at an all-time high – what are you waiting for?

Still holding on to Windows 10 in your business? It’s time to start thinking about making the move to Windows 11.

Three years after its release, Windows 11 is making major headway, with its market share reaching 35.55% in October 2024. While Windows 10 still holds around 60.97% of the market, change is on the horizon – and there are some compelling reasons to consider the switch.

First, let’s talk about the big news: From October 14, Windows 10 will no longer receive free support from Microsoft. Although this doesn’t mean Windows 10 will stop working, it will stop getting important updates, such as up-to-date protection against malicious software and cyber threats.

Microsoft will be offering extended security support for Windows 10 for an extra year, but this will cost businesses $30 per device and could get expensive. And this is only a temporary solution.

So, why has interest in Windows 11 spiked recently?

For one, the PC market has picked up. This is partly because of the rise of "AI PCs", which use hardware that is more capable of handling AI-based tasks. People want to make sure their devices are compatible with the latest software, including Windows 11. There’s also buzz around the rollout of “Windows Intelligence” – a possible rebrand of some Windows 11 AI features.

Upgrading to Windows 11 isn't just about keeping up with the latest tech, though. Another reason people are moving to Windows 11 is that it offers a more streamlined and user-friendly experience. New features include customizable widgets and an improved File Explorer, helping you to get things done faster.

Another major benefit to businesses is that Windows 11 brings improved security, offering better protection against cyber threats like:

  • Ransomware, where you get locked out of your files and held to ransom for their (possible) return
  • Phishing attacks, where you get tricked into revealing sensitive information through things like fake emails

If you want to stick with Windows 10, Microsoft’s one-year extension could offer you a bit more time. But if you want our advice? You’d only be delaying the inevitable, while missing out on the benefits of upgrading.

We can help make the switch stress-free. Get in touch.

by Truman Roe

The Hidden Dangers of Your Email Signature: A Cyber Security Wake-Up Call

How much thought do you give to your email signature? If you're like most professionals, probably not much. It's just a convenient way to share your contact details and reinforce your brand, right?

Wrong. Your seemingly innocuous email signature could be a goldmine for cybercriminals.

In today's digital landscape, where cyber threats are evolving at an alarming rate, even the most mundane aspects of our online presence can become vulnerabilities. Your email signature, packed with personal and professional information, is no exception.

Let's dive into why this matters and what you can do to protect yourself and your business. Here are seven ways to make your emails more secure.

Spoofing is when someone disguises an email address, sender name, phone number, or website URL — often just by changing one letter, symbol, or number — to convince you that you are interacting with a trusted source. ‘Scams and Safety: Spoofing and Phishing’ - www.fbi.gov

The Art of Email Spoofing

Email spoofing is a type of cyberattack where criminals impersonate trusted entities to mislead recipients about the origin of a message. It's a sophisticated form of digital deception that's becoming increasingly prevalent and costly:

  • A staggering 3.1 billion domain spoofing emails are sent daily.
  • Over 90% of cyber-attacks begin with an email.
  • Since 2016, email spoofing and phishing have caused an estimated $26 billion in losses worldwide.
  • In 2019 alone, the FBI reported 467,000 successful cyber-attacks, with 24% being email-based.
  • The average scam tricks users out of $75,000.

Cybercriminals often combine spoofing with phishing tactics to gain the trust of recipients and increase the credibility of their messages. They create fake websites that mirror legitimate ones, aiming to steal passwords, usernames, login credentials, and other sensitive data.

One particularly insidious form of this attack is CEO fraud, also known as Business Email Compromise (BEC). In these scenarios, attackers spoof the email address of a company executive or owner, typically targeting employees in financial or accounting departments. Even astute, well-intentioned staff can be deceived into transferring funds when the request appears to come from a trusted authority figure.

Your Email Signature: A Double-Edged Sword

Now, let's connect the dots back to your email signature. That neatly formatted block at the bottom of your emails might include:

  • Your full name and title
  • Company name and logo
  • Phone numbers (office and mobile)
  • Email address
  • Physical address
  • Social media profiles
  • Website URL

Each piece of information is a potential data point for cybercriminals to exploit. They can use these details to craft convincing spoofed emails, making it easier to impersonate you or your colleagues. The more information you provide, the more authentic their fraudulent communications appear.

Protecting Yourself and Your Business

So, should you abandon email signatures altogether? Not necessarily. Instead, it's time to approach them with a security-first mindset. Here are some strategies to consider:

1. Simplify and Standardize: Stick to the essentials in your email signature. Standardize the format across your organization to make it easier to spot anomalies.

2. Educate Your Team: Train your employees to recognize the signs of spoofed emails. Teach them to verify unexpected requests, especially those involving financial transactions or sensitive information, through alternative communication channels.

3. Implement Technical Safeguards: Utilize email authentication protocols like SPF (Sender Policy Framework) and DMARC (Domain-based Message Authentication, Reporting, and Conformance). These tools help verify the legitimacy of incoming emails.

4. Use Digital Signatures: Consider implementing digital signatures for important communications, adding an extra layer of verification.

5. Enhance Email Security: Invest in robust email security solutions that can detect and filter out spoofed emails before they reach your inbox.

6. Regular Security Audits: Conduct periodic reviews of your email practices and update your security measures accordingly.

7. Be Cautious with Public Information: Reconsider how much information you make publicly available, not just in email signatures but across all digital platforms.

The Stakes Are High

The consequences of a successful email spoofing attack can be severe. Beyond immediate financial losses, businesses face potential data breaches, reputational damage, and loss of customer trust. In an interconnected digital ecosystem, a breach in your security could also impact your clients and partners.

Don’t Get Caught Out

It's time to view your email signature not just as a communication tool, but as a potential security vulnerability that requires careful management. By implementing these best practices, you're not just protecting yourself – you're safeguarding your entire professional network.

Can your business afford the risk of mistaken identity in the digital realm? The answer is clear: No. Take action today. Review your email signature. Implement stronger security measures. Educate your team. In the fight against cybercrime, every detail matters.

How secure is your email signature? Share your thoughts and experiences here. Let's start a conversation about better email security practices in our professional community.

It’s dangerous out there: we’ve seen every kind of scam in the 30 years that we’ve been helping Silicon Valley businesses protect themselves against attack, so we know what we’re talking about.

Take our Cyber Threat Quiz to see how vulnerable your organization might be, and get in touch if you have any questions.

by Truman Roe

If Microsoft can pull this off, it'll change your workflow forever


Wouldn’t it be great if your Windows 11 computer could handle tasks just like a real-life assistant?

That’s exactly what Microsoft wants to achieve with Windows Agent Arena, its new AI project.

The goal is to create smart virtual assistants, known as AI agents. They will be able to complete tasks on your computer. They could save time by doing repetitive tasks for you, such as managing apps or organizing files.

So, what exactly is an AI agent? And how could it help your business?

An AI agent is a type of artificial intelligence designed to interact with your computer. Instead of only giving you information, AI agents can perform actions for you.

For example, you could train an AI agent to run your morning routine. It would open your calendar, launch your email app, and check the news. When you begin your day, the agent would know what info to share with you, like a virtual assistant.

Imagine having AI agents that update your software, or even edit documents for you. They could enable privacy options in Microsoft Edge, install extensions or update settings. This saves you time and hassle, so you can focus on bigger things.

The project is open source. That means developers around the world can contribute to help these tools evolve. Although they’re still in development, the potential for businesses is exciting.

For now, one of the best ways to see how helpful AI can be for your business is to give Copilot a try. Need help getting started? Get in touch.

by Truman Roe

Windows Hello gets a new look and improved security

Do you dream of never having to remember another password ever again?

That’s what Windows Hello, Microsoft’s biometric sign-in tool is all about. It helps you log in to your Windows 11 devices quickly and securely – with just a glance or a touch.

Now, Windows Hello is getting a makeover, bringing not only a new look but also enhanced security features that are perfect for busy business owners.

If you’re not familiar with Windows Hello, it lets you skip traditional passwords and sign in using:

  • Facial recognition
  • Your fingerprint
  • Or a simple PIN

This means faster access, better security, and a lot less frustration.

Windows Hello is invaluable for businesses, allowing employees to securely access their apps and devices without the risks associated with weak or reused passwords.

The refresh will improve the design of Windows Hello, so it fits right in with the sleek, modern look of Windows 11. The whole experience will feel smoother and easier, whether you're logging in to your computer or accessing the Microsoft Store.

Microsoft have also made it easier to use passkeys – another secure, password-free login method. With Windows Hello’s new passkey experience, you can choose your preferred sign-in method and switch effortlessly between devices.

These updates are currently in testing, but we should see a rollout soon.

Want to give Windows Hello a go? We can help, get in touch.

by Truman Roe

Beware that "support call" – it could be a ransomware scam


If you get a call claiming to be from Microsoft Teams support, think twice before doing what they ask.

There’s a new trend for scammers to pose as “help desk” staff, with the aim of tricking employees into letting them take over their devices.

This is part of a larger ransomware attack, where you’ll be denied access to your business data unless you make a hefty payment to get it back.

Recently, a notorious cyber crime group has taken this scam to a new level.

First, they’ll flood an employee’s inbox with so much spam that it becomes unusable. Then they swoop in with a phone call, pretending to be from IT support, offering to “fix” the problem.

They may ask your employee to install remote desktop software like AnyDesk or use built-in tools like Windows Quick Assist. Once they have access, they can move around your network, collect sensitive data, and launch ransomware on your devices.

Be warned – they don’t only reach out over the phone. They’ve also started setting up Teams accounts to make employees think they’re part of IT support.

They do this by choosing usernames like “Help Desk” and using fake Microsoft tenant domains such as “securityadminhelper.onmicrosoft .com”. Then they send one-to-one messages to employees, saying they need access to their device.

Ransomware attacks are serious business. Along with locking you out of your data, they can also shut down your operations, disrupt customer service, and potentially leak confidential information.

Recovering from a ransomware attack can be expensive, both in terms of paying the ransom and dealing with the aftermath. It can cause loss of revenue, damage your reputation, and it could even have legal consequences.

Make your team aware of this scam and encourage everyone to be cautious with any unsolicited support calls or Teams chats. And make sure everyone knows to check with your actual IT department first, if someone is asking to install software or gain access.

Also, if you use Microsoft Teams in your business, make sure it’s set up securely. Only allow external chats from trusted domains, and make sure chat logging is enabled.

If you want extra help safeguarding your setup, we can do that. Get in touch.

by Truman Roe