Email Demands Two-Way Vigilance

Hackers are not always the brightest bulbs in the box. Their success depends more on you making mistakes than almost anything else. When they hack or spoof an email account, you’re dependent on your friends and associates to tip you off. Then, it’s up to you to resolve the problem as soon as you can. Here’s how our client handled their issue and how we handled one of our own.

Our client’s hack of their Comcast email started off simply enough. Hackers got their address book and sent an email to everyone asking if they used Amazon. That’s a normal start to a scam. Our client and spouse got tipped off when both got text messages from recipients – and the spouse got emails – suggesting that one of their email accounts might have been hacked.

Both of them were out of the house when they got word of the problem, but one of them was able to get home and start looking into the problem. The first thing they did was to change the password and the secondary email address used for notifications from Comcast. They also set up two-factor authentication (2FA) to the client’s cell phone number and changed the password again.

Those were two good steps to take, but there were two more surprises. First, they discovered that the hackers had set up an email address that they tied to the Comcast account. Our clients checked through all their accounts but didn’t see an email address that corresponded to the one set up by the hackers. They thought they were in the clear, but they hadn’t found the second surprise.

Later in the day, the client noticed they hadn’t been getting any emails on their Comcast account. They could send messages. Suspecting that a forwarding rule had been inserted by the hackers, they contacted Xfinity by telephone and after a few branches on the phone tree, they were able to speak to a security specialist. After an exhaustive security check, the specialist was able to remove the forwarding rule, securing the account.

They were fortunate that no emails involved responding to financial or healthcare websites. Had that happened, they could have been compromised. They did the right thing by changing the password, setting up 2FA, resetting the secondary email address and changing the password a second time. Those are things you can do immediately. They should have contacted Xfinity immediately after to see about any other changes and had them resolved right then and there.

Those are steps you can take if your email is hacked.

Our hack involved our QuickBooks address, and it’s typical of the problems small businesses can face. I noticed an email that looked like junk mail, so I didn’t pay much attention to it. But soon after, I took a closer look because the email address was [email protected]. It still didn’t seem that urgent, but it began to bother me.

So, I called QuickBooks (remember, we always urge people to pick up the phone if a problem seems bad enough) and explained what was going on. We have a merchant account. They said that hackers had set up an invalid account using the bogus email and an invalid tax ID number. It was a bare, basic account, but it was enough to raise a white-risk flag at QuickBooks. Our phone call put it on their radar screen.

This story should be on your radar screen, too. As small businesses – and even as consumers – we constantly get emails that we’ve been “approved” for something or other. We also get a lot of fake invoices that look like they’re coming from companies we do business with.

We need to be on guard against these. It’s easy to impersonate a business, and if the recipient isn’t careful, they might make a real payment to a real bank account that’s not tied to the legitimate vendor account they thought it was. As a business owner, we likely have no responsibilities or liabilities to the company or person that paid the fake invoice. HOWEVER, this is not a discussion I want to have with anybody.

At the end of the day, small businesses remain a huge target for hackers and cyber thieves. We need to depend on our own vigilance and the help of people we do business with to monitor anything that seems out of the ordinary and let someone know. I want you to let me know you got something odd from me – just like our client was tipped off about the bogus email. Any of these breaches can have serious consequences.

If you’ve been hacked in some way, take immediate steps to secure your accounts, including multiple password changes built around other security measures that you can take. Then, you can call us – 973-433-6676 – to let us know about the breach. We can help you investigate if any further damage was done and help mitigate the consequences as best as possible. If you have security questions, you can call or email us to discuss them.

Backup and Security

What happens when you use the cloud to store files encrypted for security instead of backing them up properly? You can face huge expenses, compounded by the consequences of lost data.

Let’s set a scene to show you how things can play out.

When your files are backed up or stored, they can be encrypted. That’s not a bad thing because it can add a layer of security, and it can help your cloud provider make better use of their server space. However, you and anyone who works on your IT system must make sure that all your system software stays intact.

We had a situation with a client that shows how multiple missteps can create exponential problems. The first misstep was that Windows updates had not been installed. We can’t emphasize enough how important it is to install updates, which include security measures and bug fixes. Without the bug fixes, you’ll run into a problem somewhere along the line that causes a performance failure.

The client decided to call in another IT person to fix the problem that arose with their system. During the diagnostic process, that tech erroneously removed a vital part of the system software, which included the encryption key for stored files. The net result was that the data files could not be restored when they thought the problem was fixed.

Fortunately, the client still had their old computer, which had been sitting in the office for a year. It wasn’t ideal, but it helped. Because they had Office 365, they were able to restore their Word and PowerPoint files, but they lost their QuickBooks files and a year’s worth of data because there was no effective backup in place for the files. They had to be recreated – painstakingly – at the cost of time and money.

We see three lessons for everyone based on our client’s experience:

  1. Install your updates. While security updates are top-of-mind for most users because of prevalent hacking, you can’t overlook the bug fixes. Bugs will cause performance problems that you’ll recognize and motivate you to take corrective action, which brings us to the next point.
  2. Use IT consultants who know what they’re doing. Cheaping out on a service provider compounds the effects of not keeping your software up to date. Today’s tech systems are complex, and your IT tech must know where to go and where not to go within your system. When someone uninstalls software, for example, they must have the encryption key to restore software.
  3. Have a good backup program in place. Cheaping out here, too, can have dire consequences. Again, we go back to Azure and Office 365. Together, they store and encrypt your files on secure servers. And because they’re in the cloud, you can access your files from any device that has internet access. Ultimately, that means you should be able to recover your data in the event of a catastrophic event.

We can help you with any technology issues, including system wellness checks, setting up a process for updating your software, and installing and setting up Office 365 with an Azure backup program. Call us – 973-433-6676 – or email us to discuss your needs and their solutions.

New Company, Old Stuff…Old Company, New Solutions

A recent acquisition of a company by one of our clients illustrates the problems you can face with old software as well as old hardware. And our onboarding of a new client illustrates the problems that compound each other after neglect and poor shortcuts. Here’s how we tackled them together.

The software issue, which involved an old, old version of QuickBooks, drove home the benefits of keeping applications up to date. Our client, an accounting firm, recently acquired another firm, and we knew the technology had lapsed, and we even developed a budget number to bring it all up to date. Our question was whether to implement our project now or wait until after the upcoming tax season.

Wanting to do it right, we decided to move forward. Based on the problems we encountered, we made the right decision – because it was not a simple file conversion process. The old version of QuickBooks was from 2008; 2019 is the current version. There was an interim version is 2012. As with Microsoft Windows updates, we had to go through numerous updates because each update was built on a previous update.

In addition to the QuickBooks updates, we had to work with various versions of Windows and aged computers that couldn’t run Windows 10 and the current QuickBooks. Complications arose when people didn’t know the administrative emails and passwords required to set codes and perform updates. We tried numerous combinations, but the problem was solved by talking to the owner of the acquired company, who recalled a Hotmail account for QuickBooks. We had to work through additional emails and passwords – and inconsistencies on security questions.

We finally got it all done after several extra hours of time and another access issue. Our client is set for tax season, but we can’t help but wonder about the cost difference between software updates and the time and expense of the extra work.

Similarly, with old and new, we recently added a client who had been disenchanted with the managed services (monthly fee) program of their previous IT provider. We bid against another company that also offered managed services.

We don’t offer managed services because we believe it shortchanges clients. They pay a monthly fee but never know what the provider is doing for them. When we bill for the hours we work, we always provide a detailed description of our services.

We also don’t like to scare new clients into buying and installing new equipment, such as a server, until we take a deep dive into their systems and their needs. The bidder said the client needed a new one ASAP, which was logical because the server was eight years old. But when we talked to people there and learned how they work, they hadn’t been using the server, which had an old firewall that had never been registered. We registered the firewall and upgraded the software, putting off their need for a new server, which they were using to scan files to send to their printer.

Going forward, we’ll show them a different way of doing things without a server, and it should save them several thousand dollars.

We pride ourselves on being trustworthy, and we build our business on that trait. If you know a company or individual who’s looking for a new IT service provider, we hope you’ll refer us. And if you need a look at your systems, you can rely on us for an assessment that will show you the most cost-effective options. Contact us by phone – 973-433-6676 – or email to set up an appointment for you or a referral.