Jamie Herzlich, Newsday columnist

Herzlich writes the Small Business column in Newsday.

Email is one of the top tools used by management to communicate with employees, and hackers are using that to their advantage.

According to a recent report by Proofpoint, the number of malicious emails sent to businesses increased 66 percent from Q4 2015 to Q1 2016, and more than 800 percent over the same quarter a year ago.

In particular, “spoofing” emails — emails that appear to come from a person or company you know — can be among the most costly for businesses.

“These aren’t like the typical spam emails,” explains Ryan Kalember, senior vice president of Cybersecurity Strategy at Proofpoint, a Sunnyvale, California, security and compliance company. “These are very well crafted and highly personalized.”

The report found that 75 percent of imposter email phishing attacks rely on spoofing to trick employees into thinking messages are from their CEO, manager or another company executive.

Total losses to businesses as a result of these types of emails are over $3 billion worldwide, says Kalember, citing FBI figures.

Frequently with small businesses, the spoofer pretends to be a vendor requesting a wire transfer payment, he notes.


One piece of advice Kalember gives: Never initiate a wire transfer based solely on an email.

The threats from these emails can come when the recipient either downloads an attachment or clicks on a link in the body of the email asking them for proprietary information, says Daniel Harris, a researcher at Austin, Texas-based Software Advice, a site that offers IT security product comparisons and reviews.

With phishing attacks in particular, the hackers are trying to get login credentials or financial information in most cases, says Harris.

Unfortunately, identifying these emails isn’t always easy, but there are some tell-tale signs, he says.

For example, if you’re redirected to a form asking for log-in credentials, that’s typically a phishing attack, says Harris.

Educate employees on what these attacks look like, says William Collins, president of NST Inc., an East Northport information technology firm.

“Anything that looks out of place, ask your IT person if it’s legitimate,” he suggests.

Adopt a layered approach that incorporates good antivirus software and good internal security policies, he says. A firewall isn’t enough, he adds, noting you need secure email gateways, which can stop malicious email and unwanted email from even getting to users.

Providers of secure email gateways include SonicWALL, Barracuda and Clearswift, says Harris. Proofpoint also offers a solution on a subscription basis.
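As an added illustration of the kind of rule a secure email gateway applies before a message reaches an inbox (example code written for this column, not Proofpoint's or any other vendor's product), the check below parses a constructed message and flags the executive-impersonation pattern Kalember describes: a known executive's display name on an external address, a Reply-To that differs from the visible sender, and an urgent wire-transfer request. The company domain, executive names and the sample message are assumptions.

```python
# Added example, not from any vendor named in the column. The executive roster,
# the company domain and the sample message below are constructed for illustration.
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

COMPANY_DOMAIN = "example-smallbiz.test"   # assumed internal domain
EXECUTIVES = {"pat ceo", "jordan cfo"}     # assumed display names to protect

# Constructed sample: the CEO's display name, but a free-mail sender and a
# Reply-To that quietly routes any answer somewhere else.
SAMPLE = b"""From: Pat CEO <pat.ceo.office@freemail.test>
Reply-To: Pat CEO <payments@another-domain.test>
To: bookkeeper@example-smallbiz.test
Subject: Urgent wire transfer

Please wire the vendor today, I am in a meeting.
"""

def imposter_findings(raw: bytes) -> list[str]:
    """Return the reasons a message looks like executive impersonation (empty if none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []
    # 1. A protected executive's name used from outside the company domain.
    if from_name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append(f"display name '{from_name}' used from external domain {from_domain}")
    # 2. Reply-To pointing somewhere other than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    # 3. Urgent wire-transfer language, the ask the column singles out.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    if "wire" in text and ("urgent" in text or "today" in text):
        findings.append("urgent wire-transfer request in body")
    return findings

if __name__ == "__main__":
    for finding in imposter_findings(SAMPLE):
        print("FLAG:", finding)
```

A real gateway layers this kind of content rule on top of sender authentication (SPF, DKIM, DMARC) rather than relying on display-name matching alone.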

Other security options include using a domain-name filtering service such as OpenDNS to scrub malicious URLs (i.e., web addresses) in your system, says Collins.


Beyond that, employees need to be wary about who they’re accepting as their social media connections.

Only 24 percent of employees surveyed say they “never” accept invitations from strangers on social media sites, according to a survey last year by Software Advice.

Such connections can give hackers insight into companies, their vendors, employees, and clients so the hackers can craft more targeted email attacks, says Marc Schein, cyber practice leader at Farmingdale-based Integrated Coverage Group, a commercial insurance agency.

He says he’s seen a significant uptick in the number of ransomware claims from clients. These typically originate from opening a phishing email—an email that appears to come from a trusted source. Malware basically locks down a computer system by encrypting files until a ransom is paid to the hacker, usually in the form of Bitcoins, says Schein.

Attacks such as these can be costly and firms may want to consider cyber liability insurance to help cover costs such as hiring legal counsel following a breach, he says.


“You can have the best IT in the world,” says Schein. “In 2016, it’s not a matter of if you will have a breach, but rather when you will have a data breach.”