Companies that back up files once a week are caught off guard by the scam and are often willing to pay the ransom.
"It's the choice between paying 500 bucks or losing a week's worth of work — for maybe more than one person, says Stu Sjouwerman, cofounder of security training company KnowBe4 LLC in Clearwater, Fla.
While the scammers used a phony AT&T address in the law firm case, other telco companies saw variants of the phishing scam, too, Sjouwerman adds. Symantec estimates that ransomware like Cyberlocker earned criminals over $34,000 in one month alone in late 2013.
Small and medium-size businesses with fewer than 500 employees account for 41 percent of all spear-phishing attacks, compared to 36 percent in 2012, according to Symantec. Large enterprises with more than 2,500 employees accounted for 39 percent of all targeted attacks, compared with 50 percent in 2012 and 2011.
Small and mid-size businesses run into two challenges, says Scott Greaux, VP at PhishMe.com in Chantilly, Va.
"One is the perception that I don't have anything people would want. [Two], they might have the traditional [security] tools in place but they might be behind the times, even if they are using web-filtering."
Before it happens to you — "make sure you do have backups and test your restore function on a very regular basis," Sjouwerman says. Also, invest in security awareness training for all employees.
2. IVR and robocalls for credit card information
Interactive voice response systems and "robocalls" play a central role in new social engineering scams seeking credit card or password information. Bad guys steal thousands of phone numbers and use a robocaller to call unsuspecting employees.
"It's fully automated, Sjouwerman says.
"The message goes something like — 'This is your credit card company. We are checking on a potential fraudulent charge on your card. Did you purchase a flat screen TV for $3,295? Press 1 for yes or 2 for no.'" If the person responds no — the script then asks the victim to enter his credit card number, expiration date and security code.
In some cases, employees worry that their company credit card has been compromised and they might get into trouble, so they play along.
"Just to add insult to injury, they ask the victim to enter a cell phone number so that a customer service rep can call you back about this and they'll reverse the charge," he adds.
While the scam seems to be aimed at consumers, the concept of combining robocalls and IVR has implications for businesses, too, says Chris Silvers, owner and principal information security consultant CG Silvers Consulting in Atlanta.
Sign up for CIO Asia eNewsletters.