Phishing Scams – How to Protect Your Small Business

    January 31, 2023

    Phishing emails manipulate people into downloading malicious software, sharing sensitive information, or providing access to a computer or network. Phishing scams have become the most common form of social engineering, with a 61% increase between 2021 and 2022. 

    According to IBM’s Cost of a Data Breach report, phishing ranks among the top five attack vectors for data breaches. It is the most common method of delivering ransomware to organisations and the most costly one, with phishing-related breaches reaching an average cost of $4.65 million (US).

    Cybersecurity Protection for Phishing Scams

    As phishing attacks increase, so does the chance that your company will become a target. Understanding how a phishing attack works and how to protect against it is the best way to ensure that your business does not become a victim.

    Types of Phishing Emails

    Phishing email scams fall into three categories:

    • Bulk Phishing
    • Spear Phishing
    • Business Email Compromise

    Each group uses slightly different methods to appeal to the intended targets. 

    Bulk Phishing Emails

    Bulk phishing attempts use what is called the “spray and pray” approach. Hackers create malicious emails that appear to come from a real company. Usually, these are large organisations such as financial institutions, online retailers, or software vendors. The bad actors then send the email to millions of people, hoping that someone will click on a link, download an attachment, or reply to the email.

    Cybercriminals have become quite good at mimicking legitimate emails. The email uses the logo of a reputable company. It’s formatted to resemble a specific organisation. Subject lines such as the following are used:

    • Account Locked
    • Invoice Attached
    • Verify Account Information

    The subject line is designed to attract attention and convince the recipient to read the email. Each message carries a sense of urgency: the phishing attempt tries to panic the recipient into clicking on suspicious links. The attacker’s objective is identity theft.

    The email will then explain how to unlock an account or verify confidential information. Usually, the instructions will tell the user to click on a link and follow the instructions to update or unlock an account. They are directed to sites that look legitimate but are fake websites where confidential information is captured. The data may include user credentials such as username and password. It may even ask for answers to security questions. 

    Alternatively, a phishing attack may use an attachment as a way to download malicious software onto a computer. The virus or malware is then spread through the network to allow hackers access to sensitive data such as credit card numbers. To avoid falling for a phishing scam, check the sending email addresses carefully to ensure they are from reputable sources.

    Bulk phishing scams depend on recipients being too busy to question an email. As they hurry to clear their inbox, employees click on a link or respond to a malicious email without thinking. It’s not that staff do not take security seriously; they are distracted by messages from customers and coworkers.

    Spear Phishing

    When phishing emails target a specific individual, the attack is called spear phishing. The targets are typically individuals with privileged access to a company’s digital resources or in a position of authority. Spear phishing attacks take more time and require research into the target’s interactions, but they can result in higher financial gains for scammers.

    Cybercriminals will use social media, online forums, or networking sites to gather information on the intended target. Sometimes, they pose as the target. For example, an executive is travelling. Scammers follow social media to know where the person is. They then send an email from a destination on the travel itinerary. The email message may say that a password isn’t working, or it may indicate that there’s a problem with accessing the network. The suggested action exposes the network to compromise.

    More often, hackers target employees. With more employees working remotely, scammers can pretend to be someone from another location. They use information published on media sites to lend authenticity to emails. Eventually, they ask for help accessing a file or folder. Once they have access, they can navigate through the network stealing data. In some cases, individuals don’t realise the breach until much later.

    Business Email Compromise (BEC)

    This phishing effort is a more dangerous form of spear phishing. BEC targets businesses that pay bills through wire transfers. Cybercriminals may target someone who authorises payments, such as the head of accounting or chief financial officer (CFO). They acquire the target’s credentials so they can use the email account to request a wire to a legitimate vendor, but with different bank details substituted. When the funds arrive in the fraudulent account, the cybercriminal quickly transfers the money out.

    The Australian Cyber Security Centre issued an alert to the property sector in mid-2021, warning of an increase in BEC scams targeting real estate transactions. By the end of 2021, Australian businesses across all sectors had lost $227 million to redirected payments. For small businesses, the average loss per scam was $8,000.

    Cyber attacks continue to increase

    How to Protect Small Businesses from Email Scams

    Protecting against phishing email scams begins with user training. Employees should be alerted to possible scams and trained to identify phishing emails. Some characteristics of a fraudulent email include the following:

    • Requests to update an account or personal information.
    • Requests for payment to new account numbers.
    • Unexpected file attachments.
    • Urgent requests to avoid fines, penalties, or similar punishments.
    • Poor grammar and spelling.
    • Fraudulent or look-alike sender email addresses.

    When employees receive suspicious email requests, they should check the sender’s address carefully. Attackers will alter a familiar address by a single character (adding, swapping, or substituting one) so that it appears legitimate at a glance.
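The indicators listed above (account-update and payment requests, unexpected attachments, urgency language, look-alike sender addresses) and the look-alike links described in the bulk phishing section can be turned into a simple triage check. The following is an added example written for this article, not code from Tech Seek or from any product the article names; the trusted-domain list, the keyword vocabularies, and the two sample messages are all constructed for the example. It parses a raw email, compares the sender domain and any linked hosts against an allow-list using edit distance, and scans the subject and body for the other traits.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Domains this business legitimately corresponds with. Constructed for the
# example; a real deployment would load its own allow-list.
TRUSTED_DOMAINS = {"examplebank.com", "supplier.example"}

# Indicator vocabularies mirroring the article's list of fraudulent-email traits.
URGENCY_WORDS = ("urgent", "immediately", "locked", "suspended", "verify",
                 "within 24 hours", "penalty")
REQUEST_PATTERNS = (
    r"update (your )?(account|payment|personal) (details|information)",
    r"new (bank )?account (number|details)",
    r"wire transfer",
    r"confirm your (password|credentials)",
)
RISKY_EXTENSIONS = (".exe", ".js", ".scr", ".iso", ".html", ".htm",
                    ".docm", ".xlsm", ".zip")
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (Wagner-Fischer); fine for domain-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the actual address, ignoring the friendly display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str) -> Optional[str]:
    """Trusted domain that `domain` imitates (one or two edits away), else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if 0 < levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def phishing_indicators(raw_email: str) -> List[str]:
    """Return human-readable reasons an email looks like phishing (empty = clean)."""
    msg = message_from_string(raw_email)
    indicators: List[str] = []

    domain = sender_domain(msg.get("From", ""))
    imitated = lookalike_of(domain)
    if imitated:
        indicators.append(f"sender domain {domain!r} imitates trusted {imitated!r}")

    # Collect subject plus every plain-text part; flag risky attachments on the way.
    text_parts = [msg.get("Subject", "")]
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            indicators.append(f"risky attachment {filename!r}")
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text_parts.append(payload.decode("utf-8", "replace"))
    text = "\n".join(text_parts).lower()

    # Links pointing at look-alike hosts (the fake "verify your account" sites).
    for host in URL_HOST.findall(text):
        imitated = lookalike_of(host)
        if imitated:
            indicators.append(f"link host {host!r} imitates trusted {imitated!r}")

    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        indicators.append("urgency language: " + ", ".join(hits))
    for pattern in REQUEST_PATTERNS:
        if re.search(pattern, text):
            indicators.append(f"sensitive request matching /{pattern}/")
    return indicators


# Constructed sample messages (not real mail). The sender domain swaps "l" for "1".
PHISH = """\
From: Example Bank Security <alerts@examp1ebank.com>
To: accounts@smallbiz.example
Subject: URGENT: Account Locked - verify account information
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Your account has been locked. Please update your account details within 24 hours
at https://examp1ebank.com/verify to avoid a penalty.
--XYZ
Content-Type: application/zip; name="Invoice.zip"
Content-Disposition: attachment; filename="Invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--XYZ--
"""

LEGIT = """\
From: Supplier Accounts <accounts@supplier.example>
To: accounts@smallbiz.example
Subject: March statement
Content-Type: text/plain

Hi, the March statement is available in the portal as usual. No action needed.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(sample))
```

The edit-distance check is deliberately narrow (one or two edits from a domain you already trust) so that unrelated senders are not flagged; it catches the single-character substitutions the article warns about but not every homoglyph or subdomain trick, which is why it belongs alongside spam and web filters rather than in place of them.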

    Businesses should have a fail-safe process for verifying an unusual request for payment or a change in account numbers. The process should not rely on the internet or text messaging: email can be intercepted, and text messages are often used for phishing. A phone call to a number already on file with the vendor is the usual check.

    Technology can be used to protect your business against phishing scams:

    • Spam filters
    • Antivirus software
    • Antimalware software
    • Web filters

    Finally, implementing multifactor authentication (MFA) adds another layer of protection for user credentials, so that a password captured by a phishing site is not enough on its own to log in.

    Tech Seek’s IT support team can help you protect your business and prevent your employees from falling victim to a phishing scheme. Contact us to discuss cybersecurity options.