Protecting your small business from phishing attacks
Protecting your organization from phishing attacks doesn't have to be costly or time-consuming, but it is vital for small and medium-sized businesses.
Ask anyone and either they or someone they know will have experienced a phishing attack. Not only that, but they probably know someone who’s actually lost money because of one.
Phishing remains the most common kind of cyber attack, with 74% of organizations in the US successfully attacked in the last year. Small businesses are unfortunately particularly vulnerable because they generally lack the resources and knowledge needed to protect against these attacks.
Why do hackers like targeting small businesses?
More often than not, small businesses tend to feel like cybersecurity isn’t relevant to them because they don’t have the vast amounts of data or financial assets that they think hackers are after, so why bother putting in time and effort to protect themselves?
This is exactly the mentality that cybercriminals rely on: a business that sees no reason to invest in security will not put effective measures in place, which makes it a soft target. Small companies rarely invest in security training for their employees, so phishing attacks, which are designed to trick people, are far more likely to succeed when the recipient doesn't know how to recognize and handle one.
For some attacks, the small business is not even the final target. The attacker uses it as an easy entry point, a stepping stone to larger companies in the supply chain that will truly reward them. These supply chain attacks are on the rise, and they often start with a small business that simply didn't have the defenses to protect itself.
How does phishing work?
Phishing attacks are still one of the most prevalent kinds of cyber attack on businesses, with 241,324 incidents in the US alone last year. The UK Government's Cyber Security Breaches Survey 2021 also identified phishing as the number one threat vector, present in 83% of the attacks that businesses reported.
Hacking into a system takes time and effort, but getting someone to give you access by exploiting their trust is much easier. Email phishing targets people rather than systems: it uses social engineering to lure the recipient into handing over sensitive information, such as a password, or into opening a link or attachment that installs malware or ransomware on their machine.
You could be targeted as part of a mass campaign or it may be a more specific, more thought-out attack on your organization. In the latter case, hackers may use certain information about your company or other employees to make the email sound more convincing. This type of attack is known as spear phishing.
Business Email Compromise (BEC) is particularly hard to spot because the email genuinely comes from, or convincingly impersonates, the account of a colleague or business partner, so nothing about it looks out of place. These attacks are used to persuade employees, customers, or anyone in the supply chain to hand over sensitive data or transfer funds (which are of course directed into the attacker's bank account).
Direct financial loss is a serious consequence for a small business caught by a phishing attack, but things get worse when people outside your organization are targeted through your company. If attackers get into an employee's mailbox and send email to your suppliers, clients or partners, those trusted relationships suffer and you may lose business because your company is seen as insecure.
How to spot a phishing attack
We all think we know how to spot one but phishing emails today are a lot more sophisticated, requiring even higher levels of vigilance.
So what can you look out for?
- Always look closely at the sender, and at the actual address rather than the display name, which an attacker can set to anything. Lookalike domains are a trusted domain subtly altered, for example a lower-case 'l' replaced by the digit '1', or a trusted name placed in front of a completely different domain.
- Check the content, including where links actually point (hover over them before clicking). If suspicious promises are made and it looks too good to be true, it probably is.
- Be wary of the tone. Attackers often use urgency in phishing emails to make you act before you've had a chance to think.
- Spelling and grammar. Obvious mistakes are still a warning sign, but well-written phishing emails are now common, so a clean email is not proof of a genuine one.
BEC scams are usually much harder to detect, so it's important to exercise caution before sending off any information or money. Common scams include sending fake invoices to customers, impersonating someone in upper management to request a payment from employees, or impersonating lawyers to request money from clients. In general, double-check any request for a money transfer or a change of bank details that arrives in your inbox, and do it over a channel you already have on file, such as a known phone number, not the contact details given in the email.
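The sender checks in the list above can be automated. The following Python script is an added example, not code from the original article: it splits a From: header into display name and address, undoes common character substitutions, and flags lookalike domains, trusted names embedded in an unrelated domain, near-miss typosquats, and display names that show a trusted address while the real address is elsewhere. The trusted domains, the confusable-character table and the sample headers are all assumptions made up for the example.

```python
import re

# Assumed: the domains this business and its regular partners actually send from.
TRUSTED_DOMAINS = {"example.com", "examplebank.co.uk"}

# Visual substitutions seen in lookalike domains, mapped back to the text imitated.
CONFUSABLES = {"rn": "m", "vv": "w", "1": "l", "0": "o", "3": "e", "5": "s", "7": "t"}

# Minimal From: header splitter: '"Name" <addr>', 'Name <addr>' or a bare 'addr'.
FROM_RE = re.compile(r'^\s*(?:"?(?P<name>[^"<]*?)"?\s*)?<(?P<addr>[^<>\s]+)>\s*$')


def split_sender(from_header: str) -> tuple:
    """Return (display name, address); the display name is attacker-controlled text."""
    m = FROM_RE.match(from_header)
    if m:
        return (m.group("name") or "").strip(), m.group("addr").strip()
    return "", from_header.strip()


def normalize(domain: str) -> str:
    """Lower-case and undo common substitutions so 'examp1e.com' reads as 'example.com'."""
    d = domain.lower().strip().rstrip(".")
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches typosquats such as 'exmaple.com' that no substitution table lists."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def assess_sender(from_header: str) -> list:
    """Return a list of findings; an empty list means the address domain is one we trust."""
    name, addr = split_sender(from_header)
    domain = domain_of(addr)
    if not domain:
        return ["unparseable: no domain in sender address"]
    # An exact match or a sub-domain of a trusted domain (mail.example.com) is fine.
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return []

    findings = []
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted):
            findings.append(f"lookalike: {domain} imitates {trusted} via character substitution")
        elif trusted in domain:
            findings.append(f"embedded: {trusted} appears inside untrusted domain {domain}")
        elif levenshtein(normalize(domain), normalize(trusted)) <= 2:
            findings.append(f"near-miss: {domain} is within 2 edits of {trusted}")

    # Display-name tricks: the visible name carries a trusted address or brand
    # while the real address (where a reply would go) is somewhere else entirely.
    shown = name.lower()
    if "@" in shown and domain_of(shown) in TRUSTED_DOMAINS:
        findings.append(f"display-name: shows {shown} but mail is really from {domain}")
    elif any(t.split(".")[0] in shown for t in TRUSTED_DOMAINS):
        findings.append(f"display-name: mentions a trusted brand but address domain is {domain}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not taken from real mail.
    for header in ["Alice <alice@example.com>",
                   "Alice <alice@examp1e.com>",
                   "Finance <billing@example.com.evil.net>",
                   "ceo@example.com <ceo.urgent@gmail.com>",
                   "Example Bank Security <alerts@secure-login.net>"]:
        print(header, "->", assess_sender(header) or "ok")
```

A script like this belongs in a mail gateway rule or a helpdesk triage tool, not in the inbox: it is a filter that surfaces suspects for a human to look at, and it only catches domains that resemble ones you have listed, so keep the trusted list current as suppliers change.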
What can you do as a small business?
The key to protecting your business from phishing attacks is to ensure staff are properly trained, since a phishing attempt only succeeds when a person is tricked into acting on it. It's the responsibility of the CEO or owner of an organization to ensure employees have the correct guidance on phishing attacks, how to spot them, and what to do when they encounter one.
Cultivating a culture of security and awareness and making sure employees have the correct knowledge is especially important when some users may be working from home, because there is less visibility and control in these environments.
Security policies are a good way of conveying this guidance, and making sure employees read and understand them can be made part of the onboarding process. Cyber security exercises are also a good way of testing this knowledge; there are free online exercises, such as the NCSC's 'Exercise in a Box'. For a few dollars a month per user, commercial services provide security training such as phishing simulations, where you can track how employees respond.
It also helps to limit the number of valuable entry points an attacker could exploit by reducing account privileges across your company. Staff should only be able to access what they need to perform their job.
That way, if a cybercriminal does take over an account, they can't reach all of the business's sensitive data and the breach can be contained. Administrator rights should be limited to the few people who actually need them, and used from separate accounts rather than from the account someone uses for day-to-day email and browsing. To further protect accounts from takeover, practice good password hygiene and ensure multi-factor authentication is enabled everywhere it is offered; where you can, prefer phishing-resistant methods such as security keys or passkeys, since one-time codes typed into a fake login page can be captured and replayed by the attacker.
Regularly backing up all important data means that not everything is lost if an attacker does gain access via a phishing attempt. Ideally your backup strategy should follow the 3-2-1 rule: three copies of the data, on two different types of media, with one copy kept off-site. Because ransomware routinely looks for backups it can reach and encrypt them too, at least one copy should be offline or otherwise not writable from the network, and all backups should be encrypted. You can back up to a cloud provider or an external drive, but whatever the method, backups should be monitored and regularly checked to ensure recovery is actually possible; a backup you have never restored from is an assumption, not a safeguard.
Keeping operating systems, browsers, email clients and security software up to date is a must for protecting against breaches and phishing attacks, since many phishing payloads rely on known, already-patched flaws. Updates are often set to run automatically, but it's worth checking that the latest patches have really been applied. Although employee training will play the biggest role in phishing prevention, additional safeguards are essential because you cannot guarantee that people will get it right every time, no matter how much training and vigilance they have.
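The restore test mentioned above is the step most often skipped. The following Python script is an added example, not code from the article: it builds a small constructed sample of business files, archives them, records a SHA-256 of the archive, and then proves recoverability by restoring into a scratch directory and comparing every file's hash with the original. Copying to off-site media and encrypting the archive are assumed to be handled by whatever backup tool is in use; the sample file names and contents are made up for the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def tree_digests(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256, the basis for comparing trees."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> str:
    """Archive `source` into a gzip tarball; record its SHA-256 next to it so that
    tampering or bit-rot on the stored copy is detectable before a restore is attempted."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    (archive.parent / (archive.name + ".sha256")).write_text(digest + "\n")
    return digest


def verify_backup(source: Path, archive: Path) -> bool:
    """Restore test: the archive must match its recorded hash, and restoring it into a
    scratch directory must reproduce every file byte-for-byte."""
    recorded = (archive.parent / (archive.name + ".sha256")).read_text().strip()
    if hashlib.sha256(archive.read_bytes()).hexdigest() != recorded:
        return False
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # The 'data' filter (Python 3.12, backported to security releases) refuses
            # archive members that would write outside the target directory.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        restored = Path(scratch) / source.name
        return restored.is_dir() and tree_digests(source) == tree_digests(restored)


def make_sample_tree(root: Path) -> Path:
    """Constructed stand-in for a business's files; not real data."""
    src = root / "bizdata"
    (src / "invoices").mkdir(parents=True)
    (src / "invoices" / "2024-01.txt").write_text("Invoice 1001: 1,200.00\n")
    (src / "customers.csv").write_text("name,email\nAlice,alice@example.com\n")
    return src


def demo() -> tuple:
    """Back up the sample tree, verify it, then corrupt one byte of the stored copy
    and verify again. Returns (result before corruption, result after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = make_sample_tree(root)
        archive = root / "bizdata.tar.gz"
        create_backup(src, archive)
        ok_before = verify_backup(src, archive)
        # Simulate bit-rot or tampering on the stored copy by flipping a byte in the middle.
        data = bytearray(archive.read_bytes())
        data[len(data) // 2] ^= 0xFF
        archive.write_bytes(bytes(data))
        ok_after = verify_backup(src, archive)
    return ok_before, ok_after


if __name__ == "__main__":
    before, after = demo()
    print("restore test on intact backup:", "PASS" if before else "FAIL")
    print("restore test on corrupted backup:", "PASS" if after else "FAIL (as expected)")
```

Run the verification on a schedule, against the copy that is actually kept off-site rather than the one on the same machine, and treat a failed check as an incident: the point of the hash file is that a ransomware operator or a failing disk changes the archive, and you want to learn that before the day you need it.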
Third-party security solutions can run in the background, monitoring users' email activity, sign-in attempts, and file downloads, so that anomalies and compromised accounts are found and reported quickly. They provide a safety net: when an employee does make a mistake, it doesn't have to be disastrous.
Protecting your organization from phishing attacks doesn't have to be costly or time-consuming, but it is vital for small and medium-sized businesses to take a layered approach, ensuring staff receive the right training while also managing and configuring software properly to strengthen your defenses.
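What that background monitoring looks like in practice: the Python script below is an added example, not code from the article or from any product. It runs three simple detections over a constructed sign-in log (sign-in from a country the user has never used, two countries within a few hours, and a success immediately after a burst of failures), the patterns that typically follow a phished password. The log format, the baseline of known countries per user and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format; one line per sign-in attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) country=(?P<country>\S+) "
    r"result=(?P<result>success|failure)$"
)

# Assumed baseline of where each user normally signs in from; in a real deployment
# this is learnt from weeks of history rather than hard-coded.
KNOWN_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}}

TRAVEL_WINDOW = timedelta(hours=4)      # two countries inside this window is suspicious
FAIL_WINDOW = timedelta(minutes=10)     # failures counted within this window before a success
FAIL_THRESHOLD = 5

# Constructed sample log (not from any real system). alice's password has been phished and
# is used from abroad; carol's account is guessed after a burst of failures.
SAMPLE_LOG = """\
2024-05-06T08:02:11Z user=alice ip=203.0.113.10 country=GB result=success
2024-05-06T08:40:03Z user=bob ip=198.51.100.7 country=GB result=success
2024-05-06T09:15:44Z user=alice ip=203.0.113.10 country=GB result=success
2024-05-06T11:03:19Z user=alice ip=192.0.2.55 country=NG result=success
2024-05-06T12:00:01Z user=carol ip=192.0.2.99 country=RU result=failure
2024-05-06T12:00:04Z user=carol ip=192.0.2.99 country=RU result=failure
2024-05-06T12:00:07Z user=carol ip=192.0.2.99 country=RU result=failure
2024-05-06T12:00:10Z user=carol ip=192.0.2.99 country=RU result=failure
2024-05-06T12:00:13Z user=carol ip=192.0.2.99 country=RU result=failure
2024-05-06T12:00:16Z user=carol ip=192.0.2.99 country=RU result=success
2024-05-06T13:30:00Z user=bob ip=198.51.100.7 country=GB result=success
"""


def parse_log(text: str) -> list:
    """Parse log lines into dicts sorted by time; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_anomalies(events: list, known: dict = KNOWN_COUNTRIES) -> list:
    """Return (rule, user, detail) tuples for every suspicious successful sign-in."""
    alerts = []
    last_success = {}                    # user -> (timestamp, country) of previous success
    recent_failures = defaultdict(list)  # user -> timestamps of failures since last success
    for e in events:
        user, ts = e["user"], e["ts"]
        if e["result"] == "failure":
            recent_failures[user].append(ts)
            continue
        if e["country"] not in known.get(user, set()):
            alerts.append(("new_country", user, f"{e['country']} from {e['ip']}"))
        prev = last_success.get(user)
        if prev and prev[1] != e["country"] and ts - prev[0] <= TRAVEL_WINDOW:
            alerts.append(("impossible_travel", user,
                           f"{prev[1]} -> {e['country']} within {ts - prev[0]}"))
        fails = [t for t in recent_failures[user] if ts - t <= FAIL_WINDOW]
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append(("success_after_failures", user,
                           f"{len(fails)} failures in the {FAIL_WINDOW} before success"))
        recent_failures[user] = []
        last_success[user] = (ts, e["country"])
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{rule:24} {user:8} {detail}")
```

Each alert here is a reason to contact the user through a channel other than email and, if the sign-in was not theirs, to reset the password, revoke active sessions and check the mailbox for forwarding rules the attacker may have added. Commercial tools add richer signals (device fingerprints, mailbox rule changes, mass downloads), but the logic is the same: compare each action against what is normal for that account.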