The ABC of Phishing Prevention for Businesses

April 20, 2023
Wura T and Martha Apeh

Many small and medium-sized businesses put cybersecurity on the back burner due to the additional costs on business operations, which is understandable given the limited capital available to SMEs. However, the value of consumer trust and valuable business data is far greater than the costs of implementing a proactive cybersecurity strategy for the company.

As a business owner, you must take precautions against cybersecurity threats such as data breaches caused by malware, ransomware, and, most importantly, phishing attacks, which accounted for 90% of all data breaches in 2019.


What is Phishing?

Phishing is a fraudulent activity carried out by a cybercriminal to obtain secure and sensitive business information, such as user passwords, credit card numbers, user names, security PINs, and so on. In this scenario, the threat actor sends you an email posing as a trustworthy person or organization to trick you into clicking a malicious link or opening an attachment that grants them access to the data they seek.

That being said, not all phishing attacks are the same; some are more sophisticated and complex than others. Becoming familiar with its various forms, particularly those aimed at businesses, is the first step in protecting your company from the cybersecurity threat it poses. They are as follows:


  1. Spear Phishing 


Threat actors use familiarity to trick the recipient of a spear phishing email into thinking a person of authority in the organization sent it. Spear phishing targets are often chosen because they have access to sensitive data the threat actor wants, such as trade secrets. Fortunately, these forgeries can often be identified by email security filtering such as secure email gateways (SEGs), and by knowing what to look for – more on this later.


  2. Business Email Compromise (BEC)

BEC, or business email compromise, is a rapidly growing type of phishing scam in which fraudsters impersonate company executives or owners to trick employees into revealing confidential information or transferring money. In other words, the thief infiltrates or impersonates a legitimate business email account in order to defraud a company, particularly one that accepts or uses online payment gateways.

What makes this type of phishing attack more dangerous than spear phishing is that BEC email messages can easily bypass SEG protection, mainly because they do not contain attachments or links. Payroll diversion is a prominent example of BEC in action. The threat actor poses as an authority figure and sends instructions to an organization’s HR, requesting the change of an employee’s direct deposit details to an alternative account – theirs.


  3. Whaling Attack

Whaling is a targeted phishing attack on high-level executives that masquerades as a legitimate email in the hopes of stealing sensitive company data or money from another high-level executive.



In this case, the threat actor will prod the target for information that will allow them to gain access to sensitive areas of the company’s financial and data networks. This technique relies entirely on social engineering. After all, it is easier for the threat actor to steal a large sum of money directly from the people with the power and access to authorize payments.


  4. Credential Phishing


Credential phishing emails are designed to look like legitimate communications about an existing business account on platforms such as LinkedIn and Office 365. The goal is to trick victims into logging in to a bogus website. Once this is accomplished, the attacker gains access to legitimate login credentials, which they can then use to compromise additional services on the aforementioned cloud-hosted apps.



How to Protect Your Business from Phishing Attacks

Start with the most essential component of any successful data protection plan – a cybersecurity-aware workforce. That is, train employees to spot the red flags of a phishing email and to report it as soon as they come across one.

The following tactics are some of the most obvious red flags of a phishing email:

  • The message sounds scary. Be cautious if the email contains a charged sense of urgency or alarmist language urging you to “act now.”
  • Grammatical mistakes. Watch for subtle misspellings in otherwise legitimate-looking websites. It is always preferable to type out the URL rather than click on an embedded link in an email.
  • Attachments with suspicious file extensions, such as .jar, .exe, .cmd, .bat, and .vbs, or strange-looking PDF attachments. Be suspicious of unsolicited links and attachments.
  • Unsecured website links – only enter login information on websites served over HTTPS, which browsers indicate with a padlock icon in the address bar.
  • You recognize the sender, but it’s someone with whom you don’t normally communicate, especially if the email’s content has nothing to do with your regular job duties.
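The checklist above can be turned into a simple triage script that a help desk or mail admin can run over a reported message. The following is an added example, not code from the original article: it uses only the Python standard library, the extensions listed above, a constructed allow-list of domains the business normally deals with (`KNOWN_DOMAINS`, hypothetical), and a constructed sample message that trips every check.

```python
import re
import difflib
from email.message import EmailMessage
from urllib.parse import urlparse

SUSPICIOUS_EXT = (".jar", ".exe", ".cmd", ".bat", ".vbs")   # extensions from the checklist above
URGENT_PHRASES = ("act now", "immediately", "urgent", "will be suspended")
KNOWN_DOMAINS = {"example-corp.com", "linkedin.com"}        # constructed allow-list (hypothetical)

def domain_flags(host: str, role: str) -> list:
    """Flags for one hostname: trusted (no flag), a lookalike of a trusted domain, or unknown."""
    if host in KNOWN_DOMAINS or any(host.endswith("." + k) for k in KNOWN_DOMAINS):
        return []
    for known in KNOWN_DOMAINS:  # brand name embedded in host, or a near-typo of a trusted domain
        if known.split(".")[0] in host or difflib.SequenceMatcher(None, host, known).ratio() > 0.85:
            return [f"{role} domain {host} looks like {known}"]
    return [f"{role} domain {host} is not one the business normally deals with"]

def phishing_red_flags(msg: EmailMessage) -> list:
    """Apply the article's checklist to one message and return the red flags found."""
    flags = []
    sender_host = msg.get("From", "").split("@")[-1].rstrip(">").lower()
    flags += domain_flags(sender_host, "sender")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if any(p in (msg.get("Subject", "") + " " + text).lower() for p in URGENT_PHRASES):
        flags.append("urgent or alarmist language")
    for att in msg.iter_attachments():
        name = (att.get_filename() or "").lower()
        if name.endswith(SUSPICIOUS_EXT):          # catches double extensions like Invoice.pdf.exe
            flags.append(f"risky attachment type: {name}")
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https":               # login links must at least be HTTPS
            flags.append(f"link without HTTPS: {host}")
        flags += domain_flags(host, "link")
    return flags

def build_sample() -> EmailMessage:
    """Constructed phishing-style message that trips every check (not a real campaign)."""
    msg = EmailMessage()
    msg["From"] = "Payroll Team <hr@example-c0rp.com>"   # zero instead of the letter o
    msg["Subject"] = "URGENT: confirm your direct deposit details"
    msg.set_content("Your account will be suspended unless you act now.\n"
                    "Verify here: http://linkedln.com/login and reply with the form.\n")
    msg.add_attachment(b"not a real binary", maintype="application",
                       subtype="octet-stream", filename="Invoice.pdf.exe")
    return msg
```

Running `phishing_red_flags(build_sample())` returns five flags: a lookalike sender domain, alarmist language, a risky attachment, a non-HTTPS link, and a lookalike link domain.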



On the IT Infrastructure End:

Deploy Anti-Malware and Anti-Virus Solutions

Anti-malware and anti-virus software add a further layer of defense, detecting emails with malicious attachments, links, or spam that may have gotten past SEGs.

Why does this matter? 

Most antivirus/anti-malware software can detect when a link or attachment isn’t what it appears to be, so even if an employee falls for a clever phishing attempt, they are less likely to end up sharing sensitive business information with the wrong people.

Encrypt Sensitive Company Data

Encryption uses cryptography to scramble data so that only parties who hold the correct key can read it. Depending on your needs, encryption can be applied to a full disk (all files, sensitive or not), to large volumes, or at the folder/file level. Third-party encryption products may be a more viable option for larger organizations. In any case, we recommend consulting a cybersecurity expert about the best encryption options for your company.

Proactively Update Company Passwords

To begin, do some housekeeping: ensure the password for each business account is unique and strong, and enable multi-factor authentication for added security. After that, change a password when:

  • It has not been changed in more than a year
  • You receive a third-party data breach notification
  • Malware is detected on the software or hardware that uses it
  • The account was shared with someone who no longer requires the login (e.g., an employee leaving the company)
  • The credentials were entered into a website clone

The Bottom Line

Unlike other types of cybersecurity threats, phishing does not involve advanced technical knowledge, but its ease of use is where the danger lies. This is because phishing attacks are designed to target the most vulnerable computers on the planet: humans. So be proactive, take precautions, train employees, and keep an eye out for anything suspicious.
