74% of organizations have suffered phishing attacks. – TechRepublic
"Go fish" just got a whole new meaning.
Phishing scams are getting harder to detect. Pronounced "fishing," phishing is a way for attackers to trick you into handing over passwords, sensitive company data, and bank account details. It usually arrives as an email, but the same lure can also come as a link on a web page.
Hackers are master counterfeiters who copy the look of bank and payment services. They're not shy about lifting logos and email templates from companies like PayPal, Chase, or Amazon so their messages look like the real thing. That's why they're so hard to detect!
These phishing emails can look like they're coming from nearly any organization. For example, a couple of years ago, a phishing scam that appeared to come from the Federal Trade Commission (FTC) made its rounds through the business world and affected multiple companies.
What makes small businesses more vulnerable? Attackers work on the assumption that you don't have a dedicated IT professional or team, and that even if you do, there's a good chance the foundational security measures aren't in place. They use that gap against you.
Educate Your Team
Hackers don't have to be technical masterminds. Many lack the deep Internet know-how you'd expect. What they do well is trick you and your employees.
Cyber criminals usually aren't a person in a hoodie hunched over a computer in a dark room. They're more like Leonardo DiCaprio's character in Catch Me If You Can: charming, outgoing, and excellent at conning you.
Educating your employees on what to look for can go a long way in avoiding scams.
A Few Different Types of Phishing
- Traditional Phishing Attacks – Mass-mailed. Hackers present themselves as a bank or money service and ask for your account information to "confirm" your account, or pose as a shipping provider asking you to click for "tracking" information.
- Spear Phishing – The "email from a friend" approach. The message is aimed at you specifically and uses details the attacker has gathered (your name, your colleagues, your vendors) so that it appears to come from an organization or person you know.
- Whaling – Aimed at executives (C-level targets). A close cousin, often lumped in with it, is the "CEO email": a message that looks as if the CEO or regional director emailed you asking for urgent "help."
How to Avoid Phishing Scams
When training your employees on email safety, a checklist to keep at their desks might be helpful.
Here's a list of 5 ways to avoid phishing scams:
- Do not click on links, attachments, or downloads without verifying the sender. A good rule of thumb: don't download or click on anything you weren't expecting.
- Check the sender by looking for clues. Mismatched or suspicious web addresses, and email addresses that resemble the real one but aren't quite right (a swapped letter, an extra word, a different domain), are dead giveaways of a scam.
- If the email isn't addressed to you by name, treat it as a likely scam. "To Whom It May Concern" or "Valued Customer" suggests the sender doesn't actually know who you are.
- If the email asks you for personal or company information, assume it's a scam. NEVER enter passwords or account details into an email reply, a pop-up, or a web form you reached from a link in an email. Legitimate companies won't ask you to do that; if in doubt, go to the company's site by typing the address yourself.
- Any email that asks for money or claims you've won a large prize (especially if it's in the subject line) should be treated with major caution and reported to your IT professional ASAP. This is trickier in the accounting department, where payment requests are routine: verify the request against your own records and confirm with the customer or vendor through a phone number you already have on file, not one from the email, before sending money or changing payment details.
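The sender-and-link checks in the list above are easy to automate. The script below is an added example, not part of the original article, using only Python's standard library. The two messages it parses are constructed samples, and KNOWN_BRANDS is an assumed list you would replace with the vendors your business actually deals with. It flags a display name that claims a brand the sender's domain does not belong to, a visible link that shows one address while its href points to another, a digit-for-letter lookalike domain (paypa1 for paypal), and a generic greeting.

```python
"""Flag common phishing tells in a raw email (standard library only)."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phishing message), used as input below.
PHISH_EML = """\
From: "PayPal Support" <security-alert@paypa1-verify.com>
To: accounts@example-smb.com
Subject: Action required: confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Valued Customer,</p>
<p>Please <a href="http://paypa1-verify.com/login">https://www.paypal.com/signin</a>
to confirm your account within 24 hours.</p>
<p>Tracking: <a href="https://www.ups.com/track">https://www.ups.com/track</a></p>
</body></html>
"""

# Constructed legitimate message, to show the checks do not fire on normal mail.
LEGIT_EML = """\
From: "Jane Doe" <jane@example-smb.com>
To: tom@example-smb.com
Subject: Shipment tracking
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Tom, the tracking page is
<a href="https://www.ups.com/track">https://www.ups.com/track</a></p></body></html>
"""

# Assumed brand list for this example; extend it with your own vendors.
KNOWN_BRANDS = {"paypal": "paypal.com", "chase": "chase.com", "amazon": "amazon.com"}
GENERIC_GREETINGS = ("valued customer", "to whom it may concern", "dear customer")
# Digits commonly swapped for look-alike letters in fake domains (paypa1 -> paypal).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable domain: the last two labels (fine for .com-style hosts)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def host_of(url_or_text):
    """Hostname of a URL, or of bare text that looks like one (www.x.com/y)."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return urlparse(s).hostname or ""


def impersonated_brand(domain):
    """Brand a domain seems to imitate, or None if it is the real domain or unrelated."""
    for brand, real in KNOWN_BRANDS.items():
        if domain == real:
            return None
        if brand in domain.translate(HOMOGLYPHS):
            return brand
    return None


def find_phishing_tells(raw_eml):
    """Return a list of (kind, detail) warnings for one raw email message."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    warnings = []
    sender = msg["From"].addresses[0]
    sender_domain = registered_domain(sender.domain)
    name = sender.display_name.lower()
    domains = {sender_domain}

    # 1. Display name claims a brand the sender domain does not belong to.
    for brand, real in KNOWN_BRANDS.items():
        if brand in name and sender_domain != real:
            warnings.append(("brand-mismatch", f"'{sender.display_name}' sent from {sender_domain}"))

    # 2. Visible link text shows one site while the href goes somewhere else.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        href_domain = registered_domain(host_of(href))
        domains.add(href_domain)
        if "." in text and " " not in text:  # link text that looks like an address
            text_domain = registered_domain(host_of(text))
            if text_domain != href_domain:
                warnings.append(("link-mismatch", f"shows {text_domain}, goes to {href_domain}"))

    # 3. Any domain involved that imitates a known brand.
    for domain in sorted(domains):
        brand = impersonated_brand(domain)
        if brand:
            warnings.append(("lookalike-domain", f"{domain} imitates {KNOWN_BRANDS[brand]}"))

    # 4. Generic greeting: the sender may not know who you are.
    lowered = html.lower()
    for greeting in GENERIC_GREETINGS:
        if greeting in lowered:
            warnings.append(("generic-greeting", greeting))
            break
    return warnings


if __name__ == "__main__":
    for kind, detail in find_phishing_tells(PHISH_EML):
        print(f"{kind:18} {detail}")
    print("legit message warnings:", find_phishing_tells(LEGIT_EML))
```

Run as-is, the script reports four tells for the constructed PayPal lure and none for the legitimate message. The domain handling is deliberately simple (last two labels, a handful of digit substitutions); a production filter would use a public-suffix list and a fuller homoglyph table, but the four checks are exactly the ones the checklist asks a person to do by eye.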
Bonus Tip: Check Your Accounts
Check your online accounts frequently.
Check for unauthorized transactions, especially very small ones. Attackers sometimes test a stolen account with tiny charges to confirm it works and to see whether you notice.
Build Your Defense
It would be even better if phishing scams never reached your inbox, but some will, so you need to be prepared.
- Ask your IT department about firewalls, anti-virus, content filtering, and anti-spam.
- Make sure any software you are currently running is up to date.
- Find out how often your security measures are updated. Could it be more often?
This is your simplest, yet most effective scam defense.
Mobile Devices & Bring Your Own Device (BYOD)
Mobile devices are often overlooked as we see them more as an extension of ourselves than a computer. This creates blinders for the threats they can carry.
Most of us check email on our phones, which makes mobile devices a solid platform for launching all kinds of attacks. Add to that the fact that attackers know Android links open in Chrome and iPhone links open in Safari, so they know exactly which browser interface to mimic, and that a mobile address bar shows only a short piece of the URL, so a fake address is harder to spot.
Use the same best practices on your phone as on your computer: security software, strong passwords, and prompt software updates. Yes, iPhone, that means you too.
Anyone can be a victim of a phishing scam, and small businesses are especially vulnerable. Consult your IT professional on how to minimize these threats and educate your employees on best practices.
Need some IT or cyber security guidance? Contact us any time.