Email is a staple of operations for small and medium-sized businesses (SMBs)—and for scammers, too. Cybercriminals remain primed to use phishing emails to target organizations of all sizes, hoping that unsuspecting employees will take the bait and give them access to a treasure trove of company information.
Phishing emails impersonate legitimate companies and try to entice employees to click an email link or open an attachment. A single click can direct users to a fraudulent website where criminals can obtain confidential information such as login credentials or other data or infect users’ computers with malware.
While bulk phishing campaigns seem to have receded, criminals have upped the ante with spear-phishing—emails that target a particular individual at a company in hopes of committing more fraud. Proofpoint indicates that nearly 90% of organizations experienced targeted phishing attacks in 2019.
Small businesses may think they are immune, but with fewer resources and often less stringent technological defenses, small business is a big target for phishing scams. In fact, the Verizon 2020 Data Breach Investigations Report shows that phishing is the biggest threat for SMBs, accounting for more than 30% of breaches.
Cyberattacks can hit SMBs hard in terms of cost. Cofense reports that the average cost of a phishing attack to a mid-size business is $1.6 million, but monetary loss is only part of the damage. Phishing attacks can also disrupt company productivity, result in the loss of intellectual property, and even damage brand reputation if customer data is compromised.
Types of Phishing Attacks Targeting SMBs
What are the latest phishing threats? Here are some of the latest tools in the criminal arsenal:
- SaaS and Webmail Attacks: The Anti-Phishing Working Group (APWG) reported that the biggest category of phishing attempts so far in 2020 targets webmail—email that can be accessed over a web browser—as well as Software-as-a-Service (SaaS)—office applications and collaboration tools that are accessed over the Internet.
- Form-Based Attacks: According to Barracuda, these popular attacks impersonate file-sharing and storage sites such as Google’s storage.googleapis.com and docs.google.com or Microsoft’s onedrive.live.com, sway.office.com and forms.office.com to trick users into giving up login credentials. Because the fake form is hosted on the legitimate service itself, the URL and its certificate look genuine; only the request for a password on a document-sharing page gives it away. Those credentials can then be used to access an organization’s internal documents and processes, sensitive customer data or financials.
- Business Email Compromise (BEC) Attacks: With this type of spear-phishing, cybercriminals either take over the mailbox of a key employee (like the owner or CEO) or spoof a lookalike address for that person, and then impersonate that officer in an email to others in the company, requesting wire transfers or other payment transactions like gift cards on their behalf. In 2019 alone, the FBI reported that BEC attacks resulted in more than $1.7 billion in losses.
- Direct Deposit Diversions: In this version of a BEC attack, criminals use spear-phishing emails sent to HR professionals, impersonating employees and requesting that their payroll direct deposit be changed to the cybercriminal’s account.
- COVID-19 Phishing Scams: In the wake of the pandemic, phishing emails proliferated, often targeting businesses that applied for relief funding opportunities. In addition, Menlo Security reported on spear-phishing emails that appeared to come from the CEO outlining COVID-19 employee benefits, but which linked to a fraudulent site to nab employee usernames and passwords.
- Other Forms of Phishing: Phishing isn’t restricted to email. Fraudsters also use smishing, which delivers the lure by text message, and vishing, which does it by voice call (often placed cheaply over VoIP services such as Skype so the caller ID can be faked), to commit cybertheft.
How to Protect Your Business from Phishing Attacks
While cybercriminals show no signs of stopping predatory phishing attacks, there are steps any SMB can take to defend against fraud:
1. Schedule Regular Phishing Training
Employees are your first line of defense against phishing attacks, so it’s important to make cybersecurity training a priority. Regularly scheduled training sessions can help raise employee awareness of the tell-tale signs of phishing:
- Hover over email links to see if the destination URL is what you expect; the visible text of a link and its actual target can differ. Don’t click on links or attachments in a suspicious email.
- Looking for the “lock” on HTTPS sites is not enough. The APWG Report showed that in the first quarter of this year, three-quarters of all phishing sites used valid TLS certificates, which anyone can obtain for free in minutes for a domain they control.
- The lock only proves that the connection is encrypted to whatever site is named in the address bar. Clicking the lock icon opens a window that shows the domain the certificate was issued to and the Certificate Authority (CA) that issued it; the name of the CA says nothing about legitimacy, so employees should check that the domain is exactly the one they expect (for example, the company’s real login domain) and not a lookalike with an extra word, a swapped letter or a different ending.
Training is an effective tool in the fight against phishing attacks. Proofpoint reports that nearly 80% of organizations that have conducted security awareness training have reported improvements. Keeping cybersecurity top-of-mind gives your employees the edge in identifying and reporting suspicious emails.
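The “hover over the link” check above can be automated for an email gateway or a help-desk triage script. The following is an added example, not code from the original article or from any of the vendors it cites. It extracts every link from an HTML message body and flags the tell-tale signs described in this section: visible link text that names one domain while the real target is another, a username (or fake hostname) placed before the `@` in a URL, a raw IP address as the host, a punycode (`xn--`) host that can render as a lookalike name, and links to the document-sharing services named earlier that are abused for credential forms. The sample message, the host list and the finding codes are constructed for the example; the domain comparison uses a crude “last two labels” rule rather than the Public Suffix List, which a production tool should use.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Legitimate file-sharing hosts that form-based phishing abuses (list from the article;
# membership here is a warning, not proof of malice).
SHARED_DOC_HOSTS = {
    "storage.googleapis.com", "docs.google.com", "onedrive.live.com",
    "sway.office.com", "forms.office.com",
}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation of the registrable domain (last two labels).
    Assumption for the example: real code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze_link(href, text):
    """Return a list of finding codes for one link (empty list means nothing odd)."""
    findings = []
    target = urlsplit(href)
    host = target.hostname or ""

    if target.username is not None:
        # http://login.microsoft.com@198.51.100.7/ -> browser goes to the IP
        findings.append("userinfo_in_url")
    if _is_ip(host):
        findings.append("ip_host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode_host")
    if host in SHARED_DOC_HOSTS:
        findings.append("shared_doc_host")

    # The "hover" check: if the visible text looks like a URL, its domain must
    # match the domain the link really points to.
    if text and " " not in text and "." in text:
        shown = urlsplit(text if "://" in text else "https://" + text)
        if shown.hostname and registrable_domain(shown.hostname) != registrable_domain(host):
            findings.append("text_href_mismatch")
    return findings


def scan_email(html):
    """Map each href in the message to its list of findings."""
    collector = _AnchorCollector()
    collector.feed(html)
    return {href: analyze_link(href, text) for href, text in collector.links}


# Constructed sample message for the example; the hosts are documentation/example names.
SAMPLE_EMAIL = """
<p>Your mailbox is almost full. Sign in to keep receiving messages.</p>
<a href="https://secure-login.example.net/owa">https://outlook.office.com/owa</a><br>
<a href="https://xn--pple-43d.com/verify">Verify your account</a><br>
<a href="http://login.microsoft.com@198.51.100.7/">Sign in</a><br>
<a href="https://forms.office.com/r/abc123">Confirm your payroll details</a><br>
<a href="https://www.example.com/news">https://www.example.com/news</a>
"""

if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL).items():
        print(f"{href:50} {', '.join(findings) or 'ok'}")
```

Run on the sample, the first link is flagged because the text shows an office.com address while the target is example.net, the third is flagged twice (fake hostname before the `@`, real host is an IP), the fourth is flagged only as a shared-document host, and the last is clean. Nothing here replaces judgement: a link with no findings can still be malicious, which is why the training above matters.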
2. Counter BEC Attacks By Double-Checking Information
Spear-phishing BEC scams try to create a sense of urgency so that employees follow through quickly with payment requests or payroll diversions. Require employees to confirm any wire transfer, payment or bank-detail change requested by email with the executive or employee by phone, using a number already on file rather than one given in the email, before acting on it.
3. Strengthen Passwords
Protect your data against compromise by encouraging employees to create strong passwords—long passphrases rather than short letter, number and symbol combinations—and never to reuse a password across accounts; a password manager makes both practical. Multi-factor authentication, which requires employees to use more than one method to log in to their accounts, adds another layer of protection. Note that a phishing site can relay a one-time code typed into it just as easily as a password, so where possible prefer phishing-resistant methods such as FIDO2 security keys, which only work for the genuine domain.
4. Choose the Right Secure Email Gateway
A Secure Email Gateway can help block unwanted mail such as spam or phishing before it reaches employees, and can also review outgoing mail to ensure that sensitive data isn’t leaving the company. Choose whether an on-premises or cloud-hosted gateway best fits your environment, and make sure it enforces sender authentication (SPF, DKIM and DMARC) so that messages that merely claim to come from your own domain are rejected.
5. Maintain Your Systems
Make sure your operating systems, antivirus and antimalware software are up-to-date to ensure you have the latest protection against malware. In addition, backing up your data both onsite and in a secure cloud location can provide peace of mind for data recovery in case of a security incident; keep at least one copy offline or otherwise write-protected, since malware delivered by a phishing email will encrypt or delete any backup it can reach.
With all of these strategies in place, it's also important to always keep the dangers of phishing top-of-mind—for both company leaders, as well as front-line employees. As cyberattacks become more prevalent, SMBs need to become more vigilant. It’s easy to get complacent about cybersecurity, but with the stakes for a breach occurring from just one phishing email so high, SMBs need to stay attentive to protect their business assets and reputation.