This article was updated on Oct. 15, 2018.
Caught by a phishing scam? Getting untangled isn't cheap. According to Infosecurity Magazine, the average cost of a spear phishing incident is $1.6 million — enough to ruin most small businesses. But as scammers become more sophisticated and employees more connected, you can't afford to take a pass on small business phishing scams. Here's what you need to know about avoiding the hook.
Casting the Line
As noted by Infosecurity Magazine, one-quarter of companies still don't consider phishing a significant threat. Part of the problem is scale: Most attacks aren't orchestrated by big hacker organizations but by smaller actors looking for a quick payday or easy access to your network. Scams often rely on fraudulent emails whose links send users to real-looking bank or e-commerce sites; once there, employees are prompted to enter personal account information, which is then sent to the scammers.
As attackers develop new ways to dupe users, avoiding small business phishing scams becomes more difficult. Network World notes that scammers are taking social engineering to the next level by sending emails to employees and HR representatives from spoofed company executive accounts asking for personal information. The IRS has received several reports of W-2s unintentionally emailed to cybercriminals.
Newsweek reports another avenue of attack: Sending HR personnel fake resumes laced with malware. Scammers are intelligent enough to scan your website for job postings and tweak their submissions accordingly, making it hard for employees to separate fact from fake. Old-school methods are also making a comeback; over the last year, there's been a substantial increase in "macro malware." Users receive a Word document attachment that asks them to enable macros, allowing Visual Basic for Applications (VBA) code to execute and infect computers. This scam was popular 15 years ago, and users who have never seen it are getting a crash course in bad emails.
Shake the Line
So how do you take steps to help avoid becoming a victim of small business phishing scams?
- Look for telltale signs: poor grammar, spelling or formatting in the email body and oddities in the sender line.
- Check that addresses which look like they come from company accounts actually match the sender's real address, not just the display name.
- If you get an odd email from a known contact, call them before opening any attachments.
- Pay attention to what's being asked by the sender. If the email demands immediate action or wants high-value private or corporate information, it's worth taking a second look.
- If opening attachments is a must, always use an image previewer to take a risk-free look first.
- Train your employees to follow the above instructions. Consider posting them in an easily accessible location.
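One way to automate the sender checks in the list above (an executive's display name on a foreign address, a lookalike domain, a Reply-To pointing elsewhere, and urgency or W-2 cues in the subject). This is an added example, not code from the original article; the company domain, the executive directory and both sample messages are constructed.

```python
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed executive directory
URGENT_WORDS = ("urgent", "immediately", "w-2", "wire", "gift card")

def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(raw_message):
    """Return a list of warning strings for one RFC 5322 message (empty if clean)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    reply_domain = reply_to.rsplit("@", 1)[-1] if "@" in reply_to else ""
    warnings = []
    expected = EXECUTIVES.get(display.strip().lower())   # known name, wrong address?
    if expected and addr != expected:
        warnings.append(f"display name '{display}' but address {addr} is not {expected}")
    for d in sorted({domain, reply_domain}):             # near-miss of our own domain?
        if d and d != COMPANY_DOMAIN and levenshtein(d, COMPANY_DOMAIN) <= 2:
            warnings.append(f"lookalike domain {d}")
    if reply_domain and reply_domain != domain:          # replies silently rerouted?
        warnings.append(f"Reply-To {reply_to} goes to a different domain than From")
    hits = [w for w in URGENT_WORDS if w in msg.get("Subject", "").lower()]
    if hits:
        warnings.append(f"urgency/high-value cues in subject: {hits}")
    return warnings

# Constructed samples: one spoofed CEO request, one legitimate internal note
SAMPLE_SPOOF = (
    "From: Jane Doe <jane.doe.ceo@gmail.com>\r\n"
    "Reply-To: payroll-request@examp1e.com\r\n"
    "Subject: URGENT - send me all employee W-2s immediately\r\n"
    "\r\nPlease handle this today.\r\n"
)
SAMPLE_OK = "From: Jane Doe <jane.doe@example.com>\r\nSubject: Lunch?\r\n\r\nNoon?\r\n"

if __name__ == "__main__":
    for w in check_sender(SAMPLE_SPOOF):
        print("WARN:", w)
```

The spoofed sample trips all four checks; the legitimate one trips none, which is the behaviour a mail-gateway rule or a training demo should reproduce.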
Bottom line? As phishing scams increase and become more sophisticated, getting hooked is more likely. Take steps to help limit your losses by refusing to take the bait.