One of the many forms that malware and online fraud can take is phishing. Nope, it’s not that delicious Ben & Jerry’s flavor; phishing is a scam that targets both consumers and small businesses by mimicking a trusted source and requesting personal information.
On the business end, phishing messages can be disguised as outreach from a local vendor, a customer, or even a high-level employee. Email is one of the easiest, most inexpensive ways for hackers to infiltrate your security systems, and one of the most common vehicles for phishing scams.
With cyber crime damages projected to exceed $6 trillion by 2021, and small businesses accounting for 43% of data breaches according to a 2019 report, you can’t afford to have your business compromised by an accidentally clicked link from a distracted employee.
Our last article dove into the many ways attacks can take place through brute-force malware and how to avoid them by having comprehensive data protection and recovery systems in place. Even if you have a top-of-the-line security system in place, your weakest link is always going to be human error. Phishing scams often happen through everyday online activities such as surfing the web, checking social media, and other small habits that sneak in during downtime in everyone’s workday. But phishing doesn’t just happen through little time-wasters or other bad internet habits at work; over 1 million people fell victim to the Google Docs phishing scam because it preyed on users through social engineering!
Social engineering is psychological manipulation that tricks users into divulging personal information or otherwise unknowingly acting in a way that helps cybercriminals get what they want. We are so used to putting our personal information into phone apps or other websites that it is actually not that hard for cybercriminals to pose as systems that look legitimate; it feels so routine to log in to a system on our phones or laptops that we sometimes don’t give it a second thought.
This article will dive into the psychology of social engineering, phishing, and how to best train your employees to avoid common small-business phishing scams.
Email Phishing
94% of phishing attempts happen through email. Email is free, making it a convenient way for cybercriminals to request personal information. We’re all aware of the phishing scams of the 90s, the ones that became so common they are laughable now for their obviousness: the international prince, the charity fundraiser, the philanthropic do-gooder that recently came into an inheritance. Those are all pretty easy scams to spot nowadays, simply because they were so prolific (and so often badly spelled!) in their heyday.
But email spoofing has gotten a lot savvier in recent years. Even though Gmail is known to block 99.9% of emails containing spam, malware, and phishing scams, what about that 0.1%? It can still do an enormous amount of damage if your employee opens an email that appears to be from a known sender and quickly clicks through to a malicious hyperlink or attachment.
Offshoots of email phishing are webpage mimics and link manipulation. This is where a cybercriminal links to a website that mimics a legitimate one, or manipulates a link so that the text you see hides the site the link will actually direct you to.
Train your employees to be diligent about verifying sender addresses and links before opening emails or clicking on anything in them. The best way to be sure you are going to the correct address is to bypass the link entirely and do a Google search for the website you want to check out.
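The link-manipulation tricks described above can be checked mechanically as well as by eye. The following is an added example, not code from the original article or from Tech Masters: it pulls every link out of an HTML email body and flags the common manipulations, namely anchor text that shows one domain while the href points at another, a trusted brand buried in a subdomain of an unrelated site, near-miss or confusable-character spellings of a domain you trust, raw IP hosts, and user:pass@ prefixes that hide the real host. The trusted-domain list, the sample email, and the simple "last two labels" notion of a registered domain are all constructed assumptions for the demo.

```python
"""Flag suspicious links in an HTML email body from a defender's point of view.

Added example with constructed data: TRUSTED, SAMPLE_EMAIL and the
registered-domain rule below are assumptions for the demo, not a real
mail filter's configuration.
"""
import re
import unicodedata
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of domains the staff legitimately log in to.
TRUSTED = {"example-bank.com", "google.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    # Naive rule (assumption): the last two labels, so mail.example-bank.com
    # and example-bank.com compare equal. A real filter would use the PSL.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def fold_lookalikes(host):
    # Strip accents, then undo common digit-for-letter swaps (0/o, 1/l, 3/e, 5/s)
    # so that "examp1e-bank.com" folds to "example-bank.com".
    ascii_only = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    return ascii_only.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))


def check_link(href, text):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    findings = []
    u = urlparse(href)
    if not u.scheme:                       # "example.com/path" -> treat as http
        u = urlparse("http://" + href)
    if u.scheme not in ("http", "https"):
        return [f"non-web scheme {u.scheme!r}"]
    host = (u.hostname or "").lower()
    if "@" in u.netloc:
        findings.append("userinfo before host hides the real destination")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append("raw IP address as host")
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("internationalized characters in host (possible homograph)")
    # Visible text that looks like a URL or domain but disagrees with the real host.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registered_domain(m.group(1)) != registered_domain(host):
        findings.append(f"link text shows {m.group(1)} but target is {host}")
    reg = registered_domain(host)
    folded = fold_lookalikes(reg)
    for t in sorted(TRUSTED):
        if reg == t:
            continue                       # genuinely the trusted site
        if folded == t:
            findings.append(f"lookalike of trusted domain {t} (confusable characters)")
        elif SequenceMatcher(None, reg, t).ratio() >= 0.85:
            findings.append(f"near-miss spelling of trusted domain {t}")
        elif host != reg and t.split(".")[0] in host.split("."):
            findings.append(f"trusted brand {t} used as a subdomain of {reg}")
    return findings


def scan_email(html):
    """Return [(href, findings), ...] for every link in the HTML body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, check_link(href, text)) for href, text in parser.links]


# Constructed sample message, not taken from any real phishing email.
SAMPLE_EMAIL = """
<p>Your account will be suspended. <a href="http://examp1e-bank.com/login">Verify now</a>.</p>
<p>Or visit <a href="https://example-bank.com.account-verify.net/">https://example-bank.com</a></p>
<p>Help: <a href="https://support.example-bank.com/faq">support.example-bank.com</a></p>
"""

if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL):
        print(href, "->", findings or "OK")
```

Run as-is, the first two links are flagged (digit-for-letter lookalike; anchor text and brand-in-subdomain mismatch) and the genuine support link comes back clean. The point of the heuristics is the same as the training advice: what a link displays and where it actually goes are two different things, and only the second one matters.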
Spear Phishing
This is a more targeted version of an email spoof or scam. Cybercriminals who deploy spear phishing first research the company extensively so that they can craft a convincing, urgent email that appears to come from someone in a leadership role in the organization. These scams play on the urgency of responding to a higher-up, making it more likely that junior members of your staff will mistakenly release sensitive information under the impression that they are following a direct request from the boss.
While you can’t do much to prevent a cybercriminal from researching your small business, you can still have security and training systems in place so that your employees go through a stringent verification process before releasing any company information.
Man-in-the-Middle Attacks
This is a sophisticated hacking technique in which a cybercriminal places a phishing system between a legitimate system and the user. Because this system can exist without you being aware of it, the best prevention is two-factor authentication or a multi-layered security system that requires both a standard password and a one-time password. Multi-factor authentication can also help you avoid keylogging scams.
Spoofed Calls or Text Messages
Phishing doesn’t just happen over the internet. A common scam that is used against businesses is a call or text message from someone claiming to be from tech support. Social engineering works against us again here as we’re conditioned to trust people in authority, especially when it comes to technical issues that we may not be experienced with.
It is far too easy for a scammer to create a sense of urgency, demand access to a computer system (“just a quick security scan for your protection”), and with a few keystrokes gain access to all your business information. Again, having a verification system or some other internal checks-and-balances process will help guard against these urgency-based scams.
Social Media Phishing
This may not seem related to small business security, but it is important to note that cybercriminals and scammers can still harm your business through social media phishing. They create accounts on popular social media sites such as Facebook, Instagram, LinkedIn, Twitter, and others to trick users into releasing personal data. They can also access a user’s friends list to cast their phishing net wider. LinkedIn is commonly used to gain information for spear phishing or fake recruitment scams. Scams on Facebook, Instagram, and other casual social sites use social engineering to get personal information; a common example is mimicking popular or well-known business accounts and posing as helpful customer service so that they have a seemingly legitimate reason to request your personal information.
While this may not seem to pose a huge threat to your business, if an employee uses a business device rather than a personal one to check a social media account, there is still a chance that your business could be at risk. This is especially true if your employee is phished through LinkedIn or another business-oriented social media site, where scammers can gain information to create a more targeted phishing or cybersecurity scam.
Your best line of defense is training your employees to be skeptical and take the time to verify sources that request access to your small business data. And if you are looking to upgrade your cybersecurity system to aid your team in protecting your data, Tech Masters can provide a free security assessment.