The SMB Guide to Phishing Attacks

When we hear the word “cyberattack,” we usually envision a high-level threat at a global corporation that seeks to steal credit card information or intellectual property. But one of the most common forms of hacking, known as phishing, is carried out through faux emails sent to unsuspecting employees at smaller businesses.

Symantec’s 2018 security report found smaller businesses had more instances of these attacks than larger enterprises: Companies with less than 250 employees averaged one in 323 instances, while companies with 1001 to 1500 averaged one in 823.

It’s a good bet most of your employees don’t know what phishing is or how to detect it, yet they’ve probably received a fishy email at some point. Phishing scams may fly under the radar of many threat-hunting efforts, so the most effective way to combat these attacks is promoting employee awareness and vigilance.

Overview: What is phishing?

Phishing refers to cyberattacks carried out through communication outlets. The attacker contacts the target via email, text, or telephone and attempts to collect personal information allowing them access to sensitive personal and financial data. The information often is used in subsequent identity and financial theft.

The good news is many phishing attacks can be prevented by educating yourself and employees about common methods, so you don’t fall prey to impostors. The bad news is you’ll need to rely on educating yourself and your employees, so you don’t fall prey to these impostors.

Types of phishing attacks

All types of phishing attacks rely on “social engineering.” In terms of cybersecurity, this means using personal information and outreach to coerce an individual into exposing more personal information that can be used against them, usually for the attacker’s financial gain.

Despite repeated warnings from IT staff and widespread coverage of such scams in the media, it’s amazing how often even the savviest individuals fall for these tricks.

Deceptive phishing

In deceptive phishing, the most common type of phishing attack, the attacker impersonates a trusted company or contact via email and asks the victim to share credentials. These attacks are random, and the emails are sent to large numbers of potential victims.

The emails often request the recipient fill out a survey or direct them to click on a link to rectify a discrepancy in their account. The emails usually end with a dire warning urging the recipient to act quickly to avoid serious consequences.

Although this may be the least sophisticated of cyber scams, it is often the easiest to fall for, as the emails will incorporate legitimate links to the organizations they are spoofing. Tell-tale signs of fake emails are spelling mistakes, incorrect grammar usage, or email addresses, unlike the real organization’s domain name.

Spear phishing

Spear phishing is much the same as deceptive phishing, except the attacker is targeting a specific individual or company, usually out of a personal grudge or vendetta. Typically, the attacker has already collected some information about the target via social media or a simple Google search.

The goal is to inflict maximum damage, so rather than simply accessing social security numbers or bank accounts, often the threat actor seeks to install malware or ransomware in your network that can cripple and even bankrupt some businesses.

Whaling

Whaling uses similar phishing techniques as mentioned above, but the target is usually a high-level or public figure, such as a member of the C-suite. The attacker’s methods need to be a bit more polished, however, since many high-profile targets are well-trained in cybersecurity matters. Additionally, many don’t handle their email or phone calls directly, instead relying on their executive assistant to do so.

The main difference between whaling and spear phishing is the higher stakes involved: The threat actor may trick the target into initiating wire transfers, exposing intellectual property, or accessing a customer database rife with valuable information that can be sold on the black market.

Vishing

Vishing (short for “verbal phishing”) extends the ruse to phone contact. We’ve all clicked on a link at one time or other that triggered a pop-up message reading, “Virus Alert! Your computer may be infected. Call 1-888-XXX-XXXX to speak to a technician.” That’s a tried-and-true vishing tactic.

Once you call the number, the “helpful” technician will ask all kinds of questions about your computer, your contact info, account information, and other personal details, so they can “follow up” on your issue.

Attackers may also place unsolicited calls from unknown numbers. Sometimes they pretend your car was involved in a crime (they’ll have the license plate number or vehicle description) or they claim to be a government agency threatening to suspend your social security number if you don’t comply with their requests for information. Never give out information to unsolicited callers.

Smishing

Smishing is similar to vishing, except it happens via text (the name comes from mixing “SMS” with phishing). Often, these texts will appear to come from your bank, requesting your account or bank card number for verification. Or they may appear to be a friend sending you a link to check out -- a link that will infect your phone with malware when you click on it.

Users often fall for these scams easily because when they use their mobile phone, they likely are on the move and paying less attention. Additionally, people make the mistake of thinking phones are more secure than their computers and laptops. Think again.

Angler phishing

Angler phishing is probably the most targeted of all phishing scams. The attacker poses as a customer service rep and reaches out to people who have complained about a company on their social media accounts. These scams are particularly effective because most consumers post their complaints because they want the company to respond.

When that very convincing rep reaches out, the customer is more than willing to share account information, expecting a refund, future discount, or bonus. This is a common ploy for hackers seeking sensitive financial information, as research has found that 55% of angler phishing victims think the rep contacting them is from their financial institution.

6 phishing protection tips to help protect your small business

While it may sound as if phishing scams are everywhere you look, they may be among the easiest to prevent or at least mitigate. You can do so without expensive technology or disruptive solutions. Your first step in developing your phishing security strategy is educating yourself on what a potential threat looks and sounds like so that neither you nor your employees invite a hacker into your business.

1. Educate employees

The No. 1 tip for protecting your business from phishing attacks is educating your employees. Do it immediately and do it often. Teach them what a phishing attack is, how it can impact the business, and how to differentiate between a real email and a fake:

• Advise them to never give out personal information over the phone or via email.
• If they receive a suspicious call, recommend that they ask for a callback number and try phoning the caller.
• Remind them to hover on links before clicking them, examining the web address for misspellings or unknown domains that don’t match the purported company.
• Warn them not to share personal info on social media.
• DO NOT open any attachments from senders you don’t recognize.

Stay abreast of the latest phishing emails making the rounds (a quick Google search should tell you what you need to know) and inform employees of the details by sending out an email, posting a memo in the breakroom, and announcing it in staff meetings.

Some employers find it helpful to create a mock phishing email to send to employees to test the effectiveness of training. If an employee falls for it, they sign up for additional security training.

There’s no such thing as too much security training, even if employees whine it’s repetitive. In the throes of a busy workday, even the most conscientious employee could click a link without thinking. The constant reminders could help you avoid devastating consequences.

2. Use a spam filter

This is an easy one. Your email application most likely provides one, and you may have set up additional permissions when you created your email server and employee email accounts. Spam filters will filter out suspicious emails, so employees don’t have to make judgment calls on possibly nefarious communications.

3. Keep all security patches current

Remind employees to close out of applications and shut down their computers at least once a week. This ensures their computers and other devices will update to the most recent versions of firmware, which usually deliver security patches that address newly discovered vulnerabilities. If you have onsite servers, be sure your IT team is regularly patching infrastructure software as needed to keep data and other assets safe.

4. Two-factor and multifactor authentication

Guarding against phishing attacks is just one more reason to deploy two-factor or multifactor authentication for all connected devices. Consider it the Energizer Bunny of preventing cyberattacks, because just about every how-to article on good cyber hygiene, standing up endpoint security, or IoT security recommends it.

If a hacker gets an employee’s password to log in to your network, it’s doubtful they will also have access to that worker’s phone, ultimately fending off a breach of your systems.

5. Deploy antivirus software

This is another tactic critical to securing your network and systems. If an employee clicks on a malicious link that delivers a virus or malware to your systems, the antivirus software will identify it and remove it, again mitigating a breach before any serious negative impact to your business.

There are free antivirus software options out there, but they rarely offer complete and thorough protection. There are a number of affordable choices, however, so with a bit of research into the best endpoint security platforms and endpoint detection and response (EDR), you’re sure to find an option that’s a perfect fit for your business needs.

6. Use a VPN

Requiring employees to log into your network through a VPN may offer the best possible protection against phishing scams. VPNs can detect malicious websites, prevent hackers from monitoring an employee’s web browsing, and prevent phishing emails. In this day and age, if you connect to the internet, you should do so through a VPN.

The best phishing defense is common sense

Phishing schemes are effective because they prey on the wild card of your security strategy: your employees. You can help them operate safely by providing technology that is armed with software, firewalls, scans, and other built-in mechanisms that automatically defend your network and systems.

But it’s up to you to train them on using these tools and promote hyper-awareness through ongoing training and frequent reminders. People are, after all, only human, and with all of the distractions in today’s work environments, it’s easy to overlook even the most obvious of tricksters.