If your small business is the victim of a phishing scam, then your critical data—as well as personal information about your customers—could be at risk. Of course, that’s why cybercriminals target some small businesses, hoping to get customer credit card and banking information.
Anyone can be the victim of a “phishing” attack—a label that describes the way criminals are fishing for information—but small businesses can be especially vulnerable.
Why are small businesses more in danger of phishing scams?
For starters, they often don’t have an IT professional or online security consultant on the payroll, updating their systems and looking out for suspicious activity. But they do have customers… And that means they have customer data. At the end of the day, what criminals want is data that can be linked to identities, passwords, email accounts, and cash.
Email phishing scams aimed at small businesses are often designed to look as if they come from federal or state agencies. One phishing scam that made its way quickly around small businesses a few years ago was an alleged email from the Federal Trade Commission telling business owners that they were being investigated because of consumer complaints.
Like most phishing scams, this one relied on fear as a motivator. Unsuspecting victims clicked through the links as instructed, until they unknowingly downloaded a malware infection onto their computers.
In the first quarter of this year, at least 55 companies revealed they were victims of a phishing scheme that put all the U.S. tax records related to those companies’ employees at risk.
Those companies were lured into the scam with a phony email that appeared to come from a CEO or a payroll representative. The Internal Revenue Service has issued many warnings to beware phishing scams where business owners are told they owe a sizable tax bill. On the IRS website, the agency outlines the many ways it has been misrepresented in phishing scams, and advises businesses on how to avoid IRS phishing scams.
(For starters, the IRS doesn’t send out unsolicited emails.)
Phishing emails aren’t new, but they are taking on a new look.
In the good old days, they used to be filled with typos and promises of piles of free cash: obvious signs the recipient should trash the email immediately.
Nowadays, phishing emails often look legitimate, with corporate logos and icons that look just like the one your bank uses. The letter might be well written, without typos or glaring errors. The pitches are more sophisticated. Today’s phishing emails may be personalized and polite. And they’re on the rise.
As attackers have figured out how to use more sophisticated methods and enjoyed some success, security experts say the email phishing industry has been reinvigorated.
Still, there are warning signs to watch out for when opening any email. Here are the basic categories of phishing and the ways to spot them:
A traditional phishing attack casts a wide net and attempts to trick as many people as possible. One example of this is PayPal scammers. Victims receive a request to confirm their account information, but the bogus site hijacks their login information.
Spear phishing attacks are designed to target a specific individual or small group of individuals. For example, a spear phishing attack might be addressed to you individually, or make reference to a regional event you attended, or refer to an article you read on LinkedIn. All of that information is potentially available online.
Whaling attacks, which have become increasingly popular in recent years, are targeted at high-profile victims like C-level executives and their teams. A typical whaling email may look like it was sent from the CEO or regional director of your company.
Here are a few tips on how to spot a phishing attack and avoid becoming a victim:
Always remember that reputable businesses and agencies do not ask for personal information—such as social security and credit card numbers – via email.
If so, don’t click on any links. Oftentimes just typing in the name of an alleged collection agency and the word “scam” will turn up a long list of people who have received the same phishing email. If it is a legitimate name, such as the Better Business Bureau, then call the number on the agency’s website (not the one in the email) to determine whether the email is authentic.
If you receive an email from an organization that includes a link in it, hover your mouse over the link without clicking and you should see the full web address appear. If the address does not include the organization’s exact name, or if it looks suspicious in any other way, delete it. Oftentimes, the address will actually have the word “malicious domain” or other obvious phrase in it. Also, make sure the address begins with “https” rather than “http,” which indicates that the site is secure.
Like “Valued Customer” or “Longtime Group Member,” the well-known phrase “To Whom It May Concern” probably means the sender has no idea who you are. These days, legitimate companies know their customers’ names.
If you open an email from someone you don’t know and it’s asking you to act now in order to win something or avoid penalties, it’s probably a phishing email. Delete these emails immediately without clicking on any links or attachments or forwarding them to any other email addresses.
(Get more tips on how to protect yourself from phishing and ransomware scams, too.)