Malware-packed phishing emails to small businesses are increasing – because they flat-out work. And the fallout for you and your customers can be catastrophic. So, we’re going to share our expertise on how to prevent phishing attacks in your organization.
First, though, a bit about what you’re up against.
The Landscape SMBs Face
Phishing’s strongest weapon is fear. And I hate to emulate that tactic, but I want you to understand what’s at stake when your company isn’t protected against phishing and other social engineering attacks.
2023 & 2024 Phishing Statistics
- 74% of malware is delivered via email (2024 Verizon DBIR).
- Business email compromises accounted for over $2.9 billion in losses in 2023 (FBI Internet Crime Report).
- The human element plays a significant role in 68% of breaches (2024 Verizon DBIR).
- 94% of organizations reported an email security incident in 2024 (Egress Email Security Risk Report).
- The average cost of a data breach went up to $4.45 million in 2023 – a 15% increase over three years (IBM Cost of a Data Breach Report).
I could go on, but instead, let’s fight fear with some facts and best practices to prevent phishing attacks.
Fighting Fear with Expert Knowledge
I recently saw an excellent presentation on cybersecurity from Kyle Loven, a former FBI agent now with Computer Forensic Services. We followed up with him to learn more about how to protect businesses that don’t have huge IT budgets and security experts on staff.
I’ve put together advice from Kyle and other sources. Plus, I’ve combined that with my own experience working with small businesses as the CIO at Teal. First, let’s dive into the types of phishing we’re seeing.
Types of Phishing Attacks and How to Prevent Them
1. Basic Phishing: Mass Email Campaigns
Description:
A basic phishing attack sprays an identical email or text to thousands, even millions, of users. The message has one goal: To get you to click on a link or attachment.
Kyle warns that even these basic attacks have come a long way from the laughable emails from the “Nigerian prince” begging for your help to transfer his hidden millions into your bank account.
What to look for:
A seemingly credible source.
An email or text message that appears to be from Microsoft, Amazon, Google, UPS, the IRS, the state lottery, etc., designed to get your attention.
Urgency.
There’s either some problem you must address RIGHT AWAY — like a hacked email or banking account that requires you to reset your password or “validate” your credentials — or an offer of something really juicy, like a cash rebate.
The “call to action” link.
The link text often ratchets up the urgency by saying something like, “Act now to protect your account.”
A fake login page.
If you take the bait and click on a phishing link, you may be taken to a realistic-looking page with fields in which to enter an account ID and password.
Or it may appear to be a PDF you can only partially see, with a login box in which you’re required to enter your email account ID and password to “unlock.”
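As an added example, not code from the original post, here is a short Python script that applies the checks above to a raw email: a display name that claims a big-name brand the sending domain doesn’t match, a Reply-To that goes somewhere else, urgency language in the subject and body, and a link whose visible text names a different site than its real destination. Both sample messages are constructed for the demo and use reserved .example domains; the brand list and urgency phrases are assumptions you would tune for your own mail.

```python
"""Triage a raw email for the basic-phishing tells: spoofed sender, odd Reply-To,
urgency language and links whose text does not match their real destination."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Brands the post names as common lures; extend for the vendors you actually use.
BRANDS = {"microsoft", "amazon", "google", "ups", "irs"}
URGENCY = ("act now", "within 24 hours", "suspended", "immediately", "validate")

# Constructed sample messages (reserved .example domains, not real senders).
SAMPLE_RAW = """\
From: "Microsoft Account Team" <security-alert@mail-notify.example>
Reply-To: recover@account-reset.example
To: alice@standard.com
Subject: Unusual sign-in activity - act now to protect your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected a sign-in from a new device. Verify within 24 hours
or your account will be suspended.</p>
<p><a href="http://login-microsoft.account-reset.example/auth">
https://login.microsoftonline.com/verify</a></p>
</body></html>
"""

BENIGN_RAW = """\
From: "Bob Builder" <bob@builder.example>
To: alice@standard.com
Subject: March invoice
Content-Type: text/plain; charset="utf-8"

Hi Alice, the March invoice is attached as usual. Thanks, Bob
"""


def brand_of(host):
    """Last two labels of a hostname: the part someone had to register."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw):
    """Return a list of human-readable red flags; empty means nothing obvious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rpartition("@")[2].lower()
    # A big-name brand in the display name but not in the domain that sent it.
    for word in display.lower().split():
        if word in BRANDS and word not in from_domain:
            findings.append(f"display name claims {word!r} but sender domain is {from_domain}")

    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"replies go to {reply_to}, not to the From domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    hits = [w for w in URGENCY if w in f"{msg['Subject']} {text}".lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    parser = LinkCollector()
    parser.feed(text)
    for href, shown in parser.links:
        real = urlsplit(href).hostname or ""
        m = re.search(r"https?://([^/\s]+)", shown)
        if m and brand_of(m.group(1)) != brand_of(real):
            findings.append(f"link text shows {m.group(1)} but really goes to {real}")
        if not href.lower().startswith("https://"):
            findings.append(f"link to {real} is plain http, not https")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_RAW), ("benign", BENIGN_RAW)):
        print(label, triage(raw) or ["no obvious red flags"])
```

Run it as a script to print the findings for both messages. The link check is the one that catches the “call to action” trick: the text you see on a link can say anything, the href is where you actually go.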
2. Spear Phishing: Targeting You Specifically
Description:
While a basic phishing attack is usually after your credentials, harvested through a fake login page or a malicious attachment, spear phishing targets specific employees, trying to get them to hand information or money to the fraudsters directly.
Kyle says this can involve fake phone calls in addition to emails. The goal is to trick you into thinking you’re dealing with a familiar, trusted source. And to get that done, social media is the perfect place to harvest business relationship details.
The quality of identity “spoofing” is generally better in spear phishing attacks. In the IT security world, “spoofing” can have several meanings. In this case, we’re referring to the ability to mimic a legitimate company’s web address (URL), email addresses, website, graphics, and personnel.
Hackers can spoof your company’s identity to make you believe you’re getting a message from a co-worker or boss (as in the “whaling” description below), or an outside entity. The authentic look is designed to make you overlook certain warning signs.
What to look for:
New electronic payment instructions from an existing contractor.
Say your business has been wiring money to a builder for an ongoing project. An email from the builder saying, “Payment instructions have changed,” and providing new account information could be bogus. Before you change anything, confirm the request by phone using a number you already have on file for the builder, never one given in the email, and have the email itself looked at: this is the classic setup for business email compromise.
An e-commerce site you already use asks for identification and/or financial information via email.
If you buy things on Amazon.com, for example, you enter your ID/password and payment information on a secure site — you shouldn’t be asked for that information via email.
An alarming “legal” notice that requires a quick response.
The IRS and law enforcement agencies don’t use email to notify you of an impending legal situation you need to take care of. A typical example is an email urging you to open an attached copy of a court document about a complaint that has supposedly been filed against you.
Familiar senders asking for account information.
Similar to the basic phishing request for you to reset a password or verify account information, but with more convincing touches, such as accurate logos and your name in the body of the email.
3. Whaling: Targeting and/or Impersonating Top Executives
Description:
Kyle recalls that in his FBI days, the most significant phishing losses came from this technique. It’s a higher level of spear phishing in two ways:
1. The target victims are usually your company’s CEO, CFO, HR exec, or someone else with access to your most critical accounts and data.
2. The fraudster’s goal is a much higher payoff than a standard phishing scam.
Because the thieves are going for a big score, they’ll often put far more time and effort into customizing their messages with accurate information about your company and/or executives. They’ll create more believable fake login or wire transfer sites.
What to look for:
A slightly different domain name in an executive’s email address.
Scammers will buy a domain name very similar to your company’s and create an email that may have one character different than your executive’s real email. For example, your CEO’s real email is jane.doe@standard.com — would you notice if an email came from jane.doe@stamdard.com?
Emails from an executive who’s out of town.
Scammers can time whaling emails by gleaning from social media when an executive is at a conference or on vacation. They’ll then spoof that executive’s email account and request wire transfers or sensitive information from subordinates.
Urgent requests for electronic funds transfers.
This seems obvious, but if your company frequently sends payments electronically, thieves (literally) capitalize on that routine.
Request for W-2 or other employee tax information.
Tax forms are perfect trophies for criminals: a W-2 alone gives them each employee’s name, address, Social Security number and wages, enough to file fraudulent tax returns in their names, and the same HR mailbox usually holds direct-deposit and dependent details too.
Offers for luxury goods or entertainment you wouldn’t normally get on your work email.
Fraudsters use information about your hobbies, favorite drinks, cigars — whatever they find on social media — and try to get you to click on links for “special offers.” Sounds silly, but it works.
What to Do if You're Suspicious About an Email
Look for the S, but Don’t Trust It Alone
Look at the address bar and check that the login page’s URL starts with HTTPS. The S means the connection to that server is encrypted, which every page that asks for a password should have. It does not mean the server is who it claims to be: certificates are free, so most phishing pages now use HTTPS too. Treat a login page without the S as a red flag, and treat the S by itself as proof of nothing; the domain name next to it is what matters.
Double-check the Domain
Read the domain in the sender’s address, and in the link’s real destination, character by character, the way you would with jane.doe@stamdard.com above. Hover over a link (or long-press it on a phone) to see where it actually goes before you click; the text shown on the link can say anything. Watch for one-letter swaps, look-alike characters such as rn for m or 1 for l, and your real domain buried inside someone else’s, as in standard.com.example.net.
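The look-alike tricks described for jane.doe@stamdard.com and for checking a domain can be scored mechanically. As an added example (not from the original post), the Python below compares a sender’s domain against a small allow-list of domains you trust and reports exact matches, real subdomains, one-character edits, homoglyph swaps, punycode names and your brand used under someone else’s registration. The trusted list, the homoglyph table and the .example names are assumptions constructed for the demo.

```python
"""Score a sender's domain against the domains you actually do business with."""

# Constructed allow-list for the demo: the company's own domain (from the
# jane.doe@standard.com example) and one vendor. Real lists live in your mail filter.
TRUSTED = {"standard.com", "builder.example"}

# Character sequences that look alike in common fonts, attacker form -> real form.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes or swaps to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold(domain):
    """Replace look-alike sequences so 'bui1der' compares equal to 'builder'."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def registrable(domain):
    """Crude registrable part (last two labels); fine for .com-style names."""
    return ".".join(domain.split(".")[-2:])


def check_domain(sender_domain, trusted=TRUSTED):
    """Return (verdict, reason): 'trusted', 'suspicious' or 'unknown'."""
    d = sender_domain.lower().rstrip(".")
    if d in trusted:
        return "trusted", "exact match"
    if any(d.endswith("." + t) for t in trusted):
        return "trusted", "subdomain of a trusted domain"
    if any(label.startswith("xn--") for label in d.split(".")):
        # Punycode: an internationalised name that may render as a look-alike.
        return "suspicious", "internationalised (xn--) domain"
    reg = registrable(d)
    for t in trusted:
        if fold(reg) == fold(t):
            return "suspicious", f"look-alike characters for {t}"
        if edit_distance(reg, t) <= 1:
            return "suspicious", f"one edit away from {t}"
        if t.split(".")[0] in d.replace("-", ".").split("."):
            # 'standard.com.example.net' or 'standard-billing.net': the trusted
            # name appears as a label, but someone else owns the registrable part.
            return "suspicious", f"uses the name '{t.split('.')[0]}' under a different registrant"
    return "unknown", "not a trusted domain and no look-alike pattern"


if __name__ == "__main__":
    for sender in ("standard.com", "mail.standard.com", "stamdard.com",
                   "bui1der.example", "standard.com.example.net", "example.org"):
        print(sender, check_domain(sender))
```

Only an exact match or a true subdomain comes back as trusted; everything else is at best “unknown”, which is the right default for a payment-instruction email.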
Identify the File Type of Attachments
If an email contains an attachment, before you click on anything or follow any instructions, look at the attachment’s file type at the end of the file name.
Virtually any file type can carry malware, but be especially wary of executables and scripts (.exe, .scr, .bat, .cmd, .js, .vbs, .hta), shortcuts (.lnk), disk images (.iso, .img), macro-enabled Office files (.docm, .xlsm), HTML attachments, and archives (.zip, .rar, .7z) that hold any of these, particularly password-protected archives, which exist to keep scanners out. One caveat: Windows hides known extensions by default, so a file named invoice.pdf.exe is displayed as invoice.pdf with a PDF icon. Turn on “File name extensions” in File Explorer’s View menu so you see the real name. Here’s a good list of the Windows file types most often used for delivering malware.
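As an added example, not from the original post, the Python below checks an attachment the way a mail gateway would: by its extension, by a double extension that Windows would hide, and by its first bytes, then looks inside any zip or Office container for the real payload. The dangerous-extension list is an assumption based on the types named above; the sample archive is constructed in code and contains only a harmless executable header stub.

```python
"""Classify an attachment by its name and its first bytes, not by the icon Windows shows."""
import io
import zipfile

# Extensions most often used to deliver malware on Windows: executables and
# scripts, shortcuts, disk images, macro-enabled Office documents, and HTML
# files that carry a fake login page. Assumed list; tune for your environment.
DANGEROUS_EXT = {
    "exe", "scr", "bat", "cmd", "com", "pif", "msi", "dll",
    "js", "jse", "vbs", "vbe", "wsf", "ps1", "hta", "lnk",
    "iso", "img", "vhd", "docm", "xlsm", "pptm", "html", "htm",
}
EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "dll", "msi"}

# First bytes that identify what a file really is, whatever its name says.
MAGIC = [
    (b"MZ", "Windows executable"),
    (b"\x7fELF", "Linux executable"),
    (b"%PDF", "PDF"),
    (b"PK\x03\x04", "ZIP container"),            # also .docx/.xlsx/.jar
    (b"\xd0\xcf\x11\xe0", "legacy Office/OLE"),  # .doc/.xls, may hold macros
]


def sniff(data):
    """Identify a file by its magic bytes; 'unknown' if none match."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def classify(name, data, depth=0):
    """Return reasons to distrust the attachment; an empty list means nothing obvious."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    # Windows hides known extensions by default: 'invoice.pdf.exe' displays as 'invoice.pdf'.
    if len(parts) > 2 and ext in DANGEROUS_EXT:
        reasons.append(f"double extension: shows as .{parts[-2]} but is really .{ext}")
    elif ext in DANGEROUS_EXT:
        reasons.append(f".{ext} files can run code when opened")

    kind = sniff(data)
    if kind.endswith("executable") and ext not in EXECUTABLE_EXT:
        reasons.append(f"content is a {kind} although the name says .{ext}")
    if kind == "legacy Office/OLE":
        reasons.append("legacy Office format that can carry VBA macros")

    if kind == "ZIP container" and depth < 2:
        # Look inside archives (and Office files, which are zips): that is where
        # the real payload usually sits. Encrypted entries cannot be inspected at all.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                for info in z.infolist():
                    if info.flag_bits & 0x1:
                        reasons.append(f"password-protected entry {info.filename}: scanners cannot inspect it")
                        continue
                    if info.filename.lower().endswith("vbaproject.bin"):
                        reasons.append(f"{name} contains VBA macros ({info.filename})")
                    for r in classify(info.filename, z.read(info), depth + 1):
                        reasons.append(f"inside {name}: {info.filename}: {r}")
        except zipfile.BadZipFile:
            reasons.append("claims to be a zip/Office file but is not a valid archive")
    return reasons


def build_sample_zip():
    """Constructed sample archive for the demo: a fake 'PDF' that is really a PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)  # header stub, not real malware
        z.writestr("readme.txt", b"Open the invoice to view it.")
    return buf.getvalue()


if __name__ == "__main__":
    for name, data in [("invoice.pdf", b"%PDF-1.7 sample"),
                       ("invoice.pdf", b"MZ\x90\x00"),
                       ("invoice.zip", build_sample_zip())]:
        print(name, classify(name, data) or ["no obvious red flags"])
```

The second sample is the important one: a file called invoice.pdf whose content starts with the MZ executable header is an executable no matter what the name and icon say, which is why the check reads the bytes rather than trusting the extension.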
Google It
If an email is a phishing attack — especially if it’s a basic, mass-email campaign — chances are good that if you do an online search of the email’s subject line, you’ll see articles and notifications that confirm your suspicions.
What to Do if You Think You’ve Fallen for a Phishing Attack
Get offline, PRONTO!
If you think you’ve clicked on a phishing link or attachment, immediately take the device you used to do that offline. It may take installed malware some time to do its dirty work, such as:
- Sending out spam emails from your account.
- Infiltrating your company’s servers.
If the infected device is offline, you have a chance to get it cleaned before any of that happens. Pull the network cable or turn off Wi-Fi; don’t wipe or reinstall it yet, because your IT people may need to examine it to learn what the malware did. And if what you did was type a password into a fake login page, there may be no malware at all: change that password right away from a different, clean device, and do the same anywhere you reused it.
Notify your email provider and your IT staff or outside IT services provider.
Unless you’re experienced in handling malicious programs, don’t try to go it alone. You may need to have your business’s network inspected, all connected devices scrubbed, and your operating system and files re-installed from backups.
Of course, it’s critical to most businesses to get all of that done very quickly. But again, unless you really know what you’re doing, don’t rely on quick fixes you find online. Call an expert.
Report potentially fraudulent electronic money transfers to your bank and to law enforcement immediately.
Kyle says fraudulent money transfers can sometimes be frozen if the victims get the information to authorities quickly.
He recalls the FBI working with overseas financial institutions to get transfers frozen. However, the chances of that happening decrease with every passing minute.
Don’t pay a ransom.
Some phishing attacks infect your company’s devices and/or network servers with ransomware. It can freeze individual computers that hold critical information and encrypt all the files on your servers. Pay up to unlock your data, or we’ll wipe it out, you’re told.
Don’t pay the ransom, Kyle recommends. Even if you do get your data back, you’ll just open yourself up to further attacks. And if you have a proper backup system in place, one with copies kept offline or otherwise out of the attacker’s reach and restores you have actually tested, your data can be recovered after the malware is removed.
4 Ways to Prevent Phishing Attacks and Protect Your Business
1. Don’t give any one person unilateral authority to approve and send electronic payments.
Kyle admits this can be difficult in a small company. But he urges business owners to have at least two pairs of eyes on all funds transfer requests. It’s an effective safeguard against internal fraud as well as a way to prevent phishing attacks.
2. Use two-factor authentication.
For your critical accounts, enable a second layer of security in addition to just entering a password. This adds a critical hoop for attackers to jump through.
Hackers who phish your password still can’t log into your account without the second factor. Prefer an authenticator app or, better, a hardware security key or passkey over codes sent by text message: SMS codes can be intercepted with a SIM swap, and a well-built phishing page will simply ask you for the code and relay it to the real site in real time. Security keys and passkeys are bound to the genuine website’s address, so they refuse to work on a look-alike domain. As with many security measures, you’re sacrificing a bit of convenience for a lot of protection.
3. Get a professional assessment of your vulnerabilities.
Even if you’ve installed a firewall, malware detectors, automatic backup and other security software, you need trained eyes on your entire system. He recommends working with a provider who can assess your IT infrastructure’s vulnerabilities and monitor the system continuously.
4. Go beyond annual training. Create a “culture of awareness.”
Annual cybersecurity training is the usual starting point for preventing phishing attacks, but Kyle believes it’s often ineffective by itself. It becomes just a thing employees need to sit through while they’re worrying about getting back to work. He recommends smaller, more frequent reminders about the continuing threat of phishing.
Bring in an expert to explain a recent cybercrime trend, for example, and share current cybercrime topics with:
- Videos
- Articles
- White papers
He calls it establishing a “culture of awareness.” With some clients, Teal recommends working with KnowBe4. It’s a firm that provides online training modules, reinforced by fake (simulated) phishing campaigns to see how many employees learned the lesson.
Kyle points out that this type of training gives you baseline data of your employees’ awareness, and you can then measure their progress.
The Worst Damage from Phishing is to Your Reputation
Just about every article and blog post I read about cybercrime against small businesses uses a variation on the scary statistics I listed at the top of this post. And for good reason. As a small business owner myself, however, it isn’t statistics like these that frighten me most. My greatest concern is my clients’ data.
After all, thieves aren’t after just your business’s data, they’re after the data you store for all your customers and transactions. So, ultimately, the greatest cost of a cyberattack on a small business may not be stolen funds but the damage to your reputation.
(For more information from Kyle Loven about preparing for a breach, read his Upsize Minnesota magazine article at Upsizemag.com.)
Get Cybersecurity Support
If you’re not familiar with handling cyber threats, partnering with a seasoned managed cybersecurity services provider can strengthen your defenses. Teal offers responsive and secure cybersecurity solutions tailored for small and mid-sized businesses across the nation, with local IT support in:
Additionally, we employ robust data-centric strategies to enhance our resilience against threat actors and we maintain proficiency in multiple security frameworks. Contact us today to learn how we can safeguard your organization’s future against social engineering and other cyber threats.