Business Scams – A Learning Series Lesson 6: Phishing

INTRODUCTION

Confidential and sensitive information is the holy grail for cyber scammers. Passwords, bank account numbers, and other monetary info are what they’re after, and phishing is a quick and easy way to reel it in.

What is phishing? It’s not a misspelled form of fishing, but it’s related to the concept of baiting or tricking prey by making something deceptive look real.

Phishing is the fraudulent practice of sending emails or other messages purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.  Phishing comes in many different forms as scammers target a large group of victims; and just like real fishing, these scammers like to prey on large “ponds”, like Amazon or other e-commerce businesses.

Since the pandemic, phishing is up as much as 600%. In 2021, large companies lost, on average, nearly $15 million to this scam.  Phishing scams can cast a wide net, and it’s up to you not to get caught.

HOW THE SCAM WORKS

One of the simplest phishing attacks is Spoofing.

Spoofing is where an attacker impersonates a business with a fake website or email domain. While the domain appears to be legitimate, a closer look reveals it’s fake.

Let’s explore how spoofing works by examining the following example: William Weaver Business Solution invoices you by email every month as Billing@wwbs.buis. A convenient link for your electronic payment is included. So, when this month’s bill comes in early because of the holiday, an accounts payable employee opens the email from Billing@wvvbs.buis, clicks the link and sends off the payment.

However, did you check that email address? Was it Billing@wwbs.buis or Billing@wvvbs.buis? A closer inspection reveals a slight difference in the second email address: instead of “ww” it has “wvv.” It uses “v” and “v” together so the eye can be tricked into thinking it is “ww.”

If you missed it, chances are your accounts payable clerk will too. Except they just made a payment, and that scammer now has access to your banking information. That link that your employee used to pay the invoice could also install Malware or Ransomware on your system.
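The lookalike check from the example above can be automated for incoming invoices. The following is an added example, not part of the original lesson: it compares a sender's domain against a list of known vendor domains and flags near-matches. The names TRUSTED, CONFUSABLES, skeleton and classify are hypothetical, and the list of lookalike pairs is constructed and not exhaustive.

```python
import re

# Known-good vendor domains (taken from the article's example).
TRUSTED = ("wwbs.buis",)

# Constructed, non-exhaustive lookalike pairs; "vv" for "w" is the article's trick.
CONFUSABLES = (("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l"))

def skeleton(domain):
    """Fold lookalike character sequences so visually similar domains collide."""
    s = domain.lower().strip(".")
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s

def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address):
    """Return the lowercased domain of a bare email address, or None."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    return m.group(1).lower() if m else None

def classify(address, trusted=TRUSTED):
    """Return (verdict, trusted domain the sender resembles or matches)."""
    domain = sender_domain(address)
    if domain is None:
        return ("malformed", None)
    if domain in trusted:
        return ("trusted", domain)
    for good in trusted:
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 1:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample senders; the first two come from the article's example.
    for sender in ("Billing@wwbs.buis", "Billing@wvvbs.buis", "news@example.org"):
        print(sender, classify(sender))
```

The “wvv” domain is two edits away from the real one, so a one-character typo check alone would miss it; the folding step is what catches it.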

Another type of phishing attack is Spear Phishing. Spear phishing targets a specific person in your organization, and the email is customized to increase the chances of the victim opening an attachment or clicking a link that infects your systems.

You may also encounter Whaling, where scammers go after your company’s big fish…the C-suite.

Other phishing scams include Smishing, Pharming, Evil Twin Phishing, Man-in-the-Middle, Angler Phishing…honestly, the list is exhausting, and these are just a few of the most common scams. While you do not need to know the details of each scam, you do need to know how to protect yourself when your business is attacked.

HOW TO DEFEND YOURSELF

The first step is to use good security software to protect all your systems. Make sure the software updates automatically; and do the same for your mobile systems. These updates could give you critical protection against security threats.

Beyond that, vigilance is your best protection. Be skeptical of emails you receive asking for you to perform specific tasks. Never click on a link. Go directly to the source of the ask by typing in the company’s website address.

If a request from a trusted vendor seems unusual, reach out to the sender in another way (such as by phone or text) to verify the request.

Check all links by hovering your mouse over them…but don’t click. Hovering will let you preview where that link is really sending you. If the URL is suspicious, delete the email at once.

Always protect your accounts with multi-factor authentication (MFA). These additional credentials often fall into one of the following categories:

Something you have — like a passcode you get from an authentication app or a security key.

Something you are — like your fingerprint, your retina, or your face.

Multi-factor authentication makes it more difficult for scammers to log in to your accounts if they do get your username and password.

Finally, always back up your data. Use an external hard drive or cloud storage, but don’t connect your backed-up data to your network.

If you do get attacked, your first step is to report it. You can forward phishing emails to the Anti-Phishing Working Group at reportphishing@apwg.org. You can also report attacks to the FTC on their Fraud Reporting Website.

Every phishing attack you report could help catch a scammer. Even more importantly, you may help save a fellow small business owner from an attack.
