logo [vc_empty_space height="38px"]

Select Sidearea

[vc_empty_space height="18px"] Populate the sidearea with useful widgets. It’s simple to add images, categories, latest post, social media icon links, tag clouds, and more. [vc_empty_space height="31px"] [vc_empty_space height="26px"]

3 Common Phishing Scams that Target SMBs

Follow Us on Social Media!

Before COVID-19 was even designated a pandemic by the World Health Organization (WHO), criminals launched phishing campaigns to steal money and sensitive information by imitating WHO emails. Like a virus, this crime adapts quickly. And small companies are a favorite target.

Two thirds of all small- to medium-sized businesses surveyed by the Ponemon Institute in 2019 had suffered a cybercrime within the previous year. The top threat? Phishing scams, which rose from 48% to 57% of these SMBs over the previous year.

This trend is fueled by emerging phishing scams, and the vulnerabilities created by mobile devices.

Most of us who run companies that store clients’ sensitive financial data and/or process online financial transactions understand that we’re targets for phishing. But even if you’re familiar with the word, it’s worth reviewing the basics and learning about some new tactics.

What is Phishing?

Phishing is a method by which cybercriminals attempt to get one or more victims to divulge login IDs and passwords for critical accounts or IT networks, or to download malware. Scammers use bogus emails, phone calls, text messages, and other communications to appear legitimate to their victims.

The malware a phishing attack delivers to your computer or mobile device can do a variety of dangerous things, such as:

The varieties of malware and the “trojans” they install are constantly changing, as are the phishing tactics used to deliver this malicious code.

Why Phishing Attacks Target Mobile Devices

Phishing scams: Mobile devices are being attacked.

As more SMBs conduct business via mobile devices, cyber thieves have naturally targeted these devices. Even if your employees don’t have sensitive company/client data stored directly on their mobile devices, they’re likely to have access to your company’s IT network.

This means that hackers may be able to gain access to your network simply by snagging your employees’ login ID and password through their smartphones. And phishing scams are a perfect way to attack mobile devices, for two key reasons.

1. Mobile devices hide web page and email addresses

Even experienced cybersecurity experts can be fooled by phishing emails they view on their smartphones rather than on a full-sized computer screen.

One reason this happens is that many smartphones hide the address bar when you open an email, or when you open a browser window, such as for a sign-in page. 

So even if you’re in the habit of checking email and web addresses (a.k.a. the URL) to spot anomalies, you have to work harder to do that when you’re using a smartphone. (For even worse news about spotting fake URLs, see “Punycode” section below.)

2. Many mobile apps aren’t secure

Mobile phishing scams don't just occur with email.

According to a report about the state of mobile security in 2020 by the cloud security company Wandera, 87% of successful mobile phishing attacks take place outside of email. Mobile apps are often the culprit.

87% of successful mobile phishing attacks take place outside of email. Mobile apps are often the culprit.

The report points out that even apps from the two major app outlets, Google Play and the Apple App Store, can no longer be trusted to be free of malicious or easily hackable code. Also, some of your employees may also “jailbreak” their devices to install sketchy apps from outside of these mainstream outlets.

Wandera’s recommendation: Use a mobile security solution that includes an app vetting component and the ability to automatically detect and shut down suspect apps.

Whether phishing attacks arrive via mobile or other computer hardware, learn to detect them by looking for some common characteristics of popular phishing techniques.

How to Spot Three Most Common Phishing Scams

1. Mass email campaigns

You may think you’re immune to attacks in which the identical phishing email is distributed to thousands, even millions, of recipients. You’ve seen so many lame attempts at this tactic over the years. But these emails tend to be more professional-looking now.

Also, remember that these emails are sent to large numbers of people to find just a few that happen to be susceptible to emails from a particular well-known source–and once in a long while, that could be you.

Say you happen to be tracking a FedEx package one day, and you get an official-looking message from FedEx, so you click automatically, and…oops.

What to look for:

2. Spear phishing: Using “spoofing” to target you specifically

While basic phishing’s main goal is usually planting malware that steals credentials, spear phishing usually targets specific employees, trying to get them to give the fraudsters information directly. This can involve fake phone calls or texts in addition to emails. The goal is to trick you into thinking you’re dealing with a familiar, trusted source. Scammers use the details of our lives and businesses that so many of us divulge on social media to create sophisticated phishing scams.

Scammers use social media details to aid their phishing scams.

The quality of identity “spoofing” — which in this context means mimicking a legitimate company’s web address (URL), email addresses, website, graphics, and personnel — is generally better in spear phishing attacks.

Hackers can spoof your company’s identity to make you believe you’re getting a message from a co-worker or boss (as in the “whaling” description below), or an outside entity. The authentic look is designed to make you overlook certain warning signs.

What to look for:

3. Whaling: Targeting and/or impersonating top executives

The target victims of whaling are usually your company’s CEO, CFO, HR exec, or someone else with access to your most critical accounts and data. The fraudster’s goal is a much higher payoff than a standard phishing scam.

Because the thieves are going for a big score, they’ll often put far more time and effort into customizing their messages with accurate information about your company and/or executives. They’ll create more believable fake login or wire transfer sites.

What to look for:

Two New Tactics That Make Phishing Scams More Effective

Those three varieties of phishing have been around for many years, in part because criminals continue to innovate and make these schemes more difficult to detect. Two more recent innovations make it more difficult to spot bogus web and email addresses.

1. Punycode: Making domain names appear legit

“Punycode” is a play on “unicode,” which is the code that determines how text characters are displayed on a web page. 

Hackers have learned to monkey with this code so domain names like “amazon.com” look completely real, but the code underlying the characters belongs to a fraudster’s domain.

2. Certified phishing domains: The “s” in “https” doesn’t always mean “secure” anymore

When you’re using a website to sign into an account or make a transaction, it’s a good idea to look for a padlock symbol and a URL that begins “https” instead of “http.” The “s” stands for secure, meaning the site has been certified to use a specific type of encryption.

However, it’s now possible for domain owners to use free services that issue this certification, which means cyber thieves can now get domain names with the padlock symbol and https at the beginning of their domain’s URL.

Phishing Scams: Padlock symbol and http don't always mean "secure."

Educate Yourself, Your Staff, and Your Clients

Perhaps the worst thing a phishing attack can do to your company is wreck your reputation.

With a successful phishing attack on your IT network, hackers can make your business the platform to launch phishing attacks against your clients, vendors, contractors, and other associates.

Your business can become the platform to launch phishing scams

This is why it’s important not only to train your employees to recognize phishing attacks, but to tell your clients and other key contacts what your firm will and will not ask them to do via email, text, etc., such as:

Encourage clients to follow up on any suspicious communication that appears to be from your firm and get verbal confirmation from their representative. 

I suggest sending this phishing-prevention communication once a year to your key contacts. But make sure you update it every year, because chances are good that phishing perpetrators will have added a new wrinkle or two.

Let's Chat! Contact Us Today.

Fill out the form below and one of our IT experts will be in touch with you shortly to discuss all your IT needs.

Share This Article With a Friend!