Malware-packed phishing emails to small businesses are increasing — because they flat-out work. And the fallout for you and your customers can be catastrophic. Learn to spot typical phishing ploys, and follow four best practices to prevent phishing attacks.
Phishing’s strongest weapon is fear. And I hate to emulate that tactic, but I want you to understand what’s at stake when your company isn’t protected against phishing and other social engineering attacks:
I could go on, but instead, let’s fight fear with some facts and best practices to prevent phishing attacks.
I recently saw an excellent presentation on cyber security from Kyle Loven, a former FBI agent now with Computer Forensic Services. We followed up with him to learn more about how to protect businesses that don’t have huge IT budgets and security experts on staff.
I’ve put together advice from Kyle and other sources, plus my own experience with TechGen working with small businesses.
First, let’s detail the types of phishing we’re seeing:
Types of Phishing Attacks and How to Prevent Them
1. Basic Phishing: Mass Email Campaigns
A basic phishing attack sprays an identical email or text to thousands, even millions, of users. The message has one goal: To get you to click on a link or attachment.
Kyle warns that even these basic attacks have come a long way from the laughable emails from the “Nigerian prince” begging for your help to transfer his hidden millions into your bank account.
What to look for:
2. Spear Phishing: Targeting You Specifically
While a basic phishing email usually aims to plant malware or lure you to a fake login page that steals your credentials, spear phishing targets specific employees and tries to get them to hand information to the fraudsters directly.
Kyle says this can involve fake phone calls in addition to emails. The goal is to trick you into thinking you’re dealing with a familiar, trusted source. And to get that done, social media is the perfect place to harvest business relationship details.
The quality of identity “spoofing” is generally better in spear phishing attacks. In the IT security world, “spoofing” can have several meanings. In this case, we’re referring to the ability to mimic a legitimate company’s web address (URL), email addresses, website, graphics, and personnel.
Hackers can spoof your company’s identity to make you believe you’re getting a message from a co-worker or boss (as in the “whaling” description below), or an outside entity. The authentic look is designed to make you overlook certain warning signs.
What to look for:
3. Whaling: Targeting and/or Impersonating Top Executives
Kyle recalls that in his FBI days, the most significant phishing losses came from this technique. It’s a higher level of spear phishing in two ways:
1. The target victims are usually your company’s CEO, CFO, HR exec, or someone else with access to your most critical accounts and data.
2. The fraudster’s goal is a much higher payoff than a standard phishing scam.
Because the thieves are going for a big score, they’ll often put far more time and effort into customizing their messages with accurate information about your company and/or executives. They’ll create more believable fake login or wire transfer sites.
What to look for:
What to Do if You're Suspicious About an Email
Look for the S
Look at the address line and see whether the page’s URL starts with HTTPS. The S means the connection to the site is encrypted, which every page that asks for your login should be; a login page served over plain HTTP is a red flag. But HTTPS only tells you the connection is encrypted, not who is on the other end. Anyone who registers a lookalike domain can get a certificate for it, so fake login pages with a padlock are common. Treat a missing S as a warning sign, but never treat a present S as proof that the page is genuine.
Double-check the domain
Hover your cursor over the sender’s name to reveal the actual email address, and look at the domain name, the part after the @ sign (the acme.com in support@acme.com, for example). Do the same with every link in the message: the text you see can say one thing while the link underneath goes somewhere else entirely. Sometimes hackers register a domain that differs from the legitimate one by a letter or two, or tack the real company’s name onto a domain they control, to make the fake hard to spot; sometimes it’s obviously bogus.
Identify the file type of attachments
If an email contains an attachment, before you click on anything or follow any instructions, look at the attachment’s file type at the end of the file name.
Virtually any file type can contain malware, but in particular watch for files ending in .zip, .exe, .bat, and .scr. Be suspicious of a name with two extensions, such as invoice.pdf.exe: Windows hides known extensions by default, so it appears as invoice.pdf while still running as a program. Here’s a good list of the Windows file types most often used for delivering malware.
Search the subject line
If an email is actually a phishing attack, especially a basic mass-email campaign, chances are good that an online search for its subject line will turn up articles and warnings confirming your suspicions.
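The checks in this section, as an added example that is not part of the original article: a short Python script that pulls the real sender domain out from behind the display name, compares each link’s visible text with where it actually points, flags a plain-HTTP or lookalike domain, and checks attachment names for risky and doubled extensions. It also looks at the Reply-To header, a common tell in invoice fraud. The trusted-domain list, the extensions beyond the article’s four, and the sample message are all constructed for illustration; it runs offline with the standard library.

```python
"""Triage checks for a suspicious email: sender domain, link targets, attachment names.
Added example (not from the original article); standard library only. TRUSTED_DOMAINS,
RISKY_EXTENSIONS beyond the article's four, and the sample message are constructed."""
import email
import email.policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"acme-example.com", "bank-example.com"}  # hypothetical business's vendors
RISKY_EXTENSIONS = {".zip", ".exe", ".bat", ".scr", ".cmd", ".com", ".pif", ".js", ".vbs",
                    ".wsf", ".hta", ".lnk", ".iso", ".img", ".7z", ".rar", ".docm", ".xlsm"}

def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: no public-suffix list, so co.uk-style names are wrong)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def domain_of_address(header: str) -> str:
    """The domain is the part after '@' in the real address, never in the display name."""
    _, real = parseaddr(header)
    return real.rsplit("@", 1)[1].lower() if "@" in real else ""

def imitates_trusted_name(host: str) -> bool:
    """A trusted brand's name inside a domain that is not that brand's domain, e.g. acme-example.com.portal.example."""
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return False
    return any(t.split(".")[0] in host.lower() for t in TRUSTED_DOMAINS)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> so the shown and real targets can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href: str, text: str) -> list[str]:
    parsed, findings = urlparse(href), []
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        findings.append(f"link is not HTTPS: {href}")
    # HTTPS says nothing about who owns the site, so the domain checks are the real test.
    if registrable_domain(host) not in TRUSTED_DOMAINS:
        findings.append(f"link goes to untrusted domain: {host}")
    if imitates_trusted_name(host):
        findings.append(f"link domain imitates a trusted name: {host}")
    shown = urlparse(text).hostname if text.startswith("http") else None
    if shown and registrable_domain(shown) != registrable_domain(host):
        findings.append(f"link text shows {shown} but points to {host}")
    return findings

def check_attachment(filename: str) -> list[str]:
    exts = ["." + p for p in filename.lower().split(".")[1:]]
    findings = []
    if exts and exts[-1] in RISKY_EXTENSIONS:
        findings.append(f"risky attachment type {exts[-1]}: {filename}")
    if len(exts) >= 2:  # invoice.pdf.exe shows as invoice.pdf when Windows hides known extensions
        findings.append(f"double extension: {filename}")
    return findings

def triage(raw: bytes) -> list[str]:
    """Run every check over one raw message; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    sender, findings = domain_of_address(str(msg["From"] or "")), []
    if registrable_domain(sender) not in TRUSTED_DOMAINS:
        findings.append(f"sender domain not trusted: {sender}")
    if imitates_trusted_name(sender):
        findings.append(f"sender domain imitates a trusted name: {sender}")
    reply_to = domain_of_address(str(msg["Reply-To"] or ""))
    if reply_to and reply_to != sender:  # your reply would quietly go somewhere else
        findings.append(f"Reply-To domain {reply_to} differs from From domain {sender}")
    for part in msg.walk():
        if part.get_filename():
            findings.extend(check_attachment(part.get_filename()))
        elif part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                findings.extend(check_link(href, text))
    return findings

# Constructed sample: dressed up as a vendor invoice, it fails every check above.
SAMPLE = b"""From: "Acme Accounts Payable" <ap@acme-example.com.invoice-portal.example>
Reply-To: payments@mail-relay.example
Subject: Overdue invoice - action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Review it at <a href="http://acme-example.com.invoice-portal.example/login">https://acme-example.com/invoices</a></p>
--b1
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"

placeholder bytes, not a real program
--b1--
"""
```

Running `triage(SAMPLE)` returns nine findings: the sender and link domains are untrusted and imitate the vendor’s name, the Reply-To goes to a third domain, the link is plain HTTP and its visible text names a different host than its target, and the attachment is an .exe hiding behind a .pdf. A clean message from a trusted domain with ordinary links and a .pdf attachment returns an empty list. The registrable-domain helper is deliberately simple and would need a public-suffix list before real use.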
What to Do if You Think You’ve Fallen for a Phishing Attack
Get offline PRONTO
If you think you’ve clicked on a phishing link or attachment, immediately take that device offline: unplug the network cable and turn off Wi-Fi, but leave the machine powered on so whoever investigates can still see what is running on it. Installed malware may take some time to do its dirty work, such as sending spam from your account or infiltrating your company’s servers. If the infected device is offline, you have a chance to get it cleaned before any of that happens.
Notify your email provider and your IT staff or outside IT services provider
Unless you’re experienced in handling malicious programs, don’t try to go it alone. You may need to have your business’s network inspected, all connected devices scrubbed, and your operating system and files re-installed from backups.
Of course, it’s critical to most businesses to get all of that done very quickly. But again, unless you really know what you’re doing, don’t rely on quick fixes you find online. Call an expert.
Report potentially fraudulent electronic money transfers to law enforcement immediately
Kyle says fraudulent money transfers can sometimes be frozen if the victims get the information to authorities quickly.
He recalls the FBI working with overseas financial institutions to get transfers frozen — but the chances of that happening decrease with every passing minute.
Don’t pay a ransom
Some phishing attacks infect your company’s devices and/or network servers with “ransomware.” It can lock individual computers that hold critical information and encrypt every file on your servers. Pay up to unlock your data, you’re told, or lose it for good.
Don’t pay the ransom, Kyle recommends. Even if you do get your data back, you’ll just open yourself up to further attacks. And if you have a proper backup system in place, your data can be recovered after the malware is removed. “Proper” means copies the ransomware can’t reach from the infected network, such as offline or offsite backups rather than a mapped drive on a file server, and restores you have actually tested.
4 Ways to Prevent Phishing Attacks and Protect Your Business
With some clients, TechGen works with KnowBe4, a firm that provides online training modules, reinforced by fake phishing campaigns to see how many employees learned the lesson.
Kyle points out that this type of training gives you baseline data of your employees’ awareness, and you can then measure their progress.
The Worst Damage From Phishing is to Your Reputation
Just about every article and blog post I read about cyber crime against small businesses uses a variation on the scary statistics I listed at the top of this post. And for good reason. As a small business owner myself, however, it isn’t statistics like these that frighten me most. My greatest concern is my clients’ data.
After all, thieves aren’t after just your business’s data, they’re after the data you store for all of your customers and transactions. So, ultimately, the greatest cost of a cyber attack on a small business might not be stolen funds — it will be the damage to your reputation.
Phishing exploits the weakest link in IT security for most businesses: human nature. Cyber thieves have an endless bag of tricks, but we’ll look at how to spot some of the most common red flags of the three main types of phishing emails.
(For more information from Kyle Loven about cyber security for small businesses, read his Upsize Minnesota magazine article at Upsizemag.com.)