Tactics for Combatting Phishing Attacks for SMBs

What’s old is new again.

Phishing—“a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data”—has been around for two decades.1  

Plenty of Phish in the SMB Sea

Sep 16, 2019

But phishing is now more of a threat than ever before, thanks to an increasing array of polished and sophisticated attacks—including those directed at small- and medium-sized businesses (SMBs).

Recent statistics tell us that “phishing attempts have grown 65 percent in the past year”; that “phishing now accounts for more than 90 percent of data breaches”; and that “76 percent of businesses reported being a victim of a phishing attack in the last year.” That sounds like a remarkably high percentage, until you consider that “30 percent of phishing messages get opened by targeted users.”2

And while individual consumers are also frequent targets of phishing attacks, hackers are always looking for the easiest and most lucrative ways to exploit stolen personal information (or information that has been discovered online), which explains why SMBs are attractive targets.

For one, it’s easy to send out all manner of phishing messages, especially as compared to many other types of business-oriented cyberattacks, which can require cyber expertise and the ability to compromise systems protected by multi-layered security solutions.

Meanwhile, SMBs typically have more to lose than any one individual; in addition to money, hackers may also be attracted by the prospect of gaining access to data, intellectual property, or even strategic plans.

If it seems far-fetched to think that a phishing attack could yield, say, intellectual property or strategic plans, keep in mind that a hacker may have a multitude of potential targets, including your employees, outside contractors, or other third parties. And it only takes one victim for a hacker to secure login information and access to your systems, which is typically achieved when a victim opens a malicious link or downloads a malicious attachment. Worse yet, a compromised individual can potentially be blackmailed, enabling ongoing access to your data, systems, and accounts.

Common types of phishing attacks aimed at SMBs

As for the different types of phishing attacks aimed at SMBs, today’s phishing emails and web pages can be difficult to distinguish from those produced by legitimate organizations, and a single message may mix many genuine links with one illegitimate link.

So, for example, if you’re an SMB, a hacker may determine which companies you do business with, and then replicate one of your vendor’s emails in the hope of prompting the intended victim(s) to enter account information and login credentials, which are then harvested.
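As an added illustration (not code from the article or from TSYS), the following Python script shows the kind of check an IT team could run over a reported message: it extracts every link, flags links whose visible text names one domain while the href points to another, and flags domains that are only a character or two away from a vendor the business actually uses. The vendor list, the HTML message and every domain in it are constructed for this example.

```python
"""Flag suspicious links in a reported e-mail body.

Two checks are applied to every <a> element:
  1. the visible text names a domain that differs from where the href goes;
  2. the href's domain is a near-miss (edit distance <= 2) of a known vendor.
All domains and the sample message below are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of vendors this business really deals with.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "payroll.example"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain reduction: keep the last two labels."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def levenshtein(a, b):
    """Classic edit distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, known):
    """Return the vendor domain this one imitates, or None if it is exact/unrelated."""
    for vendor in sorted(known):
        if domain != vendor and levenshtein(domain, vendor) <= 2:
            return vendor
    return None


def analyze_links(html):
    """Return [(href, [reasons])] for every link that trips a check."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        domain = registrable(host)
        reasons = []
        # Check 1: visible text looks like a URL/domain but href goes elsewhere.
        shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower())
        if shown and registrable(shown.group(0)) != domain:
            reasons.append(f"text shows {shown.group(0)} but href goes to {host}")
        # Check 2: domain is a near-miss of a vendor we actually use.
        vendor = is_lookalike(domain, KNOWN_VENDOR_DOMAINS)
        if vendor:
            reasons.append(f"{domain} looks like vendor {vendor}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: three genuine vendor links and two deceptive ones.
SAMPLE_HTML = """
<p>Hi, your monthly statement is ready.</p>
<a href="https://www.acme-supplies.example/invoices/1042">View invoice</a><br>
<a href="https://acme-supplies.example/help">https://acme-supplies.example/help</a><br>
<a href="https://portal.acme-supp1ies.example/login">Log in to your Acme portal</a><br>
<a href="https://forms.example/x9">https://payroll.example/update-bank-details</a>
"""

if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_HTML):
        print(href)
        for r in reasons:
            print("  -", r)
```

The lookalike check is deliberately narrow (edit distance on the registrable domain) so that it stays cheap to run on every reported message; it will not catch homoglyphs in other scripts or brand names buried in subdomains, which is why the report-and-investigate process the article recommends still matters.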

Yet another common technique is spear phishing, where the message is designed to engender a rapid response from the victim. Typically, a spear phishing email will purport to come from a CEO or other executive and target lower-ranking workers. For example, an email to a CEO’s assistant might contain an urgent request to buy electronic gift cards, or a human resources director might receive a message with an urgent request to change bank account information.

This can be contrasted with whaling, which is not unlike spear phishing except that the intended victim is usually a CEO, CFO, or COO (a “big whale”), who may be easier to target than a lower-level employee if there’s a lot of publicly available information about them.

Then there’s angler phishing, where the hacker masquerades as a customer service account representative. The way it works is: when an individual posts a complaint somewhere on social media, the fraudster receives an alert and then reaches out to the intended victim, hoping he or she doesn’t notice that the fraudster doesn’t have a legitimate company social media account. Typically, the intended victim receives a link that is said to facilitate a solution or provide help, but clicking on the link installs malware or otherwise enables the theft of money or information.

Finally, hackers also sometimes attempt vishing attacks (phishing done via voice/phone), though smishing is much easier and therefore much more common. In a smishing attack, the perpetrator might send the intended victim a text containing a link, one which sends the victim to a page that installs malware or attempts to collect account information or login credentials.

Tips for combatting today’s phishing attacks

All that said, it’s now more important than ever before to educate your employees and vendors about phishing and how to spot fraud. Many SMBs now go so far as to simulate attacks, testing the vulnerability of employees and using successful mock attacks as a teaching tool.

It’s also wise to give your employees and vendors an easy way to report suspicious emails, texts, and other messages so the messages can be investigated by your IT team. At the same time, it’s also advisable to provide extra training to employees who have high-access privileges or are responsible for social media.

Meanwhile, you also want to continue to take common-sense measures to protect your business, like making sure you know which individuals in your organization have access to sensitive information, and backing up your data frequently and completely.

Finally, it’s worth monitoring social media as closely as you can for any activity relating to or purporting to originate from your business. In doing so, you may discover other threats to your business, like bad reviews or even chat bots spreading misinformation about your organization and its people, practices, or products & services.

Questions about security?

If you have questions about things you can do to protect your SMB from harm—financial and otherwise—give us a call at 1.888.845.9457. TSYS and its partners offer a suite of security solutions designed to help protect your small business from cyber criminals and to insulate you from the potentially overwhelming costs of a data breach.

1. “What is Phishing?”, Phishing.org, https://www.phishing.org/what-is-phishing
2. “2019 Phishing Statistics and Email Fraud Statistics”, Retruster, https://retruster.com/blog/2019-phishing-and-email-fraud-statistics.html
