“Phishing...that’s just something the big guys need to worry about, right?”
While this is a common belief among many small and mid-size businesses, unfortunately, it couldn’t be farther from the truth. Cybercriminals don’t discriminate—even companies that aren’t earning Microsoft-sized money can be targeted by phishing scams. In fact, many phishers have made the little guys their bread and butter, making anti-phishing software more important than ever.
Why Phishers Target Small Business
Large corporations may have Fort Knox-level anti-phishing countermeasures, but many small businesses have a much smaller staff with few (if any) dedicated cyber security personnel, so their processes for proper email and technology usage are often less formalized; sometimes, there’s no plan in place whatsoever. This makes small businesses attractive to cybercriminals, who bank on the belief that a random small business employee is likely to respond to an email or click a link without question. Sadly, it happens all too often.
According to a 2019 Verizon report, small business owners were victims in nearly 45% of all data breaches tracked between November 1, 2017, and October 31, 2018. The report tracked security breaches caused by phishing across all industries; the most vulnerable sectors were retail, hospitality, and healthcare. Of course, they’re not the only ones; phishers have been known to target the most unlikely of candidates, such as a school’s PTA organization.
4 Recent Small Business Phishing Attacks
Think it can’t happen to you? Here is a look at a number of phishing scams that successfully targeted small businesses within the last year, costing millions of dollars.
1. The “Shipping Information” Phishing Scam
In July of 2018, more than 3,000 small businesses were sent an email with the subject line, “Shipping Information.” The email stated that a UPS delivery was on its way, and included a link to track it. Of course, there was no package, and the link contained malware, injecting a virus into the computer of all those who clicked on it.
2. The Tax Phishing Scam
Tax time is prime time for phishers, as they know that most companies are filing and many employees won’t think twice about clicking a link or opening an attachment in a tax-related email. The 2018 End-of-Year Data Breach Report from the Identity Theft Resource Center reveals that more than 400 million consumer records were hacked in 2018, an increase of 126% over 2017.
3. The “IRS W2” Phishing Scam
Going hand-in-hand with the tax phishing scam, the spear phishing W-2 scam involved cybercriminals sending small business employees phony emails designed to look like they were coming from a company executive. These Business Email Compromise attacks requested the personal information of employees for purposes related to tax and compliance. Since it was tax season, many recipients didn’t think to question the request. Unfortunately, this resulted in more than 120,000 employees’ information across more than 100 companies being compromised.
4. The Google Docs Phishing Scam
In May of 2017, more than three million people around the globe became the target of phishers. These cybercriminals sent out millions of fraudulent Google Docs emails, each inviting the recipient to review a document and make edits. Of course, when the recipients opened the invitations, they were taken to a third-party app. Once there, hackers were able to access the individual’s private Gmail account for nefarious purposes.
How Anti-Phishing Software Can Protect You
So how do you protect yourself and avoid becoming a phishing scam victim? While the easy answer is employee training, it is rarely 100% effective. Although holding regular anti-phishing training sessions should be part of any small business’ security training, relying upon a human firewall puts too much burden on employees—and of course, to err is human. Mistakes will be made even among the savviest of employees regardless of training.
To ensure your company's safety, consider anti-phishing software such as Clearedin. Clearedin phishing protection software works in the background, assessing emails to determine whether they pose a threat. Clearedin uses artificial intelligence and machine learning to develop a model of an organization’s communications network; this way, when new messages come in, Clearedin can validate them against a social trust graph based on the flow and frequency of past communication. Clearedin phishing prevention also checks embedded links and analyzes email addresses for spoofing attempts.
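As an added illustration (not Clearedin's code or algorithm), the sketch below shows the general idea of scoring an inbound sender against past communication frequency and flagging near-miss sender domains. The addresses, thresholds, and function names are assumptions made up for this example.

```python
from collections import Counter
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed mail history as (sender, recipient) pairs; all addresses are made up.
HISTORY = (
    [("ceo@smallbiz.example", "pat@smallbiz.example")] * 5
    + [("billing@vendor-pay.example", "pat@smallbiz.example")] * 4
    + [("intern@smallbiz.example", "pat@smallbiz.example")]
)

def build_graph(history):
    """Count past messages on each sender -> recipient edge."""
    return Counter((s.lower(), r.lower()) for s, r in history)

def domain_of(address):
    """Return the part of an address after the last '@'."""
    return address.rsplit("@", 1)[-1]

def assess(graph, from_header, recipient, min_msgs=3, lookalike=0.85):
    """Classify one inbound message against the communication history.

    min_msgs and lookalike are illustrative thresholds, not tuned values.
    """
    _, sender = parseaddr(from_header)  # ignore the display name, keep the address
    sender, recipient = sender.lower(), recipient.lower()
    seen = graph[(sender, recipient)]
    if seen >= min_msgs:
        return "trusted"
    known = {domain_of(s) for s, _ in graph}
    dom = domain_of(sender)
    if dom not in known:
        # A never-seen domain that is almost identical to a known one is
        # the classic spoofing pattern (e.g. a digit swapped for a letter).
        for k in known:
            if SequenceMatcher(None, dom, k).ratio() >= lookalike:
                return "lookalike-domain"
    return "low-history" if seen else "unknown"

if __name__ == "__main__":
    g = build_graph(HISTORY)
    for hdr in ("CEO <ceo@smallbiz.example>", "CEO <ceo@smal1biz.example>"):
        print(hdr, "->", assess(g, hdr, "pat@smallbiz.example"))
```

The display name is deliberately ignored here: a message whose name reads "CEO" is judged only by the address behind it and that address's history with the recipient.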
To learn more about how you can protect your small or medium-sized business from today’s growing cyber threats, contact Clearedin to learn about our anti-phishing services.