
Nearly all (91%) of company data breaches start with a phishing email. Phishing is an ever-evolving, clever, AI-boosted, and money-hungry industry, and new methods are always appearing. The weakest link for any company is its employees. The 4 powerful ways below help small businesses thwart cyberattacks by turning employees into their strongest defense.
4 Powerful Ways for Small Businesses to Protect Themselves from Cyberattacks
- Understanding the 3 Levels of Phishing
- Training and Simulation
- The Skeptical and Stubborn Pause
- Request a Suspicious Email Review
Understanding the 3 Levels of Phishing
Phishing — the Basic Version: A scammer will email or text millions of people, asking for personal information. A link will be included which will capture credit card or banking information. Ransomware is also typically downloaded on the user’s computer or cellphone. Mechanism: email or text message. Goal: the victim’s money. Email example: a link to a fake Social Security website. Text example: a message about “unpaid highway tolls.”
Spear Phishing: This is the sophisticated sister of the basic phishing attack. It is targeted and well researched so that it appears to come from a trusted source. Because it is more specific, it is more convincing and therefore even more likely to be clicked on. Mechanism: email. Goal: the victim’s money and/or installing malware on the victim’s computer. Example: an email from the victim’s “credit card company” with a link that, once clicked, automatically downloads malware.
Whaling: This is the most deliberate type of attack, where the attackers are going after a big fish: a CEO, a celebrity, etc. It typically starts with a spear phishing attack that provides infiltration into a company’s network, after which the attacker observes the company’s workings. They will use inside information, and perhaps also information from social media (LinkedIn, in particular), to craft an attack that is perfect for their target. They will reference a specific conversation or a specific amount from a previous money transfer and perfectly mimic a leader’s writing style and signature. Mechanism: email. Goal: company funds and/or highly sensitive/proprietary information. Example: an email from a CFO directing the transfer of funds.
Training and Simulation
Considering that 91% of data breaches start with a phishing email and employees are the front line, training is key. SMB Support Corporation works with clients by using Phish Insight from the world-renowned vendor Trend Micro. This program trains employees on the ways attackers access a company’s network and on the specific role employees have in preventing the three different types of phishing attacks. The efficient training takes place on-site and is computer-based, with modules that help staff advance their skills. Many clients use this training as part of their onboarding and as a requirement for consideration for promotion.
As an added bonus, there is a simulation part of the program. To enhance your company’s defenses, to identify which employee is more likely to be tricked, and as a way for employees to experience a fully-automated phishing attack, Phish Insight has an extensive library based on real-world attacks of different natures. Some are personal attacks and some are business-oriented. Topics include failed login alerts, job offers, coupons, travel rewards, company internal incentive programs, software updates, and many more.
The Skeptical and Stubborn Pause
All cyberattacks utilize a psychological tool: the sense of urgency. A simple but very effective defense is a change in mindset. Simply view everything skeptically. Pause and decide whether or not to question the validity of an email, text, call, or letter when the communication asks you to do anything. The second someone tries to place a sense of urgency upon you, deny it. Feel rude? Feel disrespectful? Be stubborn anyway. In this day and age, calling or otherwise asking someone whether they did indeed send a request is being protective of a company’s intellectual property and funds.
As AI advances to cover people’s accents, to enhance the grammar in writing, and to produce images and text in another person’s style, this skeptical and stubborn pause throws a wrench into a cybercriminal’s plans.
Suspicious Email or Text? Contact Us for a Free Review
As Ben Franklin once said, “an ounce of prevention is worth a pound of cure.” Contact us if you receive an email or text that looks suspicious or just doesn’t seem right, or asks you to do something outside of normal company channels or protocol. Forward the suspicious email to phish@smb.support to have us review the email. We will respond with information that identifies the email as phishing to assist in further training.