In addition to ransomware, one of the most common attacks against small businesses is phishing in its various forms: put simply, using online methods (typically email, but sometimes instant messaging) to gather sensitive data from a victim. There are three common variants:
- Phishing: This is the ‘plain vanilla’ attack, where large numbers of potential victims are emailed or messaged in an attempt to manipulate them into revealing personal information. Usually the messages will invoke either the fear of some impending doom (tax penalties, account cancellation, fines) or greed and excitement (lost inheritances, grand prizes), but in either case the goal is to get you either to click a link which delivers malware to your computer, or to visit a fraudulent website and enter sensitive information. The variations are infinite.
- Spearphishing: This is similar to regular phishing, except the target group is a specific one, often the employees of a company or department. Because of the constant networking most entrepreneurs do and the professional organizations and groups they attend, there are more opportunities for cybercriminals here than may be obvious at first glance.
- Whaling: Even more targeted than spearphishing, in a whaling attack a high-level executive (e.g. the CFO) is impersonated in an attempt to create enough urgency that a lower-level employee transfers money or data without confirming the authenticity of the request. While this is less likely than other phishing attacks for smaller companies, situations where owners are frequently out of town and give instructions via email may create some vulnerability.
Small businesses are frequently targeted for phishing because attackers know that they seldom have dedicated IT staff at all, much less full-time IT security personnel. Also, compared to more technical forms of attack, which usually center on gaining access to the victim’s network and/or servers, a phishing attack does not depend on the existence of any infrastructure at all. Phishing is really a cyberattack against the user: it creates a scenario where the individual (unknowingly) hands over the information sought, instead of the hacker taking it through a technical breach. However, this is actually good news, because it means the defense against phishing is simple vigilance and preparation, which are affordable for everybody. Here are some key tips:
Beware of any email which asks you for account information.
As a rule, because companies are acutely aware of the phishing risk to their users, they will never ask you to provide any sort of sensitive information through electronic communication. If someone is asking you to ‘confirm’ or ‘verify’ account information and you were not expecting the email (that is, you did not initiate something like a lost-password request), then go directly to the website in a new browser window, instead of through the link, and confirm the authenticity there.
Pay special attention to the web address and the page layout.
Fake websites will often try to use addresses that are one letter off, like substituting a lower-case l for an upper-case I, or have page elements they have copied and pasted, which may result in images being out of place or not scaling correctly, etc. Good rule of thumb: if you arrived via an email link and you are about to log in (i.e. enter your credentials) or provide personal information, then take an extra moment and a close look before you proceed. If something doesn’t feel right, then, as above, access the website manually (enter the address yourself).
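As an added example (not code from the original article), a small Python check that flags link hosts which match one of your trusted domains only after folding the common letter swaps described above; the trusted-domain list and the sample URLs are constructed placeholders.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample list; a real deployment would use the domains the business actually uses.
TRUSTED_DOMAINS = {"example-bank.com", "example-payroll.com"}

# Characters that lookalike addresses commonly swap for one another
# (the l/I substitution mentioned above, plus a few other frequent ones).
CONFUSABLES = str.maketrans({
    "i": "l", "1": "l",   # i (lower-cased I) and the digit 1 both read like lower-case L
    "0": "o",             # digit zero for the letter o
    "5": "s",             # digit five for the letter s
})

def registrable_domain(url: str) -> str:
    """Host part of a URL, lower-cased, with any leading 'www.' removed.
    Assumes a simple 'name.tld' host (no public-suffix handling)."""
    host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
    host = unicodedata.normalize("NFKC", host).lower()
    return host[4:] if host.startswith("www.") else host

def skeleton(domain: str) -> str:
    """Fold confusable characters so 'examp1e-bank.com' and 'exampie-bank.com'
    compare equal to 'example-bank.com'; 'rn' is folded to 'm' for the same reason."""
    return domain.translate(CONFUSABLES).replace("rn", "m")

def classify_link(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted' if the host is a trusted domain or one of its subdomains,
    'lookalike' if it only matches after confusable folding, otherwise 'unknown'."""
    host = registrable_domain(url)
    for good in trusted:
        if host == good or host.endswith("." + good):
            return "trusted"
    folded = skeleton(host)
    for good in trusted:
        good_folded = skeleton(good)
        if folded == good_folded or folded.endswith("." + good_folded):
            return "lookalike"
    return "unknown"
```

A host such as example-bank.com.evil.example is reported as unknown rather than trusted, because the check compares the whole host, not just its beginning.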
If you read my previous articles on basic information security and ransomware, then you already know these things. If you skipped them (or need a refresher), then remember these best practices:
- Use Two-Factor Authentication on any website that offers it, especially things with sensitive info like health or financial data. If you expect a two-factor prompt when you log in and then don’t get one, that should be an enormous red flag that something is not right.
- Don’t re-use passwords. A common goal of basic phishing attacks is to obtain one set of login credentials, like an email or social media account, and then try those credentials on financial sites. Use strong, unique passwords for all your logins, and consider using a password manager like LastPass if you are tempted to reuse them.
- Confirm secure browsing. Whenever you are entering credentials or other sensitive information, make sure you are connected to a site with the https:// prefix. Most modern browsers display a lock or similar icon to let you know the connection is encrypted. While this is not absolute evidence that a site is authentic, it is usually a good indicator.
Finally, use some common sense.
If an offer is too good to be true, then it probably is. Be suspicious of any emails designed to threaten or create urgency; the IRS does no business by email, and will never ask you for sensitive information that way. If you need to reset the password for your bank, the best place to do that will not be through a link you received via Twitter. Be aware that these scams are out there, and very common. Stick to the guidelines above and make them habits. Like most other cyberattacks, in the case of startups phishing is largely a crime of opportunity, not targeting, so a little bit of vigilance can go a long way toward keeping you off the hook.