Cybersecurity for small business: Phishing


By: Andrew Smith, Director, FTC Bureau of Consumer Protection

Phishing scammers have gotten more sophisticated. They still send out mass emails asking consumers for credit card numbers or bank account information. But they’re also targeting small businesses by imitating the look of messages your employees routinely receive. The FTC has new resources to help small businesses address cybersecurity, including the risks posed by phishing.

How phishing works

When phishing scammers hit small businesses, they often send you or your employees emails or texts that appear to come from a familiar source – perhaps a vendor, a client, or even a co-worker at your company. To add to the apparent authenticity, crooks may mimic recognizable email addresses or embed cut-and-pasted corporate logos. What’s more, enterprising fraudsters may search publicly available sources for the name of a colleague at your business, and use it to overcome an employee’s initial suspicions. (“Fred from Accounting said I should contact you.”)

Once the phishing scammer has an employee on the hook, they’ll ask for account information or insist that a company higher-up needs money wired immediately for a business transaction. Or they may direct your staffer to click on an innocent-looking link that secretly installs malicious code or even ransomware.

What you can do

Train your staff to take five before responding. They should mention the message to a co-worker, who may have been targeted, too. They should call the purported client, company, or colleague using a phone number they know to be genuine to determine if the email or text is legit. The FTC’s factsheet includes more practical tips to impart when educating your employees about the ways and wiles of phishing.

How to protect your business

Keep your security current with the latest patches and updates. Install a safety net by using additional means of protection. For example, email authentication software can help prevent phishing emails from reaching your company’s inboxes in the first place. Intrusion prevention software can serve as a sentry to keep cyber crooks at bay. In addition, back up your data regularly by saving important files to a drive or server not connected to your network. The factsheet features additional suggestions.
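To make the “email authentication” point concrete, here is an added example (not from the FTC post or its factsheet) of the kind of check such software performs on a received message. It reads the Authentication-Results header that a mail server adds when it evaluates SPF, DKIM and DMARC, and it flags the lookalike-sender trick described above, where the display name imitates a known vendor but the sending domain is not the vendor’s. The two sample messages, the vendor allowlist (TRUSTED_VENDOR_DOMAINS) and the function names are constructed for this illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: a phishing-style message whose display name imitates a
# known vendor, but which fails SPF/DMARC and comes from a lookalike domain.
SAMPLE_PHISH = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=acme-invoices.example.net; dkim=none; dmarc=fail header.from=acme-invoices.example.net
From: "Acme Supplies Billing" <billing@acme-invoices.example.net>
To: payables@example.com
Subject: Urgent: wire transfer needed today

Please wire the attached invoice amount before 5pm.
"""

# Constructed sample: the same vendor's genuine message, fully authenticated.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme.example; dkim=pass header.d=acme.example; dmarc=pass header.from=acme.example
From: "Acme Supplies Billing" <billing@acme.example>
To: payables@example.com
Subject: Invoice 1042

Invoice attached, net 30 as usual.
"""

# Hypothetical allowlist of domains your real vendors send from.
TRUSTED_VENDOR_DOMAINS = {"acme.example"}


def parse_auth_results(header_value):
    """Turn 'authserv; spf=fail ...; dkim=none; dmarc=fail ...' into
    {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'}."""
    results = {}
    parts = [p.strip() for p in str(header_value).split(";")]
    for part in parts[1:]:  # parts[0] is the server id, not a result
        if not part:
            continue
        token = part.split()[0]  # e.g. 'spf=fail'; later words are properties
        if "=" in token:
            method, result = token.split("=", 1)
            results[method.lower()] = result.lower()
    return results


def assess_message(raw):
    """Return a verdict dict: which checks failed and whether to quarantine."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    reasons = []

    # DMARC is the decisive check: it ties SPF/DKIM to the visible From domain.
    if auth.get("dmarc") != "pass":
        reasons.append(f"dmarc={auth.get('dmarc', 'missing')}")
    if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        reasons.append("neither SPF nor DKIM passed")

    # Lookalike check: display name names a trusted vendor, domain is not theirs.
    for trusted in TRUSTED_VENDOR_DOMAINS:
        vendor_word = trusted.split(".")[0]
        is_vendor_domain = domain == trusted or domain.endswith("." + trusted)
        if vendor_word in display_name.lower() and not is_vendor_domain:
            reasons.append(
                f"display name mentions {vendor_word!r} but sender domain is {domain!r}"
            )

    return {
        "from_domain": domain,
        "auth": auth,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        verdict = assess_message(sample)
        print(label, "suspicious" if verdict["suspicious"] else "ok", verdict["reasons"])
```

A mail gateway or filter would quarantine or tag messages with a non-empty reasons list rather than deliver them, which is the “safety net” effect the paragraph describes: the employee never has to spot the lookalike address themselves. The Authentication-Results header is only trustworthy when it was written by your own receiving server, so a real deployment must strip any copy of that header that arrives from outside before adding its own.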

What if a phishing scheme strikes your company?

Have a copy of the FTC’s Data Breach Response: A Guide for Business on hand before you need it. As the Guide recommends, limit the damage by disconnecting from the network any computers or devices infected with malware. Follow your company’s procedures for looping in staff members or contractors who help with IT. If personal information has been compromised, notify the affected parties. They could be at risk for identity theft.

Report phishing attempts to the FTC’s emailbox, spam@uce.gov, and to ftc.gov/complaint. Also notify the Anti-Phishing Working Group – a public-private partnership that includes ISPs, security companies, financial institutions, and law enforcement agencies – at reportphishing@apwg.org. And let the company or person who was impersonated know their good name is being used in a phishing scheme.

Next: Business email imposters