Cyber scammers have upped their game. The emails they send out to trick people into turning over confidential info (like usernames and account numbers) look more legit than ever. And the messages have become more sophisticated and more targeted, making busy professionals especially vulnerable.
But here’s the thing: Everyone seems to think they wouldn’t fall for a phishing email—a fraudulent message that seems reputable on the surface. We work with many small businesses that figure they’re an unlikely target, when hackers could go after bigger businesses with bigger bank accounts.
The fact is, though, small businesses are prime targets for phishing scams. Here’s why: They have smaller staffs and their processes tend to be less formal than those of larger companies. This increases the odds that an employee of a small business inadvertently responds to an email con in haste. And, in a sense, small businesses have more to lose—they cannot easily absorb mistakes that affect their bank accounts.
To minimize the risk, small businesses need to be vigilant and aware of what’s going on—and keep their employees educated about what to look out for and how to react. In particular, they need to implement internal controls to avoid falling prey to phishing schemes.
In the phishing crosshairs
Phishing through mass emails isn’t new, but incidents of “spear phishing”—carefully crafted messages sent to an individual or business—are rising. In 2016, spear-phishing scams went after more than 400 businesses every day, according to a recent report from Symantec (a RoseRyan client). And small businesses were a key target: 1 in 2,897 emails received by companies with fewer than 250 employees was a phishing attempt, the report said.
Effective phishing emails look like others you might receive in your inbox. They appear to come from someone you trust—your favorite ecommerce retailer, your accounting software provider, your bank or the head of the company.
Last February, for example, payroll and HR departments received emails asking for W-2 information. The emails read like internal requests from a senior executive but were actually sent by outside scammers. Unfortunately, some companies fell for it and unwittingly sent out sensitive information about their employees—and also wired out thousands of dollars. “This is one of the most dangerous email phishing scams we’ve seen in a long time,” IRS Commissioner John Koskinen said.
How to avoid taking the bait
Be sure phishing emails remain a nuisance rather than a nightmare by putting processes in place that prevent employees from falling for them. We recommend keeping in mind these 3Cs for curbing cybersecurity risks: cyber awareness, controls and culture.
Cyber awareness: Without a dedicated IT department, small companies have to take it upon themselves to keep informed about the latest threats. Reach out to trusted advisers who can keep you apprised of cybersecurity trends and scams. They can provide guidance on new tools, such as password managers and anti-phishing software, that can help minimize the risk. And such experts can provide best practices, alerts and updates for protecting the company.
Also regularly remind employees to use caution with emails, when visiting websites and when interacting on social media. It’s better to pause and question a message—and verify its request through other means (like a phone call)—than to hand over the keys to the castle (such as by typing a password into a fake website).
Controls: Internal controls help protect companies and the employees who oversee the finances and sensitive information. Proper processes can guide employees when it’s time to share data—you can put restrictions over who exactly gets access to certain types of information and who needs to sign off on transfers of a certain amount, for example.
What protocols exist, if any, around how employees access company files on their mobile devices, and how are those devices protected if they get left behind? Do employees have two-factor authentication enabled on all accounts they access at work? Should you limit the use of USB drives? Should you set up rules around who may share certain information (like W-2 data) and how it is shared? Would it make sense to limit which sites employees access while at work (phishing scams are common on social media)?
A focus on controls goes beyond the inside walls of the company. Reach out for assurance from any service providers you use that they have proper controls as well—and will keep your information, including that of your clients and employees, safe. Always know how third parties will use and protect your data.
Culture: When a company is made up of employees who communicate often and freely, they also feel comfortable questioning each other if, say, an email—even from the CEO—doesn’t seem quite right.
Companies that think they’re too small to be a target of phishing scams are off the mark. Businesses of all sizes need to be cautious of the risks, across all areas of the organization. Outside experts who understand small business can help you stay on top of the risks and build a fortress for keeping the company as protected as possible.
Diana Sayre has a soft spot for small businesses in Silicon Valley. Her strengths include operational accounting, budgeting, financial statements, audits and back office support. Previous clients she’s worked for include Box.com, Ceterix and Hydronovation.