Stay Safe from Phishing: A Guide for Business Owners

Phishing schemes are the digital equivalent of a wolf in sheep’s clothing. They lurk in your inbox, ready to pounce and trick you into handing over your sensitive info. Phishing can quickly lead to financial chaos, identity theft, and a breach of trust that rips through your personal and business life like wildfire.

Recently, our bookkeeper was duped by one of these crafty cons, almost leading to a fraudulent payment. Our bookkeeper received an email that looked legitimate but was a phishing attempt. The email asked for a bill to be paid urgently, and because it seemed to come from a trusted source, our bookmaker scheduled the payment. Another attempt involved a fake email posed by an employee trying to get our bookkeeper to switch bank accounts.

Luckily, we had systems in place at Big Storm that flagged these suspicious activities and stopped the attempt before it was too late. Steps such as verifying the sender’s email address, cross-checking with known contacts, payment verification, notifications, and using multi-factor authentication helped us identify and stop the attempts before it was too late.

These scams are becoming increasingly sophisticated, making it imperative for us all to stay vigilant. To protect yourself, your team, and your business from the chaos of phishing, we’ve created this guide to understanding phishing, which includes eight essential tips for how you can ward off phishing wolves.

Recognizing Phishing Scams

Phishing scams often appear in the form of emails that appear to be from trusted sources. These emails might ask you to provide sensitive information, click on malicious links, or download harmful attachments. While these links and attachments may seem normal and safe at first glance, they are designed to deceive you and perform malicious activities such as stealing your personal information, spreading malware, or compromising your computer’s security. Cybercriminals are skilled at mimicking emails from colleagues, clients, or well-known companies, making it difficult to distinguish these scams from legitimate communications. Here are a few examples we have seen:

• Fake Invoice Scam: This is an email that looks like a legitimate invoice from a known supplier urging immediate payment to avoid service disruption.
  Account Suspension Notice: An email claiming that your account has been suspended and requesting you to click a link to verify your identity to restore access.
• Tax Refund Scam: An email that appears to be from a tax authority, promising a refund and asking for personal information to process the refund.
• Payment Request from CEO: An email impersonating your CEO or another executive, requesting urgent payment to a specified account, often targeting the finance department.
• Job Offer Scam: An email offering a lucrative job opportunity, asking for personal information or an upfront payment for processing fees.
• Security Alert Scam: This scam involves an email warning of a potential security breach that prompts you to click a link to secure your account immediately.
• Delivery Notification Scam: An email pretending to be from a courier service claims a package delivery issue and asks you to click a link to provide more details or reschedule.
• Bank Account Change Request: An email posing as an employee requesting to update their banking information for direct deposit, asking for details to be changed to a fraudulent account.

8 Tips to Protect Your Business from Phishing Scams.

1. Clean Your Digital House
2. Watch out for Email Impersonation
3. Trust But Verify Payments, Every Time
4. Report and Block Untrustworthy Emails
5. Educate and Arm Your Team
6. Be Aware of AI and Automated Phishing Tactics
7. Strengthen Your Security with Multi-Factor Authentication
8. Plan for the Inevitable

1. Clean Your Digital House

Your computer, phone, or device could be harboring malicious code, like a bad tenant hiding in the attic. To keep your digital house in order and secure from phishing attacks, follow these essential steps:

• Schedule regular virus and malware scans: Regular scans help detect and eliminate any malicious software that might have infiltrated your devices, keeping your data safe from hackers.
• Enable automatic updates for your antivirus software and check for updates periodically: Keeping your antivirus software updated ensures you are protected against the latest threats, as new viruses and malware are continuously being developed.
• Scan PDF attachments before opening them, and use a secure PDF reader: PDFs can contain harmful scripts. Scanning them helps prevent malware from executing, while a secure reader ensures enhanced protection against potential vulnerabilities.
• Install reliable antivirus software with real-time protection: Real-time protection works continuously in the background to intercept and prevent malicious activities as they occur. This offers immediate defense against phishing and other cyber threats.
• Regularly update your operating system and all software: Updates often include patches for security vulnerabilities that, if left unaddressed, could be exploited by phishers and other cybercriminals to gain unauthorized access.
• Enable and configure your firewall; use a strong Wi-Fi password: A firewall helps block unauthorized access to your network, and a strong Wi-Fi password protects against intruders looking to intercept your data or infiltrate your network.
• Download files only from trusted sources and scan them before opening: Downloads from untrusted sources can lead to malware infections. Scanning files before opening ensures they are free of malware, reducing the risk of a security breach.

2. Watch out for Email Impersonation

Phishers are masters of disguise, often using email addresses that look legitimate at first glance. Always verify the sender’s email address carefully. Look out for subtle changes or unusual domain names. To protect yourself, pay attention to the following details in the emails you recieve:

• Verify the sender’s email address carefully: Phishers may create email addresses that mimic legitimate ones by altering just one or two characters. Checking the email address in detail can help you spot these discrepancies.
• Look out for subtle changes or unusual domain names: Sometimes, phishers use domain names that closely resemble those of reputable companies but with minor alterations, like ‘.com’ becoming ‘.net’ or adding a hyphen.
• Check for slight misspellings or extra characters: Phishers often rely on the hurried nature of email reading. Small typos or additional characters in the email address or domain name can be a red flag of a phishing attempt.
• Hover over links to see the actual URL before clicking: By hovering over a link (without clicking), you can see the actual URL in the bottom corner of your browser. This helps verify if the link leads to a legitimate site or a potentially malicious one.
• Be cautious with unexpected attachments or requests for sensitive information: Phishers may include attachments that contain malware or mimic legitimate requests for sensitive information. Always verify the authenticity of the email before responding to these types of requests.

3. Trust But Verify Payments, Every Time

Never process a payment without verbal confirmation, especially if it’s urgent. To ensure safety:

• Always confirm payment requests verbally: Ensure that any requests for payments are confirmed by speaking directly with the requester. This helps avoid falling victim to email spoofing or business email compromise (BEC) attacks.
• Call the requester for same-day payment requests: For urgent payment demands, always call the requester using a known phone number to confirm the legitimacy of the request, as phishing attempts often create a false sense of urgency.
• Verify details through a known contact method: Use contact information you have previously verified, not the contact details provided in the suspicious email or message, to ensure you’re communicating with the actual person or company.
• Be skeptical of any urgent or unusual payment requests: Phishers often attempt to create a sense of urgency to provoke quick action. Always double-check and verify any requests that seem out of the ordinary or unexpectedly urgent.
• Implement this rule as standard practice: Make these verification steps a mandatory part of your payment processing procedures to ensure consistency and security across all transactions.

4. Report and Block Untrustworthy Emails

As a rule of thumb, if you or your team get a suspicious email, block and report it immediately. To protect yourself and others:

• Use your email provider’s tools to report phishing attempts: Many email services offer built-in tools that allow users to report suspicious emails directly. Using these tools helps improve the service’s ability to detect similar threats in the future.
• Block the sender to prevent further emails: Blocking the sender’s email address prevents any further communication from that source, reducing the risk of receiving more phishing or malicious content.
• Encourage your team to report suspicious emails: Creating a culture of security awareness within your organization can significantly reduce the risk of phishing attacks succeeding. Encouraging everyone to report suspicious emails helps in collectively improving defense mechanisms.
• Stay aware of common phishing tactics: Being informed about the most commonly used phishing tactics, such as urgent language or requests for sensitive information, can help individuals and teams quickly identify and avoid potential threats.

5. Educate and Arm Your Team

Your employees are your frontline defense against phishing. To keep your team prepared:

• Train employees to recognize phishing attempts and promote safe browsing habits: Educating employees on how to identify phishing emails and practice safe browsing can significantly reduce the risk of successful phishing attacks and enhance overall cybersecurity.
• Highlight unsolicited requests for sensitive information: Train your team to be wary of unexpected emails or messages that ask for personal or company-sensitive information, as these are common tactics used in phishing scams.
• Emphasize spotting poor grammar and unfamiliar senders: Teach employees to identify potential phishing attempts by noticing poor grammar and spelling, which are often telltale signs, and to be cautious of emails from senders they do not recognize.
• Encourage skepticism and double-checking: Instill a culture of caution where team members are encouraged to verify the legitimacy of suspicious emails by contacting the sender through official channels or discussing it with their IT security team.
• Provide ongoing education and updates: Regularly update your team with the latest phishing techniques and provide continuous education to keep security top of mind, ensuring they are prepared to recognize and react to new threats as they evolve.

6. Be Aware of AI and Automated Phishing Tactics

The rise of AI and automation is a double-edged sword. To protect yourself against evolving threats:

• Stay informed about the latest AI-driven scams: Cybercriminals are increasingly using sophisticated AI tools to create and execute scams. It’s crucial to keep abreast of emerging AI technologies and tactics that might be used against your organization.
• Educate your team on how AI can mimic writing styles and generate realistic emails: AI algorithms can analyze writing styles and craft emails that closely mimic legitimate communications from trusted sources, deceiving recipients into thinking the messages are authentic.
• Be aware that AI can automate attacks, making them harder to spot: AI can enable attackers to automate phishing campaigns, producing large volumes of personalized and convincing messages at scale, increasing the likelihood of someone falling prey to the scam.
• Regularly update your security protocols: As AI-driven threats evolve, it’s essential to continuously update and strengthen your security measures to protect against new and emerging tactics.
• Foster a culture of continuous learning and vigilance: Encourage an organizational culture where staying informed, being cautious, and continuously learning about cybersecurity are valued. This proactive stance can significantly enhance your defenses against sophisticated AI-driven attacks.

7. Strengthen Your Security with Multi-Factor Authentication

Multi-factor authentication (MFA) is like having a bouncer at your digital door. To enhance your security:

• Implement MFA wherever possible: Enabling MFA on all systems, especially those accessing sensitive data, significantly reduces the risk of unauthorized access, as it requires more than just a password to log in. MFA adds a critical second check to verify a user’s identity, such as a text message code or biometric verification, protecting sensitive data even if a password is compromised. With MFA, attackers must obtain multiple credentials for successful unauthorized access, which complicates their efforts and deters potential breaches.
• Regularly review and update MFA settings: Keeping MFA settings up-to-date ensures compatibility with new security threats and technologies, maintaining the effectiveness of this security measure.
• Educate your team on the importance of using MFA: Training staff on how MFA works and its benefits builds a stronger security culture and compliance within the organization, ensuring everyone understands and correctly uses MFA.

8. Plan for the Inevitable

No system is foolproof. To be prepared for phishing attempts:

• Develop a response plan for phishing incidents: It’s essential to have a predefined strategy that outlines the steps to take when a phishing attack is identified. This plan should include identification, containment, eradication, and recovery processes to minimize damage.
• Secure affected accounts quickly: Immediately securing accounts that have been compromised is crucial. This might involve changing passwords, revoking access tokens, or temporarily disabling accounts to prevent further unauthorized access.
• Communicate effectively about the threat: Clear communication is key when a phishing attack occurs. Inform affected users and IT teams promptly about the nature of the threat, what actions to take, and any preventative measures to avoid future incidents.
• Regularly review and update your response plan: Cyber threats evolve rapidly, and so should your response strategies. Regularly reviewing and updating your phishing response plan ensures that it remains effective against new and emerging tactics used by cybercriminals.

Phishing Education Resources

Here are a few reliable websites to keep up with the latest phishing scams and cybersecurity threats:

• PhishLabs – PhishLabs provides threat intelligence and reports on the latest phishing scams, offering insights and analysis to help organizations stay ahead of cybercriminals.
• Krebs on Security – Written by cybersecurity expert Brian Krebs, this blog covers a wide range of security topics, including detailed reports on phishing scams and other online threats.
• Anti-Phishing Working Group (APWG) – The APWG is an international coalition focused on unifying the global response to cybercrime. Their website features news, research, and resources on phishing trends and preventive measures.

Be Prepared to Defend Your Business from Digital Threats

In the end, we’re not cybersecurity experts. We’re a web design and marketing firm, and, just like you, we are navigating the treacherous waters of digital communication. Phishing scams are a constant threat, evolving in complexity and deceit. But with vigilance, education, and a healthy dose of skepticism, we can fend off these digital predators. It’s about building a culture of awareness and resilience, where every team member is a sentinel, alert to the dangers lurking in their inbox.

Remember, it’s not about being perfect; it’s about being prepared. At Big Storm, we empathize with your struggles and share your determination to protect what matters most. Let’s stay vigilant, stay informed, and keep our defenses strong. After all, in this digital age, a little paranoia can go a long way in keeping our businesses safe. Stay sharp, stay safe, and keep those phishing scams at bay.