Protection against business phishing attacks

Saving Your Business from Phishing in 2021

If you’re a business owner, then you’re a bigger target to scammers than an average joe.

This is why you need to know about the full extent of these attacks…

And how to protect yourself from them!

Phishing attacks are one of the most common security challenges that both individuals and companies face in keeping their information secure.

Whether it is getting access to passwords, credit cards or other sensitive information, scammers will use emails, social media, phone calls and any other form of communication they can to steal their victim’s valuable data.

Thus, businesses prove to be a worthwhile target for scammers, as it is easier to find specific information on a business through a few searches online.

This means that scammers are able to launch personalized attacks on their victims that may seem more genuine than your average phishing scam.

Common Phishing Attacks Against Businesses

Here are some of the main methods that scammers use to target businesses:

  1. Company impersonation
     This is one of the most common forms of phishing, where scammers impersonate a brand or business. Scammers create an email that is connected to a domain which is very similar to that of the target company, e.g. first.name@amazon-support. This has proven to be one of the more difficult attacks to identify, as you won’t know until someone falls for it or alerts you.

  2. Spear phishing
     This type of attack involves scammers using a fake company name (also a form of impersonation), but the scammer also possesses key information about the target. Businesses and their employees are continuously looking to make connections through online means. This is usually done through sites such as LinkedIn, which requires employees to share their personal information (current job title, past work experience, educational qualifications, etc.). This makes it easier for scammers to use these details to personalize their phishing attacks. It is almost like sales, where a sales rep finds the name, position and other personal details and then includes them in a pitch email. Scammers copy the same pattern and use it to compel more victims to fall into their trap.

  3. Email takeovers
     All members of a business’ executive and management level team are susceptible to this attack. Once a scammer acquires the email login details of an executive or management level team member, they will most probably target anyone they can using these credentials. Some of the potential targets could be colleagues, other team members and even customers (if scammers have already obtained this information via their attack).

  4. Phone phishing
     Scammers may use Voice over Internet Protocol (VoIP) technology to impersonate brands or businesses. Scammers use this technique together with spear phishing (using personal details of the targets) to make the scam more believable. Phone phishing scams usually impersonate individuals of the company being targeted (e.g., the CEO) to increase the payoff from the overall scam.
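A defender-side check for the lookalike sender domains described under company impersonation, written as an added example and not code from the original article: it takes the From: values of incoming mail, compares each sender domain against a list of domains the business trusts, and reports whether the domain is trusted, a lookalike (the brand name embedded with extra words or hyphens, digit-for-letter substitutions such as amaz0n, a brand name used as a subdomain of some other domain, or a one- or two-character typo) or unrelated. The trusted-domain list, the substitution table, the edit-distance threshold and all sample addresses are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Constructed list of domains the (hypothetical) business treats as legitimate senders.
TRUSTED_DOMAINS = {"amazon.com", "example-corp.com"}

# Assumed digit/symbol-for-letter substitutions seen in typosquats (amaz0n, examp1e).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "|": "l"})


def registrable(domain: str) -> str:
    """Crude approximation of the registrable domain (last two labels).
    A production check would consult the Public Suffix List instead."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender domain."""
    raw = domain.strip().lower().rstrip(".")
    # Exact trusted domain, or a subdomain of one (mail.example-corp.com).
    if raw in trusted or any(raw.endswith("." + t) for t in trusted):
        return "trusted"
    folded = raw.translate(HOMOGLYPHS)   # amaz0n.com -> amazon.com
    reg = registrable(folded)
    for t in trusted:
        brand = t.split(".")[0]
        if reg == t:
            return "lookalike"   # only differed by a substituted character
        if brand in folded:
            return "lookalike"   # amazon-support.com, amazon.com.evil.example
        if edit_distance(reg, t) <= 2:
            return "lookalike"   # amazom.com, amazon.co
    return "unrelated"


def scan_senders(addresses):
    """Classify the domain of each From: value; returns a list of (address, verdict)."""
    results = []
    for value in addresses:
        _, addr = parseaddr(value)
        domain = addr.rpartition("@")[2] if "@" in addr else ""
        verdict = classify_sender_domain(domain) if domain else "unparseable"
        results.append((addr, verdict))
    return results


if __name__ == "__main__":
    # Constructed sample From: values, not taken from any real campaign.
    for addr, verdict in scan_senders([
        "Amazon <no-reply@amazon.com>",
        "Amazon Support <first.name@amazon-support.com>",
        "Billing <billing@amaz0n.com>",
        "HR <hr@mail.example-corp.com>",
        "Friend <friend@gmail.com>",
    ]):
        print(f"{verdict:10} {addr}")
```

The substring and edit-distance rules deliberately err on the side of flagging (a domain such as amazonia-tours.example would be reported as a lookalike), which is the right trade-off for a check that feeds a mail gateway quarantine or an analyst queue rather than an automatic block.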

How to Avoid Common Phishing Attacks

In order to help you understand how to avoid phishing attacks on your business, we have listed out the most common ways that a business may be subject to these attacks and how to best prevent them.

Two of the main mistakes that businesses make that leave them vulnerable to phishing attacks are not having the required tools in place and failing to train their employees on their role in information security.

Employees possess credentials and access to confidential data and information that is vital to the success of a breach in a business’ security. Intruders are able to obtain this sensitive information via a phishing attack. Scammers would then use this sensitive information to gain access to otherwise protected data and networks.

A scammer’s success is reliant on establishing trust with its victims. Since almost everything we do is through digital means, it has become much easier for scammers to gather sensitive information and utilize this information to launch phishing attacks that are easier to believe.

A majority of businesses use Slack (a messaging app for businesses that allows effective communication and collaboration between its employees) within their relevant teams and units. Phishing scams on this platform are becoming increasingly common, with scammers launching their attacks through direct messages or even appearing as a Slackbot reminder.

Phishing attacks of this nature were widespread across a number of blockchain and cryptocurrency companies. In 2017 alone, scammers were reported to have made close to $225 million off these scams, with half of this being stolen through phishing attacks on Slack alone, affecting more than 30,000 victims.

In the same way, in 2020 it was reported that up to 50,000 Office 365 users were targeted by a phishing campaign that gave users a notification of a ‘missed chat’ from Microsoft Teams. Victims received an initial phishing email with a subject that displayed ‘There’s new activity in Teams’, which made it seem like the usual automated notification sent by Microsoft Teams.

To access this activity, scammers included a ‘Reply in Teams’ button within this phishing email, which redirected victims to a phishing login page for Teams.

Unsuspecting victims who entered their Teams login details were hacked by these scammers, leading to a compromised account and a breach in their company’s security, as the victim’s Teams login credentials were the same as their official work credentials.

Further, there are various other phishing techniques that are commonly used by attackers:

  • Embedding a link in an email that will redirect its victim to an unsecure website that requests sensitive information.
  • Installing a Trojan via a malicious email attachment or an ad, which will then allow the scammer to exploit loopholes and obtain the victim’s sensitive information.
  • Spoofing the sender address so that it appears as a reputable source in the phishing email, which scammers would use to gain the victim’s trust in order to request sensitive information.
  • Attempting to obtain company information over the phone by impersonating a known company vendor or even a colleague from the IT department.
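The header and link checks below are an added example, not code from the original article, that triages one raw message for the spoofed-sender and embedded-link techniques just listed (and for the later advice that addresses without https or with a raw IP address are suspect). It flags Reply-To and Return-Path domains that do not match the From domain, SPF/DKIM/DMARC failures recorded in the Authentication-Results header that a receiving mail server writes, links that are not HTTPS or that point at an IP address, and anchor text that shows one site while the href goes to another. The message, its headers, the domains and the 203.0.113.10 address are all constructed for the example (203.0.113.0/24 is a documentation range).

```python
import ipaddress
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the "missed chat" lure; every header,
# domain and address is made up for this example.
SAMPLE_RAW = """\
Return-Path: <bounce@mailer-xyz.example>
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=mailer-xyz.example; dkim=none
From: "IT Helpdesk" <helpdesk@example-corp.com>
Reply-To: support@mailer-xyz.example
To: jane.doe@example-corp.com
Subject: There's new activity in Teams
Content-Type: text/html; charset="utf-8"

<html><body>
<p>You have a missed chat.</p>
<p><a href="http://203.0.113.10/login">Reply in Teams</a></p>
<p><a href="https://portal.example-corp.com/">https://portal.example-corp.com/</a></p>
<p><a href="https://portal.example-corp.com.mailer-xyz.example/">https://portal.example-corp.com/</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header_value) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _is_ip_host(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def triage(raw: str) -> list:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # Sender consistency: replies and bounces should go back to the claimed sender.
    from_dom = _domain(msg.get("From"))
    for header in ("Reply-To", "Return-Path"):
        dom = _domain(msg.get(header))
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")

    # Results stamped by the receiving server; only hard failures are reported.
    auth = str(msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} authentication failed")

    # Embedded links: require https, no raw IP hosts, and text that matches the target.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            target = urlparse(href)
            host = (target.hostname or "").lower()
            if target.scheme != "https":
                findings.append(f"non-https link: {href}")
            if _is_ip_host(host):
                findings.append(f"link to raw IP address: {href}")
            shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
            if shown and shown.lower() != host:
                findings.append(f"link text shows {shown} but points to {host}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_RAW):
        print("-", finding)
```

A mismatch between From and Reply-To is the signal that matters most for the email-takeover and impersonation cases above: the scammer can forge the visible sender but needs replies to land in a mailbox they control. The Authentication-Results check is only meaningful when the header was added by your own mail server, so a gateway should strip any copy of it that arrives from outside before this logic runs.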


Here are a few steps a business can take to protect itself against phishing:

  • Train and educate employees using mock phishing scenarios through mandatory sessions.
  • Deploy a SPAM filter that will detect viruses, blank senders, etc.
  • Ensure that all systems are updated with the latest security patches.
  • Install an antivirus solution, schedule regular updates and monitor antivirus status on all equipment within the company.
  • Develop a security policy that includes, but isn’t limited to, password expiration and complexity.
  • Develop a web filter to block malicious websites.
  • Encrypt all sensitive information pertaining to your business.
  • Convert HTML email into text only email messages or even disable HTML email messages.
  • Require encryption for all employees that are teleworking.
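One concrete form of the "convert HTML email into text only" step, as an added example that is not the article's code or any product's: a small renderer that turns an HTML body into plain text, prints each link's real target in angle brackets after its visible text (so an anchor that reads as the company portal but whose href goes elsewhere is exposed), and drops script and style content instead of rendering it. The sample HTML and the 203.0.113.10 address are constructed (203.0.113.0/24 is a documentation range).

```python
import re
from html.parser import HTMLParser


class TextRenderer(HTMLParser):
    """Render an HTML email body as plain text, showing each link's real target
    in angle brackets after its visible text and discarding script/style content."""

    BLOCK_TAGS = {"p", "div", "br", "tr", "li", "h1", "h2", "h3", "table"}
    SKIP_TAGS = {"script", "style", "head"}

    def __init__(self):
        super().__init__()
        self._out = []
        self._href = None
        self._skip = 0  # nesting depth inside tags whose content is dropped

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP_TAGS:
            self._skip += 1
        elif tag == "a":
            self._href = dict(attrs).get("href") or ""
        elif tag in self.BLOCK_TAGS:
            self._out.append("\n")

    def handle_endtag(self, tag):
        if tag in self.SKIP_TAGS:
            self._skip = max(0, self._skip - 1)
        elif tag == "a" and self._href is not None:
            self._out.append(f" <{self._href}>")  # expose the real destination
            self._href = None
        elif tag in self.BLOCK_TAGS:
            self._out.append("\n")

    def handle_data(self, data):
        if not self._skip:
            self._out.append(re.sub(r"\s+", " ", data))

    def text(self) -> str:
        lines = (line.strip() for line in "".join(self._out).split("\n"))
        return "\n".join(line for line in lines if line)


def html_to_text(html: str) -> str:
    """Convert an HTML email body to text-only form with link targets made visible."""
    renderer = TextRenderer()
    renderer.feed(html)
    renderer.close()
    return renderer.text()


# Constructed sample body: the visible link text names the company portal while
# the href points at a raw IP address.
SAMPLE_HTML = (
    "<html><head><style>a{color:blue}</style></head><body>"
    "<p>Dear user,</p>"
    '<p>Please <a href="http://203.0.113.10/login">sign in here</a> to continue.</p>'
    '<p><a href="http://203.0.113.10/login">https://portal.example-corp.com/</a></p>'
    "</body></html>"
)

if __name__ == "__main__":
    print(html_to_text(SAMPLE_HTML))
```

Rendering mail this way at the gateway (or in the client) removes the two things a phishing email relies on in HTML: link text that hides the destination, and active content that runs when the message is displayed.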

Careless Internet Browsing

Most employees use their personal devices to check their work email or to access a work website or attachment. These devices are also used to access their personal emails and social media channels. This leaves room for a phishing attack that compromises both the victim’s personal and official data on those devices.

It is advisable for businesses to institute a policy that prevents certain sites from being accessed through personal devices, which would then greatly reduce a business’ chance of having their security compromised.

Phishing and Social Engineering

Phishing is one of the key components of social engineering. These phishing emails are crafted to mirror correspondence from a trustworthy or reputable source (the government, legal, HR, bank, etc.) and often trick victims into clicking on a malicious link embedded within the email body.

More sophisticated phishing emails may even execute hidden code if the email is simply opened on the victim’s computer.

This emphasizes the importance of employees understanding the risks of opening email attachments or clicking on links received from unknown sources, as these can lead to malware or virus infection.

Awareness is Key

It is vital to ensure that all employees are educated on phishing attacks and how to avoid them. Training on security awareness should be a mandatory component of employee orientation.

Some of the main things that employees should realize are that credible websites would never ask for their passwords over an email, and that they should not open attachments from people they do not know.

Further, URLs that don’t use https should be treated as fraudulent, as should sites whose address begins with an IP address instead of a domain name. Scammers will try their luck on all digital platforms, so it is important that all employees understand how they can avoid being a target of these attacks, while protecting their personal and official information and data.

No matter how many articles or news updates an employee may see on a regular basis, when faced with a phishing attack, they may not know what separates the phishing attack from genuine communication.

In order to improve awareness of phishing attacks, businesses should regularly test employees with fake phishing emails. This technique helps employees tell genuine correspondence apart from a phishing attack.

There are also multiple steps that a business can take to protect itself and its employees against phishing. Businesses are advised to keep track of current phishing strategies (for tips on how to identify and avoid phishing attacks through email, websites and social media, you can check out these blogs on Telepathz).

It is also vital to regularly update current security policies in place within your business in order to eliminate threats. Educating and training employees to understand the various types of attacks they may face as well as how to address them is important going forward. Informed employees and properly secured systems are key to protecting your business from phishing attacks.