Skip to main content
Blogs

Phishing: The SMB Plague

By 11.29.17May 11th, 2019No Comments

The most interesting statistic to come out of the cyber security market in the last couple of years is also
one of the most overlooked. This statistic points to one of the most obvious problems facing cyber
security experts today. It is also one of the most affordable and easiest problems to fix.

So what is this statistic? It involves your people and an activity they do at work every day. It is an
awareness problem. It is an education problem. It is a problem faced by every corporation and every
individual that is connected to the Internet.

It’s simple and it’s all about you. “83% of all cyber security breaches are caused by human error.” That’s
right 83%!

One of the most lucrative and simple ways to breach any system is through email. Hackers understand
that small to medium sized companies have fewer resources to guard against attacks. As a result they
have become the low hanging profit fruit for hackers of all types.

The most prolific malicious activity taking place today are phishing attacks. Phishing attacks try to obtain
financial or other confidential information from Internet users, typically by sending an email that looks
as if it is from a legitimate organization, usually a financial institution, but contains a link to a fake
website that replicates the real one. In fact “1 in 131 emails contained malware in 2016, the highest rate
in five years.” (Symantec 2017 ISTR)

According to Symantec’s 2017 ISTR, fake invoice messages are the #1 type of phishing lure. 1 in every 4
major malware campaigns used fake invoice messages in 2016.

Fake Invoice Message...

Why are phishing attacks so dangerous? Because they appear legitimate, it is easy to be fooled into
releasing credit card numbers, social security numbers, account information, and all other types of
personally identifiable information. Once your company has been phished, the attacker may have access
to your entire network. There are a variety of ways for the attacker to then infiltrate your network and pilfer data as needed.
Remember the phishing attack gains entry. Once in, the attacker has all sorts of options. None of them are good for you or your company!

60% of all small to medium sized companies that undergo a cyber security breach are out of business
within 6 months. A phishing attack may open the door to your demise. Yes, it’s that serious! So, what do
you do about it?

Phishing.org offers 10 ways to avoid phishing scams

1. Keep Informed About Phishing Techniques – New phishing scams are being developed all the time.
Without staying on top of these new phishing techniques, you could inadvertently fall prey to one. Keep
your eyes peeled for news about new phishing scams. By finding out about them as early as possible,
you will be at much lower risk of getting snared by one. For IT administrators, ongoing security
awareness training and simulated phishing for all users is highly recommended in keeping security top of
mind throughout the organization.

2. Think Before You Click! – It’s fine to click on links when you’re on trusted sites. Clicking on links that
appear in random emails and instant messages, however, isn’t such a smart move. Hover over links that
you are unsure of before clicking on them. Do they lead where they are supposed to lead? A phishing
email may claim to be from a legitimate company and when you click the link to the website, it may look
exactly like the real website. The email may ask you to fill in the information but the email may not
contain your name. Most phishing emails will start with “Dear Customer” so you should be alert when
you come across these emails. When in doubt, go directly to the source rather than clicking a potentially
dangerous link.

3. Install an Anti-Phishing Toolbar – Most popular Internet browsers can be customized with anti-
phishing toolbars. Such toolbars run quick checks on the sites that you are visiting and compare them to
lists of known phishing sites. If you stumble upon a malicious site, the toolbar will alert you about it. This
is just one more layer of protection against phishing scams, and it is completely free.

4. Verify a Site’s Security – It’s natural to be a little wary about supplying sensitive financial information
online. As long as you are on a secure website, however, you shouldn’t run into any trouble. Before
submitting any information, make sure the site’s URL begins with “https” and there should be a closed
lock icon near the address bar. Check for the site’s security certificate as well. If you get a message
stating a certain website may contain malicious files, do not open the website. Never download files
from suspicious emails or websites. Even search engines may show certain links which may lead users to
a phishing webpage which offers low cost products. If the user makes purchases at such a website, the
credit card details will be accessed by cybercriminals.

5. Check Your Online Accounts Regularly – If you don’t visit an online account for a while, someone
could be having a field day with it. Even if you don’t technically need to, check in with each of your
online accounts on a regular basis. Get into the habit of changing your passwords regularly too. To
prevent bank phishing and credit card phishing scams, you should personally check your statements
regularly. Get monthly statements for your financial accounts and check each and every entry carefully
to ensure no fraudulent transactions have been made without your knowledge.

6. Keep Your Browser Up to Date – Security patches are released for popular browsers all the time.
They are released in response to the security loopholes that phishers and other hackers inevitably
discover and exploit. If you typically ignore messages about updating your browsers, stop. The minute
an update is available, download and install it.

7. Use Firewalls – High-quality firewalls act as buffers between you, your computer and outside
intruders. You should use two different kinds: a desktop firewall and a network firewall. The first option
is a type of software, and the second option is a type of hardware. When used together, they drastically
reduce the odds of hackers and phishers infiltrating your computer or your network.

8. Be Wary of Pop-Ups – Pop-up windows often masquerade as legitimate components of a website. All
too often, though, they are phishing attempts. Many popular browsers allow you to block pop-ups; you
can allow them on a case-by- case basis. If one manages to slip through the cracks, don’t click on the
“cancel” button; such buttons often lead to phishing sites. Instead, click the small “x” in the upper
corner of the window.

9. Never Give Out Personal Information – As a general rule, you should never share personal or
financially sensitive information over the Internet. This rule spans all the way back to the days of
America Online, when users had to be warned constantly due to the success of early phishing scams.
When in doubt, go visit the main website of the company in question, get their number and give them a
call. Most of the phishing emails will direct you to pages where entries for financial or personal
information are required. An Internet user should never make confidential entries through the links
provided in the emails. Never send an email with sensitive information to anyone. Make it a habit to
check the address of the website. A secure website always starts with “https”.

10. Use Antivirus Software – There are plenty of reasons to use antivirus software. Special signatures
that are included with antivirus software guard against known technology workarounds and loopholes.
Just be sure to keep your software up to date. New definitions are added all the time because new
scams are also being dreamed up all the time. Anti-spyware and firewall settings should be used to
prevent phishing attacks and users should update the programs regularly. Firewall protection prevents
access to malicious files by blocking the attacks. Antivirus software scans every file which comes through
the Internet to your computer. It helps to prevent damage to your system.

Finally, the most effective method of avoiding phishing attacks is education. Remember our original
statistic. 83% of all phishing attacks are caused by human error. That means uneducated or unaware
users clicking on links that are dangerous and malicious. Remember it only takes one click on the wrong
link to cause untold business interruption or data loss. Education equals prevention.

For more information on how to prevent phishing attacks or to learn about our comprehensive security
awareness program, contact The Tek.                                                www.thetek.com

Leave a Reply