In a recent warning, the Federal Trade Commission (FTC) cautioned consumers and small businesses about the continuing and growing threat of phishing scams. The FTC noted that while cybercriminals still send out mass emails bluntly asking for personal information, their attempts have become more sophisticated: small businesses are now targeted with emails that look like the ones their employees routinely expect to find in their inbox.
How does a phishing scam work?
Scammers have many ways to trick small business employees with a phishing email. Often they pose as a member of upper-level management. Another tactic is to pose as a vendor, client or co-worker the business already works with, so the message raises no suspicion. To make the attempt look more legitimate, the scammer may register an email address or domain that closely resembles the genuine one (a swapped letter, a look-alike character, or a different top-level domain) or embed the company logo in the email. Scammers also research their targets beforehand, using social engineering and publicly available information, so that the request fits the recipient's actual work and seems even more convincing.
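The look-alike addresses described above are something a mail gateway or a help-desk script can check mechanically. The following is an added example, not code from the FTC or from the original article: it reduces a sender's domain to a visual "skeleton" (homoglyphs, digit/letter swaps and punycode decoded) and compares it with the domains the business actually corresponds with. The trusted-domain list and the confusable-character table are constructed assumptions for illustration; a production deployment would load its real vendor list and the full Unicode confusables table.

```python
import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Domains this business legitimately corresponds with (constructed for the
# example; a real deployment would load its vendor and partner list).
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}

# Characters that render like Latin letters: a few Cyrillic and Greek letters
# plus digit/letter pairs. A small, assumed subset of the Unicode confusables
# table, chosen for illustration only.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                 # Cyrillic c x y
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                 # Greek o a v
    "0": "o", "1": "l", "3": "e", "5": "s",
})
# Letter pairs that look like a single letter in many fonts.
PAIRS = (("rn", "m"), ("vv", "w"))


def skeleton(domain: str) -> str:
    """Reduce a domain to what a human would *see*, so that look-alikes collide."""
    if domain.startswith("xn--") or ".xn--" in domain:
        try:  # punycode is the on-the-wire form of internationalised domains
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    d = unicodedata.normalize("NFKC", domain).lower().strip().rstrip(".")
    d = d.translate(HOMOGLYPHS)
    for pair, single in PAIRS:
        d = d.replace(pair, single)
    return d


def classify_sender(from_header: str):
    """Return (verdict, closest_trusted_domain).

    Verdicts: trusted, lookalike (visually identical to a trusted domain),
    suspicious (a character or two away, i.e. a typosquat), unknown, unparseable.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unparseable", None)
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    sk = skeleton(domain)
    closest, best = None, 0.0
    for trusted in TRUSTED_DOMAINS:
        tsk = skeleton(trusted)
        if sk == tsk:  # looks exactly like a trusted domain but is not one
            return ("lookalike", trusted)
        ratio = SequenceMatcher(None, sk, tsk).ratio()
        if ratio > best:
            closest, best = trusted, ratio
    if best >= 0.85:  # threshold is an assumption; tune it on your own traffic
        return ("suspicious", closest)
    return ("unknown", None)


if __name__ == "__main__":
    for header in ("Accounts <billing@acme-supplies.com>",
                   "CEO <ceo@exarnple.com>",            # rn looks like m
                   "CEO <ceo@xn--exmple-4nf.com>",      # Cyrillic a, punycode form
                   "Billing <billing@acme-supplies.co>"):
        print(header, "->", classify_sender(header))
```

Note that this check only looks at the visible From address; a message can also carry a genuine From address that the sender never controlled, which is what the email authentication discussed later on this page is for. Treat "lookalike" and "suspicious" as reasons to route the message to a human reviewer, not as proof of fraud.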
What’s the request?
The request is usually an immediate transfer of funds, justified by some plausible business reason. Depending on the scammer, the email may also include a malicious link in the hope that the victim clicks it; doing so may install malicious code, including ransomware, on their computer.
What can you do?
Training your employees to spot a phishing scam is crucial to preventing these losses. The request usually carries a sense of urgency, so staff must be trained to pause and analyze an email before acting on it. If an email seems unusual or asks for any unexpected transfer or business transaction, the employee who received it should consult management, or contact the company or sender directly to confirm its legitimacy, using a phone number or address already on file rather than the contact details given in the suspicious email.
Humans make mistakes, so have a backup plan
Despite training, cybercriminals are persistent and often very convincing. Make sure your organization backs up its data regularly and keeps those backups separate from your network, so that an infection on the network cannot reach them. Keep your systems up to date with the latest security patches and updates. Look at implementing additional safeguards, such as email authentication (SPF, DKIM and DMARC), to keep phishing emails that forge your domain or a partner's domain from being delivered successfully to your inbox.
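To make the email authentication recommendation concrete, here is an added example that is not part of the FTC statement or the original article. It shows the DNS records a sending domain publishes for SPF, DKIM and DMARC, and a small receiver-side triage that reads the `Authentication-Results` header a mail server stamps on inbound mail and quarantines messages whose DMARC check did not pass. The three messages are constructed, not real captures; the server name `mx.example.com` and the domain names are assumptions. One caveat the code enforces: a sender can add its own `Authentication-Results` header claiming everything passed, so only the header stamped by your own server's authserv-id may be trusted.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# DNS records the *sending* domain publishes so receivers can verify its mail.
# Record syntax is standard; the hostnames and selector are placeholders.
#   acme-supplies.com.                 TXT "v=spf1 mx -all"
#   sel1._domainkey.acme-supplies.com. TXT "v=DKIM1; k=rsa; p=<public key>"
#   _dmarc.acme-supplies.com.          TXT "v=DMARC1; p=reject; rua=mailto:dmarc@acme-supplies.com"

# Identifier our own receiving server writes into Authentication-Results
# (assumption: use the real authserv-id of your mail server).
OUR_AUTHSERV_ID = "mx.example.com"

# Constructed inbound messages (not real captures).
RAW_LEGIT = b"""Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=acme-supplies.com;
 dkim=pass header.d=acme-supplies.com;
 dmarc=pass header.from=acme-supplies.com
From: Accounts <billing@acme-supplies.com>
To: ap@example.com
Subject: Invoice 4471

Please see the attached invoice.
"""

RAW_SPOOFED = b"""Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=bulk-sender.invalid;
 dkim=none;
 dmarc=fail header.from=acme-supplies.com
From: Accounts <billing@acme-supplies.com>
To: ap@example.com
Subject: URGENT wire transfer today

Our bank account has changed. Wire the outstanding balance before 3pm.
"""

# The sender forged an Authentication-Results header of its own; our server
# never stamped this message.
RAW_FORGED_AR = b"""Authentication-Results: evil.invalid; spf=pass; dkim=pass; dmarc=pass
From: CEO <ceo@example.com>
To: ap@example.com
Subject: Quick favour

Buy gift cards and send me the codes.
"""

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")


def parse_auth_results(msg, authserv_id=OUR_AUTHSERV_ID):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from the Authentication-Results
    header stamped by our own server, or None if no trusted header is present."""
    for value in msg.get_all("Authentication-Results", []):
        value = str(value)  # policy.default hands back the unfolded header
        stamped_by = value.split(";", 1)[0].strip()
        if stamped_by.lower() != authserv_id.lower():
            continue  # added by someone else: untrusted, ignore it
        return dict(RESULT_RE.findall(value.lower()))
    return None


def triage(raw_bytes):
    """Return (verdict, results) where verdict is 'deliver' or 'quarantine'."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    results = parse_auth_results(msg)
    _, addr = parseaddr(msg["From"] or "")
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if results is None:
        return ("quarantine", {"reason": "no Authentication-Results from our own server",
                               "from": from_domain})
    if results.get("dmarc") == "pass":
        return ("deliver", results)
    results["from"] = from_domain
    return ("quarantine", results)


if __name__ == "__main__":
    for name, raw in (("legit", RAW_LEGIT), ("spoofed", RAW_SPOOFED), ("forged", RAW_FORGED_AR)):
        print(name, "->", triage(raw))
```

In practice the DMARC verdict is what matters for the recipient: SPF and DKIM each prove something about the sending server or the signed content, and DMARC ties one of them to the domain shown in the From header, which is the domain the employee actually sees. A quarantined message should go to a reviewer rather than straight to the trash, since a partner with a misconfigured SPF record will also fail.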