Phishing scams are becoming increasingly sophisticated—and worse, increasingly pervasive. Approximately 73% of small businesses report some type of cyberattack each year, with phishing scams among the most common. Unfortunately, these scams can cost your business thousands or even millions of dollars, depending on the type and volume of data compromised by the attack.
Originally, phishing scams were primarily email-related. These days, however, those scams can take different forms, including:
- Vishing, or using phone calls or voice messages to perpetrate a scam
- Smishing, or using text messages that appear to come from reputable companies or providers to advance a scam
- Traditional phishing scams, or using email to perpetrate a scam and gain access to a system
Knowing how scammers may approach your business can make it much easier to prevent the negative impact these scams can have on your business.
Common Phishing Scams
Phishing scams occur when a scammer pretends to be from a known source to infiltrate your company and access data that would otherwise be kept secure. Scammers can masquerade as customers, vendors, or even employees of your own company. They can also use a variety of tactics and strategies to work their way into your company. However, several scams occur more frequently than others.
Fake Invoices
Scammers may send out an invoice for items that your company never ordered. When the person who does the ordering for your company and the person who pays the invoices are different individuals, the scammer hopes that the person responsible for payment will assume the order is routine. They may take the time to craft an invoice that looks like goods or services your company would actually order. In some cases, those invoices may closely resemble the ones sent by your company's real vendors, but request payment to a different account or through a different method.
Tech Support
Tech support scams are some of the most common types of phishing scams because they are relatively easy to carry out. The scammer calls in, pretending to be part of your organization's tech support team. Then, they ask you to do something for them: access a specific area, give them your password, or visit a specific website. Any information you enter as a result ends up in the scammer's hands, and they then use it to access the system themselves. They may also use that access to mine data or to plant ransomware or a virus in the system.
Scammers may also pretend that they need IT support and use information gleaned about employees to get access to the company’s systems. Take, for example, the recent MGM phishing attack. Scattered Spider used LinkedIn to identify a current employee of MGM Resorts and, while masquerading as them, called the MGM IT help desk to request assistance logging into the account. The scammer spent 10 minutes on the phone with IT and was able to gain administrator privileges to MGM’s Okta and Azure tenant environments—a substantial breach of the company’s systems.
Email Scams
Email phishing scams occur when a scammer sends an email that looks like it comes from a legitimate source. Often, those emails encourage employees to take immediate action on a problem: visiting a website quickly to update their login credentials, for example. Although the message appears to come from a trusted sender, it may contain small errors or inconsistencies that give it away. For example, when you click on the sender's name, the underlying email address may show that it does not come from the assumed source or the correct domain.
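As an added illustration (not the article's own code), the header checks described above can be automated: the example below parses two constructed sample messages and flags a sender domain outside an assumed vendor allowlist, a display name that borrows a trusted vendor's name, a Reply-To domain that differs from the From domain, and pressure language in the subject.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real mail); the lookalike one shows the tells the article describes.
LEGIT = (
    "From: AcmeCorp Billing <billing@acmecorp.example>\n"
    "To: ap@yourco.example\nSubject: Invoice 1042\n\nPlease see attached.\n"
)
LOOKALIKE = (
    "From: AcmeCorp Billing <billing@acmecorp-invoices.example>\n"
    "Reply-To: acme-payments@free-mail.example\n"
    "To: ap@yourco.example\nSubject: URGENT: update your login today\n\nClick the link below.\n"
)
TRUSTED_DOMAINS = {"acmecorp.example"}  # assumed vendor allowlist, maintained by your business
URGENCY_WORDS = ("urgent", "immediately", "suspended", "today")


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_message(raw, trusted_domains=TRUSTED_DOMAINS):
    """Return the list of red flags found in the headers (empty list means nothing suspicious)."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    flags = []
    if from_dom not in trusted_domains:
        flags.append(f"sender domain {from_dom!r} is not a known vendor domain")
        # Display name imitates a trusted vendor while the address domain does not match.
        claimed = [d for d in trusted_domains if d.split(".")[0] in display_name.lower()]
        if claimed:
            flags.append(f"display name {display_name!r} imitates {claimed[0]}")
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(parseaddr(reply_to)[1]) != from_dom:
        flags.append("Reply-To domain differs from the From domain")
    subject = str(msg.get("Subject", "")).lower()
    if any(word in subject for word in URGENCY_WORDS):
        flags.append("subject uses pressure language")
    return flags


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE)):
        print(label, "->", check_message(raw) or ["no flags"])
```

In practice these checks complement, rather than replace, an email security product; they are most useful as a filter that routes flagged invoices and credential requests to a human for verification.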
Impersonation
Many scammers will attempt to impersonate someone who can intimidate you or your employees into giving information or providing payment. For example, they may pretend to be from a utility company and insist that they will cut off your service if you do not provide immediate payment, or they may pretend to be from a government organization and insist that you need to provide payment or information as soon as possible to avoid legal action.
Tactics Employed By Scammers
Phishing scams are often highly sophisticated. At their root, however, they rely on common tactics to increase the odds that you, or your employees, will take the bait and provide them with the information they’re looking for.
False Urgency
Scammers will often try to impress a sense of false urgency on you. This way, they can encourage you to provide them with the information they’re looking for. A fake IT call might try to convince an employee that they need to act fast—and without consulting a manager—to prevent a serious problem for the business, while a scammer pressuring an employee to pay a fake invoice might make noise about taking legal action or adding fines if payment is not rendered.
Specificity
Scammers often have very specific actions that they want employees to take. They want them to click directly on a link in an email, visit a specific website outside the usual company domain, or use a specific payment method—often an unfamiliar one, like gift cards or cryptocurrency. These actions often prey on people’s desire to be helpful. Specificity serves as a red flag that lets employees know they need to avoid taking further action with the scammer.
Scammers may also target highly specific people within your organization, a tactic known as whaling. Whaling typically targets high-profile individuals in positions of authority. Emails, calls, and other content are aimed at reaching those individuals directly, bypassing the other employees who would normally answer questions or solve problems.
False Trust
Often, scammers will pretend to be someone you trust. In the case of many types of phishing scams, including spearphishing (a method that targets a specific individual within an organization, often to secure their credentials), they have done their research. They may know a great deal about the target organization and whom it does business with. In addition, they will often impersonate individuals seen as authority figures. This increases the odds that employees will react out of a sense of trust.
Protecting Your Business Against Phishing Scams
Phishing scams are becoming an increasingly serious problem for many businesses. It is important to make sure that yours is as protected as possible. That’s not always as easy as it sounds—but there are things you can do to increase your overall protection.
Email Filters and Security Software
Using email security software can ensure that you catch phishing emails before they make it to your employees. With the right filters, you can catch many phishing attempts and stop them in their tracks. Managed security services can help ensure that you have the right security solutions to protect your business.
Employee Training
When it comes to protecting your business from phishing scams, your employees are the first line of defense. Employees who are well-informed about the possibility of scams and what they may look like are better able to protect your business against them. They learn how to spot scammers, how to respond to them, and what to do in case of a threat. Implementing regular employee security training can go a long way toward helping keep your business running and avoiding the potential impact of phishing scams.
Regular Testing
Testing is a critical part of ensuring that your employees are prepared and vigilant against scams. Testers can call or email in an attempt to phish your employees. If they take the bait, you know that they need additional training to help protect them and your company. That testing can also provide employees with a better idea of what scammers may look like. This way, if they encounter one in real life, they’re better prepared to respond.
Clear Processes
In addition to training and testing employees, your business needs to have clear processes for responding to potential threats. What should employees do if they encounter a scammer, especially if they believe that they may have inadvertently provided access to secure information? Ensure your business has clear policies and processes to respond quickly and effectively in the event of a threat.
Get Help Protecting Your Business From Phishing Scams
At NetTech Consultants, we offer managed IT services, including managed security services that can help protect your business against scams. Contact us today to learn more about how we can provide the services you need to increase your business’s security.