Over the last few months, we’ve encountered a growing number of merchants falling prey to phishing scams. It goes a little something like this:
You’re emailed or called by (what seems to be) a legitimate organization informing you about a chargeback issued against your company. Chargebacks are important to deal with, so, sensing the need for urgency, you provide the sender – or caller – with information about your company: your Merchant ID, EIN, contact telephone number and address.
Cut to Gravity: We receive a communication from the attacker, often a phone call, quoting the information you provided, requesting that we change your business banking details and contact information.
It is our responsibility to protect you and we have many safeguards in place to shelter you and your business from malicious attacks like these. But we think it’s equally important that you know how to identify and safeguard against these sophisticated phishing attacks, and stop them before they begin.
In this article you will learn:
- What phishing is
- Different methods of phishing, including:
  - Business Email Compromise (BEC)
  - Phone scams and vishing (voice phishing)
  - Malware attacks
  - Social engineering
- How to adequately protect your business against phishing
What is Phishing?
Phishing is a cybercrime tactic wherein attackers deceive you, or your employees, into revealing sensitive business information, such as login credentials, banking details, or other business data (social security numbers, EINs, MIDs). These attackers typically disguise themselves as trustworthy organizations, often impersonating businesses you work with (your bank, payment processor, software providers), through seemingly legitimate emails, messages, phone calls, or websites.
Types of Phishing Scams
Business Email Compromise (BEC)
Imagine you run a small manufacturing company. One day, an employee in the finance department, Simon, receives an urgent email from an address that, at a glance, appears to belong to company leadership. The email tells him that a vendor, Widget, has asked the company to update its banking information for an upcoming invoice payment. Simon, believing it is a legitimate request, updates the details and pays the invoice.
He thinks no more of it until the following week, when Widget calls about an unpaid invoice. After an internal meeting, it becomes clear that Simon was scammed: leadership never sent the request, and the funds have been transferred into the attacker’s account.
Business Email Compromise (BEC) is a sophisticated phishing scam in which the attacker impersonates a known vendor, high-level executive or company contact in order to trick an employee into sending money or sharing sensitive information. These emails are often convincing because they are based on research and reference insider knowledge to appear legitimate.
“Social engineering” is often deployed as a tactic in BEC attacks, and is best viewed as an “old school” con artist’s technique. Psychology and persuasion are used to gain the trust of a target (often using relevant details such as the names of employees and vendors, and other insider knowledge) so they lower their guard and divulge sensitive information.
How to identify BEC warning signs:
- Incorrect sender information. Do the “from” and “reply-to” addresses match each other? Does the sender domain match the company? For example, an email from Sam Adams at Widget comes from firstname.lastname@example.org or [email protected] instead of [email protected].
- Unusual requests from senior management. When receiving a request, ask yourself if this is a routine request? Does anything feel unusual? Is this usually the way this manager requests this task?
- Sense of urgency or confidentiality. Does the email ask you to take action immediately? Or is there any attempt to keep this interaction a secret? Attackers will often try and prevent you from validating the request.
- Unusual invoices. Was this invoice unsolicited or unusual in its timing? Is the format and information provided on the invoice (date, account number, contact information) consistent with others from this vendor?
- Typos and foreign formats. Is the email written in broken English (or whichever language your company uses), or does it feature odd sentence structures or spellings? If it is inconsistent with the people or company you work with, this should be cause for concern.
Phone Scams and Vishing
You own a small retail store. One afternoon, you receive a call from someone claiming to be from a well-known banking institution. They inform you that your business account has been compromised. They ask you to verify your account information, adding that “this is an urgent matter.”
Phishing doesn’t only occur through email. Phone scams and vishing (voice phishing) involve attackers impersonating legitimate organizations or authorities (think IRS or the Social Security Administration) over the phone. They aim to extract sensitive information, such as account numbers or passwords, from you and unsuspecting employees. Vishing attacks often manipulate victims’ emotions, urging them to act quickly under the pretext of avoiding legal troubles or security breaches.
How to identify phone scams
While phishing scams of this nature regularly evolve, you can stay vigilant by looking out for the following:
- A manufactured sense of urgency.
- Does the offer sound too good to be true? It’s likely that you haven’t won a cash prize or scored a surefire business opportunity.
- A request for money. A legitimate organization will not ask you for money over the phone.
- You are solicited for personal information. Unless you have called a verified, reputable organization yourself, do not share personal information – even your date of birth.
- You cannot verify the caller or their organization. A legitimate business will not mind you verifying their information. If you are suspicious, hang up and call the organization back directly.
Malware Attacks
You manage a small marketing agency. One of your employees opens an email attachment that looks like a client’s invoice. They click on it, accidentally downloading malicious software, or “malware”. The malware infects your company’s computer network, causing data loss and disruption to your services.
Malware is another weapon in the phishing arsenal. Cybercriminals use malicious software to infiltrate systems and steal sensitive data or disrupt operations. An employee who inadvertently installs malware on their computer poses a risk to your whole company. Malware can spread through infected attachments, links, or compromised websites, putting small businesses at risk of data breaches and financial losses.
Identifying and protecting against Malware
Malware is difficult to spot, and exposure can be very serious. Here are some tips to help:
- Dubious Links. Scrutinize every link, and review hyperlinks before clicking on them (right click > Copy Hyperlink > paste into a document). Subtle misspellings or letter substitutions, like “g0ogle.com”, may seem fine at a glance, but are indicative of malicious software or websites.
- Take extra care with attachments. Never open an attachment unless you know – and have verified – who has sent it, and what it is.
- Use strong passwords. Reusing the same password on different sites makes you an easy target. Use a password manager (highly recommended; make sure to vet the provider carefully), or use strong, unique passwords together with multi-factor authentication to keep your accounts secure.
- Update your systems regularly. Operating systems like Windows and macOS regularly deploy patches and fixes for known vulnerabilities and malware attacks. Set updates to run automatically to keep your operating system current.
- Look for the padlock in your web browser. There should be a padlock displayed in the address bar of every site you visit. When there isn’t, the connection is not encrypted and your data is not safe in transit. Note that the padlock only tells you the connection is encrypted, not that the site is who it claims to be, so still check the address itself.
- Does your device seem “off”? Lots of pop ups? Freezing and crashing? Less storage space? These are indicators of malware.
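The checks listed under the BEC warning signs (do “from” and “reply-to” match, does the sender domain match the vendor) and the “g0ogle.com” letter-substitution check above can be turned into a small screening script. This is an added Python example, not code from the original article or from Gravity; the vendor domain widget.com, the two sample messages and the substitution table are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages for this example (not real mail).
SUSPICIOUS_MSG = """From: Sam Adams <sam.adams@widget-billing.net>
Reply-To: accounts@w1dget.com
Subject: URGENT: updated bank details for invoice 4471

Please update our banking information before paying today's invoice.
"""
NORMAL_MSG = """From: Sam Adams <sam.adams@widget.com>
Subject: Invoice 4471

Attached is this month's invoice, same account as usual.
"""

# Undo common look-alike substitutions (0 for o, 1/l for i, 3 for e, ...) so that
# "g0ogle.com" and "google.com" collapse to the same string. Constructed table.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "l": "i", "3": "e", "5": "s", "7": "t", "8": "b"})
URGENCY_WORDS = ("urgent", "immediately", "today", "confidential", "do not discuss")

def normalize(host: str) -> str:
    return host.lower().translate(SUBSTITUTIONS)

def lookalike_host(candidate: str, legit: str) -> bool:
    """True when candidate differs from legit but matches it after undoing substitutions."""
    return candidate.lower() != legit.lower() and normalize(candidate) == normalize(legit)

def domain_of(header_value) -> str:
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def bec_warning_signs(raw_message: str, vendor_domain: str) -> list:
    """Return the warning signs from the checklist that apply to one email from a known vendor."""
    msg = message_from_string(raw_message)
    sender, reply_to = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    signs = []
    if reply_to and reply_to != sender:
        signs.append(f"reply-to domain {reply_to} differs from sender domain {sender}")
    for label, dom in (("sender", sender), ("reply-to", reply_to)):
        if not dom or dom == vendor_domain.lower():
            continue
        if lookalike_host(dom, vendor_domain):
            signs.append(f"{label} domain {dom} is a look-alike of {vendor_domain}")
        elif vendor_domain.split(".")[0] in dom:  # heuristic: vendor name inside another domain
            signs.append(f"{label} domain {dom} reuses the vendor name but is not {vendor_domain}")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if re.search(r"bank(ing)? (details|information)", text):
        signs.append("asks to change banking details")
    if any(word in text for word in URGENCY_WORDS):
        signs.append("manufactured urgency or secrecy")
    return signs
```

Run against the suspicious sample it reports the mismatched reply-to, the look-alike domain, the banking-change request and the urgency; the routine invoice reports nothing. A flagged message is a prompt to verify by phone on a known number, not a verdict.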
Protecting Your Small Business
- Education and Awareness. We do it regularly at Gravity, and encourage you to do so, too: Invest in employee training to raise awareness about phishing threats. Teach your staff how to recognize suspicious emails, links, and attachments. Encourage a culture of “question and verify”, particularly as it relates to unexpected requests.
- Robust Email Security. Google claims that it blocks 99% of spam, phishing and malware attacks on the Gmail platform, but it is worth exploring more advanced email security solutions if you can afford them. These solutions can help filter out malicious emails and protect your inbox from potential threats.
- Multi-Factor Authentication (MFA). Require MFA across all accounts and systems. Even if attackers obtain login credentials, they won’t be able to access sensitive data without the second authentication factor (these are regularly texted or emailed codes, or links).
- Vigilance with Monetary Transactions. Establish strict protocols for all transactions and require secondary authorization for significant transactions. Encourage employees to verify internally before acting on urgent requests.
- Regular Software Updates. Regularly update operating systems, software, and applications to patch vulnerabilities that attackers might exploit. Outdated systems can serve as entry points for malware.
- Firewall and Antivirus Protection. Install reliable firewall and antivirus software to detect and block malware before it can infiltrate your systems.
- Perform Regular Back-Ups. Frequently back up your business data to an encrypted, offsite location. In the event of a malware attack or data breach, you can quickly restore your information without paying a ransom. Avoid using USB drives that can easily be lost.
- Create an Incident Response Plan. Develop a plan outlining steps to take in case of a phishing attack. This plan should involve isolating affected systems, notifying stakeholders, and collaborating with law enforcement if necessary.
If you cannot hire a qualified staff member to take the lead in cyber security, we advise contracting a reputable IT service provider to assist you.
Particularly with the proliferation of AI, phishing attacks continue to evolve in complexity and become increasingly hard to detect. By understanding the different forms of phishing, such as BEC, phone scams, vishing, and malware attacks, and implementing proactive security measures, your business can significantly reduce the risk of falling victim to these cybercrimes.