Gone phishing: Protect your company against cyber crime
It’s no secret that cyber attacks are on the rise and becoming more sophisticated every day. In fact, according to The 2019 Hiscox Cyber Readiness Report™, 53% of US firms were victims of cyber crime in the past 12 months, up from 28% in 2018.
There’s one type of attack that small business owners should be particularly aware of, because it is both simple and effective for hackers. It’s phishing, and here’s what you need to know to avoid falling for it hook, line and sinker.
What is phishing?
Phishing is a way that hackers gain access to a computer system or sensitive information. They send an email that may look as though it comes from a familiar address – perhaps even one that’s inside the organization – that includes a link. The link looks like it will open an important file or take you to a website, but in fact it may infect your computer system with a virus or malware. Some phishing attempts will ask you for log-in credentials which are then used to access your accounts.
There are different kinds of phishing, including spear phishing (targeted phishing emails), smishing (phishing by text message), and others, but they are all forms of social engineering designed to separate consumers or companies from their sensitive data or assets.
How can it be prevented?
The first step in preventing phishing is to recognize it. Here are some telltale signs that an email may be a phishing attempt.
1. An email address that doesn’t look quite right. If your company uses first.last@company.com for email addresses, don’t open one that is addressed from flast@company.com. But keep in mind that valid email addresses can be spoofed, so even if the address is correct, the email may be fraudulent.
Verify the sender’s email address by hovering over it in the preview pane. The actual address the message came from will appear. If it’s not what you were expecting, don’t open it!
2. There’s a link in the email that you’re instructed – or even threatened – to click on. As with the sender’s email address, you can hover over the link to see where clicking it will take you. If it’s a phishing attempt, the web address will be different from what you’d expect to see.
Never click on a link in an email unless you’re absolutely sure it’s legitimate. Instead, type in the website address yourself.
3. The request is out of character for the sender. An urgent message from the CFO to an accounting clerk asking for an immediate wire transfer of funds is a huge red flag. So is a request that is described as ‘secret’ or sent outside of business hours, or a request from a vendor to wire payment to a different account.
Confirm any request to transfer funds with the requester, either by phone or face to face.
4. The language or format of the message may be unsophisticated or incorrect. A message that appears to be from a large corporation but includes spelling or grammatical errors is suspect.
That said, hackers often steal the logos of major companies and spoof their email addresses. Don’t assume that an email that looks like it’s from your bank actually is.
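Signs 1 and 2 above can be checked automatically as well as by eye. The script below is an added example (not from the Hiscox report or this article) that parses a raw email with Python’s standard library and flags two things: a sender whose actual address is not on the expected company domain, and any link whose visible text names one website while its real href points to another. The sample message, the domains and the function names are constructed for illustration.

```python
"""Flag two telltale phishing signs in a raw email: a sender address that
is not on the expected domain, and links whose visible text points somewhere
other than the real href. Standard library only; the sample message below
is constructed for illustration and is not a real email."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name and the link text look legitimate,
# the actual sender address and href do not.
SAMPLE_EMAIL = """\
From: "Jane Doe (CFO)" <jane.doe@examp1e-payroll.test>
To: clerk@example.com
Subject: URGENT wire transfer
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please approve the transfer today at
<a href="http://login.example-secure.test/verify">https://portal.example.com/approve</a>
</p>
<p>Policies: <a href="https://www.example.com/policies">https://www.example.com/policies</a></p>
</body></html>
"""


def host_of(url):
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(msg, expected_domain):
    """Sign 1: the address behind the display name is not on our domain."""
    name, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    if domain != expected_domain.lower():
        return [f"sender {name!r} uses address {addr!r}, not @{expected_domain}"]
    return []


def check_links(msg):
    """Sign 2: the link text shows one host, the href goes to another."""
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings  # plain-text mail: nothing to compare against
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, text in collector.links:
        shown = host_of(text) if "://" in text else ""
        if shown and shown != host_of(href):
            findings.append(f"link shows {shown!r} but goes to {host_of(href)!r}")
    return findings


def analyze(raw_email, expected_domain):
    """Run both checks and return a list of human-readable findings."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    return check_sender(msg, expected_domain) + check_links(msg)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL, "example.com"):
        print("SUSPICIOUS:", finding)
```

Run against the sample it reports both the off-domain sender and the mismatched link; a message from the right domain whose link text and href agree produces no findings. The link check only fires when the visible text itself is a URL, which is exactly the case the hover-to-verify advice above is about, so it complements rather than replaces the human check.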
What if someone in my company gets a phishing email?
The first instinct is often to delete the message, but a better plan is to notify your IT department or consultant. Don’t open the message beyond the preview pane, and certainly don’t click on any links. Once IT gives you the all-clear, delete the message and, if you forwarded the message to IT for investigation, delete the forwarded message as well. If you handle your own IT issues, follow your internet service provider’s guidelines for reporting suspicious email.
Notify everyone in your organization so they know to be on the lookout – hackers will often target many employees in the same company.
Staying one step ahead of hackers can seem like a full-time job, but it’s critical to keeping your business safe from cyber crime. For more on how to be cyber ready, download the 2019 Hiscox Cyber Readiness Report.