Spear Phishing: Three Things You Need to Know
Editor’s Note: The following article was originally published by the National Federation of Independent Business (NFIB).
As a small business owner, you have lots of things on your to-do list. Cybersecurity might not be at the top of that list, but it should be. Phishing emails from scammers can harvest lots of sensitive information, and small businesses are increasingly an appealing target.
For example, in October 2018 the FBI warned of a scam in which attackers use login credentials harvested through targeted emails to log in to a company’s HR and payroll platforms and redirect an employee’s direct deposits to accounts the attackers control. Known as spear phishing, these targeted online attacks are common in the months preceding tax season, when employees flood their employers with requests for W-2s and other tax-related information.
“Spear phishing often comes from international organized crime groups that have now come to the realization that a small business is a really juicy target,” says NFIB member Joe Balsarotti, founder of Software To Go in St. Peters, Missouri. “It’s about the same procedure as going after an individual, but, for them, the payoff is higher.”
Here are three things to keep in mind next time you check your inbox.
1. Spear Phishing is Sophisticated
You’re probably already familiar with the term phishing, in which would-be identity thieves send a fraudulent email, typically carrying a malicious link or attachment, in an attempt to gather personal information or infect devices with malware. Spear phishing has the same end goal in mind, but the approach tends to be much more targeted and personalized, says NFIB member Allen Perk, founder of XLN SYSTEMS Inc., in Columbus, Ohio. Instead of sending the same email to a huge crowd, the thief directs a personalized email to one individual.
“For instance, about 18 months ago the administrative assistant to the director of a large organization received an email that she thought came from the director,” says Perk. “The email asked the assistant to send back a spreadsheet containing all of the W-2 information for their employees, which the assistant did.”
If that email had been sent to everyone at the organization, it’s doubtful anyone would have thought it was legitimate. Because it was specifically directed toward the assistant, it seemed more authentic, he says.
2. Employees May Be Your Best Defense
There are software options on the market to spot and block phishing attempts, says Perk, but for spear phishing, it’s really hard to get a large percentage of them pulled out of your email queue. While larger businesses with big budgets might task the IT department to more closely monitor emails, that extra expense isn’t an option for many small businesses or entrepreneurs.
Luckily, the most effective alternative also happens to carry a low price tag: employee education. “Training your employees is easily the most effective way to fight spear phishing,” says Perk. Too often, employees aren’t taught even the basics of how to spot potential email scams or how to react, but business owners must realize that their business email accounts may be more enticing to scammers than someone’s personal email.
Teaching employees to better defend your business starts with training them to pause before they fire off a response to every email. In fact, one sign of spear phishing is that the emailer wants the recipient to send something important immediately, says Perk. “The request comes across as crucial, alarming, and big,” he says. As a result, people react quickly rather than taking a second to question who sent it.
3. There Are Telltale Signs to Spot
As you work with your employees, it’s important to share best practices to ensure that cybersecurity efforts aren’t a one-off event. For example:
- Read through the email carefully for misspellings or sloppy grammar that could be a red flag.
- Double-check the “from” field: the display name is whatever the sender chose to show, so look at the actual address and its domain, and watch for visual tricks (such as replacing the “o” in Bob with a zero).
- Hover the mouse over any link to see its real destination before clicking.
“A spear phishing email might include a link that looks like it will direct you to chase.com, for example, but if you mouse over it, you’ll see that it goes to a completely different website,” says Perk.
Keeping your small business safe from cybersecurity threats is easier than you think. Sharing best practices and taking proactive measures can help keep risks at bay.