Whether you are a small business or a large corporation (or something in between), you are at risk of phishing, a form of social engineering that uses email or malicious websites to solicit personal information by posing as a trustworthy organization.
Phishing Scams To Look Out For When Running a Small Business
When phishers target small businesses, they often send employees emails or texts that appear to come from a familiar source (a vendor, a client, or even a co-worker at the company). The scammers may forge or closely imitate recognizable email addresses (a look-alike domain, or a familiar name in the display-name field in front of an unrelated address) and embed corporate logos. They may even search publicly available sources for the name of a colleague at your business and use it to overcome an employee’s suspicions.
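The sender tricks described above can be checked mechanically before anyone acts on a message. The following is an added example written for this page, not code from the original article: it parses a raw message with Python's standard library and flags three tells (a display name that looks like an address at a different domain, a Reply-To that redirects answers elsewhere, and a look-alike of a domain the business actually deals with). The vendor domain list, the confusable-character table, the 0.85 similarity threshold and the sample messages are all constructed for illustration.

```python
"""Flag common sender-spoofing tells in an inbound e-mail.

Example added by the editor, not code from the original article. The vendor
domain list, the similarity threshold and the sample messages are constructed
for illustration only.
"""
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: domains this business really exchanges mail with.
KNOWN_DOMAINS = {"acme-supplies.com", "ups.com", "example-bank.com"}

# Character swaps used to build look-alike domains (illustrative, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Similarity at or above which a domain is treated as imitating a known one (assumed).
LOOKALIKE_THRESHOLD = 0.85


def normalize(domain):
    """Fold confusable characters so 'acme-supp1ies.com' compares equal to 'acme-supplies.com'."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def lookalike_of(domain):
    """Return the known domain that `domain` imitates, or None if it is known or unrelated."""
    if not domain or domain in KNOWN_DOMAINS:
        return None
    best, best_ratio = None, 0.0
    for known in KNOWN_DOMAINS:
        ratio = SequenceMatcher(None, normalize(domain), normalize(known)).ratio()
        if ratio > best_ratio:
            best, best_ratio = known, ratio
    return best if best_ratio >= LOOKALIKE_THRESHOLD else None


def domain_of(addr):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message):
    """Return indicator codes derived from the sender fields of an RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_addr)
    indicators = []

    # 1. Display name that looks like an address at another domain: "ups@ups.com" <x@freemail>.
    if "@" in from_name and domain_of(from_name) != from_domain:
        indicators.append("display-name-mismatch")

    # 2. Replies silently redirected to a domain other than the visible sender's.
    if reply_domain and reply_domain != from_domain:
        indicators.append("reply-to-mismatch")

    # 3. Either domain is a typo-squat or homoglyph copy of a vendor we know.
    for domain in dict.fromkeys((from_domain, reply_domain)):
        target = lookalike_of(domain)
        if target:
            indicators.append(f"lookalike-domain:{target}")
    return indicators


# Constructed sample messages (not real traffic).
LEGIT_MSG = 'From: "Jane Doe" <jane@acme-supplies.com>\nSubject: Invoice 1042\n\nAttached as usual.\n'
SPOOF_MSG = ('From: "Accounts Payable" <billing@acme-supp1ies.com>\n'
             'Reply-To: payments@mail-secure-invoices.net\n'
             'Subject: Updated bank details\n\nPlease wire to the new account.\n')
DISPLAY_MSG = 'From: "ups@ups.com" <tracking@freemail.example>\nSubject: Shipping Information\n\nSee link.\n'

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MSG), ("spoof", SPOOF_MSG), ("display", DISPLAY_MSG)):
        print(label, phishing_indicators(raw))
```

The look-alike check folds characters such as `1` and `l` before comparing, because that substitution is what makes `acme-supp1ies.com` pass a quick glance; an empty result from `phishing_indicators` is not proof that a message is safe, only that it shows none of these three tells.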
In July 2018, the internet security company Comodo disclosed a phishing campaign targeting small businesses. More than 3,000 small businesses and their employees received emails with the subject line “Shipping Information”. Taking the link for a UPS tracking code, employees clicked it, and the link delivered malware onto their machines.
Phishing Scams Targeting Real Estate Professionals
More and more phishing scams are targeting real estate professionals and their clients. A report from the cybersecurity firm eSentire found that real estate was the second most-targeted industry hit by malware events in the second quarter of 2018.
Phishers scam real estate professionals by taking information published on real estate sites and using it to target victims. They may see listings that are “under contract” and then use the contact information of the real estate agent to insert themselves into the transaction, posing as the agent.
The FBI states that you should be “wary of any communication that is exclusively email based and establish a secondary means of communication for verification purposes.”
Phishing Scams To Look Out For When Running an Accounting Firm
If you work for an accounting firm, you may have noticed a rise in phishing attacks during tax season. In 2017, one phishing scam involved an attacker pretending to be from the IRS, who asked for legal or tax forms such as a W-2 or W-9. The attacker then used the employee W-2 or contractor W-9 data to file fraudulent tax returns.
Businesses should always be cautious when sharing passwords, login names, Social Security numbers, or other personal information by email.
Phishing Scams in the Healthcare Field
Phishing attacks are frequent in the healthcare sector, and it’s easy to see why. Phishers want people’s health histories, their personally identifiable information, and their financial data.
In 2014, a company called Ameriforge Group Inc. was the victim of a CEO phishing attack (also called CEO fraud or business email compromise) that cost it close to half a million dollars. The company’s accountant received an email from someone pretending to be the CEO. The email instructed the accountant to work with a lawyer from another company on a highly sensitive matter, which “required” the accountant to wire $480,000 to a bank account in China. By the time the accountant realized something was not right, the money and the scammers were gone without a trace.
How Can I Protect My Business?
In many phishing attacks, employees comply with the request before checking whether it was legitimate. If you suspect a message is a phishing scam, reach out through other official channels (use a known phone number to call the person directly, contact their assistant, or simply speak with the alleged requester face to face). Do not use phone numbers or links supplied in the suspicious message itself.
Implement employee cyber security awareness training.
Cyber security awareness training can be delivered in person or online. Simulated phishing tests should be run periodically to measure whether the training is working and to identify areas to focus on in future sessions.
Try using email signing certificates.
Email signing certificates (S/MIME) let every employee digitally sign outgoing mail so recipients can verify that a message really came from the holder of that certificate and was not altered in transit. The certificates are issued by certificate authorities (CAs) trusted by common mail clients. Making signing mandatory gives recipients something stronger to check than the From header, which an attacker can forge: an unsigned or badly signed message that claims to come from a colleague becomes a warning sign in itself. A valid signature only proves control of the signing key, so it does not help when the sender’s own mailbox or device has been compromised.
Look Into Cyber Insurance
Without cyber insurance, recovering from a phishing attack can be incredibly difficult. Cyber policies can cover everything from identity theft to cyber extortion, data breaches (including breaches of cloud-hosted data) and credit card fraud. In general, cyber insurance covers your business for risks relating to its information technology infrastructure and activities, including data breaches involving sensitive customer and employee information such as Social Security numbers, credit card numbers and health records.
Cyber insurance coverage can be a far-ranging list, but there are two main categories: first-party and third-party. First-party coverage pays your own expenses when your network is hacked or your data is stolen. Third-party coverage protects you when a customer or partner sues you for allowing a data breach to happen (either because of something you did or failed to do). Based on your industry, Honig Conte Porrino can help guide you toward the provisions you should be most concerned about.