Phishers — unscrupulous Internet lurkers who try to get your username, password, credit card number and other sensitive information by posing as trusted sources — know there’s a big pool of money out there. And, more often than not, to get it, all they need to do is cast a line and wait for prey to bite.
Even Mattel, that household-name manufacturer of children’s toys, took the bait in a recent high-profile phishing scam. When an unnamed executive at Mattel received an email (ostensibly from CEO Christopher Sinclair) requesting a $3 million bank transfer, she approved it without a second thought.
Had the executive not made an off-handed remark to Sinclair later that day about the transfer, Mattel would have been on the hook for those millions.
Phishing may be the oldest trick in hackers’ playbooks, but — as demonstrated by Mattel’s recent snafu — it’s remarkably effective. In fact, phishing cracks the door for more than 90 percent of hacking attacks.
The most devious of these phishing attacks are spear- phishing attempts such as the kind perpetrated on the toy company. A clever variation on traditional phishing, spear phishers collect information about a target’s network to create email bait that appears to be from a trusted source.
And while most companies think they’re equipped to handle these advances, more and more businesses are being tricked by phishers into releasing confidential information.
Little fish make big markets.
According to FBI data, business email-compromise schemes, such as phishing, cost companies $1.2 billion in 2015. And while one might assume that these low-tech, high-yield scams take disproportionately from the pockets of corporate giants, data shows small businesses to be the primary prey.
In 2015, the National Cybersecurity Institute found that 38 percent of spear-phishing attacks targeted companies with fewer than 250 employees. In comparison, just 25 percent of attacks were perpetrated against companies with more than 2,500 employees.
The reason? Hackers know that small businesses are more worried about getting off the ground than spoofed emails or international scammers. Essentially, entrepreneurs don’t expect to be targets.
Entrepreneurs who utilize two-party authentication of transfers are somewhat protected, but even that security measure couldn’t save Mattel from a clever attack. The only way entrepreneurs can truly prevent phishers from snagging them is through cultural awareness and communication.
Get phishers’ lines out of your pond.
No matter how much training employees receive, a specious sender can still slip under the radar. Entrepreneurs, here’s how to create a secure environment that keeps phishers out:
1. Step away from the inbox.
As soon as a request for classified information or a wire transfer hits an employee’s inbox, his or her first step should be to pick up the phone. This applies in particular to commonly targeted departments, like accounts payable or account services.
And if anyone, regardless of the department involved, receives a request for passwords or credit card information — the proverbial “keys to the business” — he or she should contact the supposed sender immediately to verify the request.
For example, when my CFO received an email asking for approval of an invoice, he Slacked me to check that I had indeed sent the invoice. Upon investigation, we discovered the invoice to be a phishing attempt, and, worse, it was loaded with a Trojan virus. Our double-check system paid off, and the invoice was deleted.
2. Trust, but verify.
The recent DocuSign scam was a huge wake-up call for business and individuals. Even when working with a trusted third party, check that the browser’s “https” has switched to “httpss,” which signifies a safe, encrypted connection. When you’re in Google Chrome or Internet Explorer, a lock icon in the URL bar verifies you’re in safe territory.
It may seem like wasted time, but a minute spent verifying a software request in your inbox is better than explaining to your team how you let a scammer steal $3 million. If in doubt, show the request to an IT professional; these are people who’ll never fault you for being cautious.
3. Make caution your guide.
If something seems amiss, it probably is. For instance, if you receive an email from your office manager who writes that she “forgot her password,” don’t just fork over the information. Until you’ve investigated, assume it’s a scammer in disguise.
Think back to your playground days: Even if the man with the candy seemed nice, your mom told you to assume he was out to get you until you learned otherwise. So, be cautious: Make a phone call to the organization, individual or help desk. The extra work was worth it when you were a kid; it’s worth it now.
No one wants to be paranoid, but with so much on the line, it pays to pay attention. When in doubt, get out of the inbox and on to the phone, watch for insecure connections and trust your gut about fishy requests. Don’t get hacked; get smart.