If you haven’t been hit with a phishing attack, your business is in the minority. According to Cisco’s 2021 Cybersecurity Threat Trends report, at least one person clicked a phishing link in around 86% of organizations.
That one malicious link could cost you a lot. The average phishing attack will set your business back $4.65 million. More advanced types like Business Email Compromise (BEC), which either break into your corporate email account or convincingly impersonate it, cost companies $6 million per year in recovery efforts alone.
And while the prevalence of phishing scams has a lot to do with how profitable they are, their success rate hinges on strategic manipulation and susceptibility.
Phishing emails are increasingly realistic, using personalized language and innovative approaches to throw users, law enforcement, and IT teams off their scent.
The messaging looks legitimate, the brand impersonations seem real, and the malicious sites appear credible.
With phishing scams becoming more dangerous and harder to spot, what can you do to stay vigilant?
Understanding Why Phishing Targets SMBs
Like many misdeeds, phishing is a crime of opportunity. When you run a small business, minimal security resources, expertise, and training can make you a sitting duck.
As explained by eCommerce Times, “Companies with less than 100 employees are 3x more likely to be the target of a cyberattack, but many still lack sufficient security, cybersecurity measures, and resources to avoid or manage risk.”
Want to get better at all of the above? Focus your efforts on avoiding these three phishing hooks:
Be Cautious: Navigating Domains & Websites
It’s easier than ever to create and launch a website. Cybercriminals know that too, and they’ll use every tool available to stage fraudulent phishing sites.
Based on a Fortra analysis of over 100,000 confirmed phishing sites:
- 38.3% used compromised websites
- 37.4% abused free hosting services
- 24.3% used maliciously-registered domain names
Noticing URL redirects or small differences in a website’s design, content, or layout? Be on alert. They could be signs you’re about to get hooked by a potential phishing attack.
Get Secure: Bolstering Wi-Fi, Firewalls, & Filters
Creating a safer digital environment requires layers of protection. That starts with filtering out as much phishy content as possible.
Investigate reputable anti-phishing add-ons for your browsers, firewalls, and security platforms. Many are free and can provide a strong line of defense when coupled with training on how to identify a potential problem.
Next, take steps to secure your network. You may choose to hide your network name (the SSID broadcast by the wireless access point that creates your wireless local area network, or WLAN). Be sure to set a strong password that differs from the router’s default, since the default credentials for many models can be looked up online.
Make sure all your security software stays patched and up-to-date, including any antivirus programs, spam filtering tools, firewalls, and web filters, all of which can prevent a phishing attempt from becoming a successful attack.
Stay Sharp: Training for Spotting a Fake
Of course, even the world’s best security software needs a human element to be truly effective.
Skilled manipulators prey on your most vulnerable emotions. To safeguard against exploitation of user trust, craft comprehensive security training that is updated and conducted on a regular basis. See that it covers new schemes (identified inside your org and elsewhere), best practices for monitoring and identifying an issue, and ways to test the user’s knowledge.
You may even create a cheat sheet that covers tips for spotting fake emails, such as:
- Be cautious of PDF attachments. They’re the most common type of malicious file.
- Inspect the sender. If you don’t know them, or notice that even one letter is off in their name or domain, don’t act on the message until you can confirm it’s legitimate.
- Note the subject line. Seeing any of the following words should raise your hackles: Urgent, Request, Important, Payment, Attention.
- Beware of the generic greeting. Name misspellings and nonspecific terms like customer, employee, or patient should be cause for concern (or at least caution).
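As an added example that is not part of the original article, here are the four cheat-sheet checks above turned into a small Python triage function; the trusted domains and the two sample messages are constructed for illustration, and a one-letter-off sender domain is caught with an edit-distance comparison:

```python
import re

# Constructed for this example: trusted domains, plus the cheat sheet's alert words and generic greetings.
TRUSTED_DOMAINS = {"example-bank.com", "example-vendor.net"}
ALERT_WORDS = {"urgent", "request", "important", "payment", "attention"}
GENERIC_GREETINGS = {"customer", "employee", "patient"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch domains that are a letter or two off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Domain part of 'Name <user@domain>' or 'user@domain', lower-cased."""
    return from_header.rsplit("@", 1)[-1].rstrip("> ").lower()

def triage(msg: dict) -> list:
    """Apply the cheat-sheet checks to one message and return the findings."""
    findings = []
    domain = sender_domain(msg["from"])
    if domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            d = edit_distance(domain, trusted)
            if d <= 2:  # lookalike: a letter swapped, dropped or added
                findings.append(f"sender {domain} is {d} edit(s) from {trusted}")
    hits = set(re.findall(r"[a-z]+", msg["subject"].lower())) & ALERT_WORDS
    if hits:
        findings.append("subject alert words: " + ", ".join(sorted(hits)))
    first_line = (msg["body"].strip().splitlines() or [""])[0].lower()
    m = re.match(r"(dear|hello|hi)\s+([a-z]+)", first_line)
    if m and m.group(2) in GENERIC_GREETINGS:
        findings.append("generic greeting: " + m.group(2))
    if any(name.lower().endswith(".pdf") for name in msg.get("attachments", [])):
        findings.append("PDF attachment present")
    return findings

# Constructed sample messages, not real mail.
PHISH = {"from": "Billing <accounts@examp1e-bank.com>",
         "subject": "URGENT: payment request",
         "body": "Dear Customer,\nPlease review the attached invoice today.",
         "attachments": ["invoice.pdf"]}
LEGIT = {"from": "Alice <alice@example-vendor.net>",
         "subject": "Notes from Tuesday's call",
         "body": "Hi Dana,\nHere are the notes we discussed.",
         "attachments": []}
```

Running `triage(PHISH)` reports all four hooks, while `triage(LEGIT)` returns nothing; in practice the trusted-domain list would come from your own correspondents.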
The Rise of Cybercrime and Scamming as a Service
The dark web is full of scamming services for hire. That means you don’t even need to be skilled enough to orchestrate an attack, just resourced enough to pay for it.
Forbes builds on this by noting that, “2023 will see a rise in one-stop-shop fraud services. Underground virtual marketplaces are on the rise with end-to-end services that allow low-skill threat actors to target SMBs.”
It’s difficult to defend against an enemy you can’t see, but with aware cybercitizens and the right security resources, you’ll be off the hook.