By Matt Davis
VP/Director, Chief Information Security Officer, ESL Federal Credit Union
In 2020, following the onset of the COVID-19 pandemic, the FBI estimated in an Internet Crime Report that the cost of cybercrimes reached $2.7 billion in that year alone. Closely mirroring that statistic, the U.S. Small Business Administration found that within that same timeframe, roughly 88% of small business owners expressed concerns that their business may be vulnerable to a cyber-attack.
Fraudsters or hackers looking to obtain sensitive information for personal or financial gain will often take advantage of current events or situations, using those headlines as a tactic to craft different types of cyber-attacks or phishing schemes that target our fears or vulnerabilities.
At the onset of the pandemic, it was widely reported that there was an uptick in fraudulent activity as bad actors exploited individuals’ fear of the virus and desire to learn more, crafting customized attacks that left personal and financial information susceptible to fraudsters. Similarly, on a global scale, Russia’s invasion of Ukraine in February led to increased warnings for potentially malicious cyber activity from federal agencies such as the Cybersecurity & Infrastructure Security Agency, prompting organizations to shore up their IT infrastructures against data-wiping software and other potential cyber-attacks deployed amid the conflict.
Small businesses are essential to the social and economic fabric of any community, but they can also be ideal targets for hackers, as they typically lack the IT and cybersecurity resources larger organizations use to protect their business against ever-present cyber threats. However, regardless of size or scale, including the financial or political intent behind any cyber-attack, all organizations should be equipped with the knowledge and resources to reduce the financial and reputational risk these threats can pose to business operations.
Ransomware vs. Phishing
Two social engineering tactics most commonly impact small businesses: ransomware and phishing.
Ransomware is when an attacker encrypts a business’ critical files until a monetary fee or ransom is paid to retrieve the stolen information. Phishing is when fraudsters send legitimate-looking emails to small businesses or employees designed to mislead individuals into disclosing confidential information or click on suspicious links and attachments that deploy malicious software and infect your devices. In phishing attacks, fraudsters may also implement phone or text-messaging schemes that are designed to take advantage of employees’ trust in their organization by tricking them into purchasing gift cards or taking some other time-sensitive action that exposes critical data or information on behalf of the organization.
Phishing tends to be the most common attack method. In reports published this year, it’s been estimated that roughly 90% of all data breaches for organizations can be attributed back to some type of phishing technique or approach. However, both phishing and ransomware pose equal risk to your business operations. From a financial standpoint, paying a ransom fee to retrieve your files or having sensitive financial information used to make unauthorized purchases or transactions can incur steep costs. In addition, each day you have to shut down operations to address a cybersecurity breach negates your ability to bring in revenue, impacting your bottom line.
Reputationally, consumers and employees also put a great deal of trust in businesses to safeguard their information. Therefore, when that trust has been compromised, there’s a risk it could erode your customer base over time, furthering the negative financial impacts posed by cyber-attacks.
Strengthening Your Defenses
With cyber threats now a more frequent occurrence in daily life, there are several safeguards you can put in place to shore up defenses for your business.
- Provide Security Awareness Training: Your employees are usually the first stop or the first target of a cyber-attack, but they can also be your first line of defense against a cybersecurity threat. That’s why it’s critical to provide cybersecurity awareness training for your employees to help further educate and train them about common red flags or what to look for in these types of attacks.
For example, in many social-engineering schemes, phishing emails or text messages will be very time sensitive to try to rush people into an action or quick decision. Often times, hackers will also request confidential information that most organizations don’t typically request in that manner or context (e.g., social security number, financial account information, passwords, etc.). If something seems off about the request, requires very unusual confidential information or is time-bound, it’s probably not legitimate.
Another method to test the legitimacy of an email claiming to be from another business is to give that organization a call directly. However, be sure to look up their phone number separately from any contact information provided, as more sophisticated phishing schemes will set up call centers to field questions to try to bolster legitimacy. In general, I always recommend you go to Google and type in the company’s name to retrieve an independent phone number. Once you have that information, call the organization and ask them to verify the email or request being made to confirm its authenticity. Empowering your employees with the education and resources to defend themselves in these situations will turn them into your biggest cybersecurity advocates to safeguard your business.
- Practice Cybersecurity Hygiene: Another useful preventive measure that will go a long way in helping protect your business from common cybersecurity threats is to ensure your IT systems are patched and up to date, with proper backups in place. Running frequent phishing tests to your employee base will also help you identify areas of concern that could be improved or individuals who may need further education. These tests ultimately help familiarize employees with what to look for in fraudulent emails, how to identify when they’re being targeted and how to report these incidents.
If your business doesn’t have the means or IT infrastructure in place to implement these practices, there are several organizations, including CISA and SANS, that provide accessible tools, tips and resources you can use to further educate and train your employees on cybersecurity awareness best practices.
If you believe you’ve been a victim of fraud or malicious cyber activity, visit our fraud prevention page for additional support and resources.