With phishing on the rise, don’t get hooked

In 2017 Australians lost $340 million to scammers, according to the Australian Competition and Consumer Commission (ACCC) 2018 Targeting Scams Report, equating to a $40 million increase compared to 2016. Today, more than 200,000 scam reports have been submitted to the ACCC, Australian Cybercrime Online Reporting Network and other federal and state-based government agencies.

With the rapid rate of digitisation and our ever-increasing reliance on services to store valuable information, cybercriminals are given more incentives than ever to work their way into your data and make use of it for personal gain.

Previously, a successful cyber attack (say, through someone’s email account) gave access to the data of one person. While that’s concerning enough, the integration of our digital environment has multiplied this threat immensely. If your small business uses shared drives, cloud services (like Dropbox or Google Docs) or servers, it takes just one weak link in your cybersecurity chain for highly sensitive company-wide information to be compromised.

What is the main threat of phishing?

Phishing attacks are tech-savvy attempts to trick you into sharing personal information such as bank accounts, passwords and credit card numbers. These attacks come from scammers pretending to be legitimate and genuine businesses, and you can be contacted via email, social media, phone calls or even a text message.

According to Webroot’s Mid-Year Threat Report, phishing attacks rose by more than 60 per cent from January to June 2018. Phishing continues to be an effective method of breaking into small-business networks: it takes just one person being fooled for the threat actor to obtain all credentials and compromise data. Such an attack can have tremendous consequences, ranging from reputational damage and financial losses to legal action.

What can be done about it?

Cybercriminals don’t stand still. It’s worth their time and effort to seek innovative ways to break through the digital defences of small businesses, so it’s important to stay protected.

Here are my top tips for keeping your small business safe from phishing attacks.

  • Always be educating: With threats continuously evolving, so must employee cybersecurity training. Training during onboarding isn’t enough. Employees need ongoing security awareness training to address the latest and most dangerous attacks.
  • Email from my boss or my attacker? Phishing is the top attack vector, with cybercriminals becoming sneakier than ever. Even if the sender looks familiar, be sure to check that the sender’s email address is legitimate, and don’t click unknown links in social media, email or text messages. Regular phishing attack simulations maximise awareness of different phishing methods and minimise the many consequences.
  • Evaluate your risk profile: Every business has different risk factors. If you don’t have the expertise, a Managed Service Provider (MSP) can assess your security posture and work with you to develop a plan for ongoing risk mitigation.
  • Plan for the worst: Develop a data breach response plan that includes security experts to call and a communications response plan to notify customers, staff, and the public. Make sure you are regularly backing up your data with hard data and offline versions. According to Webroot’s SMB Cybersecurity Preparedness report, Australian mid-sized businesses estimate a cyber attack would cost on average $994,025 – a huge loss for any business.

Dan Slattery, Senior Information Security Analyst, Webroot