
Don’t get caught – how small businesses can avoid phishing scams


By Paul Vlissidis, senior advisor at NCC Group

Phishing is arguably one of the oldest and still most effective attack methods around, and there is a good reason it has endured: as awareness of classic spam emails has risen, attackers have shifted to far more targeted attempts to gain access to sensitive data held by organisations.

Gone are the days of clumsily put-together, generic emails from an unnamed CEO asking for money to be transferred. Modern-day phishing attempts are frequently highly sophisticated and very convincing.

Using data that’s often freely available online, such as addresses, job titles and email addresses, experienced cyber criminals can put together personalised emails purporting to be from colleagues or others in a company’s supply chain. These emails often address users by name, are tailored to their responsibilities and mention internal services used by the target organisation. The websites that users click through to will often sit on a lookalike domain that borrows the brand’s name, so the credential-harvesting page appears genuine.

The success of this approach means that phishing scams are still among the most common ways for businesses to be attacked. Analysis of emails sent using our phishing simulation tool, Piranha, found that 23% of employees clicked through to a credential entry form when sent a phishing email at work. With 60% of those who clicked going on to enter their details, phishing scams remain a significant threat to businesses of all sizes.
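The lookalike-domain tactic described above can be checked mechanically before a user ever clicks. The following is an added example written for this page; it is not NCC Group’s Piranha or any code from the original article. It assumes a small allow-list of brand domains (the constructed names examplebank.com and acmepayroll.co.uk), a deliberately crude public-suffix rule, and a constructed sample email.

```python
"""Flag email links whose host imitates a legitimate brand domain.

Added example for this article; it is not NCC Group's Piranha or any other
product. The brand allow-list and the sample email below are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed allow-list: brand keyword -> the registrable domain the brand really uses.
LEGIT_DOMAINS = {
    "examplebank": "examplebank.com",
    "acmepayroll": "acmepayroll.co.uk",
}

# Two-label public suffixes handled by the crude eTLD+1 logic below
# (assumption: a real tool would consult the Public Suffix List instead).
SECOND_LEVEL = {"co", "org", "ac", "gov"}


def registrable_domain(host: str) -> str:
    """Return the registrable part of a hostname, e.g. 'a.b.examplebank.com' -> 'examplebank.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Classify one URL as legitimate, lookalike, typosquat, raw IP address or unknown."""
    host = urlparse(url).hostname or ""
    if not host:
        return "no host"
    if host.replace(".", "").isdigit():
        return "raw IP address"
    reg = registrable_domain(host)
    core = reg.split(".")[0]
    for brand, legit in LEGIT_DOMAINS.items():
        if reg == legit:
            return "legitimate"
        # Brand name used as a subdomain or prefix of somebody else's domain,
        # e.g. examplebank.com.secure-login.example
        if brand in host:
            return f"lookalike: '{brand}' appears in host but domain is {reg}"
        # Registrable domain one or two edits away from the brand, e.g. exampleb4nk.com
        if core != brand and edit_distance(core, brand) <= 2:
            return f"typosquat of {legit}: {reg}"
    return "unknown"


ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def scan_html(html: str) -> list:
    """Classify every <a href> and note when the visible link text shows a different host."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        verdict = classify_link(href)
        shown = urlparse(text.strip()).hostname  # None unless the text itself is a URL
        real = urlparse(href).hostname
        if shown and shown != real:
            verdict += f"; link text shows {shown} but goes to {real}"
        findings.append((href, verdict))
    return findings


# Constructed sample message: one display/href mismatch, one brand-prefixed
# host on a third-party domain, and one genuine link.
SAMPLE_EMAIL = """\
<p>Dear Alice, your payroll record needs attention before Friday.</p>
<a href="https://examplebank.com.secure-login.example/verify">https://www.examplebank.com/login</a>
<a href="https://acmepayroll-hr.com/login">Review your payslip</a>
<a href="https://www.examplebank.com/statements">Download your statements</a>
"""

if __name__ == "__main__":
    for href, verdict in scan_html(SAMPLE_EMAIL):
        print(f"{verdict}\n    {href}")
```

Running it prints a verdict per link. The first link is the classic case from the paragraph above: the visible text shows the bank’s real address while the href points at a host that merely starts with the brand name. The suffix and edit-distance rules are intentionally simple; a production mail filter would use the Public Suffix List and a much larger brand list.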

The small steps of clicking on a link in an email and entering credentials can provide attackers with the foothold they need to infiltrate an organisation, often with devastating consequences. The government and the cyber security industry are taking strides towards reducing the success of phishing campaigns: the National Cyber Security Centre (NCSC) recently released a report which revealed that it took down more than 120,000 unique phishing websites in 2017. But takedowns only remove sites that are already live, and small businesses still need to take their own steps to stay secure.

Employee awareness is key. It’s important for small businesses to invest time in training staff to identify malicious emails and to question any message that asks them for usernames, passwords or other sensitive details, however plausible the sender looks.

Because some employees will click on a link in a phishing email regardless, it’s also important for small businesses to put measures in place that limit the damage when that happens. One way of doing this is to apply least privilege: give staff access only to the resources their job requires, and keep day-to-day user accounts free of administrator rights, so that a phished password does not hand an attacker the keys to sensitive data.

Password managers can also help to prevent password reuse, which otherwise gives criminals an easy way to turn one phished password into access to data across an organisation.

The prevalence of phishing emails, and the likelihood that employees will click on them, means that small businesses need to remain vigilant against these targeted scams and ensure that all systems and apps are fully patched, so that a single click is less likely to lead to a compromise. If staff awareness is combined with strong security measures and processes, including an up-to-date antivirus product, it will stand organisations in good stead in the face of these increasingly tailored attacks.