How to protect your small business from phishing scams

Phishing scams are on the rise across the US. They target companies of all sizes and industries, regardless of the safety measures you take. But there are ways to protect yourself and your employees— if you know what to look for! 

Since March 2020, 81% of businesses around the world have been targeted by email-based phishing attacks. While all kinds of businesses face phishing attacks, small businesses have the highest rate of fraud— even more than large companies and non-business owners. But despite the growing threat, only one in five businesses train their employees on anti-phishing tactics each year. It’s no wonder then that nearly 25% of major data breaches are caused by an employee falling for a phishing attack. 

Phishing has always been a problem. But in today’s work-from-home world, the risks are higher

Google reports that there are now 75 times as many phishing websites (sites that pretend to be reputable but actually steal information) as there are malware sites. In other words, your employees are 75x more likely to stumble upon a fake website trying to steal their credentials than a site that could infect their computer with a virus. Advanced anti-virus software can protect them from malware, but phishing preys directly on your employees’ sense of judgement. 

Today’s scammers have come up with exceptionally clever ways to fool your employees. Often, phishing emails will come with a subject line like HR: Please complete this benefits document or [your company name]: quick IT request. In 2021, one of the most common phishing attacks was an email from “HR” asking employees to complete a satisfaction survey. That survey required them to enter their company credentials, giving scammers access to thousands of employee accounts around the world. 

How to spot a phishing attack

Most phishing attacks are delivered through email. But they can also come through your video-conferencing software, your messaging system, your file-sharing platform, or text. When it comes to phishing emails, the majority of these malicious messages are sent through free email providers. And over half come from Gmail accounts. 

Here are a few tipoffs you and your employees should be on the lookout for: 



• Be wary of emails that include strange typos or language. Especially if the typo is in their company’s name, email address, or website. Many scammers will mimic reputable companies by changing the name or logo slightly. If you don’t read carefully, you can easily mistake a malicious email for a safe one.



• Phishers often pose as reputable companies offering a helpful service, following up on a bill, or performing a system checkup. The company scammers impersonate the most often is Microsoft . If you receive emails asking for sensitive information about your computer, passwords, or payment information, do not submit those details. If you think the request could be legitimate, always look up the company and call them directly to verify the request. 



• If you receive an email asking for payment, confirm the invoice first. Scammers often get away with submitting phony invoices to companies that process invoices without double-checking their legitimacy. Even in small teams, if your accounting department is isolated from the rest of your business, it’s easy for a fake invoice to sneak in.

How to protect yourself and your employees from small business phishing attacks

The number one thing you and your employees can do to keep yourself protected is to avoid sharing sensitive information through email, clicking on links in emails, or submitting forms sent to you via email. In short, exercise caution when using email! This is the most common— and easiest— method attackers use to harm small businesses. If you or one of your employees does uncover a phishing scam, tell your whole team. Typically, scammers will target several employees at the same organization around the same time, using the same tactics. 

The Federal Trade Commission also offers a detailed brochure you can order for free to distribute to your team. This publication is full of tips and best practices to keep your small business safe from cyberattacks. 

When it comes to stopping phishing attacks, education and awareness are key. Cyber-attacks are expensive, but prevention is free!