Spear phishing lessons for small businesses


Andy Hinxman discusses how small companies can protect themselves against the latest scam. 

‘Just when I thought I was out…they pull me back in’. If you are a fan of the Godfather films you will know this line comes from Michael Corleone, head of the family, who is trying to turn his father’s criminal business into one which is legitimate.

It often feels like that when you are dealing with spammers. Just when you have got one system sorted out and you think everything is OK, guess what? The fraudsters come up with something new. To beat the spammers you have to be on constant alert and make sure that whoever is looking after your IT is ahead of the game.

The latest scam is known as spear phishing. It is an email that appears to be from an individual or business that you know. It may even appear to be from you as the managing director of the company. Only it isn’t. It’s from the same criminal hackers who want your credit card and bank account numbers, passwords, and the financial information on your computer.

Any of us is a potential target, but more so if you work in finance and accounts. Having access to your company’s bank account details will put you at number one on the list of people the cyber thieves will try to reach.

Here are a few ideas on how to stop those phishing expeditions.

  • Have controls in place so more than one person is needed to approve any payments. This makes sense whether the amount is large or small. The reason is that once you have paid out, the spammers will then have confirmed your company’s details and can use that to drain the account. If it is your own company it would be devastating to think of all your hard work going to benefit criminals who have no qualms about stealing from you or your business. The good thing about running a small business is you will know your staff, your accountant, your bookkeeper and your suppliers so you can always pick up the phone to double check.
  • Look at the language that is used in these spear phishing emails. Fraudsters may have done some research on your LinkedIn or Facebook profile to be able to copycat your email or an employee’s. When I say copycat I mean they simply forge the sender address (known as spoofing) so the message looks as if it was sent by you. They can’t actually steal your email account, but to anyone on the receiving end the message will appear to be genuine. A good way for you and your employees to check this is by actually reading the content carefully. Most spam emails are generated automatically, so the wording may sound robotic or alien. Are those phrases the sort of language you would expect in an email supposedly from a supplier, bank or accountant? Also get your staff to look out for sentences where the sender asks for a “wire transfer”, which is not a typical British expression. We tend to talk about BACS or a bank transfer.
  • You may of course be working remotely, so you won’t actually be able to see your colleagues to ask about a potential scam email. What you can do to double check is ask the email sender to give you their telephone number so you can call them yourself and ask them to validate their request for a transfer. If they don’t reply or make some feeble excuse, then you know you have got them. If they do give you a number, that doesn’t mean they are not from the criminal fraternity; it simply means they have installed a phone line. If you get to speak to them, use it as your own fishing expedition to glean more information to give to your boss or IT team to check out. Banks often have an email address to which you can forward the spam, and a helpline too if you are concerned about dodgy emails. If you are asked for money, ask the sender of the email to send you an invoice. No legitimate business operates without invoices.
  • If you find yourself working from home a good deal, and of course many small businesses do, make sure the IT security measures you have in place are as robust as those in the office. Malicious websites can pull information from your computer without you even knowing, so some form of web protection or control is crucial. Be as strict about passwords on your home computer as you are in the office. Passwords need to be long and a mix of letters and numbers, plus a few special characters thrown in for good measure too. Make them difficult to guess and change them every 90 days.
  • Check that your anti-virus, anti-spam and web protection are up to date. It can save you thousands of pounds and hours of heartache. SPF (not the sunscreen, but the Sender Policy Framework we use) works by publishing a record of which mail servers are allowed to send from your domain, in our case @keybridgeit. When a message arrives claiming to be from one of our addresses, the receiving server matches the server that actually sent it against that record. If it doesn’t match, the message fails the test and goes straight to junk.
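As an added illustration of the SPF check described above (not code from the original article or from Keybridge IT), here is a minimal evaluator of the decision a receiving mail server makes. It uses a constructed table of SPF records in place of real DNS lookups and the example domains and IP ranges are assumptions, not real infrastructure.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (not real domains).
# The business allows its own address block plus whatever its mail provider allows.
SPF_RECORDS = {
    "example-smallbiz.test": "v=spf1 ip4:203.0.113.0/24 include:mail-provider.test -all",
    "mail-provider.test": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# Qualifier prefixes as defined by SPF; a bare mechanism means "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Return the SPF result for mail claiming to come from `domain` but
    actually delivered from `sender_ip`.  Handles the ip4, ip6, include and
    all mechanisms, answering lookups from the `records` table, not DNS."""
    if depth > 10:
        return "permerror"          # SPF limits nested lookups to stop loops
    record = records.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"               # no policy published; receiver cannot decide
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # A v4 address never matches a v6 network, and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include only matches when the included domain's policy passes.
            if check_spf(arg, sender_ip, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                # fell off the end without a match


def should_junk(domain, sender_ip):
    """The receiving-side decision the article describes: a hard fail goes to junk."""
    return check_spf(domain, sender_ip) == "fail"
```

A spoofed message from an address outside both records (for example 192.0.2.7) fails against the "-all" rule and would be junked, while mail relayed through the provider's listed servers passes via the include.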

So in short, it is all about having the right protection, being vigilant, and checking and double checking everything, including any email address, before you reply. The scammers, spammers and spear phishers are working hard to catch you out.
