Protecting Your Small Business from Scammers and Hackers
As technology continues to advance, it’s important for business owners – no matter the size – to ensure their data and information are protected. And recent events (the 2017 Equifax data breach and the 11-year-old hacker) have shown just how important cybersecurity is.
Let’s take a look at some numbers:
- Half of all small businesses had data breaches between 2016 and 2017
- Nearly two-thirds of attacks are on small or medium businesses
- $84,000-$148,000 is the average cost of a data breach for small businesses
- 90 percent of small businesses don’t use cyber protection
With these numbers in mind, let’s break down the types of cyber attacks your small business may encounter and how to safeguard against them.
With the frequency of cyber attacks on the rise (and the costs so high), here are 13 defenses you can use to protect your business.
- Implement firewalls to act as a barrier between your data and attackers.
- Invest in anti-malware software.
- Train employees on cybersecurity best practices.
- Change passwords every 60-90 days.
- Require strong passwords, including longer character length, special characters and more. (81 percent of attacks were due to weak, lost or stolen passwords.)
- Use multifactor authentication to verify users.
- Test your applications and verify that patches are applied.
- Use artificial intelligence to predict and identify threats.
- Run simulated attack scenarios so employees stay up to date on the latest scams and procedures.
- Back up your data and information.
- Create a mobile device action plan.
- Secure Wi-Fi networks.
- Limit employee access to data and information to what each role needs.
Below, we’ll cover three of the most popular types of cyber attacks, what they are and how to avoid them to protect your business and your customers.
PHISHING
Phishing refers to the many ways scammers steal personally identifiable information (PII) or financial information, or trick individuals into sharing it. Scammers disguise themselves as a trusted source through official-looking emails or through Caller-ID spoofing, which lets them display the same number as the organization they’re posing as. Phishing through phone calls is known as vishing (voice phishing).
These types of scams can be hard to identify because they adapt frequently. However, these types of attacks are usually tied to popular services or current events. For example:
- Impersonating the Internal Revenue Service (IRS) and requesting additional information or payments
- Spoofing your own phone number and disguising themselves as your mobile carrier, demanding payment on a delinquency
The Federal Trade Commission (FTC) especially warns against scammers posing as debt collectors. Watch out for:
- Mention of a loan you don’t recognize
- Refusing to give you a mailing address or phone number
- Asking you for any form of PII
How to avoid phishing
There are a few ways to avoid being a victim of a phishing attack.
First, confirm the source of the information. This is broken down into two areas:
- Via email
  - Look at the sender’s email address.
  - Cross-check the language, tone and requests with an email you’ve previously received from the company (that you know is valid).
  - Look for misspellings and grammatical errors.
  - Hover over the link (do not click on it). If the link does not look legitimate, it’s probably not valid.
  - Are you being addressed by name? Most companies will address customers directly by name.
  - If the email requests personal information, it’s a scam. Legitimate companies will not ask for PII via email.
  - Contact the company yourself (via a trusted email address or phone number) to confirm the claims.
- Via phone
  - Ask the caller for their name, company, address and phone number.
  - If the caller refuses to give you this information, hang up.
  - Look up the trusted number on the company’s website and call them to confirm the claims.
  - Be wary of an automated voice. These are usually used for reminders (appointments, for example) and not for payments.
  - If personal information is requested, hang up.
How to report phishing
Reporting a scam is just as important as avoiding it. Scammers need to be stopped, and you’ll be helping protect another person from having their information stolen. There are a few ways to go about reporting a scam:
- If the scammer poses as a brand or a bank:
Call the company directly at a trusted number and notify them of the scam. They’ll notify the FTC if it’s an email scam or the Federal Communications Commission (FCC) if the scam is done over the phone. Companies will welcome any and all information to help protect their customers.
- If the scammer poses as the IRS:
First and foremost, the IRS will never call you about taxes you owe without first mailing you a bill. If you’ve received an IRS scam call, report the incident to the Treasury Inspector General for Tax Administration (TIGTA) and use the FTC’s Complaint Assistant (add “IRS telephone scam” to the comments).
- If the scammer poses as your business:
File official complaints to the FTC and the FCC. To file a complaint with the FTC, use the Complaint Assistant or call 1-877-382-4357. To file a complaint with the FCC, use the Consumer Complaint Center or call 888-225-5322.
RANSOMWARE
Ransomware is a type of malware (malicious software) that threatens you with harm. Usually, this means it denies you access to your data and demands a ransom to restore it (although the attackers may not restore access even after you pay). Some well-known examples of malware include:
While people may think only large companies and organizations are at risk from these attacks, that’s not the case. Some ransomware spreads automatically across the web, and attackers often look specifically for people and organizations with weaker security in place.
Most law enforcement agencies say not to pay ransomware attackers (they often do not restore access to your data even after payment, and paying encourages them to keep these scams going). Instead, should you be a victim of ransomware, reboot your system into “Safe Mode”, install verified antimalware software, scan the system and restore your computer to its previous state.
If you’re unsure of any of these steps, contact a professional to help you remove the malware.
How to avoid ransomware
Ransomware can be quite costly to businesses. So, here are four tips on protecting your sensitive information from hackers.
- Ensure your operating system is patched and up-to-date.
- Only install software and give out administrative privileges if you know exactly what the software is and what it does.
- Back up files on a frequent and automatic basis. While this doesn’t stop attacks, it does diminish the damage caused by one.
- Install antivirus and whitelisting software. Antivirus software can detect ransomware as soon as it arrives, and whitelisting prevents unauthorized applications from executing.
SOCIALLY ENGINEERED MALWARE
First, social engineering is the practice of setting “traps” for internet users: through psychological manipulation, the attacker earns the user’s trust and gets them to hand over personal information. Attackers use various methods to build this level of trust, one of which is socially engineered malware.
With socially engineered malware, attackers send links, images or email attachments and ask you to click or download them. If you do, you’ve just installed malware on your computer that collects your information and sends it to an address the attacker configured in advance. While this is similar to phishing, it’s not quite the same, especially since little persuasion is needed to get users to fall into the trap.
How to avoid socially engineered malware
Social engineers send convincing emails, which can make scams hard to tell apart from legitimate emails if you’re not sure what to look for. Here are … precautions, so you can avoid being attacked.
- Invest in a solid email services provider to detect and move scam attempts to your junk or spam folders.
- Use a secure web browser.
- Invest in verified security software.
- Continue to read up on the latest scam attempts.
- Never download or click links until you know they’re verified. Hover over links to see if they look fishy.
- Double-check the sender’s address. For example, if you use Microsoft Outlook, you may receive an email telling you to free up space in your inbox. This is a scam, and you can tell by the email address: the sender’s domain should end in “microsoft.com”, not “microsoft.something.com”. If anything sits in the “something” position, the email comes from a different domain and is most likely a scam.
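A scripted version of two of the email checks above (the sender’s real domain and the hover-over-the-link check), added here as an example and not part of the original article; the trusted domain, sample headers and links are constructed:

```python
# Added example, not from the original article: automates the "look at the
# sender's address" and "hover over the link" checks. The trusted domain and
# the sample inputs used in the tests are constructed for illustration.
from email.utils import parseaddr
from urllib.parse import urlparse


def registered_under(host: str, trusted: str) -> bool:
    """True only if host is exactly `trusted` or a subdomain of it.
    Comparing on a label boundary rejects 'microsoft.something.com' (really
    something.com) and 'notmicrosoft.com', which a bare endswith() would accept."""
    host = host.lower().rstrip(".")
    trusted = trusted.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header. The display name is ignored
    because it can say anything, e.g. 'Microsoft Support <x@mail.example>'."""
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""  # no usable address at all
    return addr.rsplit("@", 1)[1].lower()


def sender_is_trusted(from_header: str, trusted: str) -> bool:
    domain = sender_domain(from_header)
    return bool(domain) and registered_under(domain, trusted)


def link_is_suspicious(visible_text: str, href: str, trusted: str) -> bool:
    """The hover check: the real target must sit under the trusted domain, and
    if the visible text is itself a URL its host must match the real target."""
    target = urlparse(href.strip())
    if target.scheme not in ("http", "https") or not target.hostname:
        return True  # javascript:, data:, mailto: or malformed target
    if not registered_under(target.hostname, trusted):
        return True
    shown = urlparse(visible_text.strip())
    if shown.scheme in ("http", "https") and shown.hostname:
        return shown.hostname.lower() != target.hostname.lower()
    return False
```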
It’s important to get ahead of attacks before they happen. By doing so, you’ll build deeper trust between you and your customers/clients and spare yourself the costs an attack may cause. Keep an eye out for these types of scams while improving your cybersecurity efforts, and start putting an action plan in place in case your data is breached.