A common form of fraud that targets online businesses is phishing. It happens when cybercriminals send emails or social media messages designed to steal confidential business data, which the phishers then use for fraudulent activities. According to the 2015 Q3 report by the Anti-Phishing Working Group (APWG), phishing attacks continue to rise, a threat that businesses need to take seriously. We have compiled some quick and easy tips to help you protect your business from this type of fraud:
Spot phishing emails
Cybercriminals steal data by tricking businesses into clicking a link or visiting a website named in an email message. To get readers to do that, phishing emails typically carry messages that can sound too good to be true. Common phishing emails have these subjects:
- Messages from people/customers claiming to be stranded in another country, asking you to wire money to their location so that they can come home.
- Messages from organizations such as banks, insurance companies, and government agencies, asking you to provide business details to check on financial transactions and insurance claims.
- Customer complaints, with links as reference to your business’ faulty products/services.
- Threats that claim to harm a business or its employees, unless confidential information is provided or money is deposited to a given bank account.
Aside from these subjects, phishing emails often have spelling/grammar errors, contain exploit-laden attachments (carrying a virus, or another way to grab the reader’s data), use generic greetings, come from sender addresses that resemble corporate ones (e.g. legitimate email: firstname.lastname@example.org vs. fake email: email@example.com), and contain misleading links in the body that redirect readers to fake websites. As a rule of thumb when spotting phishing emails: if it sounds too good (or, for threats, too bad) to be true, it is probably a fake message sent to your business.
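As an added illustration (not code from the original article), the following Python script checks a single raw email for three of the traits listed above: a sender domain that is not the company’s own, a generic greeting, and a link whose visible text names one site while its href points to another. The trusted domain, the greeting list and the sample message (including the lookalike domain) are constructed assumptions for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.org"}   # assumed: the business's own mail domain(s)
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL or of a bare 'www.site.tld/path' string."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def phishing_indicators(raw_email, trusted=TRUSTED_DOMAINS):
    """Return the phishing traits (from the list above) found in one raw message."""
    msg, found = message_from_string(raw_email), []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_domain and sender_domain not in trusted:          # lookalike or unknown sender
        found.append(f"sender domain {sender_domain!r} is not a company domain")
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")
    if body.lower().lstrip().startswith(GENERIC_GREETINGS):     # no personal salutation
        found.append("generic greeting")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:                          # text names one site, href another
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I) and host_of(text) != host_of(href):
            found.append(f"link text {text!r} actually points to {host_of(href)!r}")
    return found
# Constructed sample message; the lookalike domain is invented for this example
SAMPLE = ("From: Support <support@examp1e-org.com>\nTo: owner@example.org\n"
          "Content-Type: text/html; charset=utf-8\n\nDear Customer,<br>Please "
          '<a href="http://login.examp1e-org.com/verify">www.example.org/login</a> now.\n')
print(phishing_indicators(SAMPLE))
```

The sample trips all three checks; a message from a trusted domain with a personal greeting and matching link text returns an empty list.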
Train your employees
Aside from the messages mentioned above, phishers (with access to a company’s employee database) also target a business’ employees with emails disguised as internal messages from owners or managers.
In fact, the 2015 Carbanak attack, the largest cyberheist discovered by Kaspersky Lab, which resulted in losses of $2.5-10 million from each of 100+ banks worldwide, was initiated by phishing emails sent to bank employees.
Given the losses phishing can cause, business owners need to properly train their employees on how to spot phishing emails and what to do when they encounter them. You can do this by letting them know how your business handles correspondence (what your emails look like, what your email signatures are, the tone/voice of your company’s emails, etc.), giving them guidelines on the phishing email traits described in the point above, and telling them how to report a suspicious email to managers/owners.
Educating your employees to identify phishing emails, and to understand how serious and damaging phishing is, will help protect your business from fraud.
Invest in software
Make sure that your website is protected with anti-phishing software. Some examples are Kaspersky Internet Security, Mozilla Thunderbird, and McAfee SiteAdvisor. For online credit card payments, make sure that your website keeps up with the latest PCI-DSS (Payment Card Industry Data Security Standard) requirements and patches for finding and preventing security vulnerabilities. To save time and let you focus on your business, integrate with a PCI-DSS compliant payment processor for secure online transactions. More information on payment processing and fraud protection can be found in our article here.
Have trusted partners
Find out more about your business connections, whether they are other businesses, partners such as banks and payment processors, or even your customers. Building working relationships with these connections will help you learn how they communicate with your business: their tone of voice, what their typical correspondence looks like, their direct lines of communication, and how often they send you messages. Building trust with your business connections also means you can contact them directly to verify any suspicious email that appears to come from them.
Cybercriminals continuously change and improve their phishing attacks. Make sure that you stay up to date with news on phishing and other online fraud by connecting with anti-phishing industry experts. Some good references on phishing can be found on the APWG website (which releases quarterly phishing reports) and the PCI-DSS website.
You can find more industry and business guides/tips on our blog.