Small business owners are overwhelmingly on the receiving end of cyber attacks. More than three-quarters of the companies targeted by malicious hackers are small shops — those without a dedicated security team — according to the recently released Verizon Data Breach Investigations Report (DBIR).
The most common way they get taken advantage of is malicious emails, or “phishing emails,” as they’re commonly referred to. They are “the no. 1 cause of cybersecurity incidents bar none,” said Oren Falkowitz, a former NSA employee and now CEO of cyber defense start-up Area 1 Security.
Disguised as notes from loved ones or even an employer, crooks piece together what appear to be legitimate emails that, as Falkowitz notes “ask you to click on a file or a link or increasingly with fileless or linkless message to take some sort of action,” and then “enter [a] password, transfer money through a fraudulent wire or send W2s out.” These emails can be as painfully obvious as a note from an exotic prince or as deviously deceptive as the fake email alert that led to the hack of the DNC.
The vast majority of security incidents start with cybersecurity threat and a whopping 30 percent of these phishing emails get opened. (The average office worker receives more than a 100 emails a day.) Phishing emails lead to infections that corrupt some of our most sensitive business machines with ransomware — nasty malware that encrypts files — or captures our usernames and passwords.
The risk is real and prevalent. Here are some useful and free ways to help keep your small business safe:
If it looks phish-y, call the sender to verify.
Whenever you receive an email containing a link or an attachment that just doesn’t make sense, check it out. In fact, anytime you receive something that appears important, call the sender to verify what they sent, and ask them to describe the links or attachments.
Related: The Biggest Threats in Your Inbox
Establish strong credentials.
One of the most common-sense — and overlooked — suggestions in the DBIR is turning on two-factor authentication for administrative access to web apps that contain sensitive company or customer information. The process involves signing in with your passcode and then receiving a special code text directly to your phone or app.
Last year, during a meeting at UC-Berkeley, Dropbox’s then-Chief Trust Officer Patrick Heim told the Commission on Enhancing National Cybersecurity that less than one percent of the services’ users take advantage of the extra protection. (Researchers at Carnegie Mellon University recently published a password meter that will help you make your passwords strong. You can find it here.)
Ask yourself if your employees really need access to all of the computers that run your business? As small shop owners scale their businesses, they often give all their managers access to the shop’s computers. My advice — make sure that your managers are following the same rules you are. If you have a single work machine that holds all your invoicing and spreadsheets, you don’t want your manager potentially getting phish’d when she checks her Hotmail.
It’s not just email.
Emails aren’t the only place where you have to be vigilant. Digital con artists also send malicious attachments and links over text messages — so-called SMS phishing, or SMiShing. They attempt to do the same over social media. And, sometimes they even attempt to “socially engineer” victims over phone calls. That’s called Vishing.
Visually validate websites.
Many phishing messages take you to web forms or other sites that look legit, but, on closer inspection, are truly phish-y. Some criminals take over the neglected parts of websites and host malware or other phishing content. It’s called “parasite hosting.”
Even though the recent WannaCrypt0r attacks — which ravaged networks worldwide — weren’t seemingly spread by email, they could have been upended by hitting an update button. Before the ransomware ever compromised the computer systems of the UK’s National Health Service or Spanish telecommunications company Telefónica, Microsoft issued a patch that would have stopped the virus cold.
Indeed, in order to stay safe in Windows, I recommend small businesses that use simple software enable automatic updates. Most importantly, just remember, no matter how many hundreds or even thousands of emails that you receive, never trust embedded links or attached files.