By Jennifer Bowring, VP, Sr. Treasury Management Sales Advisor at Camden National Bank

Business email compromises (BEC) and phishing attacks are thriving. With the dynamic nature of the world business markets combining with fraudster access to self-reported information on social media, it’s the perfect cybersecurity storm. Fraudsters know it’s just a matter of playing the numbers game and waiting. The more phishing attempts they send, the more chances they have of getting an unsuspecting individual to take the bait and click on an infected link, attachment, or picture.

Most often, these attacks are aimed at individuals that play a role in the finance chain of a business. Businesses must remain vigilant, stay informed of fraud trends, and be able to recognize when attackers are attempting to gain access to sensitive data and business funds. Being aware of what these scams look like and having a plan in place with best practices can reduce the risk of becoming a victim.

Phishing attacks are one of the most common ways fraudsters lure businesses into actions that allow them to access your sensitive data for financial gain. Let’s jump in and learn more about what a phishing attack looks like.

Common Types of Phishing Attacks

Email Phishing – The most common type of phishing occurs when a fraudster creates an email that looks like it was sent from someone you know at work or do business with. It lures you into sharing sensitive data using a phony hyperlink, fake attachment, and/or urgent language. Once clicked on, malicious software—or “malware”—can be used to capture keystrokes and “lay in waiting” until enough sensitive information is gathered by the fraudster, who will then attempt to gain access to things like emails, online banking, business networks, and customer databases.

Malware Phishing – This is the use of infected hyperlinks, attachments, pictures, or QR codes in an email that manipulate users into clicking on malware using urgent or fear-inducing language.

Spear Phishing – This is a highly customized cyber-attack meant for a specific individual. Spear phishing attacks are perpetrated through gathering social media info and creating a customized communication that feels authentic and familiar.

Whaling Phishing – Fraudsters use this to target an executive or other “big fish” at a company. (Even though whales are not fish but mammals!) Intense research is done by the fraudster to create a personalized and authentic-feeling phishing attempt that looks for the right moment to steal sensitive business information.

Smishing Phishing – Scammers use text messages designed to look like companies you do business with. The texts contain infected links that, once clicked, will deposit malware or other nefarious types of electronic mechanisms on your devices. These can be used to capture keystrokes and lay in waiting until the fraudster gathers enough information to access your sensitive data.

Best Business Practices to Help Prevent a Phishing Attack

Be aware of the latest phishing scams. Phishing fraudsters are constantly coming up with new ways to trick people. Stay up to date on the latest scams so you can protect yourself.

Pause. Scrutinize emails and websites that ask for sensitive information. Phishing emails and websites often look legitimate, but there are usually some red flags that prove they are not authentic: 

  • The email address may not be from the company it claims—hover over the email address to see the actual address in the “to” field
  • Small deviations from the legitimate email address, like “.org” versus “.com”
  • Urgent language within the email
  • Misspellings or obvious grammatical errors
  • Websites that have a different URL than the company’s known website address

With artificial intelligence now being more widely used by fraudsters, the above examples are not always the case, but this gives you a solid checklist to help identify red flags.

Don’t click on links you aren’t expecting or don’t recognize. Phishing emails and websites often contain links that take you to fake websites. If you click on a link, you could become infected with malware or otherwise provide an assailant with access to your sensitive business information.

Use strong passwords with no more than a 90-day expiration. Passwords are the gatekeepers to your sensitive data. They should be at least 10 characters long and include special characters, upper case letters, and numbers. Using a phrase is a much stronger way to create passwords compared to familiar words or other passwords that you already use for social media, email, general business systems, etc. You should also change your passwords regularly, and do so even more often for financial accounts.

Share less online. Fraudsters are always trolling for information on social media, and they use this information to target businesses. Be careful about what you share. Ensure that your privacy settings reflect the highest level of security possible.

Always have two-factor authentication enabled. Two-factor authentication provides an extra layer of security to your accounts by requiring you to enter a code from your phone in addition to your password. This makes it much more difficult for someone to access your account even if they have your credentials.

Use up-to-date security software. Security software can help protect your computer from malware and other threats. Make sure you install security software from a reputable source and always keep it up to date. Patches are just as important as the initial install for full security, as they contain valuable fixes that center on network security and functionality.

Consider implementing these security measures:

  • Firewalls that scan employee access points or track network traffic
  • Routers complete with two-password protection, intrusion prevention, firewall management, denial-of-service coverage, and the ability to support VPN access if you are accommodating remote workers
  • Computers that have two-factor authentication, anti-virus software, and complex passwords

If you are a business and think you may have been the victim of a phishing attack, you should take the following steps:

  • Change your passwords for any accounts you think may have been compromised.
  • Contact your bank to report the fraud and work with your treasury management team to ensure you have the proper fraud protection services in place for your business accounts, including Check Positive Pay and ACH Positive Pay.
  • Visit the FBI’s Internet Crime Complaint Center (IC3) webpage to open a case.

Phishing scams can be a serious threat to your business information and financial security, and fixing breaches can be a time-consuming task. By staying aware of fraud trends and implementing these best practices, you can take the first steps toward protecting your business.