The number one threat facing small businesses today isn’t viruses and hackers, but phishing attacks. Read more to learn how phishing affects your bottom line and how to defend against this nasty cybercrime.

How proactive and alert are you when it comes to protecting your small business from cyberattacks?

If your security solution is sub-standard or non-existent, then you’ll surely fall prey to cybercrime and scams that can cause substantial losses.

Viruses and trojans are the de facto faces of cybercrime; however, phishing scams are the real problem to watch out for.

It’s a lot scarier than regular malware because anyone can do it – 86% of email attacks don’t even involve malware, and 32% of all data breaches are because of phishing.

Cybercriminals don’t need to write complicated code or use specialized tools to launch a phishing campaign, plus they’re easy to run and almost impossible to trace.

What is Phishing?

Phishing is a type of cybercrime where a target gets tricked into providing sensitive data such as banking details, credit card numbers, passwords, and personally identifiable information.

Criminals impersonate legitimate organizations and contact their targets either through phone, text message, email, or a combination of all three if they have enough of the victims’ details.

The stolen information can be sold to a third party or used to access critical accounts that can lead to identity theft, account takeover, and consequential financial loss.

While an email address search can tell you whether the sender is legitimate, not everyone is aware of this technique for defeating phishing emails.

A perfect example of a phishing attack is getting an urgent email from a leading bank or credit card company, alerting you that there was a data breach and you need to secure your account, or it will get frozen.

The attackers are banking on the chance that you have an account with that particular bank or credit card company.

Receiving an urgent email can drive most people to panic, so they follow the instructions on the email and click the link or download the attachment, and that’s the beginning of the end.

Victims have no clue that they’re entering their credentials into a fake website controlled by the attacker or downloading malware into their computer.

Small Businesses Make More Attractive Targets

There’s a misconception that small businesses are immune to cyberattacks because large companies have more money and more valuable products. In reality, small businesses are more attractive targets because most have limited resources and fewer experienced employees who know how to deal with an attack, making them sitting ducks. Hackers often use phishing attacks to exploit vulnerabilities in smaller companies with little to no resources for cybersecurity.

Let’s take a look at some numbers:

● A staggering 84% of all small to medium businesses (SMBs) were targeted by phishing attacks in 2018.

● Sixty-five percent (65%) of SMBs have never even run a phishing email test before.

● Sixty percent (60%) of small businesses fail to recover and go out of business within six months of a cyberattack or data breach.

Experts agree that the situation will get worse before it gets better. The recent surge in phishing attacks during the COVID-19 pandemic is proof of that.

It’s easy to put up a startup these days, and most entrepreneurs don’t have the cash flow and the security awareness to defend their fledgling companies from attackers.

How to Protect Your Small Business From Phishing Attacks

Cybercriminals can steal personal details from their victims, such as location data, passwords, login credentials, banking information, and a lot more. Here are a few tips on how to defend yourself.

1. Phishing Email Detection

All employees in your small business must know how to detect a phishing email. There are ways to dissect an email to check if it’s from a legitimate sender or not.

An email address search can trace the email back to its source, for instance, and if the sending domain does not match the organization named in the message, you can bet that it’s a phishing attempt.

Phishing emails don’t address the target by their name and can start with a generic greeting such as “Dear Valued Customer” – a telltale sign that the email is from a scammer.

Phishing emails also use fake or spoofed domains that either mask the real domain or use one that reads like the original (Gooogle, Mircosoft) to trick the target into thinking it’s legitimate.
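The three checks described in this section (sender domain versus the name on the message, a generic greeting, and lookalike domains such as Gooogle or Mircosoft) can be automated as a first-pass filter. The script below is an added example, not code from the original article: it parses a raw email, extracts the sender's display name and domain, and reports which indicators are present. The trusted-domain list, the similarity threshold of 0.85, the greeting and urgency word lists, and the three sample messages are all constructed for the demo and would be tuned to your own mail flow.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed list of domains this hypothetical business trusts (not from the article).
TRUSTED_DOMAINS = ("examplebank.com", "google.com", "microsoft.com")

# Generic salutations that a legitimate sender who knows your name would not use.
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user", "dear account holder")

# Pressure words typical of "act now or your account gets frozen" lures.
URGENCY = re.compile(r"\b(urgent|immediately|frozen|suspended|within 24 hours)\b", re.I)


def sender_parts(from_header):
    """Split a From: header into (display name, address domain)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def is_trusted(domain, trusted):
    """True for a trusted domain or one of its subdomains (accounts.google.com)."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates (gooogle.com, mircosoft.com), else None.
    The 0.85 similarity threshold is a heuristic chosen for this demo."""
    if is_trusted(domain, trusted):
        return None
    for t in trusted:
        if SequenceMatcher(None, domain, t).ratio() >= 0.85:
            return t
    return None


def name_domain_mismatch(name, domain, trusted=TRUSTED_DOMAINS):
    """True when the display name claims a trusted brand but the address is not from that brand's domain."""
    squeezed = name.lower().replace(" ", "")
    for t in trusted:
        brand = t.split(".")[0]  # "examplebank" from "examplebank.com"
        if brand in squeezed and not (domain == t or domain.endswith("." + t)):
            return True
    return False


def phishing_indicators(raw_email):
    """Return the list of indicator tags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    name, domain = sender_parts(msg.get("From", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body
    tags = []
    if lookalike_of(domain):
        tags.append("lookalike-domain")
    if name_domain_mismatch(name, domain):
        tags.append("name-domain-mismatch")
    if body.strip().lower().startswith(GENERIC_GREETINGS):
        tags.append("generic-greeting")
    if URGENCY.search(text):
        tags.append("urgency-language")
    return tags


# Constructed sample messages for the demo (not real mail).
PHISH_BANK = """From: "Example Bank Security" <alerts@examplebank-secure.com>
Subject: Urgent: your account will be frozen

Dear Valued Customer,

We detected a data breach. Confirm your details immediately or your account will be frozen.
"""

PHISH_LOOKALIKE = """From: "Microsoft" <support@mircosoft.com>
Subject: Password expiry

Your password expires today. Sign in immediately to keep your mailbox.
"""

LEGIT = """From: "Example Bank" <statements@examplebank.com>
Subject: Your March statement is ready

Hello Jane,

Your statement is available in online banking.
"""

if __name__ == "__main__":
    for label, raw in (("bank", PHISH_BANK), ("lookalike", PHISH_LOOKALIKE), ("legit", LEGIT)):
        print(label, phishing_indicators(raw))
```

A message that collects two or more tags is a good candidate for quarantine or for a "report phishing" prompt to the user; a single tag on its own (marketing mail also uses urgency words) is better treated as a hint than a verdict.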

2. Regular Employee Cybersecurity Training

Even if you’re aware that these threats exist online and know what to do when faced with a phishing attack, your employees may not.

Ensure that all your staff receives basic online safety and hygiene training to educate them on how to interact with ALL emails (don’t click on links or download attachments), regardless of origin.

You have to be strict about following security guidelines to the letter because one small mistake could mean a significant financial hit.

It would also help if you could run regular cybersecurity drills dedicated to phishing attacks, so your staff would know what to do in any given situation.

3. Keep Your Operating System and Software Updated

Some phishing attacks still use malware that relies on unpatched operating systems or outdated software.

Ensure that all company devices are running the latest versions of their respective operating systems, and that all software is patched and up to date.

Media players, PDF viewers, and any video conferencing programs should be updated because hackers often exploit these.

4. Conduct a Password Audit

Conduct an office-wide password audit to check and weed out weak and redundant passwords.

Enforce proper password policies that include using a strong password for every account and not reusing them anywhere else.

All an attacker needs is one password to break in and cause damage. Invest in a password manager and make sure everyone is using the robust password generated by the program or a mix of three to four random words in a string.
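Both halves of this tip, the audit for weak and reused passwords and the "three to four random words" replacement, can be scripted against a password manager's export. The code below is an added example rather than anything from the article or from a particular password manager: `audit_vault` flags passwords that are too short or on a common-password list and groups accounts that share the same password (compared by hash so the report never carries plaintext), and `passphrase` draws random words with the `secrets` module. The minimum length of 12, the tiny common-password set, the 16-word list and the sample vault are all constructed for the demo; a real generator would use a large list such as the 7776-word EFF diceware list, which is why `entropy_bits` is shown for both sizes.

```python
import hashlib
import math
import secrets
from collections import defaultdict

MIN_LENGTH = 12  # demo policy threshold, an assumption

# Constructed short list of passwords that appear in every breach corpus (not from the article).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "letmein", "admin"}

# Constructed mini word list; a real generator uses a large list such as the EFF diceware list.
WORDS = ["anchor", "basil", "canyon", "dusk", "ember", "falcon", "granite", "harbor",
         "iris", "juniper", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble"]


def fingerprint(password):
    """Hash a password so the audit report never contains the plaintext."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def audit_vault(entries):
    """entries: iterable of (account, password). Returns weak accounts and reused groups."""
    weak = []
    by_hash = defaultdict(list)
    for account, password in entries:
        reasons = []
        if len(password) < MIN_LENGTH:
            reasons.append("too short")
        if password.lower() in COMMON_PASSWORDS:
            reasons.append("common password")
        if reasons:
            weak.append((account, ", ".join(reasons)))
        by_hash[fingerprint(password)].append(account)
    # Any hash seen under more than one account is a reused password.
    reused = [sorted(accts) for accts in by_hash.values() if len(accts) > 1]
    return {"weak": weak, "reused": sorted(reused)}


def passphrase(n_words=4, words=WORDS, sep="-"):
    """Join n words chosen with the CSPRNG-backed secrets module."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_words, list_size):
    """Entropy in bits of a passphrase drawn uniformly from list_size words."""
    return round(n_words * math.log2(list_size), 1)


# Constructed vault export for the demo.
VAULT = [
    ("crm.example", "Summer2023!"),
    ("mail.example", "Summer2023!"),
    ("payroll.example", "password"),
    ("bank.example", "granite-harbor-juniper-orbit"),
]

if __name__ == "__main__":
    report = audit_vault(VAULT)
    print("weak:", report["weak"])
    print("reused:", report["reused"])
    print("new passphrase:", passphrase())
    print("entropy with", len(WORDS), "words:", entropy_bits(4, len(WORDS)), "bits;",
          "with 7776 words:", entropy_bits(4, 7776), "bits")
```

The entropy figures make the point behind the tip concrete: four words from a 16-word list give only 16 bits, while four words from a 7776-word list give about 51.7 bits, which is why the word list, not the word count alone, decides how strong the passphrase is.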

5. Enforce Multi-Factor Authentication on All Accounts

Ensure that each online account has multi-factor authentication enabled by default to add an extra layer of security that attackers cannot defeat without also possessing the device that generates the authentication code. You can use an authentication app that runs on a smartphone or a physical authentication device.

6. Isolate and Backup Critical Components

Your company’s infrastructure has critical components that not everyone needs to have access to.

Some segments don’t even need to be online. It would help to isolate the crucial elements in your infrastructure as much as you can, such as restricting access to some servers and keeping entire systems completely offline.

Having redundant backups will also help you restore your systems after a ransomware attack.


Having a modest organization doesn’t necessarily mean your attack surface is smaller or less appealing than that of a big company. Remember, phishing attacks can happen to anyone, and you can never assume that it won’t happen to you or anyone else in your organization. The pandemic currently gripping the world has enabled countless scammers to ply their trade, and phishing attempts are up by a whopping 350%, hitting both businesses and individuals with the same ferocity.

It would help to implement a proactive protection strategy that includes investing in cybersecurity and theft protection tools and in employee security training on how to deal with phishing and other types of cyberattacks.

Having active security measures in place can help prevent attacks and mitigate the risks of a breach. Spending a little more on security now can save your finances and reputation in the future.