It isn’t as easy to avoid phishing emails as you might think.  Sure, we know better than to click on emails with misspelled words or poor grammar.  But cybercriminals are becoming increasingly clever to try and gain your trust.

One common way to gain your trust is through spear phishing, particularly by targeting executives in companies large and small. This particular brand of spear phishing, commonly known as “CEO spoofing,” has tricked companies into losing millions of dollars. By posing as the CEO, who is usually (conveniently) out of town, a scammer will send an email to employees requesting that money be immediately deposited into an account. These emails may contain the company seal or the CEO’s signature and, at first glance, appear to be entirely authentic.

This degree of deception requires lots of planning. From deducing when a CEO will be physically absent from the office to analyzing a company’s email format, this brand of cybercriminal is purposeful. If an employee believes the email is a legitimate request, they will follow through and only realize a horrible mistake has been made once it is too late.

Small businesses are not exempt from this risk.  News reports and social media postings provide a lot of information.  Announcements about new investors, a company sale, or signing a new client can all trigger an authentic-looking email from a cybercriminal.  Often, the request will be to transfer funds or provide W-2 information. 

Obviously, this tactic is much more sophisticated than trying to get you to click on a link or attachment.  So, the steps you take to avoid these emails need to be more sophisticated as well.  Every employee needs to know how to identify and avoid phishing emails. 

How To Help Avoid Phishing Emails and Save Your Company Money

  • Understand that all organizations receive phishing emails.  You’re not safe just because you work for a small business.
  • If you know the sender but the subject line is strange, double-check the sender’s address by hovering your cursor over the display name. Make sure the address is a reasonable match with the sender’s name and organization, including the part after the @ sign. If not, delete.
  • If you know the sender, but are not expecting a request, link or attachment, create a separate email to confirm the sender's identity and their intent to contact you.  This is important for people inside your organization, too. 
  • If you have finance or HR responsibilities, be especially cautious.  Create a process that requires a separate confirming email or phone call before you take action.   Even if the email looks legitimate, you don’t want to transfer money or provide personal information to a scammer.
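The second bullet above (does the address really match the name and organization?) is a check that can also be automated at the mail gateway or in a mail-filter rule. The script below is an added example written for this post, not code from the original article or from CRU Solutions. It assumes a company domain of example.com and two constructed executive names, and it flags the three patterns described in the post: an executive's name on an outside address, a lookalike of the company domain, and a display name that itself contains an email address so the real sender is hidden.

```python
"""Added example: a sender-address sanity check for incoming mail.

Assumptions (constructed for this illustration, not from the original post):
  - the organization's real domain is example.com
  - the names in EXECUTIVES are the people a scammer would impersonate
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"            # assumed organization domain
EXECUTIVES = {"jane doe", "john smith"}   # constructed names of high-value senders


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list[str]:
    """Return reason codes for a suspicious From: header; an empty list means it passed."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable-address"]
    domain = addr.rsplit("@", 1)[1].lower()
    if domain == COMPANY_DOMAIN:
        return []                          # genuinely internal (assuming SPF/DKIM hold)

    reasons = []
    # An executive's name on an address outside the company is the classic CEO-spoof shape.
    if name.strip().lower() in EXECUTIVES:
        reasons.append("executive-name-external")
    # A domain one or two characters away from ours (examp1e.com, example.co) is a lookalike.
    if 0 < edit_distance(domain, COMPANY_DOMAIN) <= 2:
        reasons.append("lookalike-domain")
    # A display name that contains an @ or our domain is meant to hide the real address.
    if "@" in name or COMPANY_DOMAIN in name.lower():
        reasons.append("address-in-display-name")
    return reasons


if __name__ == "__main__":
    # Constructed sample headers for a quick demonstration.
    samples = [
        "Jane Doe <jane.doe@example.com>",
        "Jane Doe <jane.doe@examp1e.com>",
        '"jane.doe@example.com" <ceo-urgent@freemail.test>',
        "Accounts Payable <ap@vendor.test>",
    ]
    for header in samples:
        verdict = check_sender(header) or ["ok"]
        print(f"{header:55} -> {', '.join(verdict)}")
```

The check is deliberately a first-pass heuristic: a clean result only means the address is not obviously forged, so the separate confirming email or phone call in the last bullet still applies before any money moves.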

Informed employees are your best defense against phishing emails. Put the necessary safeguards in place to ensure that no one transfers funds or shares personal information without seeking confirmation.  When everyone in your organization knows how to avoid phishing emails, you will save your company money. 

If you’re considering outsourcing your business IT, contact CRU Solutions