When Scammers Go Phishing, They Hope to Reel In You and Your Business Data


There’s an old expression: “fishing for information.” It means that a person is trying to pry information from you indirectly.

In today’s world, that old saying has been updated and modified.

Now, cybercrooks go phishing for information from individuals and businesses. The scammers don’t come right out and say, “Can you give me your email address and password so I can steal thousands of dollars from you?” Instead, they also take the indirect approach…through phishing.

They use all sorts of trickery—well-disguised lies and deceit—to extract valuable information from businesses and their employees. Their bag of tricks includes emails, texts and fake websites that seem to be legitimate to lure you in. Once you’re hooked, they can reel in all types of company secrets and steal boatloads of dollars.

AVOIDING THE HOOK
That's why it's more important than ever to do what you can to prevent phishing and to be aware of the full story on it:

• The cost to businesses in fraud losses.
• Why employees make good victims.
• The signs of a phishing attempt.
• What happens when victims are hooked.
• How to thwart phishing attempts.

PHISHING IS PROFITABLE FOR CROOKS
Cybercrime cost individuals and businesses more than $4 billion in losses in 2020, according to an FBI report. The tricks scammers use on citizens are easily adapted for businesses of all sizes, with phishing attacks leading the list of scams reported to the FBI. 

Make no mistake, as long as you’re in business, you or your employees could be the target of a phishing attempt. The prime targets are the ones who have the most decision-making authority, but employees make great targets too, and the cybercrooks know this. Here’s why: 

• Employees often wear many hats and are constantly under pressure to multitask—this makes it easy for them to be distracted or less attentive than usual
• They may also fall into a routine and be somewhat complacent, which makes them susceptible to a phishing attempt
• If there are a few hundred employees in your company, one employee may not be familiar with who is on your executive team and could be easily fooled by an email from someone posing as a high-level authority, which is known as business email compromise, or BEC 

HOW PHISHING WORKS.
Phishing emails (and sometimes texts) are designed to trick you into believing that the message is from a trustworthy source, such as a person or company you know. Here are some of the possibilities:

• The email or text may seem to come from a familiar source
• The scammer might impersonate a vendor that is sending an invoice
• The message could appear to come from an important client
• It could look as if a coworker has sent a message
• Scammers also send phishing messages that imitate messages from banks, credit cards or other organizations that an employee might recognize


No matter who these con artists are or their skill level, they will still generally take the same approach:

• They will send an email that at a quick glance seems to be simply another of the many (sometimes hundreds!) that you or your very busy employees get daily
• The message will come from a fictitious person at the same company or from a fake or impersonated person from a different company
• The message will direct the reader to take some type of quick action—urgency is always a factor because the scammer knows he will get only one chance and must make the best of it

You may also get emails from organizations you may have heard of but never dealt with. These messages could be worthwhile, but they also could be scams. 

WHEN VICTIMS GET HOOKED BY A PHISHING ATTACK.
If the recipient isn’t careful, isn’t paying attention or is rushed, they might respond to the email (believing the sender and the request are legitimate) and take the action requested by the scammer:

• Wiring money to scammers
• Downloading fake invoices and forwarding them, with approval for payment
• Providing passwords to networks or to the company intranet
• Divulging sensitive company information such as employee names, phone numbers, email addresses or account numbers
• Clicking on email links that infect computers and company networks with malware, perhaps even ransomware 

SPREAD THE MESSAGE: “NO PHISHING.”
No matter the size of the company, it is vitally important for business owners and management teams to fully understand and be aware of phishing attempts and to have some type of cyber-readiness plan in place to help thwart them and prevent losses: 

• Carefully examine EVERY email you receive, assuming you’ll get phishing emails and texts routinely
• Look at the return address of an email and verify that it is legitimate (and doesn't simply look legitimate)
• NEVER click on an attachment without ensuring the sender is 100% legitimate—most malware is launched by employees clicking on dangerous links
• If a request seems odd or out of the ordinary—even if it seems to be from someone you know—call the person or department directly to verify the request
• Do not reply to an email unless you are certain it is safe to do so
• Do not call any numbers listed in the email message or visit listed websites
• See if the website address has the “secure” symbol and begins with “https”—scammers often won’t bother to secure their fake websites
• Do an internet search of the organization by typing in the name and adding the word “scam” after it
• You can also do a search using the exact wording of the email message itself or the subject line of the email—many times that helps uncover a phishing attempt or other scam 

For more information on protecting your business from business fraud and other dangers, visit the Banc of California Business Insights page on the Banc of California website. It provides valuable information from business experts on a variety of topics, including cybersecurity.