3 Worst Email Scams Targeting Small Businesses, and How to Avoid Them

Big companies like Equifax, Marriott, Uber, and Yahoo have been hacked, but small businesses are particularly vulnerable to cyberattacks. According to Symantec’s 2019 Internet Security Threat Report, employees of small businesses were more likely than those of large businesses to receive email threats like spam, phishing, and malware. Find out about three of the most common email threats to small businesses.

1. Malware

Malware is a type of malicious software that can harm your computer by stealing data, disabling systems, deleting or corrupting files, or even spying on you. Viruses, Trojan horses, ransomware, and worms are all malware, and every one of them is risky for a small business.

Malware can be acquired by visiting an infected website or plugging in an infected device, but it is most commonly acquired via email, either as an attachment or a link within the email. Verizon’s 2019 Data Breach Investigation Report says phishing emails deliver 94% of malware.

You should be extra cautious if you receive a suspicious email with an attachment. Microsoft Word or Excel files with the extensions .doc, .dot, .docx, .dotx (or .docm) and .xlsx make up 48% of malicious email attachments, according to the 2019 Internet Security Threat Report. Other dangerous file types include .exe, .rtf, .jar, .vbs, and .pdf.

If you don’t know the sender, don’t open the attachment. If you know the sender but are unsure about an attachment (or want to be safe), contact the sender.

2. Fake Email from a Real Company

Some phishing emails seem to come from companies you know and trust, like banks or credit card companies, or PayPal, Amazon, or Netflix.

A link in the email will ask you to perform a “required” task. These emails often try to overcome the recipient’s hesitation or suspicion by posing as a known company and making the requested action seem urgent, for example by warning that you will lose access to an account if you don’t update your information. Some of these emails even ask you to change your password to avoid a virus or hack attack.

If you click the link, you’ll be taken to a fake website designed to steal your personal information.

Never click a link in an email unless you are certain it is legitimate. Check where the link really points by hovering over it. A spoofed link can be as subtle as accounts.trustedcompany.net instead of www.trustedcompany.com, or it can be a completely different URL with a long string of extra characters. In either case, it’s a spoof.

If you trust the email and click the link, carefully review the website before entering any information. Check the address bar for the company’s official domain name and for https://, and check the page itself for spelling and grammar errors and unusual or clumsy phrasing. If you have any doubts about the site’s legitimacy, close your browser. To double-check, copy and paste the URL into a new browser window. If the URL in the new window isn’t the same, it’s a scam.

Better still, when an email from a company asks you to act, open a new browser window and type in the company’s known URL yourself to ensure you’re on the right site.
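The link checks described above (compare the registered domain with the company’s real domain, look for https://, and distrust unusually long URLs) can be turned into a small script. This is an added example, not code from the original article; the trusted-domain list and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the domain the company actually uses (assumption for this example).
TRUSTED_DOMAINS = {"trustedcompany.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, e.g.
    'accounts.trustedcompany.net' -> 'trustedcompany.net'.
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, trusted=TRUSTED_DOMAINS, max_len: int = 100) -> list:
    """Return the reasons a link fails the checks from the article;
    an empty list means the link passed every check."""
    reasons = []
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if parts.scheme != "https":
        reasons.append("not https (scheme is %r)" % (parts.scheme or "missing"))
    if not host:
        reasons.append("no hostname in link")
    else:
        domain = registrable_domain(host)
        if domain not in trusted:
            # Lookalike: the company's name appears in the host, but the
            # registered domain belongs to someone else (.net instead of .com).
            brands = {t.split(".")[0] for t in trusted}
            if any(b in host for b in brands):
                reasons.append("lookalike host %r: registered domain is %r, not one of %s"
                               % (host, domain, sorted(trusted)))
            else:
                reasons.append("domain %r is not the company's domain" % domain)
    if len(url) > max_len:
        reasons.append("URL is unusually long (%d characters)" % len(url))
    return reasons


if __name__ == "__main__":
    # Constructed sample links, including the two hosts the article contrasts.
    for link in ("https://www.trustedcompany.com/account",
                 "https://accounts.trustedcompany.net/update",
                 "http://www.trustedcompany.com/"):
        print(link, "->", check_link(link) or "passed")
```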

3. Spear Phishing Emails

Spear phishing involves emailing someone while posing as a trusted entity such as an employee, relative, friend, or business associate.

One in every six American businesses lost data, had credentials or accounts compromised, was infected with ransomware, or was victimized by wire transfer fraud last year, according to the 2020 State of the Phish Report.

Phishing is a popular and successful method. When cyber criminals target specific individuals, they use personal information about them to trick them into providing data that can be used to steal money or sensitive information. In 2019, 88 percent of organizations were spear phished, according to the 2020 State of the Phish Report.

For example, a cyber criminal might visit your website, identify a partner company, go to that company’s website, find a list of employees, email you pretending to be the partner company’s president, and ask you for sensitive information, account access, or even money wired directly to them.

Because the email and sender look familiar, they don’t raise suspicion. The message will often use a familiar greeting and may even mention something personal about you that the fraudster found on social media or through a Google search, such as a “mutual friend” or personal or professional details.

Hover over the sender name to see the return address. Notify your IT department and the person whose identity is being used if the mailto: address does not match your contacts. If any email raises your suspicions (e.g., strange wording or tone compared to previous emails from the purported sender), call to confirm.
