Cyber security 101: Keep your small business safe from phishing

Synopsis

Phishing is a common cyber crime that threatens small and mid-sized businesses. Attackers use it to deceive you into installing malware or ransomware, or to steal your sensitive information and data. In this article, we:

  • Define phishing
  • Outline common types of phishing
  • Uncover how to respond in the event of a phishing attack
  • Discuss how to prevent phishing
  • Discover whether your business could benefit from cyber security insurance

When it comes to cyber security, we’re all vulnerable. Even your small or mid-sized business.

And the number one method used by cyber criminals to infiltrate your network? Phishing.

According to the Canadian Centre for Cyber Security, in 2023 alone, more than 70,000 cyber scams and fraud — including phishing attacks — were reported in Canada. These threats are more common than ever, but would you know how to recognize a phishing scam?

And how can you protect your business from these threats?

Understand phishing attacks and common tactics

Phishing is like fishing. Only, instead of catching fish, cyber criminals are trying to catch your information.

They do this by dangling bait in front of you — like misleading emails, fake websites, phony phone calls, or fraudulent text messages. Their aim is to hook you into handing over sensitive information like credit card numbers, passwords, and other data.

You know those phone calls you get from scammers, insisting you’ve won an all-inclusive vacation, and to claim your prize they require your credit card number? That’s a phishing attack.

In today’s digital era, phishing attacks have evolved to be more sophisticated. They’ve become so sneaky that an ordinary action like clicking a link or downloading an attachment can be a trap. Often, these messages are sent from addresses that closely resemble those of trusted organizations or individuals. The scammers rely on human error — like skimming a familiar-looking email address and assuming it comes from a trusted source — to get you to engage with their scams.

Once the link is clicked or the attachment is opened, the scammers can install ransomware or malware, or steal your data.
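The lookalike-address trick described above can be checked mechanically rather than by eye. The following is an added example, not code from the article or from MNP: it compares a sender’s domain against a list of domains the business trusts, folding characters that are commonly swapped (0 for o, 1 for l, rn for m) and flagging near-misses. The trusted domains and sample sender addresses are constructed for illustration.

```python
"""Flag sender domains that closely resemble a trusted domain (heuristic)."""
from __future__ import annotations

# Characters and digraphs scammers commonly swap to build a lookalike domain.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# Constructed for this example; a real deployment would list the business's
# own domain and those of its key clients and suppliers.
TRUSTED = ["example.com", "trusted-supplier.ca"]


def normalize(domain: str) -> str:
    """Lower-case the domain and fold confusable characters to their targets."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify(address: str, trusted: list[str] = TRUSTED) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender address."""
    dom = sender_domain(address)
    if dom in trusted:
        return "trusted"
    for t in trusted:
        # Same domain once confusables are folded, or within one edit of it.
        if normalize(dom) == normalize(t) or edit_distance(dom, t) <= 1:
            return "lookalike"
        # Trusted name reused as a leading label of some other domain,
        # e.g. example.com.<something>.net or example-<something>.net.
        label = t.split(".")[0]
        if dom.startswith(label + ".") or dom.startswith(label + "-"):
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for addr in ["ap@trusted-supplier.ca", "billing@examp1e.com",
                 "it-desk@example.co", "ceo@example.com.evil-host.net"]:
        print(f"{addr:32} -> {classify(addr)}")
```

The rules are deliberately coarse: they trade some false positives (a legitimate domain containing "rn") for catching the near-miss addresses a skimming reader misses.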

Common types of phishing attacks and how to overcome them

Scammers are innovative when it comes to executing cyber crimes. Even under the umbrella of phishing, scams are becoming more elaborate, and scammers are coming up with more ways to steal your information every day.

In the business world, here are two common phishing attacks and tips on how to respond effectively:

Business email imposters

Business email imposters emulate messaging from your organization. This means they reach out to others, disguised as your business, with malicious intent.

By mimicking your business, scammers can gain access to the internal networks of other individuals and organizations — like your clients or your suppliers. This kind of hoax reflects poorly on your business and could have a major impact on your reputation and sales.

Being proactive protects your customers’ assets and your reputation. If scammers are spoofing your business, you need to act quickly:

Report the incident

Let the authorities know about the scam and, if applicable, contact the person who was impersonated.

Let your customers know

Reach out to your clients to let them know you’ve been mimicked by scammers and remind them not to share their personal information. Encourage them to contact authorities if their data was breached.

Alert your team

Once you’ve reported the incident to authorities and your customers, alert the rest of your team. Direct them to notice any unusual activity and report back on any additional scam attempts.

Tech support scams

These scams are executed by cyber criminals impersonating a tech support team. The threat actors often pretend to be from a large, recognizable organization, contacting you most commonly via phone calls, pop-ups, or emails.

These scammers declare they’ve found a technical issue or security threat with your computer. Then, they’ll ask you to take action. Here are some of their tactics:

  • Request remote access to your computer
  • Ask you to install software
  • Try to sell you software or IT services
  • Try to sell you a warranty program
  • Direct you to a fake website
  • Request your credit card information for fake services

Organizations of various sizes have fallen victim to tech support phishing scams. It’s important to back up data, keep software and hardware updated, and have a plan to minimize any damage caused by this hoax. Here are some steps to take if you feel like you’ve fallen for a tech support scam:

Report the incident

Contact the relevant authorities and report the scam.

Change passwords ASAP

Immediately change passwords, ensuring you have a unique password for each service and account.

Contact your credit card company

Request that your credit card company reverse any unauthorized charges, and monitor upcoming statements for any irregularities.

Cyber security review

Have a cyber security professional review your networks for any unauthorized access.

Put your software to work

Use your security software to scan for any unusual activity that may cause issues. It’s important to keep your software up-to-date.

How can I protect my business against a phishing attack?

Protecting your small or mid-sized business against phishing attacks doesn’t have to be a daunting task. Here’s how you can stop phishing in its tracks:

1. Encourage skepticism

When it comes to unsolicited emails or messages, remind your team to think twice before clicking links or downloading attachments from unknown senders. Encourage research to ensure the person or company who reached out to you is legitimate. And have a keen eye: some scammers are getting very good at impersonating real people and organizations. Look closely for spelling and grammatical errors.

2. Reach out for help

There may be times when you do your research on the sender but still feel unsure. Don’t assume your business is safe. Reach out to a team member or an IT resource before taking any action on the message. An IT expert or a fresh pair of eyes may spot red flags you missed, or may already be aware of common phishing scams.

3. Secure your infrastructure

Setting passwords on all devices is only the first step your organization can take in securing its files, devices, and wireless network. Protect your business further by setting up multi-factor authentication, backing up your files, setting your infrastructure to update automatically, changing the default settings on your router, and encrypting your devices, router and storage.

4. Develop a plan

Avoid major disruptions by implementing a breach plan. This plan focuses on saving data, reaching out to your clients and partners, and ensures your business can keep running without a hitch.

5. Give them a call

It never hurts to call another person at the company in question. While they may not be the sender, they should be able to confirm the legitimacy of the request. If the caller claims to be your credit card company, for instance, hang up and call back. Do not use the contact information provided by the suspicious source.

6. Create a culture of security

Through ongoing training and empowerment, you can encourage your employees to spot and report any phishing scams or suspicious activities.

By staying informed and vigilant, you can reduce the risk of phishing attacks and protect the sensitive information of your business.

7. Consider cyber insurance

Phishing attacks can be expensive to recover from.

To minimize the cost associated with a breach, you may want to consider cyber insurance for your business. This insurance can cover you in the event of data breaches, general cyber attacks, attacks on hosted data, and terrorist attacks.

Here are some other factors to consider if you’re thinking of investing in insurance coverage:

  • Will you be protected in the event of a lawsuit?
  • Do they provide any additional coverage?
  • Do they provide an emergency number for immediate assistance in the event of a breach?

Make cyber security a cornerstone within your organization and meet phishing attacks head on. By prioritizing the protection of your devices and IT infrastructure, you can build a culture of security, prevent costly phishing attacks, and maintain your business’s reputation.

Experienced a phishing attack? You’re not alone.

If your organization is experiencing a phishing threat, it’s important to know that you don’t need to manage it all on your own. Our Cyber Incident Management Services are equipped to quickly respond and manage the complexity and coordination required in an attack.

We can help reduce the impact of cyber threats, so your business survives with minimal financial and reputational damage. Reach out to our team of advisors to assess your cyber readiness, or to learn how we can provide ongoing support for your IT infrastructure.

About Drew Buhr

Drew is MNP’s National Cyber Security Assessment Lead for Digital Services, and is based in Edmonton, AB. With nearly 20 years of experience, Drew works with public and private sector organizations to help them better understand their cyber security risks and increase their security maturity. He holds multiple certifications, including CISA and CISSP, and offers services that include risk assessments, penetration testing, and strategy development.

Drew Buhr CISSP, CISA, ISO 27001 LA

Partner

780-733-8681

1-800-661-7778