5 Best Practices to Protect Yourself From Email Phishing Attacks

By Alexandre François

Every year, email phishing is the cause of many data breaches and massive financial losses, affecting businesses of all sizes. In fact, it is the most prevalent form of cyberfraud against SMBs—cybercriminals often look at SMBs as easy targets, expecting that these companies lack both the tech stack and expertise to detect and block sophisticated attacks.

But that’s not necessarily true. SMBs can safeguard their users and IT infrastructure, notably by following these five anti-phishing best practices.

1. Always keep the basics in mind

Phishing scams come in many shapes and forms and are continually evolving. But the mechanics behind attacks have fundamentally remained the same over time, with warning signs that include:

• Non-branded business email addresses. Virtually anyone can set up an account like companyabc@mail.com using a free email service.
• Poorly drafted communications. Often times emails have grammar mistakes, formatting errors, or generic greetings
• Intimidating calls to action. These pressure recipients to disclose data or complete money transfers ASAP, so nobody has the time to realize that something is off.
• Suspicious email attachments. Attachments have file extensions used to run code or macros: e.g., .cmd, .exe, .docm, .pptm, etc.
• Inconsistent domain names. This is when a sender contacts you from another email address for no apparent reason.
• Inconsistent links with different displayed and destination URLs.

2. Implement security awareness initiatives

You can keep employees alert to the dangers of email phishing by curating real-life news stories from various cybersecurity websites and presenting them, for example, in a newsletter that details what happened in each case and how the scam could have been prevented. You could also simulate email phishing campaigns to familiarize your staff with scammers’ tactics and to detect blind posts in your email security processes.

3. Set security policies to stop spear phishing

Spear phishing, also known as business email compromise (BEC), is a technique where scammers impersonate a trustworthy source (i.e., a CEO, CFO, or long-term supplier), and make a seemingly believable request to justify a fraudulent wire transfer, change in billing details, etc. You can preempt these scams with simple security measures, such as:

• Following up on sensitive requests via phone or in person. Email is a perfect disguise for scammers, but it is much harder to mimic a person’s voice or appearance. For that reason, impersonators are likely to walk away if you ask them to contact you by phone or video conference, or to meet in person.
• Decentralizing your business’s approval process. Decision-making is often highly concentrated in SMBs, where usually there are very few individuals who can give permission to go ahead with projects and requests. Fraudsters leverage that fact, awaiting prompt compliance when they forge the email address of the person in charge. The likelihood of BEC scams being uncovered increases when two or more people approving a request becomes a requirement.

Other Articles From AllBusiness.com:

• The Complete 35-Step Guide for Entrepreneurs Starting a Business
• 25 Frequently Asked Questions on Starting a Business
• 50 Questions Angel Investors Will Ask Entrepreneurs
• 17 Key Lessons for Entrepreneurs Starting A Business

4. Make phishing reporting everyone’s duty

Cybercriminals execute phishing attacks on a large scale, contacting dozens or more recipients at the same time to increase their odds of deceiving targets. Therefore, everyone in your company should know if they notice a phishing scam, they should immediately alert others. To encourage employees to speak up, it’s essential they feel comfortable reporting email frauds with no fear of retaliation.

5. Deploy anti-phishing technology

Email security software and anti-phishing features can support your security efforts, minimizing the number of "phishy" emails that make it to your employees’ inboxes, and flagging suspicious messages, notably with:

• Domain blacklisting. Blocking all email coming from addresses knowingly used in the past to conduct fraudulent activities.
• Setting up spam filters. Filters should have rules to stop communications with phishy keywords, excessive punctuation, unsafe URLs, and failed message encryption.
• Content scanning. This identifies viruses, spyware, ransomware, and other corrupted attachments.
• Spoofed sender detection. Telling recipients when they never interacted with a specific sender in the past.

Minimize the risk of data loss and extortion by implementing these strategies as part of a more comprehensive anti-phishing strategy.

RELATED: Think Your Small Business Is Too Small to Get Hacked? Think Again