
    Phishing – a big problem for small and medium-sized businesses 

    Date: 04.04.2023

    Category: Security

    Phishing is one of the most serious threats facing business owners today. Over the past few years, phishing attacks have become increasingly sophisticated and difficult to detect.

    The 2022 study “Perception of Cybersecurity among Managers of Polish Companies”, commissioned by Sophos*, showed that more than a quarter of Polish companies have no budget for protection against cyber threats, and that on average every third manager complains that the management board is not interested in data and system security. 

    In this article we put phishing into perspective: we explain what it is, which attack methods criminals use and what effect a single attack can have on a company. Finally, we present ways of combating it. 

    What is phishing? 

    Phishing is a cyberattack technique that aims to steal sensitive information such as passwords, login details or financial details by impersonating a trusted source or institution. 

    Since the outbreak of the COVID-19 pandemic, the number of phishing attacks has more than doubled. The targets are employees who have moved from offices to homes overnight and whose companies did not manage to equip them with adequate protection, e.g. in the form of filters detecting and blocking access to fake websites. 

    The source of these attacks is now organized criminal groups which, for profit (and sometimes on someone else's behalf), extort data and then use it to get into corporate networks, encrypt data and demand a ransom. 

    Does it sound like the script of a gangster movie? Maybe. The fact is that on this basis criminals demand an average of PLN 1.5 million ($350,000) from Polish companies for decrypting stolen data. Those without adequate security and backups pay. 

    Consequences of cyberattacks for companies 

    The aforementioned SW Research study for Sophos shows that as many as 40% of managers in Poland are most afraid of problems with the company’s financial liquidity as a result of a cyberattack. The fear is greatest among staff of enterprises with a turnover of up to one million zlotys (as many as 55%) and of over 15 million zlotys (41%). 

    The issue of ensuring the protection of data and systems concerns not only giants, but also the SME sector. 

    What can threaten a company if it lets a hacker into its infrastructure? 

    • Blocked bank accounts will directly translate into a lack of financial liquidity; 
    • Lack of access to systems will make it impossible to perform services and fulfil orders, which will lead to the loss of customers; 
    • Stopping production will cause losses that will be difficult or impossible to recover, on top of the cost of restoring operations; 
    • If data covered by the GDPR leaks, the company will be exposed to additional financial penalties; 
    • Leakage of data covered by non-disclosure agreements (NDAs) will result in legal action by customers or partners; 
    • On top of all the above, damage to the company's image is the proverbial nail in the coffin. 

    [Figure: The most severe effects of a cyberattack, by Grandmetric, based on a Sophos graph]

    Phishing examples and methods of attacks 

    Phishing attacks are designed to catch us when we least expect it. Acting by surprise, the attacker wants to make us: 

    • provide login details (e.g. to the bank) on a crafted website; 
    • provide payment card details; 
    • provide personal data (e.g. ID card number, PESEL number, mother’s maiden name and other data that financial institutions use to verify identity); 
    • download a file containing malicious software, disguised for example as an invoice, payment request or offer. 

    Some of the most common phishing methods

    Email phishing 

    Email phishing is the most common form of phishing. A business owner or employee receives fake emails that look like messages from banks, companies or service providers asking for confirmation or payment. They may also contain links to fake websites that look just like real websites but are used to steal user data. 

    Email phishing is becoming increasingly difficult to detect as hackers effectively imitate the look and content of transactional emails and send them from addresses that are confusingly similar to the original ones. 
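As an added example (not code from the original article or from Grandmetric), the Python script below shows one defensive check a mail administrator can run on the `From:` header to catch the "confusingly similar" sender addresses described above: digit-for-letter swaps, a trusted name buried inside an unrelated domain, internationalised domains, and display names that claim a brand the address does not belong to. The trusted-domain list, the confusable-character table and the sample headers are all constructed for illustration; the edit-distance threshold and the "last two labels" approximation of the registrable domain are simplifying assumptions, and none of this replaces SPF, DKIM and DMARC validation at the gateway.

```python
"""Flag sender addresses whose domain merely resembles a trusted one.

Added example: the trusted domains, confusable-character table and sample
headers below are constructed for illustration, not taken from the article.
"""
import re
import unicodedata
from email.utils import parseaddr

# Domains this (hypothetical) company legitimately receives mail from.
TRUSTED_DOMAINS = {"example-bank.com", "grandmetric.com", "supplier.example"}

# Substitutions commonly used to imitate ASCII letters (small, constructed subset).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), used as a lookalike score."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Lower-case, strip accents, and fold common confusables to their ASCII letter."""
    d = unicodedata.normalize("NFKD", domain.lower().rstrip("."))
    d = "".join(c for c in d if not unicodedata.combining(c))
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def registrable(domain: str) -> str:
    """Crude approximation of the registrable domain: the last two labels.
    A real deployment would consult the public-suffix list instead."""
    return ".".join(domain.split(".")[-2:])


def brand_of(domain: str) -> str:
    """'example-bank.com' -> 'examplebank', for matching against display names."""
    return re.sub(r"[^a-z0-9]", "", domain.split(".")[0])


def classify_sender(from_header: str) -> tuple[str, str]:
    """Return (verdict, reason) for the value of a From: header."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "suspicious", "no parsable address"
    dom = addr.rsplit("@", 1)[1].lower().rstrip(".")

    # Non-ASCII and IDN (xn--) domains are where Cyrillic/Greek lookalikes hide.
    if not dom.isascii() or dom.startswith("xn--") or ".xn--" in dom:
        return "suspicious", f"non-ASCII or IDN domain {dom!r}"

    if dom in TRUSTED_DOMAINS:
        return "trusted", f"exact match {dom}"
    for t in TRUSTED_DOMAINS:
        if dom.endswith("." + t):
            return "trusted", f"subdomain of {t}"
    # Trusted name buried in the hostname but registered elsewhere: example-bank.com.evil.test
    for t in TRUSTED_DOMAINS:
        if t in dom:
            return "suspicious", f"contains {t} but registrable domain is {registrable(dom)}"

    norm = normalize_domain(dom)
    for t in TRUSTED_DOMAINS:
        if norm == t or levenshtein(registrable(norm), t) <= 2:
            return "suspicious", f"lookalike of {t}"

    # Display name claims a trusted brand while the address lives elsewhere.
    shown = re.sub(r"[^a-z0-9]", "", display.lower())
    for t in TRUSTED_DOMAINS:
        if brand_of(t) in shown:
            return "suspicious", f"display name claims {brand_of(t)} but domain is {dom}"
    return "unknown", f"unrelated domain {dom}"


# Constructed sample headers, one per case the checker handles.
SAMPLE_FROM_HEADERS = [
    "Payments <alerts@example-bank.com>",
    "Payments <alerts@notifications.example-bank.com>",
    "Example Bank <alerts@examp1e-bank.com>",
    "Example Bank <alerts@example-bank.com.verify-login.test>",
    "Example Bank Security <security@mail-relay.test>",
    "Newsletter <news@unrelated.test>",
]


def scan(headers=SAMPLE_FROM_HEADERS) -> list[tuple[str, str, str]]:
    """Classify every header; returns (header, verdict, reason) triples."""
    return [(h, *classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict, reason in scan():
        print(f"{verdict:10} {reason:60} <- {header}")
```

Running the script prints a verdict and reason for each constructed header; in a real mail flow the same `classify_sender` would be called on headers coming out of the gateway, and "suspicious" results routed to quarantine or to a warning banner rather than silently dropped, since an edit distance of two will also catch the occasional typo in a legitimate partner's domain.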


    Spear-phishing 

    Spear-phishing is a targeted form of phishing in which cybercriminals attack specific employees or groups of employees in order to obtain confidential information or gain access to the company’s network. Spear-phishing attacks require prior reconnaissance of the company and its employees, which is why they are most often used against large and wealthy institutions. Attackers often use social engineering techniques to obtain information that will help them defraud employees. 


    Vishing (voice phishing) 

    Vishing, also known as voice phishing, is a form of phishing that uses telephone calls to obtain confidential information. Attackers call your company pretending to be bank employees, police officers, service providers or IT companies, and then ask for confidential information or ask you to log in to a website they have prepared. 

    Smishing (SMS spoofing) 

    Smishing, or SMS phishing, is a form of phishing that uses SMS messages to obtain confidential information or gain access to mobile devices. If you recognise the alarming message that you have an unpaid bill and your electricity is about to be cut off, or that your parcel cannot be delivered, that is smishing in practice. 


    Pharming 

    Pharming is a form of phishing that intercepts internet traffic and redirects users to fraudulent websites. Cybercriminals use DNS manipulation or man-in-the-middle attacks to redirect users to fake websites. 
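One of the places the "DNS manipulation" mentioned above can happen is the local hosts file, which is consulted before DNS and which malware on an endpoint can edit to send a well-known domain to an attacker-controlled address. As an added example (not code from the article), the following Python script inventories a hosts file and reports any static mapping for a watched public domain; the watched-domain list and the sample file content are constructed for illustration. It is a detection for one pharming vector only, and does nothing about a compromised router or upstream resolver, which would need DNS-over-HTTPS/TLS, DNSSEC-validating resolvers or certificate checks in the browser.

```python
"""Spot pharming-style overrides in a hosts file.

Added example, not code from the article: the watched domains and the
sample hosts-file content are constructed. A real check would read
/etc/hosts or %SystemRoot%\\System32\\drivers\\etc\\hosts instead of SAMPLE_HOSTS.
"""
import ipaddress

# Public domains the (hypothetical) company cares about; none should ever be pinned locally.
WATCHED_DOMAINS = {"example-bank.com", "www.example-bank.com", "login.example-bank.com"}

# Constructed hosts-file content, including two lines that a pharming attack would add.
SAMPLE_HOSTS = """\
# constructed hosts file for illustration
127.0.0.1       localhost
::1             localhost
127.0.0.1       dev.local
192.0.2.44      www.example-bank.com    # pharming-style override
192.0.2.44      example-bank.com
10.0.0.5        intranet.corp.example
"""


def parse_hosts(text: str) -> list[tuple]:
    """Return (line number, address, hostname) for every mapping, ignoring comments."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a stricter tool would report it as well
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower().rstrip(".")))
    return entries


def find_overrides(text: str, watched=WATCHED_DOMAINS) -> list[dict]:
    """Return every mapping that pins a watched public domain or a subdomain of one.

    Any static entry for a public domain bypasses DNS and deserves an alert,
    even when it points at loopback (which silently blocks access, for
    example to a security vendor's update server, rather than redirecting it)."""
    hits = []
    for lineno, ip, name in parse_hosts(text):
        if name in watched or any(name.endswith("." + w) for w in watched):
            hits.append({"line": lineno, "name": name, "ip": str(ip), "loopback": ip.is_loopback})
    return hits


if __name__ == "__main__":
    for hit in find_overrides(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['name']} -> {hit['ip']} (loopback={hit['loopback']})")
```

On an endpoint fleet this check is most useful run periodically by the management agent, with the hosts file's hash recorded so that any change, not only one touching a watched domain, produces an event for the SOC.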

    How to protect yourself against phishing? 

    Phishing is dangerous for companies and businesses because it can lead to the leakage of confidential information, and thus to the loss of reputation and customer trust. It can also lead to money loss if cybercriminals gain access to a company’s bank accounts or other funding sources. 

    Protecting against phishing starts with building and following good security practices. 

    What should you focus on? 

    1. Use strong passwords and multi-factor authentication; 
    2. Use professional firewalls; 
    3. Block fake login pages; 
    4. Train your employees to recognize phishing. 

    Business owners and IT managers need to be aware of the different methods and types of phishing and be able to identify which ones are most dangerous to their organization. 

    Do you want to effectively protect your company against cyberattacks? Talk to our experts during a free consultation and learn more about effective cyber protection. 


    Joanna Sajkowska

    Experienced in the areas of portfolio management, communication strategy and technical content. Backed by her background in Systems Engineering and business development, Joanna puts focus on translating features into benefits and showcasing the unique values of Grandmetric products and services.
