
Three Ways Malicious Phishing Attacks Can Affect a Startup – and What to Do About It

No matter the sector you’re in or the size of your business, a phishing attack is a significant issue. Far from just using dodgy email links, scammers are using increasingly sophisticated ruses to wiggle their way into company devices and gain access to sensitive information, with devastating effects. Particularly in a startup business, where there is so much going on and processes are yet to be fully established, it can be easy to fall victim to a phishing scam.

In this post, we explore the impact these attacks can have on a business, as well as offer advice on how to best avoid them.

Data Loss

One of the areas of concern for businesses after a phishing attack is data security. Whilst you might imagine that scammers would go straight for your money, bank details and security information can be a lot harder to get hold of than contact numbers and emails. Banks also tend to have a double layer of protection to defend businesses against this sort of attack, making it even harder to do successfully.

However, information can be just as valuable as financial details, particularly for businesses where clients will want to remain anonymous. Holding sensitive information allows scammers to then go after your clients, potentially implementing a two-stage attack, where they send malicious emails to addresses taken from your business contact list.

Direct Financial Impact

Money is the target for a lot of cyber attacks – either gained directly via the scam or extorted via a ransom scheme. Whilst losing money is problematic for any business, startups are perhaps the least able to spare any funds, making a financial phishing scam even more devastating. According to research, $420 million was lost via email scams in 2022, and with the number of scams only rising, this figure has likely gone up. 

As well as the direct financial impact on company accounts, businesses may experience further losses if they have to close their systems temporarily, limiting sales. Or, if data is leaked, they may be forced to pay heavy fines for breaking GDPR regulations.

Compromised Reputation

One metric that’s harder to measure is the impact of phishing attacks on the reputation of your startup company, which will be heavily reliant on customer recommendations at this stage in your lifecycle. Even though it can feel like phishing attacks aren’t your fault, it may not appear this way to your customers – and, crucially, your investors – who may feel you should have been more vigilant. This can take time to recover from, reducing your financial pipeline and therefore your business growth. In a worst-case scenario, you may find that investors pull or restrict any further funding.

How to Protect Your Business From Phishing Attacks

The negative impacts of phishing scams are clear to see, and they’re not something to be taken lightly by any company, especially one that is just starting out. So how can you protect yourself? Let’s take a look at some of the steps all businesses should take.

Ensure Your Team is Vigilant by Investing in Training

Your team is the first line of defense against any malicious activity. They can spot it and stop it, but only with the right training, and with easily accessible platforms to report any concerns. Implementing this type of training might not be high on your priority list when you’re starting out, but building vigilance and accountability into your company culture can really help keep your assets safe. In fact, experts found that effective training reduced successful phishing attacks in 84% of US organizations.

Make sure that your staff understands the tactics that scammers use and the potential impact they could have, so that everyone feels like it’s a collaborative effort to keep the business secure. You may want to consider bringing in an expert speaker, using interactive quizzes or even simulating a phishing attack for training purposes if you have the budget to do so. Real-life examples may stick more clearly in your team’s minds, and drive home the severity of this issue.

Even when the training is complete, your work isn’t done. Make sure to post regular updates that raise awareness about any new techniques, and give workers time to refresh their memory on any areas they don’t feel confident with. In a busy environment, there may be a time when they disregard a suspicious email in favor of getting the task done, and this is exactly what you want to avoid. Ensuring they know that reporting any red flags is a top priority will give them the confidence to stop scammers from succeeding.

Implement Extra Security Measures

Even with the best will in the world, the chances are that a malicious email will manage to slip past your team at some point. This is where having several layers of security is invaluable for protecting your business. 

Multi-factor authentication (MFA) is an easy tool to set up, but one that can prove incredibly useful if a scammer does happen to get hold of any passwords or login credentials. Requiring your team to enter a secondary password, approve a login on a separate device or enter an authentication key as well as a strong password can help flag any suspicious login attempts, and make employees think twice about what they’re logging in to. 

Unfortunately, many scammers have gotten wise to this tactic, and try a technique called push-bombing. When utilizing MFA, employees often expect a notification on their phone to approve access. Scammers take advantage of this, flooding the recipient’s phone with multiple login requests, hoping to provoke them to click on one of them. This is often successful, as the employee gets frustrated, or mistakenly clicks, as they assume an MFA request is legitimate. 

To defend against this new technique, startups shouldn’t just settle for standard MFA, but look to implement phishing-resistant MFA if possible. One example of this is security keys, where the employee has to use a small physical device that connects to their computer or phone. Since they require the key to be in the same place as the device that is being accessed, it’s much harder for scammers to complete their attack.
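
As an added example (not part of the original article), here is one way to spot the push-bombing pattern described above in your own MFA logs: a burst of denied or unanswered push prompts for one user, especially when an approval follows. The event fields, the threshold of five prompts and the ten-minute window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push events (timestamp, user, outcome); not real logs.
SAMPLE_EVENTS = [
    ("2024-03-04T09:00:05", "alice", "approved"),  # ordinary single login
    ("2024-03-04T02:13:00", "bob", "denied"),
    ("2024-03-04T02:13:40", "bob", "timeout"),
    ("2024-03-04T02:14:10", "bob", "denied"),
    ("2024-03-04T02:15:02", "bob", "timeout"),
    ("2024-03-04T02:15:30", "bob", "denied"),
    ("2024-03-04T02:16:11", "bob", "approved"),    # approval right after the flood
    ("2024-03-04T11:00:00", "carol", "denied"),
    ("2024-03-04T15:30:00", "carol", "denied"),    # hours apart: not a burst
]


def find_push_bombing(events, threshold=5, window=timedelta(minutes=10)):
    """Flag users who got `threshold` or more unapproved prompts within `window`.

    Each alert also records whether an approval followed the burst, which is
    the case that needs an immediate session revoke and password reset.
    """
    recent = defaultdict(deque)  # user -> times of unapproved prompts in window
    alerts = {}
    for ts, user, outcome in sorted(events):  # same-format ISO strings sort by time
        now = datetime.fromisoformat(ts)
        queue = recent[user]
        while queue and now - queue[0] > window:
            queue.popleft()  # forget prompts older than the window
        if outcome == "approved":
            if len(queue) >= threshold:
                alerts[user]["approved_after_burst"] = True
            queue.clear()
            continue
        queue.append(now)
        if len(queue) >= threshold and user not in alerts:
            alerts[user] = {
                "user": user,
                "first_prompt": queue[0].isoformat(),
                "approved_after_burst": False,
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_push_bombing(SAMPLE_EVENTS):
        print(alert)
```

An alert with `approved_after_burst` set to true should be treated as a likely account takeover rather than a nuisance.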

Prioritize Cybersecurity

In the busy first few years of running a company, it’s easy to let establishing processes and protocols slide in favor of activities that boost profit. However, it’s essential to ensure that your hard work is protected via strong cybersecurity measures, or you risk having to take a step backward, not forward.

About the author

Kathleen White

Kathleen White works as an independent business analyst for several small businesses. She completed her degree in Business and Management at the University of Bristol, achieving a First-Class Honours. She enjoys writing in her spare time to share what she has learned, in hopes of benefiting other businesses.
