It was a typical Monday morning. Sally (name changed) received an email from one of her clients saying there were two new hires that needed to be paid. She responded to the email and let the owner know that he would need to onboard them first, including all their required new hire forms and documentation.  

Within an hour, Sally received a response from the owner that included all the proper paperwork and necessary documentation to onboard these new employees. In the email, each new employee had a pay rate that would have come to nearly $5,000 in wages owed for their upcoming payday.  

Sally added all the information for the new hires into the system, including home addresses, email addresses, phone numbers, hourly pay rates, and all other details from their employment forms. Nothing seemed out of the normal. 

Except this time, it was a scam.  

The small business owner’s password to his work email address had been hacked. His exact email address and signature were legit; even Sally’s payroll system identified him with no red flags. The scammers were so spot on with details that even the verbiage used in the body of the email was said exactly the way he would have written it.  

Thankfully, the scam was caught prior to the “new employees” being paid. But it did enough to make Sally and her client feel completely violated.  

To help you prevent a data breach, we have outlined a few key takeaways that other small businesses can learn from this experience, even when on a tight budget. 

1. Know Your Business Is at Risk 

According to strongdm.com, 46% of all cyber breaches impact small businesses with fewer than 1,000 employees. If you own a small business, you are considered an easy target for scammers because you likely have little-to-no budget for cybersecurity tools and practices, and the media is less likely to pick up the story. 

Statistics show small businesses have the highest rate of targeted malicious emails and experience 350% more social engineering attacks than larger companies. While CEOs and CFOs are popular targets, anyone within the company who does not practice proper cybersecurity measures can put your business at risk.

But does a small business budget have to put you at greater risk? Not if all employees are familiar with and practice the following safety measures. 

2. Implement Password Best Practices  

One of the most effective ways of reducing cyber security risks is to consistently use password safety. This includes implementing the following best practices:

Keep passwords private  

Never share your passwords with others, especially in writing. If you have a sticky note sitting out with your password nearby, throw it away and change your password.  

Do not reuse passwords  

Use different passwords for separate login credentials. The more you reuse the same password, the easier it would be to hack into multiple accounts.

Consider passphrases for strong passwords  

To create strong passwords, use phrases that contain a mix of upper- and lower-case letters, numbers, and symbols. Ideally, your password should be a minimum of 12 characters long.

Strengthen password security  

While no password is 100% secure, you can strengthen your security with a second layer of protection like multi-factor authentication (MFA). Anybody with access to sensitive employee data should be required to implement MFA.

Routinely change passwords  

Regularly changing your passwords significantly reduces the risk of hackers accessing sensitive information.

Consider password manager software  

Using password manager software will help you minimize the headache of remembering different passwords for all your different accounts. Password managers can also suggest or generate strong passwords for separate logins. 

3. Protect from Phishing 

Phishing scams are when an imposter sends an email or text that appears to be from a legitimate colleague, client, or company. These messages are meant to trick you into clicking a link or opening an attachment with some call-to-action.

To help protect you from phishing threats and other cyber attacks, install security apps and antivirus software on business computers, as well as a virtual private network (VPN). Password-protect access to critical data and be sure your cell phone is set to update automatically.

In addition, question everything you see in an email or text message with the following questions:

Is there a sense of urgency?  

Most scammers know they only have a few moments to try and trick you, so urgent language can help keep you from reading the message more closely. If you receive a message that contains urgency (“Make a payment TODAY to avoid a penalty” or “Click NOW to stop your account from being deactivated” or “Confirm your identity right away”), beware. 

What is the sender’s email address?  

Does the sender’s email address look legitimate, including the domain? Double check to make sure there are not any spelling errors, with even just a single character that is off or added. And remember, most legitimate organizations do not use generic email accounts for business.  

How is the branding?  

Does the branding look accurate? While some scammers may spend time ensuring logos and fonts appear legitimate, others may hastily copy and paste a low-resolution image into an email that makes it look shady when closely examined.

Are attachments or links embedded?  

Be extremely cautious with attachments or links, as even Word and PDF documents may unleash malware. If something seems out of line from what you might typically expect to receive from the sender, give them a call to confirm the document is safe to open.

Does anything look unreadable or unfriendly?  

Before clicking on a link, always hover over to see where its destination is. But caution: do not automatically assume it is fine if the destination appears legitimate! Messages can be laced with links that utilize a redirect through a source that seems fine (for example, bing.com). Consider what the email is about and ask yourself if it makes sense for the source to be linked to that destination.

Is the subject line or content referencing anything out of sync?  

If something sounds awkward or unfamiliar, call the sender to confirm legitimacy. And if it sounds too good to be true (you were “randomly selected” for winning a gift card, yay!!), it is likely not real.

Was this an unsolicited email requesting information?  

If the message was unexpected (they have noticed suspicious activity or too many log-in attempts, there is a problem with your account, you need to confirm information, they include an invoice you do not recognize, you are eligible for a refund, your boss needs money transferred, they provide coupons for free stuff, etc.), always call the individual to confirm before clicking or responding.

The above image from consumer.ftc.gov may at first appear real but has several suspicious features. For example, it has a generic greeting, includes a sense of urgency, has a link for the user to update their account, and Help Centre is spelled as though it is from the U.K. (Netflix headquarters are in the U.S.).

If you are concerned about the need to update your Netflix account after receiving a similar email, log into your account or do an internet search for legitimate Netflix contact information. Never assume the information in an unsolicited email is safe, especially when asking for sensitive data, and be extremely cautious before clicking links.

4. Train employees  

Hacking tactics and cyber threats (have you heard of deepfakes?) will only grow more sophisticated with artificial intelligence (AI). Small businesses can stay ahead of scammers by presenting spoof examples and reminders at company trainings for your employees.  

Remind employees of your internal processes to question everything and to always call the message sender when in doubt. You could also test employees by sending a spoof email of your own to see how they respond, or role play real life scenarios and responses.

As part of your training, encourage employees to slow down when responding to sensitive emails. We all want to be productive, get our checklists done, meet performance metrics, and so on, but the security of sensitive data is critical.

Be particularly mindful of holidays, weekends, end of year, and other times when you may be running around and not paying close attention. Scammers are getting smarter and are banking on you being distracted by current events if not easily swept up by the urgency to quickly click, send, or act now.

5. More information  

When you are a victim of fraud, a scammer can embezzle money, download malicious software, discover credentials to personal accounts, access sensitive data, damage your credit rating, steal business data, and violate you with a load of other personal, financial, social, and emotional consequences. Being aware and proactively protecting your personal and business accounts is your best defense to avoid fraudulent activity.  

For more information on how to help your business prevent cyber threats, please contact your certified HR expert. Not a current Stratus HR client? Book a free consultation and our team will contact you shortly. 

Have you been a victim of cyber-crime? Report it here: 
Justice.gov
Federal Bureau of Investigation 

Sources:
Consumer.ftc.gov
Corporatecomm.com