Don’t Get Hooked by Phishing: Keeping Your Business Secure
Phishing has been a common and costly threat to businesses since the 1990s. It involves fraudsters impersonating a trusted source to trick someone into revealing sensitive information, clicking on malicious links, or transferring money.
How costly? The numbers are staggering. According to Deloitte’s Center for Financial Services, AI could spike U.S. fraud losses almost 3.5 times, reaching $40 billion by 2027. This surge would be the next chapter in a long story. Fraudsters have constantly evolved their tactics, targeting businesses of all sizes.
Remember: Falling victim to phishing isn’t just about financial loss. It can also harm your business’s reputation, especially if your customers or partners are affected.
Phishing Is Just the Start
Phishing is often a broad term, but fraudsters are developing more targeted approaches. Here are some of the most common threats:
- Spear Phishing: Unlike generic phishing attacks, spear phishing targets one person. Scammers research their victims to craft convincing communications that appear to come from known contacts or institutions. Some spear phishers use employees’ social media profiles to include seemingly legitimate details.
- Whaling: This type of phishing targets executives or high-level employees who have access to sensitive accounts. Cybercriminals impersonate CEOs, CFOs, or other leaders to request fraudulent transactions. Employees may comply due to pressure from leadership.
- Smishing: Short for “SMS phishing,” smishing attacks use text messages to deceive recipients into clicking malicious links or sharing login details on their mobile phones. These messages may reference a pending delivery or a problem with a business checking account. Some fraudsters can even send messages that appear to come from known phone numbers.
- Quishing: Fraudsters use fake QR codes to direct unsuspecting users to malicious websites or prompt malware downloads. After scanning the code, you may reach a phony banking website or invisibly download software that steals your usernames and passwords for legitimate websites.
- Vishing: This scam involves phone calls where attackers use spoofed caller IDs to pose as a bank, vendor, or company executive to access sensitive information. For example, a vishing fraudster might call and ask for passwords or confirmation codes.
- Email Compromise: Fraudsters clone legitimate emails or create deceptive lookalike accounts to trick employees into wiring funds or providing confidential data. They may include links or ask for replies containing account or business credit card details.
- SEO Poisoning: Attackers manipulate search engine results to rank fraudulent websites or ads that appear trustworthy, leading users to phishing sites. These sites can closely resemble your bank or vendor, with subtle differences like replacing “and” with “&” or “.com” with “.co.”
- Deepfakes: These fraud attacks are now at the forefront of cybercrime. It’s easy to use AI to generate video or voice recordings that convincingly impersonate company executives. These deepfakes will fraudulently request account details or payments to steal funds from your business.
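The lookalike-domain tricks described under Email Compromise and SEO Poisoning (a “.com” swapped for “.co”, a character substituted, a trusted name buried inside a longer hostname) can be caught mechanically before a person has to judge them. The following is an added example, not code from the article or from M&T: it checks the sender addresses and link hosts an employee might receive against a short allow-list of the business’s own domains. The trusted domains (examplebank.com, acme-vendor.com) and every sample address are constructed for illustration; the `triage`, `classify_host` and `levenshtein` helpers are hypothetical names, not part of any product.

```python
# Added example (not from the original article): a defender-side lookalike-domain
# check for sender domains and link hosts. It compares each host against a short
# allow-list of trusted domains (constructed sample values, not real M&T
# infrastructure) and flags the near-misses the article describes: a swapped
# top-level domain (".com" -> ".co"), a substituted or inserted character, or a
# trusted name tucked inside a longer, unrelated hostname.
from urllib.parse import urlparse

# Constructed allow-list: the domains this fictional business actually uses.
TRUSTED_DOMAINS = {"examplebank.com", "acme-vendor.com"}


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host):
    """Return (registrable name, tld) for a simple host like 'www.examplebank.co'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return host.lower(), ""
    return labels[-2], labels[-1]


def classify_host(host, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    host = host.lower()
    # Exact match or a genuine subdomain of a trusted domain.
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted"
    name, tld = split_host(host)
    for t in trusted:
        t_name, t_tld = split_host(t)
        # Same registrable name, different TLD: examplebank.co vs examplebank.com
        if name == t_name and tld != t_tld:
            return "lookalike"
        # One or two edits away: exarnplebank.com, examplebnk.com, example-bank.com
        if levenshtein(name, t_name) <= 2:
            return "lookalike"
        # Trusted name embedded in an unrelated domain: examplebank.com.account-review.net
        if t in host or t_name in name:
            return "lookalike"
    return "unknown"


def host_of(value):
    """Extract the hostname from a URL or an email address."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1]
    parsed = urlparse(value if "://" in value else "http://" + value)
    return parsed.hostname or ""


def triage(values, trusted=TRUSTED_DOMAINS):
    """Map each URL/address to its verdict; anything 'lookalike' should be reported."""
    return {v: classify_host(host_of(v), trusted) for v in values}


if __name__ == "__main__":
    # Constructed sample of senders and links, mirroring the article's ".com" -> ".co" trick.
    samples = [
        "payments@examplebank.com",
        "https://secure.examplebank.com/login",
        "alerts@examplebank.co",
        "https://exarnplebank.com/verify",
        "https://examplebank.com.account-review.net/",
        "ceo@acme-vend0r.com",
        "https://news.example.org/",
    ]
    for value, verdict in triage(samples).items():
        print(f"{verdict:9s} {value}")
```

The edit-distance threshold of two is deliberately loose and will produce false positives on very short domain names, which is acceptable for a check whose only action is to route a message to a human for verification. A hit here is a reason to pause and confirm through an official channel, exactly as the next section advises; a miss is not proof that a message is genuine.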
How to Safeguard Your Business
While IT security tools help, technology alone isn’t enough to stop fraud. These forms of fraud are as much about behavior as technology. A comprehensive approach is key to protecting your business.
Recognizing and reporting suspicious activity is crucial. Employees should be trained to identify phishing attempts and report unusual activities. Independent verification is also essential. Confirm sensitive requests like transferring funds or sharing login credentials through official channels rather than acting on urgent emails, texts, or calls.
Regular training keeps employees informed about the latest scams and responses. You can also help customers by reminding them about official company communications and common scams.
Don’t Trust—Verify
Adopt a simple slogan to protect your business from phishing and fraud: “Don’t trust. Verify.” Fraudsters use urgency and deception to trick victims. Using dual-control processes to confirm the legitimacy of an email, call, or link can mean the difference between staying secure and becoming a target.
M&T is here to help. If you have concerns about fraud risks, we can guide you on best practices and security measures to help keep your business safe. If you’re unsure, contact your relationship manager or schedule an appointment today.