How Phishing Scams Work and How They Can Affect Your Business

Fraud and data breaches of various kinds have dominated the headlines for several years now. Even so, phishing scams are not as well understood as some of their criminal counterparts. It is crucial to understand how phishing scams operate and how your business can be affected.

Phishing Scams in a Nutshell

What makes phishing so insidious is that these attacks are so often impeccably disguised as originating from legitimate sources that people reflexively trust. Most of the time, phishing attacks come in the form of an email message from what appears to be a trusted business or financial institution. When an unwitting employee, manager or CEO clicks on a link within the message, they are either taken to a bogus website or, without realizing it, start downloading a harmful file or program.

In many cases, the crafters of these messages manipulate the emotions of their recipients, playing on fear, anxiety, greed and even happiness for the sole purpose of extracting information or launching a cyber attack through the download of an attached file.

The Goal of Phishing Scams

Although phishing attack emails are spam, they are far more toxic than most other junk mail, which, as annoying as it may be, is usually simply sent in bulk to get customers to buy a product. Phishing attacks, on the other hand, are designed to obtain confidential data known as personally identifiable information (PII).

Examples of PII include Social Security, credit card and bank account numbers, medical or educational records, dates of birth and mailing addresses. By impersonating reputable and trusted online payment providers, businesses, financial institutions and even social media sites, the phishing attack is much more likely to elicit the desired response, i.e. disclosing sensitive personal information or downloading a malicious file.

Once the perpetrators of the scam obtain the PII they have been seeking, they set about profiting from it by selling it in clandestine online marketplaces. Financial gains can range from $5 for a simple credit card number on up to over $1,000 for legitimate bank account information. Once these data are in the hands of identity thieves, the financial dominos start to fall and the consequences can be devastating, particularly if the victim is a business.

Spear Phishing and Your Business

The standard phishing attack is sent in bulk; in fact, many of the people who receive the emails may not even be customers of the business or financial institution the perpetrators are impersonating. However, criminals have increased the efficiency of their attacks by initiating campaigns called spear phishing. This is a far more targeted offensive that is directed toward a specific group of people.

For example, your employees might be sent a spear phishing email that appears to come from you and others in leadership roles in your business. Worse still, today’s HTML emails enable bad actors to make the messages appear to be on your letterhead and in the standard company format to which your staff is accustomed.

Although stealing PII may be a juicy byproduct, spear phishers are usually after higher-value prizes, such as your network credentials, which give them a foothold for an ongoing persistent attack. Recent news stories about ransomware fall into this category. In this kind of attack, a company’s data is essentially held hostage by the criminals, who refuse to release it unless the business pays a hefty ransom.

How to Protect Your Business from Phishing Attacks

Your merchant payment processing company can provide a full array of tips and solutions that will help you avoid being the victim of a phishing scam, but there are steps you can take immediately as well. Educate your employees about what phishing is and how it works. Red flags include:

  • Generic salutations such as “Dear sirs” or “to whom it may concern”
  • Incorrect domain names
  • Unfamiliar senders
  • Unexpected email attachments
  • Messages that seem designed to cause emotions in the receiver: pity, urgency, anger, etc.
  • Emails that have executable file attachments with extensions such as exe, jar, com, scr, bat and msi
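The red flags above can be checked mechanically before a message ever reaches a person. The following is an added example, not code from the original article: a small triage function that parses one raw email and reports which of the listed red flags it trips (sender domain that does not match the brand it claims to be from, a generic salutation, pressure language, and an executable attachment extension). The salutation and urgency word lists are assumptions for the demo; the attachment extensions are the article's own list.

```python
import re
from email import message_from_string, policy

# Extensions are the article's list; the salutation and urgency word lists are assumptions for this demo.
EXECUTABLE_EXTS = {"exe", "jar", "com", "scr", "bat", "msi"}
GENERIC_SALUTATIONS = ("dear sirs", "dear sir", "to whom it may concern")
URGENCY_WORDS = ("immediately", "urgent", "suspended", "verify your account")

def domain_of(addr):
    # Lowercased domain of an address like 'Name <user@host>'; '' if none present.
    m = re.search(r"@([\w.-]+)", str(addr))
    return m.group(1).lower() if m else ""

def phishing_red_flags(raw, expected_domain):
    """Triage one raw message; expected_domain is the brand it claims to speak for."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    from_dom = domain_of(msg.get("From", ""))
    if from_dom != expected_domain.lower():
        flags.append(f"sender domain {from_dom!r} is not {expected_domain!r}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    first_line = text.strip().split("\n", 1)[0]
    if first_line.startswith(GENERIC_SALUTATIONS):
        flags.append(f"generic salutation: {first_line.strip()!r}")
    if any(w in text for w in URGENCY_WORDS):
        flags.append("urgency or pressure language in body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.rsplit(".", 1)[-1].lower() in EXECUTABLE_EXTS:
            flags.append(f"executable attachment: {name}")
    return flags

# Constructed sample message (not a real phish) that impersonates acme-bank.example.
SAMPLE = """\
From: Acme Bank Security <alerts@acme-bank-secure.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear Sirs,
Your account will be suspended unless you verify your account immediately.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ
--b1--
"""
```

Running `phishing_red_flags(SAMPLE, "acme-bank.example")` returns four findings for the constructed message; a plain internal note from the expected domain returns none.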

In addition, take the time to deploy security solutions on your network if you have not already done so. These precautions will help to protect your employees from their very human tendency to act without thinking, even after being warned about the consequences.

Another way to limit your business’ risk is to ensure that your lines of communication are secure. One of the best ways is to encrypt all of the data flowing to or from your website using Secure Sockets Layer (SSL) protocols (in current deployments, its successor TLS). Once this is in place, data in transit is unreadable to anyone who does not hold the encryption key. In addition, you can be notified if someone appears to be attempting to breach your security. With SSL in place, your customers will be alerted by their browser if they have clicked through to an imposter site, before they divulge any sensitive information.

Finally, it is vital that you constantly keep your ear to the ground when it comes to security. Make it a priority to update all of your security software whenever upgrades are released. Doing so will go a long way toward protecting you from the constantly evolving cyber threats being cooked up in the devious minds of criminals. When combined with training and educational tools, these security defenses just might save your business from a nasty attack, financial losses and even a blow to the reputation you have worked so hard to build.