Phishing In All Its Forms Is a Menace to Small Businesses

Phishing, SMiShing and Vishing (seriously) are cyberthreats harried business owners need to watch for.

By Rohit Prakash Edited by Dan Bova

Opinions expressed by Entrepreneur contributors are their own.

Small business owners are overwhelmingly on the receiving end of cyber attacks. More than three-quarters of the companies targeted by malicious hackers are small shops -- those without a dedicated security team -- according to the recently released Verizon Data Breach Investigations Report (DBIR).

The most common way they get taken advantage of is malicious emails, or "phishing emails," as they're commonly referred to. They are "the no. 1 cause of cybersecurity incidents bar none," said Oren Falkowitz, a former NSA employee and now CEO of cyber defense start-up Area 1 Security.

Disguised as notes from loved ones or even an employer, crooks piece together what appear to be legitimate emails that, as Falkowitz notes, "ask you to click on a file or a link or increasingly with fileless or linkless message to take some sort of action," and then "enter [a] password, transfer money through a fraudulent wire or send W2s out." These emails can be as painfully obvious as a note from an exotic prince or as deviously deceptive as the fake email alert that led to the hack of the DNC.

The vast majority of security incidents start with this cybersecurity threat, and a whopping 30 percent of these phishing emails get opened. (The average office worker receives more than 100 emails a day.) Phishing emails lead to infections that corrupt some of our most sensitive business machines with ransomware -- nasty malware that encrypts files -- or that capture our usernames and passwords.

The risk is real and prevalent. Here are some useful and free ways to help keep your small business safe:

If it looks phish-y, call the sender to verify.

Whenever you receive an email containing a link or an attachment that just doesn't make sense, check it out. In fact, anytime you receive something that appears important, call the sender to verify what they sent, and ask them to describe the links or attachments.

Establish strong credentials.

One of the most common-sense -- and overlooked -- suggestions in the DBIR is turning on two-factor authentication for administrative access to web apps that contain sensitive company or customer information. The process involves signing in with your passcode and then receiving a special code texted directly to your phone or app.

Last year, during a meeting at UC-Berkeley, Dropbox's then-Chief Trust Officer Patrick Heim told the Commission on Enhancing National Cybersecurity that less than one percent of the service's users take advantage of the extra protection. (Researchers at Carnegie Mellon University recently published a password meter that will help you make your passwords strong. You can find it here.)

Ask yourself: do your employees really need access to all of the computers that run your business? As small shop owners scale their businesses, they often give all their managers access to the shop's computers. My advice -- make sure that your managers are following the same rules you are. If you have a single work machine that holds all your invoicing and spreadsheets, you don't want your manager potentially getting phish'd when she checks her Hotmail.

It's not just email.

Emails aren't the only place where you have to be vigilant. Digital con artists also send malicious attachments and links over text messages -- so-called SMS phishing, or SMiShing. They attempt to do the same over social media. And, sometimes they even attempt to "socially engineer" victims over phone calls. That's called Vishing.

Visually validate websites.

Many phishing messages take you to web forms or other sites that look legit, but, on closer inspection, are truly phish-y. Some criminals take over the neglected parts of websites and host malware or other phishing content. It's called "parasite hosting."

If a link within an email is meant to take you to a Gmail login page, make sure it takes you to https://accounts.google.com/, not some other random website.
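The same check can be done in code, for instance before a link is trusted by a mail filter or help-desk script. This is an added example, not part of the original article; it assumes Python 3, the helper name `check_login_link` is hypothetical, and the sample links are constructed using the reserved `.example` domain.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only host a Gmail sign-in link may use.
EXPECTED_HOST = "accounts.google.com"


def check_login_link(url, expected_host=EXPECTED_HOST):
    """Return (ok, reason) for a link that claims to lead to a login page."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return False, "not a parseable URL"
    if parts.scheme.lower() != "https":
        return False, "not an https link"
    if parts.username is not None or parts.password is not None:
        # Text before '@' is login data, not the site; the real host follows it.
        return False, "user-info before '@' hides the real host"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False, "internationalized host, possible look-alike letters"
    if host != expected_host:
        # Exact match only: the expected name appearing somewhere is not enough.
        return False, "host is %s, not %s" % (host, expected_host)
    return True, "host matches"


# Constructed sample links, not taken from any real message.
CONSTRUCTED_LINKS = [
    "https://accounts.google.com/signin",
    "http://accounts.google.com/signin",
    "https://accounts.google.com.login.example/signin",
    "https://accounts.google.com@login.example/signin",
    "https://accounts.g\u043e\u043egle.com/signin",  # Cyrillic letters in place of 'o'
]

if __name__ == "__main__":
    for link in CONSTRUCTED_LINKS:
        ok, reason = check_login_link(link)
        print("%-5s %-55s %s" % ("OK" if ok else "BLOCK", link, reason))
```

Only the first sample passes; the others fail on the scheme, the real host, the `@` trick and the non-ASCII host respectively.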

Update.

Even though the recent WannaCrypt0r attacks -- which ravaged networks worldwide -- weren't seemingly spread by email, they could have been upended by hitting an update button. Before the ransomware ever compromised the computer systems of the UK's National Health Service or Spanish telecommunications company Telefónica, Microsoft issued a patch that would have stopped the virus cold.

Indeed, in order to stay safe in Windows, I recommend small businesses that use simple software enable automatic updates. Most importantly, just remember, no matter how many hundreds or even thousands of emails that you receive, never trust embedded links or attached files.

Rohit Prakash

Co-founder of Townsquared and Small Business Champion

Rohit Prakash is co-founder of Townsquared, the only private, online community for small businesses that ties neighborhood entrepreneurs and mom-and-pop shops together on its hyper-local social network.
