Phishing scams have become an all-too-common threat. Through spear fishing, vishing and other forms of social engineering, cybercriminals trick business owners and employees into disclosing sensitive information like credentials and passwords, eventually resulting in data breaches and ransomware installations on a business’s network. According to Accenture, 43% of cyberattacks are aimed at small businesses. But why have these attacks become so prevalent and so successful?

Macro trends have pushed workplaces to permanently adopt a hybrid model. This has cemented an expanded attack surface for cybercriminals to penetrate. Combine this with the fact that more than 80% of data breaches result from human error — and employees who work from home are more susceptible to these errors — and it has created an ideal scenario for scammers. Companies of all sizes are at heightened risk in the post-pandemic world. 

According to a recent study by ProofPoint, 84% of organizations polled faced at least one successful phishing attack in 2022. This is jarring not only because so many organizations have fallen victim, but also because so many SMBs do not have the resources to fully recover from these kinds of cyberattacks. 

Cyberattacks now cost small businesses $2.2M on average and 60% of companies that suffer an attack go out of business within six months. Expenses stemming from a cyberattack can include ransom payments, lost revenues from business downtime, remediation, legal fees and audit fees. Affected businesses can even see their credit-rating downgraded. These costs, fees and challenges can add up and ultimately bankrupt a small business. 

Why are SMBs a common target and what do scammers want?

When criminals target SMBs, they’re generally after two things — data and ransom money. Ransomware attacks, via phishing links, are the most common cyber threat to small businesses. Stolen data is easy to monetize and sell whereas victims must pay a demanded ransom to have the installed ransomware removed from their compromised systems. Direct financial loss stemming from wire transfer or invoice fraud is also common.

So why SMBs? Cybercriminals are a lot like children — they like to steal cookies, and they like to steal them from full jars on low shelves. SMBs are like those easy to access cookie jars. They lack sufficient security measures and trained personnel; they hold data like credit card numbers and protected health information that criminals can easily monetize; they neglect to use an offsite source or third-party service to back up their files or data (making them vulnerable to ransomware); and they often serve as a backdoor into the supply chain of a larger company. Hiscoxx’s 2022 Cyber Readiness Report found that businesses with 10 to 49 employees saw a ~4X rise in the average number of attacks last year.

In contrast, large businesses continue to invest in their cybersecurity, making themselves tougher targets to crack. They may hold bigger and better cookies, but their cookie jars are on the top shelf behind a thrice-locked door. SMBs are considered “soft targets” in comparison due to their insufficient security controls and a shortage of skilled resources on the payroll.

A CNBC survey released in the fall of 2021 found that 56% of small-business owners weren’t worried about being the victims of a hack. Additionally, many SMBs market and sell their goods, products, and services exclusively through social platforms where many attacks originate. This lethal combination of low security prioritization paired with easy-to-exploit business channels have made SMBs prime targets for today’s cybercriminals.

How can SMBs protect themselves? 

While it may seem a daunting task, there are easy, low cost strategies and steps SMBs can take to proactively defend against phishing attacks and cyber threats:

• Backup data to a system not connected to the network. If a phishing attack occurs, security leaders can be able to use that backup to restore their data.
• Keep security up to date. This may sound obvious but many businesses forget or postpone necessary updates and patches due to convenience.
• Deploy a safety net. Email authenticator applications are tremendously helpful in reducing inbound threats. These are not foolproof, but they’re better than going at it alone.
• Use 2FA, strong passwords and a password manager. These are basic, basic tenants of cyber hygiene but they can go a long way. For those interested in taking things one step further, begin utilizing a YubiKey to lock down important accounts like email and key socials. When a YubiKey is used, the physical key must be in an individual's possession when attempting to log into the associated account.

Attackers are relentless and most companies fail to realize the severity of threats until it’s too late. By following best practices and proactively protecting against phishing scams, SMBs can greatly reduce their risk and continue to thrive in today’s ever-evolving marketplace.