In today’s digital age, online small businesses are booming, but with success comes the responsibility of protecting your online assets against cyber threats like phishing attacks.
Phishing, in simple terms, is a deceptive practice where scammers try to trick you into revealing sensitive information, such as passwords, credit card details, or personal data.
Don’t worry, though!
In this article, we’ll dive into nine practical ways for owners to protect your small online business from these schemes.
Get to Know Phishing Inside and Out
The first step in securing your business against phishing attacks is to understand what phishing is all about. Think of it as someone trying to fish for information, but not in a good way. Phishers employ deceptive tactics, often involving fake emails, websites, or messages to deceive unsuspecting victims.
Generally, what happens is that a hacker will access your site through various ways. (I’ll explain in a bit.) Once in, they will set up a fake website in a subfolder or subdomain on your website generally unbeknownst to you. This website will look like a more popular site such as a credit card site or financial institution.
Once the site is set up, the attacker will start sending out email via your hosting account telling unsuspecting people that their account was compromised. In that email they provide a “click here” link that takes them to a site to “log-in” to update their account info of course providing their old password and email address. Sadly, they’ve taken the bait and provided the attacker with their financial information.
Sadly, I know this to be true. As a webmaster and hosting provider, I’ve had to clean up these types of sites more times than I care to count.
Educate Your Team About Phishing Risks
Your team is your first line of defense against phishing attacks. Ensure that your employees are well-versed in recognizing phishing attempts. Teach them not to click on suspicious links or download attachments from unknown sources. Regularly remind them about the importance of staying vigilant. Sadly, many larger corporations send out links using URLs that do not match their company name. Mostly because they’re using some third-party service. That makes it really hard to tell if the link is fake or not.
If you are trying to tell if a link is suspicious on a computer, you can place your cursor over the link and via the status bar generally in the lower left of your computer screen.
In some cases, on a mobile device you can long-press the link, and it will reveal the site you are going to. If it is a short URL such as bit.ly or others, you can probably guess that it is NOT your financial institution sending the link. You can check out the link behind a URL shortener with a service called https://checkshorturl.com/
Bolster Your Password Game
Strong passwords are your initial line of defense. Make sure all your business accounts are protected by strong and unique passwords. A strong password typically includes a combination of letters (both upper and lower case), numbers, and symbols.
Remember, never share your passwords with anyone you don’t trust implicitly. I’ve covered this before in previous articles. But there are services like https://haveibeenpwned.com/ this will tell you if your email address has been breached. Meaning if a site where you’ve used that email address for your account has been compromised chances are so has your password.
I use a service called 1Password (I’ve provided a review for this site in Traces previously) to manage my passwords and log-in information. It has a feature that will tell you if your password or email has been compromised so you can update your information on that site.
Implement Two-Factor Authentication (2FA)
Two-Factor Authentication, or 2FA, adds an extra layer of security to your accounts. With 2FA, you’ll need to provide a second code or confirmation when you log in. This additional step makes it considerably more challenging for hackers to gain unauthorized access.
Some places now call this Two Step Authentication. Many times, they will send a code to your cell phone to verify it is you. Other services will use an app such as Google Authenticator or Authy.
While this may seem like a nuisance to take this extra step, it is good reassurance that someone else cannot log into your accounts and resources.
Exercise Caution with Emails and Links
I already touched on this but when you receive emails or messages containing links or attachments, exercise extra caution. Even if the email appears legitimate, hover your mouse cursor over the link to preview the destination URL before clicking. If you have any doubt about an email’s authenticity, contact the sender directly to verify its legitimacy. Many times, an email to the sender’s email address is hidden and just the name is displayed. You can expand the email address in most cases to verify that it’s the person you think it is from.
Keep Your Software Updated
One of the simplest yet most effective ways to shield your business from phishing attacks is to keep your computer and all software up to date. Software updates often include security patches that can help safeguard your business against evolving threats. This is even more critical on your website.
There are plugins and add-ons you can apply to lock down your website such as WordFence or others to help guard against attacks but the most important thing you can do is make sure your web sites theme, plugins, and operating systems are up to date. Outdated software can allow your site to be breached from security holes that the hackers have discovered.
Deploy Antivirus Software
Consider installing reputable antivirus software on your business computers. This software is designed to detect and block phishing attempts, providing an additional layer of protection against cyber threats. Personally, I utilize Windows Defender on my PC and on my Mac I just use the default security protocols which I’ve never had an issue with. The same is true with my phone and tablet.
Safeguard Personal Data
Never share sensitive information, such as credit card details or personal data, through email or on websites unless you’re absolutely certain of their security. Ensure that your business website is equipped with an SSL certificate to encrypt data transmitted between your website and your customers. A practice I do is to send the username via one method such as email and then the password via text or messenger. This way the data doesn’t travel together.
A note on the SSL—your hosting company should have a free option for you. There are services that require you to pay for an SSL certificate. I would definitely check with them or consider your hosting options. An SSL certificate will display a padlock next to your web address to show that it’s secure. Not having one means your date is not encrypted and will also penalize you in search engine rankings.
Keep a Close Eye on Your Accounts
Vigilance is key. Regularly monitor your business accounts and transactions for any signs of suspicious activity. Should you encounter anything that seems strange, take immediate action by conducting a thorough investigation and resolving the issue right away.
By putting these nine practical steps into your online business strategy, you can significantly enhance your defenses against phishing attacks. Remember, vigilance, education, and being proactive in your cybersecurity measures are important in the ever-changing digital landscape.