As convenient and efficient as using email is for business and personal communications, there is a dark side to using email: phishing attacks.

A pervasive, year-round threat, phishing attacks tend to spike and are prevalent throughout the holiday shopping season. According to Cyberint, a cybersecurity company, phishing attacks surged by an estimated 46% in December 2023 compared to the monthly average throughout the year.

Although cyber insurance is vital for any small business or independent professional using email and operating online, preventing a phishing attack from infiltrating your network and compromising your security requires knowledge, cybersecurity tools, and awareness training.


What Is Phishing?

Phishing is a type of cyber-attack in which attackers impersonate a person or organization to bait victims into trusting them. Most phishing attacks are made using email, but hackers may use other methods, including text messages and phone calls. Their goal is to fool you into sharing confidential information so they can access your computer, accounts, and computer network.


The Insurance Institute of Canada, citing IBM Canada’s annual “Cost of a Data Breach Report”, states that phishing attacks are one of the most common types of attacks, affecting 14% of Canadian businesses in 2024. 

Additionally, data from a 2024 Canadian Internet Registration Authority survey of organizations found that 44% experienced a cyber-attack in the last 12 months, and 56% are worried about how artificial intelligence (AI) may make phishing email and text-based attacks more effective.

What Types of Phishing Attacks Are There?

There are numerous ways cybercriminals can try to attack your business. Here are some of the most common types of phishing attacks:

  • Email phishing. Email phishing is the most common type of attack. It’s typically sent to as many people as possible within an organization. The message usually has a sense of urgency, asking the recipient to respond as quickly as possible. A malicious link in the email may take the recipient to a fake webpage that asks them to fill in some personal information, or the message may ask them to buy gift cards and include the codes in their response.
  • Spear phishing. A type of targeted attack sent to a select few individuals at an organization. Criminals may impersonate someone the targeted individual works with or knows. The email will typically include the recipient’s name to make it more personal. Again, there may be a sense of urgency included in the email.
  • Whaling. In this instance, a senior executive (known to cybercriminals as a bigger fish) is targeted. The content of the email is typically designed to pressure the recipient into acting, such as a stated intention to sue the individual or the organization.
  • Business email compromise (BEC). A cybercriminal will successfully take control of an executive’s account and attempt to use it to get employees to do their bidding, such as sending a wire transfer. BEC is also known as CEO fraud.
  • Vishing. Also known as voice phishing, vishing involves a call from what appears to be a financial institution or government body claiming that a large sum of money is owed or that there has been suspicious credit card activity. The scammer may ask the victim to verify their bank account information or credit card details.
  • Smishing. Cybercriminals can send SMS or text messages posing as legitimate organizations. The message often includes a malicious link that requires the user to enter some personal information.
  • Social media phishing. Hackers often create fake profiles on social media networks and attempt to get you to click on a malicious link or obtain confidential information about you.

Cybercriminals have also become much more sophisticated over the years, using social media to gather information. They can look up potential victims on Facebook or LinkedIn and quickly find their friends, co-workers, and business contacts. Hackers can use this information to pose as someone in a potential victim’s network or circle of friends – a type of attack called social engineering.

Who’s at Risk of Phishing Attacks?

Every small business or self-employed professional is at risk of phishing attacks.

Some attacks target all employees, while others target specific people. Those targeted the most often include senior executives and their assistants, IT systems administrators, help desk employees, and those with remote access or access to sensitive information.

However, cybercriminals don’t discriminate and don’t bypass small businesses – they often prefer to attack small companies because they have fewer cybersecurity resources to thwart attacks.

How to Recognize a Phishing Attack

The federal government suggests you should look out for red flags in a message, such as:

  • Language that pressures you to act quickly
  • Requests for personal information or to verify passwords and information
  • Spelling and grammar mistakes
  • Email addresses or links that look suspicious
  • Blurry images or a design that doesn’t look professional
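The "email addresses or links that look suspicious" flag can be checked mechanically. The following Python code is an added example, not part of the original article: it reports a Reply-To domain that differs from the From domain, link text that displays one domain while pointing to another, and links that use http rather than https. The names `red_flags`, `host`, `domain` and `Links` are illustrative, the sample message is constructed, and a single-part HTML body is assumed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_TEXT = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

class Links(HTMLParser):  # collects (href, visible text) for each <a> element
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.href, self.text.strip()))
            self.href = None

def host(value):  # host of a URL or bare domain, minus any leading "www."
    try:
        url = urlparse(value if "//" in value else "//" + value)
        return (url.hostname or "").removeprefix("www.")
    except ValueError:
        return ""

def domain(header):
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def red_flags(raw):
    msg, flags, links = message_from_string(raw), [], Links()
    if domain(msg["Reply-To"]) not in ("", domain(msg["From"])):
        flags.append("Reply-To domain differs from From domain")
    links.feed(msg.get_payload())  # assumes a single-part HTML body
    for href, text in links.found:
        if DOMAIN_TEXT.fullmatch(text) and host(text) != host(href):
            flags.append(f"link text shows {host(text)} but goes to {host(href)}")
        if href.lower().startswith("http://"):
            flags.append(f"link to {host(href)} uses http, not https")
    return flags

# Constructed sample; example.com and example.net are reserved test domains.
SAMPLE = ('From: "Your Bank" <support@example.com>\nReply-To: help@example.net\n'
          "Subject: Action required\nContent-Type: text/html\n\n"
          '<p>Sign in: <a href="http://login.example.net/reset">www.example.com</a></p>\n')
```

Calling `red_flags(SAMPLE)` returns all three flags. A clean result does not prove a message is legitimate, since these checks cover only one item on the list above.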

What to Do If You Suspect a Phishing Attack and How to Report It

If you’re not sure whether an email is a phishing attack, the best plan of action is:

  • Report it. Notify your IT or security department immediately. Don’t forward the email to any other co-workers because they may accidentally click on something. If a phishing attack is confirmed by your company’s cybersecurity professional or IT department, it should be reported to the federal government’s Canadian Anti-Fraud Centre and your local police force.
  • Don’t click on any links. Instead, look up the organization in your web browser for more information. That way, you know you’re getting information from a legitimate source.
  • Don’t download unexpected files. A legitimate organization typically won’t send you files or forms without telling you ahead of time.
  • Change passwords. If you accidentally click on a malicious link, change your account passwords immediately.

5 Ways to Prevent Falling Prey to a Phishing Attack

Here are five ways to take proactive measures to protect yourself and your business from becoming a victim of a phishing attack:

1. Educate yourself and your employees. Knowing what phishing attacks look like can help prevent them from being successful. Cybersecurity training should be mandatory for everyone in your organization.

2. Delete suspicious emails and texts. Don’t reply to or interact with an email or text you identify as suspicious or questionable. If in doubt, toss it out. In other words, delete it.

3. Install antivirus and anti-phishing software. These types of cybersecurity software can help protect your privacy and prevent attacks by filtering and removing suspicious emails. Keep all antivirus and anti-phishing software updated, use multifactor authentication for logging into accounts and devices, and consider using a virtual private network (VPN) when online, especially if you must use public Wi-Fi.

4. Improve cybersecurity measures. You should consider doing the following: use email security systems to filter out potentially hazardous emails; block users from accessing specific sites through website filtering; use strong passwords, change passwords frequently, and use different passwords for different devices and accounts; avoid inputting personal information on unsecured sites (those with ‘http’ in the URL instead of ‘https’); and install security updates for software or devices as soon as they’re available instead of waiting for a more convenient time.

5. Back up your company data. Whether using a mobile device, laptop, or desktop computer, automate daily encrypted backups of confidential company data, stored in secure cloud storage and on an external hard drive.

What Insurance Protects Businesses From Phishing Attacks?

Two types of cyber insurance can help a small business recover from cyber-attacks and data breaches, including phishing attacks: cyber liability insurance and cybercrime insurance. Both are affordable insurance solutions that cost significantly less than what a phishing attack, ransomware attack, or data breach would cost you.

Cyber liability insurance covers damages and expenses following an attack or breach, including software restoration, crisis management services, credit monitoring, and legal advice fees.

Cybercrime insurance covers criminal activities that occur via the internet or other computer networks affecting your business. It’s designed to address online financial theft and fraud committed against your business.

Fill out our online application for a free quote in less than five minutes.

Zensurance is Canada’s leading small business insurance brokerage, serving hundreds of thousands of businesses and independent professionals in almost every industry. We can quickly obtain the comprehensive, low-cost cyber insurance protection you need and customize it to suit your requirements.

– Updated December 11, 2024.


About the Author: Brandon Bowie

Brandon Bowie is a Team Lead, Professional Lines at Zensurance.