You can be on Entrepreneur’s cover!

Phishing In All Its Forms Is a Menace to Small Businesses Phishing, SMiShing and Vishing (seriously) are cyberthreats harried business owners need to watch for.

By Rohit Prakash

entrepreneur daily

Opinions expressed by Entrepreneur contributors are their own.

scyther5 | Getty Images

Small business owners are overwhelmingly on the receiving end of cyber attacks. More than three-quarters of the companies targeted by malicious hackers are small shops -- those without a dedicated security team -- according to the recently released Verizon Data Breach Investigations Report (DBIR).

The most common way they get taken advantage of is malicious emails, or "phishing emails," as they're commonly referred to. They are "the no. 1 cause of cybersecurity incidents bar none," said Oren Falkowitz, a former NSA employee and now CEO of cyber defense start-up Area 1 Security.

Related: Google Delaying Some Gmail Message to Quell Phishing

Disguised as notes from loved ones or even an employer, crooks piece together what appear to be legitimate emails that, as Falkowitz notes "ask you to click on a file or a link or increasingly with fileless or linkless message to take some sort of action," and then "enter [a] password, transfer money through a fraudulent wire or send W2s out." These emails can be as painfully obvious as a note from an exotic prince or as deviously deceptive as the fake email alert that led to the hack of the DNC.

The vast majority of security incidents start with cybersecurity threat and a whopping 30 percent of these phishing emails get opened. (The average office worker receives more than a 100 emails a day.) Phishing emails lead to infections that corrupt some of our most sensitive business machines with ransomware -- nasty malware that encrypts files -- or captures our usernames and passwords.

The risk is real and prevalent. Here are some useful and free ways to help keep your small business safe:

If it looks phish-y, call the sender to verify.

Whenever you receive an email containing a link or an attachment that just doesn't make sense, check it out. In fact, anytime you receive something that appears important, call the sender to verify what they sent, and ask them to describe the links or attachments.

Related: The Biggest Threats in Your Inbox

Establish strong credentials.

One of the most common-sense -- and overlooked -- suggestions in the DBIR is turning on two-factor authentication for administrative access to web apps that contain sensitive company or customer information. The process involves signing in with your passcode and then receiving a special code text directly to your phone or app.

Last year, during a meeting at UC-Berkeley, Dropbox's then-Chief Trust Officer Patrick Heim told the Commission on Enhancing National Cybersecurity that less than one percent of the services' users take advantage of the extra protection. (Researchers at Carnegie Mellon University recently published a password meter that will help you make your passwords strong. You can find it here.)

Ask yourself if your employees really need access to all of the computers that run your business? As small shop owners scale their businesses, they often give all their managers access to the shop's computers. My advice -- make sure that your managers are following the same rules you are. If you have a single work machine that holds all your invoicing and spreadsheets, you don't want your manager potentially getting phish'd when she checks her Hotmail.

It's not just email.

Emails aren't the only place where you have to be vigilant. Digital con artists also send malicious attachments and links over text messages -- so-called SMS phishing, or SMiShing. They attempt to do the same over social media. And, sometimes they even attempt to "socially engineer" victims over phone calls. That's called Vishing.

Visually validate websites.

Many phishing messages take you to web forms or other sites that look legit, but, on closer inspection, are truly phish-y. Some criminals take over the neglected parts of websites and host malware or other phishing content. It's called "parasite hosting."

Make sure if a link within an email is meant to take you to a Gmail login page, it takes you to, not some other random website.

Related: Just Being Proactive Isn't Enough: What Entrepreneurs Should Do During a Cyberattack


Even though the recent WannaCrypt0r attacks -- which ravaged networks worldwide -- weren't seemingly spread by email, they could have been upended by hitting an update button. Before the ransomware ever compromised the computer systems of the UK's National Health Service or Spanish telecommunications company Telefónica, Microsoft issued a patch that would have stopped the virus cold.

Indeed, in order to stay safe in Windows, I recommend small businesses that use simple software enable automatic updates. Most importantly, just remember, no matter how many hundreds or even thousands of emails that you receive, never trust embedded links or attached files.

Rohit Prakash

Co-founder of Townsquared and Small Business Champion

Rohit Prakash is co-founder of Townsquared, the only a private, online community for small businesses that ties neighborhood entrepreneurs and mom-and-pop shops together on its hyper-local social network.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Editor's Pick

Business News

James Clear Explains Why the 'Two Minute Rule' Is the Key to Long-Term Habit Building

The hardest step is usually the first one, he says. So make it short.

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.

Business News

Microsoft's New AI Can Make Photographs Sing and Talk — and It Already Has the Mona Lisa Lip-Syncing

The VASA-1 AI model was not trained on the Mona Lisa but could animate it anyway.


Get Your Business a One-Year Sam's Club Membership for Just $14

Shop for office essentials, lunch for the team, appliances, electronics, and more.

Side Hustle

He Took His Side Hustle Full-Time After Being Laid Off From Meta in 2023 — Now He Earns About $200,000 a Year: 'Sweet, Sweet Irony'

When Scott Goodfriend moved from Los Angeles to New York City, he became "obsessed" with the city's culinary offerings — and saw a business opportunity.