How SME owners protect the business from phishing

As a small business owner, you may not have the luxury of a big budget for cyber security. But that doesn't mean it should take a backseat.

More than a third of cyber-attacks on businesses involve phishing - the act of sending fraudulent emails with the aim of accessing vital information such as passwords and even credit card numbers.

According to the researches, 84% of Malaysian SMEs fell prey to cyber fraud incidents in 2018.¹ And the potential economic loss Malaysia could sustain due to cyber crimes could be a whopping estimated RM49.15 billion.²

So there are compelling financial reasons for knowing how to spot the signs of phishing and how to protect your business.

But what exactly is phishing? And what should you look out for?

Phishing scams exploit the way we're inclined to think and act. They try to make you give away sensitive information about yourself, your business and your finances.

A typical phishing email may look like it's from your bank or a popular social media network. But it contains a link to a webpage created by the fraudster to capture your password or gain access to your computer.

There are several signs that an email may be a phishing attempt. David McCaw, Global Head of Cyber security Education and Awareness at HSBC, suggests that before opening the email or selecting any links or attachments: "Take a moment to think 'Was I expecting this email? Does it look right?'"

Common signs of a phishing email include:

• an unusual sender. While it might show the name of a familiar bank or company, a closer look reveals that the email comes from an address you don't recognise.
• deceptive links. Hovering over a link will show you the actual URL that it will take you to. It could be a completely different website or a misspelt version of a popular website.
• a sense of urgency. Phishing emails often claim you'll get into some kind of trouble if you don't respond quickly. This could be in the form of a fake demand from the Inland Revenue Board of Malaysia
  or a notice telling you that you might miss out on a tax refund.
• impersonation. Cyber criminals may pose as CEOs or senior executives and send emails to your employees in an attempt to trick them into paying bogus invoices and sharing sensitive data.

Cyber criminals look for the weakest link when planning their attack - often, this might be an employee. "Think of your employees as a human firewall," McCaw says. "The more they know what to look out for, the less likely they'll pay a fake invoice or share passwords with third parties."

Here are a few ways your employees can keep their personal data and information about your business safe.

• Double-check, the traditional way. If you suspect an invoice you received by email is fake, call the company directly to verify that it's real.
• Scrutinise the small stuff. Is the logo in the email blurry? Do the payee bank details on the invoice match what you have on file? If something doesn't look right, put the email in quarantine (a location on the server to store suspected spam temporarily) or delete it. 
• Stay vigilant. Fraudsters may target small businesses by phone as well. If you get a suspicious call, note down the time, number and company that the caller claims to be working for. Speak to the company on their official number to check if the call was real.
• Cyber security training. Offered by more and more accredited bodies, and a good way to ensure everyone in your firm knows what to look for and how to respond if a breach occurs.

As cyber security threats increase in volume, it becomes more a case of when you'll be targeted, than if. But you can act now to prepare yourself against attacks.

"Encrypt your data and back it up, preferably offsite," McCaw suggests. "And don't forget the small things that can make a big difference. Automatic software updates that pop up while you're in the middle of something can be annoying. But the longer you put these updates off, the longer you're vulnerable to cyber-attacks."

If you think you've been a victim of phishing:

1. Report it to the police
2. Let your bank know immediately
3. If you have cyber crime insurance, contact your insurer
4. Consider cyber crime prevention training for you and your employees

You can also speak to your Relationship Manager or call our contact centre at +603 8321 8888 for any enquiries related to HSBC Fusion.

Disclaimer: 

This document is issued by HSBC Bank Malaysia Berhad 198401015221 (127776-V) ("we", "us" or "our"). The contents of this document are confidential and are intended for use by the customer whom this document is prepared for and addressed to the customer ("you" or "your") exclusively and may not be divulged without our prior and express consent. This document is provided to you solely for the purposes of enabling you and us to review how we and other members of the HSBC Group (collectively "HSBC") currently provide products and services to you and to discuss how HSBC can enhance and improve on the same. Any other use is prohibited unless you first request and obtain our written permission.

While reasonable care has been taken to ensure the accuracy of this document, HSBC does not make any representation or warranty (expressed or implied) of any nature including, without limitation, the adequacy, accuracy, currency, correctness or completeness of the information contained herein (whether the information is generated from or held within the HSBC system or is provided by third parties) and HSBC does not accept responsibility or liability for any errors or omissions. Any opinions in this document constitute the present view or judgment of HSBC and is subject to change without notice. This document is intended for reference and to facilitate discussion only and should not be relied upon by you for any purposes and shall not be capable of creating any contractual commitment on the part of HSBC. Any examples given are for purposes of illustration only.

To the extent permitted by law, HSBC shall not be liable for any damage, loss or liability (whether arising in contract, tort, including negligence, or otherwise) arising out of or in connection with your use of or reliance upon this document. The aforesaid exclusions apply to any damage which is direct, indirect, special, incidental or consequential or consists of loss of profits, business, goodwill, opportunity or data. All of the above exclusions apply even if you have advised HSBC of the possibility of the above types of damage, loss or liability.

All intellectual property rights (including, without limitation, copyright, database rights, design rights, patents and trademarks) in this document are owned by or licensed to HSBC unless otherwise stated. Without limiting the above, unless you first obtain written consent from HSBC, you may not copy, reproduce, duplicate, publish, modify, adapt, publish, broadcast, create derivative works of or in any way exploit all or any part of this document.

_{¹:https://www.chubb.com/content/dam/chubb-sites/chubb-com/my-en/campaign/my-sme-cyber-report-2019-download/documents/pdf/chubb-my-sme-cyber-preparedness-report-2019.pdf}

_{²: https://www.digitalnewsasia.com/digital-economy/cyber-security-threats-cost-malaysian-organisations-us122bil-economic-losses}