In recent years, phishing has become one of the most prevalent forms of cyber attacks, especially against small and medium-sized enterprises (SMEs). In fact, 43% of cyber attacks target small businesses, and there was a 424% increase in such attacks last year alone!

Phishing is a social engineering attack that relies on tricking individuals into revealing sensitive information or downloading malware through email, text messages, or social media.

Business Email Compromise (BEC) attacks usually target small-business employees who have access to financial accounts or sensitive information. At worst, they target anyone who, by downloading malware, could give the attacker a back-door entrance into the company’s systems. And 94% of detected malware arrives by email!

In a ‘simple’ phishing attack, a cybercriminal impersonates a trusted party, such as a company executive, vendor, or supplier, and requests that the target perform a wire transfer or disclose confidential information. Cybercriminals use various tactics, such as spoofed emails (that imitate the format of a trusted sender), fake invoices, or social engineering, to trick the target into complying with their requests.

The results can be staggering: the average cost of restoring business after an attack is close to a million dollars, and about 60% of small businesses that suffer a cyber attack close within six months. What’s worse is that the available literature, which could serve to mitigate the problem, is scarce: only about 15% of such attacks are reported! Even so, the FBI’s Internet Crime Complaint Center (IC3) struggles to cope with the number of incidents that are reported.

They scam the helpless, too

When you think of a small business, you may imagine a mom-and-pop corner store or – if you get adventurous – one of the myriad companies that manufacture parts for the automotive supply chain. But charities and health clinics are small enterprises, too. Last year, the Treasure Island homeless-services organization fell victim to a BEC attack. Charity staff were scammed into transferring funds to a cyberthug posing as a partner organization that had applied for a $625,000 loan.

The saddest part of this story is that (1) the charity could not afford cybercrime insurance, and (2) the San Francisco attorney’s office refused to investigate!

Two years earlier, the cybersecurity firm Agari revealed that fifteen small companies had lost over $1.3 million to a Nigerian group, Gold Galleon, which used fake invoices to scam victims into transferring funds into its accounts. The group spoofed domains and email accounts and then used money mules and shell companies to move the funds to itself.

One Small to Medium Step

As the Treasure Island story indicates, SMEs will more often than not stand alone, and must therefore be vigilant and take proactive measures to protect themselves against phishing attacks. Some measures SMEs can take include:

  • Providing regular cybersecurity training for employees, suppliers, and partners to educate them on the risks of phishing attacks and how to identify them.

  • Implementing multi-factor authentication (MFA) for financial accounts to prevent unauthorized access.

  • Enforcing strict policies on wire transfers and requiring additional verification for any request.

  • Abiding by Solutions Review’s 3-2-1 rule of backup: THREE copies of data (the primary and two copies), on TWO different media types, of which ONE is off site.

  • Conducting regular security audits to identify vulnerabilities in the SME’s infrastructure.

  • Installing novoShield on your phone and on your employees’, suppliers’, and partners’ phones. It is an inexpensive extension for your iPhone that prevents phishing pages from opening, even if someone within your chain accidentally clicks on a phishing link.

The State of the Enterprise

The steps enumerated above are simple. They require little financial outlay and are mostly a matter of self-discipline. And yet, more than half of small businesses think they are too small to be the target of a cyber attack, and a quarter do not realize that an attack will cost them money.

Nearly half of small businesses have no understanding of how to protect themselves against cyber attacks, even though half of them have experienced an attack in the past year. Of these, a full two-thirds took no steps after the incident to remedy their vulnerability. Three-quarters claim they don’t have the personnel to address IT security, and 91% do not have cyber liability insurance.

To understand how this affects the rest of us, consider that the US Small Business Association (SBA) estimates that small businesses of 500 employees or fewer make up 99.9% of all US businesses and account for 44% of the entire nation’s economy. In comparison, the largest constituent, agriculture, accounted for less than 1% of GDP in 2021, and the giant tech companies contributed about half a percent, with the entire high-tech industry answering for 12 percent of total employment and 23 percent of national output.[1]

This is clearly no longer a concern just for the small corner-side grocery store. It affects us all!

– – – – – – – – – – – – – – – – – – – – –


[1] The above graph does not purport to be entirely representational. SMEs are not a market sector, whereas high tech and agriculture are. Some high-tech and agricultural enterprises are SMEs and some are not. The chart merely serves to illustrate the scope.
