
Should Small and Medium-Sized Businesses Care about Phishing Attacks?

According to a Nationwide survey, phishing ranks among the most common cyber threats businesses face, second only to computer virus attacks.

Phishing follows a familiar pattern: cybercriminals set up email accounts or websites that resemble those of reputable companies and use them to get sensitive financial and personal information from their targets.

But should small and medium-sized businesses care about phishing attacks? - Yes!

Small and medium-sized businesses should definitely be conscious of phishing attacks.

Let’s look at the reasons why SMBs should care about phishing attacks:

  1. Phishing Can Affect Any Company. It’s undeniably true that most phishing attacks targeted at established brands are usually widely publicized, and Google and Facebook are potential cybercrime case studies. However, phishing attacks can be targeted at any company, regardless of its location, nature, or scale. Therefore, one of the worst mistakes you can ever make is to run your SMB on the assumption that you’re immune from phishing attacks. As a matter of fact, hackers love to target small and medium-sized businesses, with up to 95% of all reported credit card breaches coming from SMBs. The main reason cybercriminals target small businesses is that these companies either don’t have proper security plans in place or don’t update them as regularly as required.

  2. Many SMBs Handle Phishing In House. According to an Endurance International Group survey, many small businesses report handling phishing attacks themselves. Most SMBs probably don’t understand the overall implications of phishing attacks. As such, they see no grounds for allocating funds to avert or mitigate their effects. However, sourcing an outside IT consultant remains the most effective way of dealing with cybercrime.

  3. Many SMBs Rely Only On Anti-virus Software. Many small businesses believe they’re immune to cyberattacks because they have anti-virus software installed on their computer systems. That is a dangerous assumption. Anti-virus software can only do so much (not all) to protect your business. In fact, hackers are known to target anti-virus software through deceptive download and update requests. So, while having anti-virus software in place is a wise move, it doesn’t make your SMB hacker-proof.


How Will Phishing Attacks Affect Your Small and Medium-size Business?

1. Loss of Finances

Successful phishing attacks can set your company back millions of dollars, and that happens in five ways.

i. Loss of Revenue

A breach will expose your company’s sensitive financial information to fraudsters. Once they have your information, they can go ahead and authorize illegal fund transfers or make illegal payments.

Another way your business will lose revenue is through reduced sales and operational disruptions occasioned by the downtimes from cyberattacks.

ii. Security Expenses

After a security breach on your company, the next logical thing to do is invest in better security plans. That may include acquiring more effective anti-phishing technological solutions and hiring more IT staff.

iii. Regulatory Fines

Another way that your company can lose finances through cyberattacks is through regulatory fines. The fines are approximately 5% of your company’s annual turnover.

However, the rate depends on your region and the severity of the breach. If you are unlucky, the penalties can be absolute.

iv. Legal Fees

When a security breach occurs and sensitive personal data slips into the hands of malicious third-party entities, those who have lost their data may bring up lawsuits against the company. That includes your clients, suppliers, associates, and even employees.

Cyberattack-related lawsuits are usually quite expensive to settle, considering that they’re prosecuted as matters of public interest.

v. PR Expenses

When a cyberattack happens on your SMB, your clients, employees, and the general public will not view you as a victim. Instead, your company will receive lots of backlash for failing to safeguard sensitive information.

Before you know it, you’ll be dealing with a public relations nightmare. In such circumstances, one of the best damage control measures is to hire a reputation manager, and they don’t come cheap.

2. Deterioration of Brand Value and Reputation

As we’ve pointed out, successful phishing attacks leave your company with a tattered reputation. According to statistics, data breaches that involve the loss of credit or debit card information deal the worst blows to a company’s reputation. So, if you’re a financial service provider, phishing attacks could literally put you out of business.

As an SMB, you care a great deal about your reputation, and if you must lose it, it shouldn’t be through some malicious phishing attack. Remember, a successful phishing attack on your SMB will have you shelling out huge funds for reputation management companies.

In the meantime, you’ll have to contend with backlash from your clients and prospects, as your competitors will be having a field day. Worse yet, a bad reputation may adversely affect your brand value if not addressed with the urgency it deserves.

3. Fall In Stock Value

A successful cyberattack on your company will have a near-instant impact on your stock value. Data by Centrify suggest that companies tend to lose at least 5% of their stock value almost immediately after announcing a security breach.

The good news is that the same statistics indicate that most companies often bounce back after a sudden fall in their stock values. However, it depends on how quickly you move to address the breach.

4. Loss of Customer Trust

When your customers provide you with their sensitive financial data, they only do so because they trust in your ability to protect their information from malicious parties. So, when a phishing attack occurs, that trust is eroded completely.

A cyberattack on your SMB changes how your customers see your business, which leads to low customer retention. Worse yet, your company may also lose the trust of your employees, resulting in a high turnover rate and, consequently, reduced overall productivity.


How Can You Protect Your SMB From Phishing Attacks?

The best way to protect your SMB from phishing attacks is to use a multi-factor authentication (MFA) system. MFA creates a layered defence in which users need to provide a password, input a one-time PIN (OTP) sent to a registered device, and answer a security question or provide biometrics such as facial recognition, fingerprints, or voice recognition. Each added layer increases the probability that the person requesting access to an SMB’s system is who they claim to be.

So, how does a typical MFA system work?

  1. Use a security key and enter a PIN.

  2. Log on to the website and enter a one-time password (OTP) sent to the requester’s registered device (phone or tablet).

  3. Download a VPN with a valid digital certificate.

  4. Answer a security question, verify biometrics, or swipe an employee card.

  5. Use the OTP to log on to company servers.

To support the above scenarios, you’ll need the following:


A device with a reader, a database, and software to read biometric data and compare match points. Mantra has a great fingerprint scanner, while Logitech has a facial recognition webcam.

Security Tokens

Small hardware devices embedded in a key fob/USB or in the form of a security card. Yubico has a security token compatible with multiple browsers, while the GoTrustID Idem key can be put on the company employee card. The Idem key also costs less than the YubiKey.

Can be in the form of SMS or calls to authenticate users through registered devices with authentication data such as smartphone OTP apps, smart cards, or SIM cards.

Soft Tokens

Software-based tokens that generate a single-use login PIN. Mi-Token from Yubico is a great option for SMBs in the banking industry. Businesses in other fields can try the smart badge authenticator from GoTrustID.

