
Common types of cyberattack used to target small businesses

Cyberattacks against small businesses are becoming increasingly aggressive, more sophisticated and far more common than anyone would like to admit.


We may think we can spot an illegitimate email a mile away, but the number of UK businesses affected by cyberattacks rose 40% this year. And that’s not the only stat that makes worrying reading…

  • Small businesses are targeted by an estimated 65,000 attempted cyberattacks every day
  • One in three UK small businesses suffered a cyber breach last year
  • Breaches of cyber security cost the average small business £25,700 last year
  • 60% of SMEs went out of business in the first six months after experiencing a cyber attack
  • 90% of cyber-attacks are down to human error, which means that a business’ employees are the weakest link


Education, along with having a robust and secure IT system in place, is the best way to minimise the risk. It can also be helpful for limiting the extent of the potential damage that may be caused, were your systems to be breached.


So, what are the top types of cyberattack that may pose a risk to your organisation?


  1. Spear Phishing

Phishing is a type of cyberattack aimed at extracting sensitive information that hackers can then use to their advantage. The earliest phishing scams involved impersonating a reputable organisation, such as a bank, in a bid to acquire access to a user’s account. The fraudster would send the same email to hundreds of recipients, knowing at least one would be duped.

In recent years, however, phishing has taken a more sophisticated turn and businesses are now a prime target. Known as spear phishing, this new generation of phishing focuses on small groups or individuals within an organisation. The targets are carefully researched in advance to lend the email authenticity and kudos.

This false sense of security is precisely what the cyberattacker is banking on. It’s a formula that’s proven to be effective, even duping high-level executives, which in itself is known as ‘whaling’. The objective, as with all forms of phishing, is data mining. The best way to protect yourself and your business? Never enter your personal data via a link sent to you by an unknown third party – no matter how sincere they seem.


  2. Smishing

Smishing, or text message scamming, is similar in nature to the email phishing approach. You may receive a message supposedly sent by your mobile carrier or your device’s issuer, which is actually a cyber fraudster in disguise.

These scams generally go one of two ways. The message may ask you to verify details or you may be notified that you’ve qualified for an award or upgrade.

Banks that use SMS to verify customer details have even found themselves exploited in smishing attacks. So much so that in May new rules came into effect requiring banks to issue refunds to customers who had been duped by fake SMS.

As with phishing, the safest way to protect your business from a smishing attack is by thinking before acting. Never take a message at face value. Independently verify its authenticity by contacting whoever the sender is claiming to be, and never share details through a clicked link.


  3. Invoice fraud

Invoice fraud occurs when a cyberattacker sets out to impersonate a legitimate supplier or payee of your business. It’s a type of fraud that cost UK businesses nearly £93 million in 2018 – such is the effectiveness of the scam.

In invoice fraud attacks, a scammer will contact a business’ accounts department masquerading as a legitimate company, to request an update to the bank details held on account. Any monies then paid to that company going forward are actually being transferred directly to a cybercriminal.

Despite over 3000 recorded cases of invoice fraud in the UK, figures published by the BBC in March showed that four in ten UK businesses are unaware of invoice fraud – 68% of which are small enterprises.

It’s the convincing nature of the email that ensures recipients fall for the scam. As with any change of detail request from a business associate, always make independent checks before taking action and if you have been duped, contact your bank to report the fraud immediately.


  4. Session hijacking

Session hijacking (also known as cookie hijacking) is when a cyberattacker exploits a person’s browsing session to gain access to their user ID. It occurs when a website you share information with online isn’t HTTPS encrypted.

In session hijacking, any cookies (information you share with a website) that aren’t sent over HTTPS aren’t encrypted, and therefore aren’t secure. This effectively means that anyone with the know-how can read your cookies and gain access to personal information – like account details – you shared with that website.

This is exactly the kind of cyber security vulnerability a session hijacker looks to exploit. By monitoring internet traffic, the hijacker can intercept data that’s been sent over HTTP, rather than HTTPS. This means, rather than being scrambled, your username and password are visible. Once a cyberattacker has this information, your account is instantly compromised.

To safeguard yourself and your employees against cookie hijacking, always ensure any website you enter personal details into is HTTPS encrypted. This means it’s protected by Secure Sockets Layer (SSL), preventing a cyberattacker from accessing information you share.
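
An added example, not part of the original article: a short Python check that a site owner can run over a page's response headers to see which cookies could travel unencrypted, as described above. The URL, header values and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample (not captured from a real site): a login page's URL and
# the response headers it returned, as (name, value) pairs.
SAMPLE_URL = "http://shop.example/login"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=4f2a9c; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
    ("Set-Cookie", "auth_token=9b1e; Path=/; Secure; HttpOnly; SameSite=Lax"),
]


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, attrs


def audit_response(url, headers):
    """Return (code, subject) findings for cookies an eavesdropper could read."""
    findings = []
    target = urlsplit(url)
    header_names = {name.lower() for name, _ in headers}
    if target.scheme.lower() != "https":
        # Plain HTTP: the whole exchange, cookies included, is unencrypted.
        findings.append(("page-not-https", target.hostname))
    elif "strict-transport-security" not in header_names:
        # HTTPS without HSTS: the browser may still try HTTP on a later visit.
        findings.append(("no-hsts", target.hostname))
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            # Without Secure the browser also sends this cookie over HTTP.
            findings.append(("cookie-not-secure", cookie))
    return findings


if __name__ == "__main__":
    for code, subject in audit_response(SAMPLE_URL, SAMPLE_HEADERS):
        print(f"{code}: {subject}")
```

An empty result means the page was served over HTTPS, announced HSTS, and marked every cookie `Secure`.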


  5. Malware

Malware stands for malicious software, a term used to describe any type of code or computer program that’s been designed with malicious intent in mind. Common types of Malware include viruses, spyware and ransomware, all of which can infect your device and wreak havoc. In the worst cases, these types of software delete or corrupt files, spy on your organisation and lock you out of your IT systems.

In short, malware is bad news for businesses. Unfortunately, avoiding infection from these types of corrosive software programs isn’t easy. Cyberattackers have a number of tricks to ensure malware infiltrates your devices. This includes attaching malicious data strings to internet downloads and exploiting vulnerable backdoors in your IT system’s security.

Malware is relentless and will enter your network by any means necessary. Once installed, it can discreetly hide in your systems, harvesting data including credit card details, without anyone in your organisation being aware. It can potentially infect a string of connected devices, simply by entering one person’s account, and is one of the highest cyber security risks facing businesses today.


  6. Malvertising

A more recent strain of malware affecting businesses and individuals is malvertising. With malvertising, malicious software hijacks advertising on legitimate websites, redirecting you to fraudulent sites or infecting your system in a single click. This type of malware preys on unsuspecting internet users who have no way of knowing that the advert has been corrupted.

Malvertising can install ransomware on your machine or harvest sensitive information, which may put you in breach of GDPR laws and put your customers and suppliers at risk.


Reducing your risk

As with all cyberattacks that pose a threat to your business, the best way to protect yourself is through a combination of employee training and robust IT systems.

Education about the latest cyber security threats will minimise the risk of an employee being duped by a cyberattack, while bolstering the security of your IT will help you avoid infection from malicious software and safeguard the sensitive information your business stores digitally.

For expert advice on getting started, check out: Cyber security: 10 top tips for small businesses.
And for support with your current IT system, ensuring it is robust, secure and can evolve with the needs of your business, call us for an informal chat on 01908 613 080 or email lionel@dragon-is.com


About Dragon – IT Support Services Milton Keynes

At Dragon IS we specialise in IT solutions for small businesses. For more advice, call us on 0330 363 0055.