Small businesses at great risk of spear-phishing attacks

Cybercriminals are using spear-phishing attacks more often and small businesses are three times more likely to experience this form of cyber attack.

18 March 2022

Cybercriminals are increasingly using spear-phishing as a method to attack small businesses.

Phishing is a popular method cybercriminals use to lure confidential information out of device users – such as online banking logins, credit card details and passwords. The cybercriminal sends a deceptive message via email, SMS, instant messaging or social media platforms, usually posing as someone from a trusted organisation.

While phishing victims are often selected at random, spear-phishing is an attack on a specific person or group.

According to cloud security solutions company Barracuda, spear-phishing has steadily increased over the years to the point where it now impacts the majority of businesses – particularly those with fewer than 100 employees.

The group’s Spear Phishing: Top Threats and Trends Vol. 7 report found Microsoft is the most impersonated brand, used in 57% of phishing attacks.

This was followed by WeTransfer and DHL, used in 17% and 6% of phishing attacks, respectively.

Docusign was used in 3% of phishing attacks, LinkedIn and Instagram were used in 2%, while Apple and Google were used in 1%.



How to protect your business from spear-phishing

1.  Make use of artificial intelligence (AI)

Small businesses can better protect themselves from spear-phishing by utilising artificial intelligence, according to Barracuda.

“Deploy purpose-built technology that doesn’t solely rely on looking for malicious links or attachments.

“Using machine learning to analyse normal communication patterns within your organisation allows the solution to spot anomalies that may indicate an attack.”

2.  Deploy account-takeover protection

Many spear-phishing attacks originate from compromised accounts, so it’s vital for employers to ensure staff accounts are set up to alert them if their account is being targeted.

Utilise technology that incorporates AI in order to detect real-time threats and remove malicious emails sent from compromised accounts.

3.  Monitor inbox rules and suspicious logins

Be aware of logins from unusual locations and IP addresses – this is often the first indication of a compromised account.

“Be sure to also monitor email accounts for malicious inbox rules, as they are often used as part of account takeover. Criminals log into the account, create forwarding rules, and hide or delete any email they send from the account, to try to hide their tracks,” Barracuda flagged.
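As an added illustration (not code from Barracuda or this article), the sketch below triages mailbox audit events for the two signals described above: logins from unusual locations and inbox rules that forward, delete or hide mail. The event field names, the baseline of usual countries, the folder list and the 24-hour correlation window are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

ORG_DOMAIN = "example.com"                                # assumption: the organisation's mail domain
USUAL_COUNTRIES = {"alice": {"AU"}, "bob": {"AU", "NZ"}}  # constructed per-user login baseline
WINDOW = timedelta(hours=24)                              # assumption: login-to-rule correlation window
HIDING_FOLDERS = {"rss feeds", "conversation history", "archive"}  # assumption: rarely read folders

# Constructed sample events; field names are hypothetical, not a vendor schema.
EVENTS = [
    {"time": "2022-03-18T01:00:00", "type": "login", "user": "bob", "country": "NZ", "ip": "198.51.100.7"},
    {"time": "2022-03-18T02:10:00", "type": "login", "user": "alice", "country": "RO", "ip": "203.0.113.50"},
    {"time": "2022-03-18T02:14:00", "type": "inbox_rule", "user": "alice",
     "forward_to": "drop@mail.example.net", "delete": True, "move_to": None},
    {"time": "2022-03-18T09:00:00", "type": "inbox_rule", "user": "bob",
     "forward_to": None, "delete": False, "move_to": "Newsletters"},
    {"time": "2022-03-18T09:30:00", "type": "inbox_rule", "user": "bob",
     "forward_to": "bob@example.com", "delete": False, "move_to": "RSS Feeds"},
]

def rule_reasons(rule):
    """Return the reasons an inbox rule looks like track-hiding (empty list if none)."""
    reasons = []
    fwd = rule.get("forward_to")
    if fwd and fwd.rsplit("@", 1)[-1].lower() != ORG_DOMAIN:
        reasons.append("forwards mail outside the organisation")
    if rule.get("delete"):
        reasons.append("deletes matching mail")
    if (rule.get("move_to") or "").lower() in HIDING_FOLDERS:
        reasons.append("moves mail to a rarely read folder")
    return reasons

def triage(events):
    """Return (user, severity, reasons) alerts in time order."""
    alerts, odd_login = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        when, user = datetime.fromisoformat(ev["time"]), ev["user"]
        if ev["type"] == "login":
            if ev["country"] not in USUAL_COUNTRIES.get(user, set()):
                odd_login[user] = when  # remember it so later rule changes can be correlated
                alerts.append((user, "medium", [f"login from unusual location {ev['country']} ({ev['ip']})"]))
        elif ev["type"] == "inbox_rule":
            reasons = rule_reasons(ev)
            if reasons:
                # A suspicious rule soon after an unusual login is the takeover pattern: escalate.
                recent = user in odd_login and when - odd_login[user] <= WINDOW
                alerts.append((user, "high" if recent else "medium", reasons))
    return alerts

if __name__ == "__main__":
    for user, severity, reasons in triage(EVENTS):
        print(f"[{severity}] {user}: " + "; ".join(reasons))
```

A rule that follows an unusual login for the same account is escalated because that sequence matches the account-takeover behaviour described in the quote; either signal on its own is still raised for review.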

4.  Use multi-factor authentication (MFA)

Ensure you and your employees are all using two-step verification to access accounts. Some examples beyond a username and password include an authentication code, thumbprint, or retinal scan.

