WIXLIB

CYBERSECURITY FORSMALL BUSINESSPHISHINGYou get an email that looks like it’s from someone you know.It seems to be from one of your company’s vendors and asks that you click on a link to update yourbusiness account. Should you click? Maybe it looks like it’s from your boss and asks for your networkpassword. Should you reply? In either case, probably not. These may be phishing attempts.HOWPHISHING WORKSYou get an email or textIt seems to be from someone you know,and it asks you to click a link, or give yourpassword, business bank account, or othersensitive information.It looks realIt’s easy to spoof logos and make up fake emailaddresses. Scammers use familiar companynames or pretend to be someone you know.It’s urgentThe message pressures you to act now —or something bad will happen.What happens nextIf you click on a link, scammers can installransomware or other programs that canlock you out of your data and spread tothe entire company network. If you sharepasswords, scammers now have access toall those accounts.LEARN MORE AT:FTC.gov/SmallBusinessWHAT YOU CAN DOBefore you click on a link or share anyof your sensitive business information:Check it outLook up the website or phone number forthe company or person behind the text oremail. Make sure that you’re getting thereal company and not about to downloadmalware or talk to a scammer.Talk to someoneTalking to a colleague might help you figureout if the request is real or a phishing attempt.Make a call if you’re not surePick up the phone and call that vendor,colleague, or client who sent the email.Confirm that they really need informationfrom you. Use a number you know to becorrect, not the number in the email or text.

CYBERSECURITY FORSMALL BUSINESSHOW TOPROTECTYOUR BUSINESSBack up your dataRegularly back up your data andmake sure those backups are notconnected to the network. Thatway, if a phishing attack happensand hackers get to your network,you can restore your data. Makedata backup part of your routinebusiness operations.Keep your securityup to dateAlways install the latest patchesand updates. Look for additionalmeans of protection, like emailauthentication and intrusionprevention software, and set themto update automatically on yourcomputers. On mobile devices,you may have to do it manually.Alert your staffShare with them this information.Keep in mind that phishingscammers change their tacticsoften, so make sure you includetips for spotting the latest phishingschemes in your regular training.Deploy a safety netUse email authenticationtechnology to help preventphishing emails from reachingyour company’s inboxes in thefirst place.LEARN MORE AT:FTC.gov/SmallBusinessWHAT IF YOU FALL FOR APHISHING SCHEMEAlert othersTalk to your colleagues and share yourexperience. Phishing attacks often happen tomore than one person in a company.Limit the damageImmediately change any compromisedpasswords and disconnect from the network anycomputer or device that’s infected with malware.Follow your company’s proceduresThese may include notifying specific peoplein your organization or contractors that helpyou with IT.Notify customersIf your data or personal information wascompromised, make sure you notify theaffected parties — they could be at risk ofidentity theft. Find information on how to do thatat Data Breach Response: A Guide for Business(FTC.gov/DataBreach).Report itForward phishing emails to spam@uce.gov (an address used by the FTC) and toreportphishing@apwg.org (an address usedby the Anti-Phishing Working Group, whichincludes ISPs, security vendors, financialinstitutions, and law enforcement agencies). Letthe company or person that was impersonatedknow about the phishing scheme. And report itto the FTC at FTC.gov/Complaint.

CYBERSECURITY FORSMALL BUSINESSBUSINESSEMAIL IMPOSTERSA scammer sets up an email addressthat looks like it’s from your company.Then the scammer sends out messages usingthat email address. This practice is calledspoofing, and the scammer is what we call abusiness email imposter.HOW TOScammers do this to get passwords andbank account numbers or to get someoneto send them money. When this happens,your company has a lot to lose. Customersand partners might lose trust and take theirbusiness elsewhere — and your businesscould then lose money.PROTECT YOUR BUSINESSUse email authenticationWhen you set up yourbusiness’s email, make surethe email provider offers emailauthentication technology. Thatway, when you send an emailfrom your company’s server, thereceiving servers can confirmthat the email is really from you.If it’s not, the receiving serversmay block the email and foil abusiness email imposter.LEARN MORE AT:FTC.gov/SmallBusinessKeep your securityup to dateAlways install the latest patchesand updates. Set them toupdate automatically on yournetwork. Look for additionalmeans of protection, likeintrusion prevention software,which checks your network forsuspicious activity and sendsyou alerts if it finds any.Train your staffTeach them how to avoidphishing scams and showthem some of the commonways attackers can infectcomputers and deviceswith malware. Include tipsfor spotting and protectingagainst cyber threats in yourregular employee trainingsand communications.

CYBERSECURITY FORSMALL BUSINESSWHAT TO DOIF SOMEONE SPOOFS YOUR COMPANY’S EMAILReport itReport the scam to local law enforcement, the FBI’s InternetCrime Complaint Center at IC3.gov, and the FTC at FTC.gov/Complaint. You can also forward phishing emails to spam@uce.gov (an address used by the FTC) and to reportphishing@apwg.org (an address used by the Anti-Phishing WorkingGroup, which includes ISPs, security vendors, financialinstitutions, and law enforcement agencies).Notify your customersIf you find out scammers are impersonating your business, tellyour customers as soon as possible — by mail, email, or socialmedia. If you email your customers, send an email withouthyperlinks. You don’t want your notification email to look likea phishing scam. Remind customers not to share any personalinformation through email or text. If your customers’ data wasstolen, direct them to IdentityTheft.gov to get a recovery plan.Alert your staffUse this experience to update your security practices and trainyour staff about cyber threats.LEARN MORE AT:FTC.gov/SmallBusiness

CYBERSECURITY FORSMALL BUSINESSTECH SUPPORT SCAMSYou get a phone call, pop-up,or email telling you there’s aproblem with your computer.HOW THEOften, scammers are behind these calls, pop-upmessages, and emails. They want to get yourmoney, personal information, or access to yourfiles. This can harm your network, put your dataat risk, and damage your business.SCAM WORKSThe scammers may pretend to be from a well-known tech company, such as Microsoft. They uselots of technical terms to convince you that the problems with your computer are real. They mayask you to open some files or run a scan on your computer — and then tell you those files or thescan results show a problem but there isn’t one.The scammers may then:Ask you to give them remoteaccess to your computer — whichlets them access all informationstored on it, and on any networkconnected to itInstall malware that gives themaccess to your computer andsensitive data, like user namesand passwordsTry to sell you software or repairservices that are worthless oravailable elsewhere for freeLEARN MORE AT:FTC.gov/SmallBusinessTry to enroll you in a worthlesscomputer maintenance orwarranty programAsk for credit card informationso they can bill you for phonyservices or services availableelsewhere for freeDirect you to websites and askyou to enter credit card, bankaccount, and other personalinformation

CYBERSECURITY FORSMALL BUSINESSHOW TOPROTECT YOUR BUSINESSIf a caller says your computer has a problem, hang up. A tech support call you don’t expect is a scam— even if the number is local or looks legitimate. These scammers use fake caller ID information tolook like local businesses or trusted companies.If you get a pop-up message to call tech support, ignore it. Some pop-up messages about computerissues are legitimate, but do not call a number or click on a link that appears in a pop-up messagewarning you of a computer problem.If you’re worried about a virus or other threat, call your security software company directly, usingthe phone number on its website, the sales receipt, or the product packaging. Or consult a trustedsecurity professional.Never give someone your password, and don’t give remote access to your computer to someonewho contacts you unexpectedly.WHAT TO DO IF YOU’RESCAMMEDIf you shared your password witha scammer, change it on everyaccount that uses this password.Remember to use unique passwordsfor each account and service.Consider using a password manager.Get rid of malware. Update ordownload legitimate securitysoftware. Scan your computer, anddelete anything the software says isa problem. If you need help, consulta trusted security professional.If the affected computer isconnected to your network, you or asecurity professional should checkthe entire network for intrusions.If you bought bogus services,ask your credit card company toreverse the charges, and checkyour statement for any chargesyou didn’t approve. Keep checkingyour credit card statements to makesure the scammer doesn’t try tore-charge you every month.Report the attack right away to the FTC at FTC.gov/Complaint.LEARN MORE AT:FTC.gov/SmallBusiness

CYBERSECURITY FORSMALL BUSINESSCYBER INSURANCERecovering froma cyber attackcan be costly.Cyber insurance is one option that can help protect your businessagainst losses resulting from a cyber attack. If you’re thinkingabout cyber insurance, discuss with your insurance agent whatpolicy would best fit your company’s needs, including whetheryou should go with first-party coverage, third-party coverage, orboth. Here are some general tips to consider.WHAT SHOULD YOURCYBER INSURANCE POLICYCOVER?Make sure your policy includes coverage for:Data breaches (like incidentsinvolving theft of personalinformation)Cyber attacks on your dataheld by vendors and otherthird partiesCyber attacks (like breachesof your network)Cyber attacks that occuranywhere in the world (notonly in the United States)Terrorist actsAlso, consider whether your cyber insurance provider will:Defend you in a lawsuit orregulatory investigation (lookfor “duty to defend” wording)LEARN MORE AT:FTC.gov/SmallBusinessProvide coverage in excessof any other applicableinsurance you haveOffer a breach hotlinethat’s available every dayof the year at all timesThe FTC thanks the National Association of InsuranceCommissioners (NAIC) for its role in developing this content.

CYBERSECURITY FORSMALL BUSINESSWHAT ISFIRST-PARTY COVERAGEAND WHAT SHOULD YOU LOOK FOR?First-party cyber coverage protects your data, including employee and customerinformation. This coverage typically includes your business’s costs related to:Legal counsel todetermine yournotification andregulatory obligationsCustomer notificationand call centerservicesCrisis managementand public relationsForensic servicesto investigate thebreachRecovery andreplacement of lostor stolen dataLost incomedue to businessinterruptionCyber extortionand fraudFees, fines, andpenalties related tothe cyber incidentWHAT ISTHIRD-PARTY COVERAGEAND WHAT SHOULD YOU LOOK FOR?Third-party cyber coverage generally protects you from liability if a third partybrings claims against you. This coverage typically includes:Payments to consumersaffected by the breachClaims and settlementexpenses relating todisputes or lawsuitsLosses related todefamation and copyrightor trademark infringementCosts for litigation andresponding to regulatoryinquiriesOther settlements,damages, and judgmentsAccounting costsMore insurance resources for small businesses available at www.insureuonline.org/smallbusinessLEARN MORE AT:FTC.gov/SmallBusinessThe FTC thanks the National Association of InsuranceCommissioners (NAIC) for its role in developing this content.

CYBERSECURITY FORSMALL BUSINESSEMAIL AUTHENTICATIONEmail authentication technology makes it a lot harder for a scammer tosend phishing emails that look like they’re from your company.Using email authentication technology makes it a lot harder for scammers to send phishing emails.This technology allows a receiving server to verify an email from your company and block emailsfrom an imposter — or send them to a quarantine folder and then notify you about them.WHAT TOKNOWSome web host providers let you set up your company’s business email using your domain name (whichyou may think of as your website name). Your domain name might look like this: yourbusiness.com. Andyour email may look like this: name@yourbusiness.com. Without email authentication, scammers can usethat domain name to send emails that look like they’re from your business. If your business email uses yourcompany’s domain name, make sure that your email provider has these three email authentication tools:Sender Policy Framework (SPF)tells other servers which servers are allowed tosend emails using your business’s domain name. Sowhen you send an email from name@yourbusiness.com, the receiving server can confirm that thesending server is on an approved list. If it is, thereceiving server lets the email through. If it can’t finda match, the email can be flagged as suspicious.Domain Keys Identified Mail (DKIM)puts a digital signature on outgoing mail so serverscan verify that an email from your domain actuallywas sent from your organization’s servers and hasn’tbeen tampered with in transit.Domain-based Message Authentication,Reporting & Conformance (DMARC)is the essential third tool for emailauthentication. SPF and DKIM verify the addressthe server uses “behind the scenes.” DMARCverifies that this address matches the “from”address you see. It also lets you tell otherservers what to do when they get an email thatlooks like it came from your domain, but thereceiving server has reason to be suspicious(based on SPF or DKIM). You can have otherservers reject the email, flag it as spam, or takeno action. You also can set up DMARC so thatyou’re notified when this happens.It takes some expertise to configure these tools so that they work as intended and don’t block legitimateemail. Make sure that your email hosting provider can set them up if you don’t have the technicalknowledge. If they can’t, or don’t include that in their service agreement, consider getting another provider.LEARN MORE AT:FTC.gov/SmallBusiness

CYBERSECURITY FORSMALL BUSINESSWHAT TO DO IF YOUREMAIL IS SPOOFEDEmail authentication helps keep your business’s email from being used in phishing schemesbecause it notifies you if someone spoofs your company’s email. If you get that notification,take these actions:Report itReport the scam to local law enforcement, the FBI’s Internet CrimeComplaint Center at IC3.gov, and the FTC at FTC.gov/Complaint. Youalso can forward phishing emails to spam@uce.gov (an address used bythe FTC) and to reportphishing@apwg.org (an address used by theAnti-Phishing Working Group, which includes ISPs, security vendors,financial institutions, and law enforcement agencies).Notify your customersIf you find out scammers are impersonating your business, tell yourcustomers as soon as possible — by mail, email, or social media. If youemail your customers, send an email without hyperlinks: you don’t wantyour notification email to look like a phishing scam. Remind customersnot to share any personal information through email or text. And if yourcustomers’ data was stolen, direct them to IdentityTheft.gov to get arecovery plan.Alert your staffUse this experience to update your security practices and train your staffabout cyber threats.LEARN MORE AT:FTC.gov/SmallBusiness

CYBERSECURITY FORSMALL BUSINESSVENDOR SECURITYYour business vendorsmay have access tosensitive information.HOW TOMake sure those vendors are securing their own computersand networks. For example, what if your accountant, whohas all your financial data, loses his laptop? Or a vendorwhose network is connected to yours gets hacked? Theresult: your business data and your customers’ personalinformation may end up in the wrong hands — putting yourbusiness and your customers at risk.MONITOR YOUR VENDORSPut it in writingVerify complianceMake changes as neededInclude provisions for securityin your vendor contracts, likea plan to evaluate and updatesecurity controls, since threatschange. Make the securityprovisions that are critical toyour company non-negotiable.Establish processes so youcan confirm that vendorsfollow your rules. Don’t justtake their word for it.Cybersecurity threatschange rapidly. Make sureyour vendors keep theirsecurity up to date.LEARN MORE AT:FTC.gov/SmallBusiness

CYBERSECURITY FORSMALL BUSINESSHOW TOPROTECT YOUR BUSINESSControl accessPut controls on databases with sensitive information. Limit access to a need-to-knowbasis, and only for the amount of time a vendor needs to do a job.Use multi-factor authenticationThis makes vendors take additional steps beyond logging in with a password toaccess your network — like a temporary code on a smartphone or a key that’sinserted into a computer.Secure your networkRequire strong passwords: at least 12 characters with a mix of numbers, symbols, andboth capital and lowercase letters. Never reuse passwords, don’t share them, andlimit the number of unsuccessful log-in attempts to limit password-guessing attacks.Safeguard your dataUse properly configured, strong encryption. This protects sensitive information asit’s transferred and stored.WHAT TO DO IF AVENDOR HAS ADATA BREACHContact the authoritiesReport the attack rightaway to your local policedepartment. If they’re notfamiliar with investigatinginformation compromises,contact your local FBI office.Confirm the vendorhas a fixMake sure that the vendorfixes the vulnerabilities andensures that your informationwill be safe going forward,if your business decides tocontinue using the vendor.Notify customersIf your data or personal information was compromised,make sure you notify the affected parties — they could beat risk of identity theft. Find information on how to do thatat Data Breach Response: A Guide for Business. Find it atFTC.gov/DataBreach.LEARN MORE AT:FTC.gov/SmallBusiness

CYBERSECURITY FORSMALL BUSINESSHIRING A WEB HOSTYou may want a newor upgraded websitefor your business.WHAT TOBut if you don’t have the skills to set up the webpresence you want, you may want to hire a web hostprovider to do it for you. Whether you’re upgrading awebsite or launching a new business, t

Promote security practices . in all locations. Maintain security practices even if working . remotely from home or on business travel. Know the response plan. All staff should know what to do if equipment or paper files are lost or . stolen, including whom to notify and what to do next. Use Data Breach