2020 saw near 3 million phishing attempts against SEA SMBs

Photo by Torsten Dettlaff

Global cybersecurity company Kaspersky have unmasked the continued phishing campaigns against small and medium businesses (SMBs) in Southeast Asia (SEA). Despite this segment bearing the brunt of the still on-going pandemic, Kaspersky’s Anti-Phishing Technology has blocked a total of 2,890,825 attempts aimed at SMBs in the region last year, a 20% increase compared with 2,402,569 attempts to visit fraudulent urls detected in 2019.

Phishing is a form of cybercrime based on social engineering techniques that involves stealing confidential data from a person’s computer and subsequently using the data for other purposes – from stealing the target’s money to reselling their data.

Phishing messages usually take the form of fake notifications from banks, providers, e-pay systems and other organisations, phishing also can take form of an almost 100% perfect replica of a trusted website, to which the victim would be lured through phishing messages to later leave their personal data.

In terms of per country cases of phishing targeting companies with 50-250 employees, Indonesia registered the most incidents in 2020, followed by Thailand, and Vietnam. Each of them logged over half a million attempts.

Malaysian, Filipino, and Singaporean SMBs were not spared, with these nations charting a combined 795,052 attempts to visit phishing websites from January to December last year.

SMBs in all six countries in the region have also witnessed an increased phishing attempts foiled by Kaspersky Year-on-Year (YOY), an expected aftermath of the segment’s urgent drive to digitalise amidst the pandemic.

“While they serve as the bedrock of our regional economy, SMBs are low-hanging fruits for cybercriminals. These malicious actors are aware that owners are focused on keeping their cash flow more than their cybersecurity, at least for now,” says Yeo Siang Tiong, General Manager for Southeast Asia at Kaspersky.

“Social engineering attacks such as phishing is also the easiest way in. Combining our current stressed minds with the right buzzwords like COVID-19, and now the vaccines, we expect to see this threat being used more to steal money and data from this already battered segment.”

Last year’s top 10 countries in terms of phishing attempts against SMBs were Brazil, Russia, USA, France, Italy, Mexico, Germany, Colombia, Spain, and India.

On a worldwide scale, online phishers exploited the COVID-19 theme, invited victims to non-existent video conferences and insisted that their targets register with “new corporate services”. Given that the fight against the pandemic is not over yet, Kaspersky predicts that the main trends of 2020 will stay relevant into the near future.

An important trend which businesses in SEA, a region famous for being highly active on social media, should note about is the phishing links and mails being shared via online networking platforms. Kaspersky experts have observed that scammers who were spreading their chain mail via social networks and instant messaging applications began to favor the latter in 2020.

Message recipients were promised a discount or prize if they opened a link sent to them. The phishing web page contained a tempting message about a money prize, award or other, equally desirable, surprises.

“It is true that governments and financial organisations are combining efforts to offer lifeboats for SMBs via grants and offers, but we have to accept that cybercriminals will spare no one. Amidst the uncertainties, one thing I can say for sure is that, building your IT security is always less costly than suffering a cyberattack,” adds Yeo.

Kaspersky experts also suggest the following tips for SMBs and employees to avoid being lured by cybercriminals through phishing:

  • Teach employees about the basics of cybersecurity. For example, not opening or storing files from unknown emails or websites as they could be harmful to the whole company, or to not use any personal details in their passwords. In order to ensure passwords are strong, staff shouldn’t use their name, birthday, street address and other personal information.
  • Regularly remind staff of how to deal with sensitive data, for example, to only store it in trusted cloud services that need to be authenticated for access and that it should not be shared with untrusted third parties.
  • Enforce the use of legitimate software, downloaded from official sources.
  • Make backups of essential data and regularly update IT equipment and applications to avoid unpatched vulnerabilities that could cause a breach.
  • Configure Wi-Fi encryption. It is imperative to configure your network connection correctly and set your router’s log-in and password regularly.
  • Use a VPN if connecting to Wi-Fi networks that don’t belong to you. When you’re connected through a VPN, all of your data will be encrypted regardless of the network settings, and outsiders will not be able to read it.
  • Use corporate services for e-mail, messaging, and all other work. Stick to corporate resources when exchanging documents and other information. Those cloud drives, but configured for business, are generally far more reliable than the free user versions. 
  • Protect devices with an antivirus solution. It is vital that you install a reliable security solution on all devices that handle corporate data.