Google has declared war on scammers targeting businesses [1]. Cybercriminals posed as the tech giant and got small businesses to pay to create a business profile on Google, which is actually free.

Kaspersky experts support Google’s efforts by highlighting common social engineering methods that cybercriminals are currently using to trap small and medium-sized enterprises (SMEs) and offering tips on how SMEs can protect themselves.

Common social engineering methods

• Cybercriminals pose as suppliers: Large companies have strict procedures to check (potential) suppliers, but small companies lack these resources. Cybercriminals take advantage of this and lure with lucrative offers, flexible conditions and websites that are deceptively similar to those of legitimate suppliers. After payment, however, companies receive nothing in return.
• Fake events: Industry events are crucial for businesses. Fraudsters therefore send out invitations with relevant and engaging content for fake events to sell tickets via legitimate-looking landing pages to make a profit.
• Blackmail using bad reviews: Scammers write negative reviews about hotels, restaurants and other businesses and send them an email offering to remove the reviews in exchange for a sum of money from Google, TripAdvisor or another website that offers review options.
• Spear phishing: In spear phishing, scammers send emails to a person in charge of the company’s budget, such as the owner or accountant of the organisation. They impersonate a bank, partner or colleague and urgently request a payment or information about the company’s employees or accounts.
  Kirill Kulakov, Technical Advisor at Kaspersky Fraud Prevention, comments:

“Medium-sized companies are of interest to cybercriminals. In contrast to those who focus on private users, B2B fraudsters rely even more on individually tailored and efficient social engineering methods and schemes. They invest a lot of time and effort in developing and implementing methods that are relevant to a specific industry or company – and that pays off, much more so than for an ordinary, private user.”

Kaspersky tips for small businesses

• Don’t allow yourself to be manipulated or emotionally blackmailed. Scammers always try to pressure and unsettle, leading their victim to take rash actions.
• Check emails from new, unknown senders for spelling as well as the text displayed with hyperlinks.
• Introduce a clear password policy that passwords must contain at least eight letters, a number, upper and lower case letters and a special character. In addition, it should be ensured that these passwords are changed if a compromise is suspected. For this, a security solution with a comprehensive integrated password manager [2] should be implemented.
• Install updates from software and device manufacturers as soon as they are available.
• Deploy a comprehensive security solution such as Kaspersky Endpoint Security for Business [3] that protects against a wide range of threats, including ransomware.
• Train employees regularly on cybersecurity. Kaspersky Security Awareness [4] is based on a learning cycle with micro-learning units that are motivating and easy to integrate into everyday work.
• The GEIGER project [5], co-funded by the European Commission, provides tools to assess the cybersecurity level of small and very small businesses and raises their awareness of data protection and privacy through specific training tools, such as two gamification solutions developed by Kaspersky.
• Report fraud attempts to the relevant law enforcement authorities.

[1] https://mashable.com/article/google-suing-scammers-that-prey-on-small-businesses
[2] https://www.kaspersky.de/password-manager
[3] https://www.kaspersky.de/small-to-medium-business-security
[4] https://www.kaspersky.de/enterprise-security/security-awareness
[5] https://project.cyber-geiger.eu/