09.09.25

How Phishing, Smishing and Quishing Impact Businesses and What You Can Do

In today’s digital landscape, cybercriminals are targeting businesses with increasingly sophisticated attack methods. Among the most damaging tactics are phishing, smishing and quishing (also known as QR code phishing). These threats have a direct impact on company finances, data security, customer trust and long-term business viability.

The Impact

Phishing remains the #1 cybercrime threat, responsible for a 57% weekly attack rate and costing businesses $17,700 every minute worldwide. The average cost of a phishing data breach is $4.88 million, up nearly 10% from last year. Small businesses lose $200,000 on average per successful attack, and 60% go out of business within six months of a major breach.[1]

Smishing (SMS-based phishing) attacks targeted 76% of businesses last year. The average cost per successful smishing attack on an organization was over $9.5 million. Global volumes keep rising, with more than 3.5 billion phone users receiving spam texts daily.[2]

Quishing exploits the widespread use of QR codes in business. Attackers embed malicious links in QR codes distributed via email, printed materials and even video conferences. When scanned, these direct employees to fake sites, steal data or deliver malware. Quishing can bypass traditional email security since QR codes often appear harmless – making it a fast-growing threat.

Common Tactics Used Against Businesses

Cybercriminals use a blend of technology and psychology to deceive even savvy employees.

  • AI-powered Email Attacks: Automated phishing emails now mimic legitimate communication styles and include personalized details, making them harder to detect.
  • Urgency Triggers: Smishing and quishing messages often use urgent language to provoke quick, thoughtless actions – like clicking a link or scanning a QR code.
  • Impersonation and Deception: Attackers pose as executives, IT support, vendors or trusted coworkers to request sensitive information or fraudulent fund transfers, or to attempt identity theft.
  • Multi-channel Approach: Instead of just email, attacks happen via SMS, messaging apps, social media platforms, QR codes – even video calls.
  • Malicious Attachments and Links: Whether in emails, SMS messages or QR codes, these direct users to look-alike sites to steal their information.
  • Deepfakes and Voice Phishing: AI is increasingly used to craft fake voices and videos that impersonate company leaders.

How Businesses Can Protect Themselves

A multi-layered defense is vital. Here’s how your business can stay secure.

  1. Continuous Employee Training
    • Run regular awareness sessions on phishing, smishing and quishing threats.
    • Use real-life simulations and role-playing exercises to boost recognition and safe practices.

  2. Security Policy and Verification
    • Implement strict verification protocols for messages requesting sensitive actions.
    • Encourage employees to verify requests via official channels – never through links or QR codes alone.
    • Establish and enforce clear reporting procedures for suspicious communications.

  3. Technology and Process Defense
    • Deploy advanced email and SMS filters to block malicious content.
    • Install mobile-threat detection tools for suspicious links and attachments.
    • Update all software and systems regularly to patch vulnerabilities.
    • Use multi-factor authentication (MFA) on all critical accounts, including those accessed via mobile devices and through QR code scans.

  4. Incident Response and Monitoring
    • Set up a rapid incident response plan detailing steps for containment and reporting.
    • Monitor for unusual account or network activity and segment sensitive data to limit exposure after a breach.

  5. Promote a Safety-First Culture
    • Foster open communications about cyber threats.
    • Regularly review and update policies as scams evolve, especially as attackers leverage new technologies like AI and deepfakes.

Atlantic Union Bank offers a variety of resources to help businesses stay protected. Learn more about our Treasury Management services.

As cyberattack volumes rise and scammers get craftier, the key to resilience is layered defense, empowering your team, upgrading your tech stack and treating every message, call or QR code as a potential risk. The cost of preparation is always less than the cost of a breach.

Stay vigilant. Stay secure. The health of your business depends on it. For more information on how you can protect your business, please visit our Security and Fraud Center. If you have received a suspicious communication from us, always be sure to call our Customer Care Center at 800.990.4828 to verify.

 

[1] Fortinet, 2025 Global Threat Landscape Report.
[2] CrowdStrike, 2025 Global Threat Report.
