The same five patterns, over and over
When you read about a data breach at a large corporation, the attack often sounds sophisticated — nation-state actors, zero-day exploits, advanced persistent threats. When a small business gets breached, the story is almost always simpler. The attacker did not need to be sophisticated because the defenses were not there.
The Verizon Data Breach Investigations Report consistently shows that the vast majority of small business breaches follow the same handful of patterns. These are not obscure attack techniques. They are the digital equivalent of leaving the front door unlocked. Here are the five most common ones and what you can do about each.
1. Phishing emails
How it works
An employee receives an email that appears to come from a trusted source — a vendor, a client, their email provider, or even their own CEO. The email contains a link to a fake login page or a malicious attachment. The employee clicks, enters their credentials, and the attacker now has legitimate access to their account.
A typical scenario
A bookkeeper at a small firm receives an email that appears to be from their bank. The email says there is a problem with a recent transaction and asks them to log in to review it. The login page looks identical to the real bank portal. The bookkeeper enters their username and password. Within hours, the attacker initiates wire transfers from the business account.
Why it works
Phishing works because it exploits trust and urgency, not technical vulnerabilities. The emails are increasingly well-crafted — no more obvious spelling errors or Nigerian prince stories. Modern phishing emails are targeted, timely, and visually identical to legitimate communications.
What stops it
Multi-factor authentication (MFA) is the single most effective defense against credential phishing: a password typed into a fake login page is not enough on its own to get into the account. The caveat is that one-time codes sent by SMS or generated by an authenticator app can still be relayed by a phishing kit that proxies the real login page in real time, so where it is available, phishing-resistant MFA (FIDO2 security keys or passkeys, which only work on the genuine site) is the stronger choice. Beyond MFA, regular phishing simulation exercises train employees to recognize suspicious emails before clicking. Organizations that run monthly simulations commonly see click rates fall from 30 percent or higher to single digits within a few months.
2. Weak or reused passwords
How it works
When a website or service is breached, the stolen credentials often end up for sale on dark web marketplaces or simply posted in public. Attackers collect these credential lists and try them against other services (email, banking, cloud storage, VPNs), a technique called credential stuffing. If an employee used the same password for their personal shopping account and their work email, a breach of the shopping site gives the attacker access to your business systems.
A typical scenario
An employee used their work email address and their go-to password to create an account on a fitness app three years ago. That app was breached, and the credentials were posted online. An attacker runs those credentials against common business email providers. The employee's work email uses the same password. The attacker is in.
Why it works
People reuse passwords because remembering dozens of unique, complex passwords is genuinely difficult. Without a password manager, most people default to variations of the same base password. Attackers know this and automate the process of testing stolen credentials across thousands of services simultaneously.
What stops it
A business password manager eliminates the need for employees to remember passwords at all. Each account gets a unique, randomly generated password that the employee never needs to type. Combined with MFA on all business accounts, this makes credential stuffing attacks ineffective. Breach monitoring services that alert you when employee credentials appear in known data breaches add another layer of early warning.
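The breach monitoring mentioned above can also be done for individual passwords without ever sending the password anywhere, using the k-anonymity range lookup that the Pwned Passwords API offers: only the first five hex characters of the password's SHA-1 are sent, and the match is made locally against the returned list. The following is an added example, not code from the original article; the response body it checks against is constructed (the `1E4C9B...` suffix is the real SHA-1 suffix of the word "password", but the count and the other suffixes are made up), and only `fetch_range` touches the network.

```python
import hashlib
import urllib.request

# Base URL of the Pwned Passwords range API (k-anonymity lookup).
RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix 5BAA6: each line is the
# remaining 35 hex characters of a SHA-1 hash, a colon, and a breach count.
# The 1E4C9B... line is the real suffix of sha1("password"); its count and the
# other suffixes are made up for this example.
SAMPLE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E2DDA0EF1E84A8BF0A38A74D2C4D8D7E43:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:3
"""


def hash_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(password, range_body):
    """Return how many times the password appears in breach data, given the
    range response for its prefix. Matching happens locally on the suffix."""
    _, suffix = hash_prefix_suffix(password)
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix, timeout=10):
    """Live lookup: fetch the range body for a 5-char prefix (needs network)."""
    req = urllib.request.Request(
        RANGE_API + prefix, headers={"User-Agent": "breach-check-example"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def is_pwned(password):
    """Full online check: send only the prefix, compare the suffix locally."""
    prefix, _ = hash_prefix_suffix(password)
    return count_in_range(password, fetch_range(prefix)) > 0


if __name__ == "__main__":
    # Offline demonstration against the constructed response above.
    print(count_in_range("password", SAMPLE_RANGE_BODY))
    print(count_in_range("correct horse battery staple 7!", SAMPLE_RANGE_BODY))
```

A password manager or an onboarding script can run this check when a password is set; because the server only ever sees a five-character prefix shared by hundreds of hashes, the password itself is not disclosed even if the request is logged.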
3. Unpatched software
How it works
Software vendors regularly release updates that fix known security vulnerabilities. When those updates are published, the vulnerability details usually become public, and even when they do not, attackers can compare the patched and unpatched code to work out what changed. They then begin scanning the internet for systems still running the old, vulnerable version. The window between a patch being released and an attacker exploiting the vulnerability is often measured in days, not weeks.
A typical scenario
A small business runs a WordPress website with several plugins. One plugin has a known vulnerability that was patched two months ago, but the site administrator has not logged in to apply updates. An automated bot finds the site, exploits the vulnerability, and installs a web shell — a hidden backdoor that gives the attacker persistent access. They use this access to inject malicious code that steals credit card numbers from customers who make purchases on the site.
Why it works
Small businesses often lack dedicated IT staff to monitor and apply patches. Updates get deferred because they might break something, because nobody is assigned to do it, or simply because nobody is aware the updates exist. Meanwhile, attackers use automated tools that scan millions of IP addresses per day looking for specific unpatched vulnerabilities.
What stops it
Automatic updates should be enabled wherever possible. For systems that require manual patching, a simple monthly schedule, documented and assigned to a specific person, prevents the backlog from growing; taking a backup or testing the update on a staging copy first removes "it might break something" as a reason to defer. Vulnerability scanning identifies which of your public-facing systems are running outdated software so you know what needs attention before an attacker tells you.
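The core of the vulnerability scan described above is comparing what is installed against the lowest version that contains the fix, and the classic mistake is comparing version strings as text, where "1.9" sorts after "1.10". The following is an added example, not code from the original article or from any scanner: the plugin inventory and the fixed-in list are constructed placeholders, not real plugins or real advisories.

```python
import re

# Constructed inventory of a site's plugins (placeholder names, not real plugins).
INSTALLED = {
    "example-forms": "1.9",
    "example-gallery": "2.4.1",
    "example-seo": "3.0.0",
}

# Constructed advisory feed: plugin -> lowest version that contains the fix.
# Hypothetical entries for this example, not real advisories.
FIXED_IN = {
    "example-forms": "1.10",
    "example-gallery": "2.4.1",
    "example-seo": "2.8.5",
}


def parse_version(text):
    """Turn '1.10.2' (or 'v1.10.2-beta') into the tuple (1, 10, 2)."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_lt(a, b):
    """True if version a is older than version b. Components are compared
    numerically and shorter tuples are zero-padded, so '1.10' == '1.10.0'.
    A plain string comparison would report '1.9' > '1.10', which is wrong."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def outdated_plugins(installed, fixed_in):
    """Return (plugin, installed_version, fixed_in_version) for every plugin
    whose installed version is older than the version that carries the fix."""
    return sorted(
        (name, version, fixed_in[name])
        for name, version in installed.items()
        if name in fixed_in and version_lt(version, fixed_in[name])
    )


if __name__ == "__main__":
    for name, have, need in outdated_plugins(INSTALLED, FIXED_IN):
        print(f"{name}: installed {have}, fixed in {need}")
```

Feeding this a real inventory means pulling installed versions from the platform (for WordPress, the plugin list in the admin panel or the site's own CLI tooling) and the fixed-in versions from the vendor's advisories; the comparison logic stays the same.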
4. Exposed remote access
How it works
Remote Desktop Protocol (RDP) and other remote access services allow employees to connect to office computers from anywhere. When these services are exposed directly to the internet without proper security controls, attackers can find them using simple scanning tools and attempt to brute-force their way in by trying thousands of username and password combinations per hour.
A typical scenario
During the shift to remote work, a small business opened RDP access on their office server so employees could connect from home. The IT consultant who set it up planned to add a VPN later but never got around to it. Three months later, an attacker finds the exposed RDP port, brute-forces an employee account with a weak password, and deploys ransomware across the entire network.
Why it works
RDP brute-forcing is one of the most common initial access techniques for ransomware operators. The tools to scan for exposed RDP and attempt logins are freely available and fully automated. An exposed RDP port with weak credentials is essentially an unlocked door with a welcome mat.
What stops it
Never expose RDP directly to the internet. Put it behind a VPN or a zero-trust remote access gateway so that the RDP port is only reachable from inside an authenticated tunnel. Wherever remote access is in use, enforce MFA, require Network Level Authentication (NLA) so that credentials are checked before a desktop session is opened, use strong passwords, and enable account lockout after a small number of failed attempts. Regular port scanning of your own public IP addresses reveals whether any remote access services have been inadvertently exposed.
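Even with RDP tunnelled, it is worth watching for the brute-force pattern described above in the Windows Security log: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive) from one source address, especially when a successful logon (event 4624) from the same address follows. The following is an added example, not code from the original article; the log lines are a constructed, simplified export (timestamp, event ID, logon type, account, source IP), not a real Windows log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: simplified Security log export, one event per line as
# "<UTC timestamp> <EventID> <LogonType> <TargetUserName> <IpAddress>".
# Addresses are documentation ranges; accounts are placeholders.
SAMPLE_LOG = """\
2024-05-01T02:14:05Z 4625 10 administrator 203.0.113.10
2024-05-01T02:14:09Z 4625 10 admin 203.0.113.10
2024-05-01T02:14:14Z 4625 10 admin 203.0.113.10
2024-05-01T02:14:20Z 4625 10 jsmith 203.0.113.10
2024-05-01T02:14:27Z 4625 10 jsmith 203.0.113.10
2024-05-01T02:14:33Z 4625 10 jsmith 203.0.113.10
2024-05-01T02:14:41Z 4625 10 jsmith 203.0.113.10
2024-05-01T02:15:02Z 4624 10 jsmith 203.0.113.10
2024-05-01T09:01:10Z 4625 10 mgarcia 198.51.100.7
2024-05-01T09:01:31Z 4625 10 mgarcia 198.51.100.7
2024-05-01T09:01:50Z 4624 10 mgarcia 198.51.100.7
2024-05-01T09:30:00Z 4625 3 svc-backup 10.0.0.15
"""

RDP_LOGON_TYPE = 10  # RemoteInteractive; with NLA enabled, failures may also log as type 3


def parse_event(line):
    ts, event_id, logon_type, account, ip = line.split()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            int(event_id), int(logon_type), account, ip)


def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding
    window, and record whether a successful RDP logon followed from that IP."""
    recent = defaultdict(deque)   # ip -> timestamps of failures within the window
    failures = defaultdict(int)   # ip -> total RDP failures seen
    accounts = defaultdict(set)   # ip -> account names tried
    findings = {}
    for raw in log_text.strip().splitlines():
        ts, event_id, logon_type, account, ip = parse_event(raw)
        if logon_type != RDP_LOGON_TYPE:
            continue
        if event_id == 4625:
            failures[ip] += 1
            accounts[ip].add(account)
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"accounts": accounts[ip],
                                             "first_seen": q[0],
                                             "success_after": None})
                f["failures"] = failures[ip]
                f["last_seen"] = ts
        elif event_id == 4624 and ip in findings:
            # Brute force followed by a success: treat as a probable compromise.
            findings[ip]["success_after"] = account
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, f["failures"], "failures over", sorted(f["accounts"]),
              "then logged in as", f["success_after"])
```

The two-failure user typo from 198.51.100.7 stays below the threshold, while 203.0.113.10 is flagged with seven failures across three accounts and a subsequent success as jsmith, which is the event that should page someone rather than just be logged.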
5. Business email compromise (BEC)
How it works
Business email compromise is a targeted attack where an attacker impersonates a business executive, vendor, or partner to trick an employee into transferring money, sharing sensitive data, or changing payment details. Unlike mass phishing, BEC attacks are carefully researched — the attacker studies the company, identifies key employees, and crafts emails that reference real projects, real clients, and real transactions.
A typical scenario
An accounts payable clerk receives an email that appears to be from a longtime vendor, requesting that future payments be sent to a new bank account. The email references a real contract number and is addressed to the clerk by name. The email actually came from a lookalike domain — one letter different from the real vendor's domain. The clerk updates the payment details, and the next three payments go to the attacker's account before anyone notices.
Why it works
BEC attacks succeed because they do not contain malware or malicious links; they are just emails asking someone to do something that seems reasonable. Filters that look for attachments and bad links rarely catch them, because the message itself is plain text. The attack exploits human trust and normal business processes.
What stops it
Email authentication (SPF, DKIM and DMARC) lets receiving mail servers reject messages that forge your exact domain, but only once your DMARC policy is set to quarantine or reject; a policy of p=none reports spoofing without blocking it, and none of this stops a lookalike domain that the attacker has legitimately registered. For financial transactions, implement a verification policy: any request to change payment details, wire money, or share sensitive information must be confirmed through a separate channel, such as a phone call to a number already on file, never a reply to the email. Training employees to recognize BEC tactics (urgency, authority pressure, unusual requests) reduces the likelihood of success.
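Two of the checks above can be automated: comparing a sender's domain against the vendors you actually pay (catching the one-letter-different domain from the scenario, including swaps like "rn" for "m"), and reading a DMARC record to see whether it is actually enforcing. The following is an added example, not code from the original article; the trusted domain list is constructed, and the DMARC records passed in are sample strings rather than live DNS lookups.

```python
# Constructed list of vendor domains the business actually pays (placeholders).
TRUSTED_DOMAINS = {"acme-supplies.com", "northwind-traders.net"}

# Substitutions attackers use because the characters look alike in many fonts.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain):
    """Lower-case the domain and collapse common look-alike substitutions."""
    d = domain.lower().strip().rstrip(".")
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(domain, trusted=TRUSTED_DOMAINS, max_distance=1):
    """'trusted' for an exact match, 'lookalike of <vendor>' when the domain is
    within max_distance edits of a vendor after normalization, else 'unknown'.
    Pass the domain from the From: header, which is what the clerk sees."""
    d = domain.lower().strip().rstrip(".")
    if d in trusted:
        return "trusted"
    nd = normalize(d)
    for t in sorted(trusted):
        if levenshtein(nd, normalize(t)) <= max_distance:
            return f"lookalike of {t}"
    return "unknown"


def dmarc_assessment(txt_record):
    """Parse a _dmarc TXT record. Only p=quarantine or p=reject applied to
    100% of mail actually blocks spoofing; p=none (or no record) only reports."""
    if not txt_record or not txt_record.strip().lower().startswith("v=dmarc1"):
        return {"policy": None, "pct": 0, "enforcing": False}
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    return {"policy": policy, "pct": pct,
            "enforcing": policy in ("quarantine", "reject") and pct == 100}


if __name__ == "__main__":
    for sender in ["acme-supplies.com", "acrne-supplies.com", "acme-supplies.co", "example.org"]:
        print(sender, "->", classify_sender(sender))
    print(dmarc_assessment("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
    print(dmarc_assessment("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
```

A mail gateway rule or a small mailbox add-in can tag any message whose sender classifies as a lookalike; the DMARC check is the one to run against your own domain, since a record that exists but says p=none gives a false sense of protection.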
The common thread
All five of these attack patterns share one characteristic: they exploit gaps that the business did not know existed. Exposed ports, missing email authentication, unpatched software, untrained employees, weak passwords — these are all discoverable and fixable before they are exploited.
The first step is visibility. You need to know what an attacker would see when they look at your business from the outside.
Run a free security assessment to identify your exposed vulnerabilities, email security gaps, and open ports before someone else finds them.