
Stay safe from cybersecurity threats

Cyber-attacks are a growing concern for small businesses. Learn about the threats and how to protect yourself.

Cyber-attacks are a growing threat for small businesses and the U.S. economy. According to the FBI's Internet Crime Complaint Center (IC3), reported losses from cybercrime exceeded $2.7 billion in 2018, and the annual figure has risen every year since.

Small businesses are attractive targets because they have information that cybercriminals want, and they typically lack the security infrastructure of larger businesses.

According to a recent SBA survey, 88% of small business owners felt their business was vulnerable to a cyber-attack. Yet many businesses can’t afford professional IT solutions, have limited time to devote to cybersecurity, or they don’t know where to begin.

Start by learning about common cyber threats, understanding where your business is vulnerable, and taking steps to improve your cybersecurity.

Common threats

Cyber-attacks are constantly evolving, but business owners should at least be aware of the most common types.

Malware

Malware (malicious software) is an umbrella term that refers to software intentionally designed to cause damage to a computer, server, client, or computer network. Malware can include viruses and ransomware.

Viruses

Viruses are malicious code that attaches itself to legitimate programs or files and copies itself to other computers (and other connected devices) when those files are shared, opened, or run. What a virus does once it runs varies: some give cybercriminals remote access to your system, others steal data, corrupt files, or install further malware.

Ransomware

Ransomware is a specific type of malware that encrypts your files or locks your systems and demands payment, usually in cryptocurrency, to restore access. It is usually delivered through phishing emails, through remote-access services exposed to the internet with weak or reused passwords, or by exploiting unpatched vulnerabilities in software. Paying does not guarantee that your data comes back, and many ransomware groups also copy data before encrypting it so they can threaten to publish it. Tested backups kept out of the attacker's reach are the most reliable defense.

Phishing

Phishing is a type of cyber-attack that uses email or a malicious website to infect your machine with malware or to collect your sensitive information. Phishing emails appear as though they have been sent from a legitimate organization or a known individual. They often entice users to click a link or open an attachment containing malicious code, or to enter a username and password on a fake login page that looks like a real one. After the code is run, your computer may become infected with malware; after the credentials are entered, the attacker can log in as you.

Assess your business risk

The first step in improving your cybersecurity is understanding your risk of an attack, and where you can make the biggest improvements.

A cybersecurity risk assessment can identify where a business is vulnerable, and help you create a plan of action—which should include user training, guidance on securing email platforms, and advice on protecting the business’s information assets.

Planning and assessment tools

There’s no substitute for dedicated IT support—whether an employee or external consultant—but businesses of more limited means can still take measures to improve their cybersecurity.

FCC Planning Tool
The Federal Communications Commission offers a cybersecurity planning tool to help you build a strategy based on your unique business needs.

Cyber Resilience Review
The Department of Homeland Security’s (DHS) Cyber Resilience Review (CRR) is a non-technical assessment to evaluate operational resilience and cybersecurity practices. You can either do the assessment yourself, or request a facilitated assessment by DHS cybersecurity professionals.

Cyber Hygiene Vulnerability Scanning
DHS also offers free cyber hygiene vulnerability scanning for small businesses. The service continuously scans your internet-facing systems for known vulnerabilities and weak configurations and sends you a weekly report for action. It only sees what is exposed to the internet; it does not assess your internal systems or your staff's practices, so it complements rather than replaces the assessments above.

Supply Chain Risk Management

Use the Supply Chain Risk Management Toolkit to help shield your business's information and communications technology from sophisticated supply chain attacks. Developed by the DHS Cybersecurity and Infrastructure Security Agency (CISA), this toolkit will help you raise awareness and reduce the impact of supply chain risks.

Cybersecurity best practices

Train your employees

Employees and emails are a leading cause of data breaches for small businesses because they are a direct path into your systems. Training employees on basic internet best practices can go a long way in preventing cyber-attacks. The Department of Homeland Security’s "Stop.Think.Connect" campaign offers training and other materials. 

Training topics to cover include:

  • Spotting a phishing email
  • Using good browsing practices
  • Avoiding suspicious downloads
  • Creating strong passwords
  • Protecting sensitive customer and vendor information
  • Maintaining good cyber hygiene


Use antivirus software and keep it updated
Make sure each of your business's computers is equipped with antivirus and antispyware software that is updated regularly. Such software is readily available online from a variety of vendors. Software vendors regularly provide patches and updates to their products to correct security problems and improve functionality, and attackers routinely exploit flaws for which a fix has been available for weeks or months. Configure all software, including operating systems and web browsers, to install updates automatically, and replace software that no longer receives security updates.

Secure your networks
Safeguard your Internet connection by using a firewall and encrypting information in transit. If you have a Wi-Fi network, secure it with WPA2 or, where your equipment supports it, WPA3 and a long, unique passphrase; change the router's default administrator password; and install router firmware updates. Hiding the network name (the Service Set Identifier, or SSID) is often recommended but adds little protection: the name is still transmitted whenever a device connects and can be recovered with freely available tools, so do not rely on it in place of encryption. Put guests and devices such as printers, cameras, and smart TVs on a separate network from the computers that hold business data.

Use strong passwords
Using strong passwords is an easy way to improve your cybersecurity. Use a different password for every account, because attackers take credentials leaked from one site and try them against every other site. Length matters more than complexity; current NIST guidance (SP 800-63B) favors long, unique passwords over mandatory mixes of character types. A strong password:

  • is at least 12 characters long (a passphrase of four or more unrelated words is both long and easy to remember)
  • is not a dictionary word, a name, a date, or anything tied to you or your business
  • is never reused across accounts
  • includes uppercase and lowercase letters, numbers, and special characters where a system requires them, though length still counts for more

A password manager generates and stores such passwords so that no one has to memorize them.


Multifactor authentication
Multifactor authentication (MFA) requires something in addition to the password to log in, such as a code from an authenticator app, a hardware security key, or a code sent to your phone. Turn it on wherever it is offered, starting with email, online banking, payroll, and any administrator accounts; email matters most, because an attacker who controls a mailbox can reset the passwords of everything else. Prefer an authenticator app or a security key over codes sent by SMS, which can be intercepted or redirected by SIM swapping, and remember that no legitimate institution will ever phone or email you to ask for a code. Check with the vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.

Protect sensitive data and back up the rest

Back up your data
Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up automatically if possible, or at least weekly, and keep copies offsite or in the cloud. Make sure at least one copy is offline or otherwise unreachable with the credentials used on your everyday computers: ransomware looks for connected drives and cloud shares and encrypts or deletes any backups it can reach. Test restoring files from a backup from time to time; an untested backup may turn out to be unusable on the day you need it.
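Backing up is only half the control; a backup that cannot be restored intact is no protection against ransomware. The following Python script is an added example, not part of the original page or of any vendor's backup tool. It archives a directory together with a manifest of SHA-256 hashes, then proves the archive restores byte-for-byte into scratch space, which is the restore test the paragraph above asks for. The "books" directory and its two files are constructed sample data, and the archive is written next to the source only so the example runs offline; in practice you would run verify_restore against a copy that lives offline or under a different credential from the computers it protects.

```python
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    return archive.parent / (archive.name + ".manifest.json")


def backup(src: Path, dest_dir: Path) -> Path:
    """Write a timestamped tar.gz of src and a manifest of file hashes beside it."""
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = dest_dir / f"{src.name}-{stamp}.tar.gz"
    manifest = build_manifest(src)                 # hashed before archiving
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=src.name)
    manifest_path(archive).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive


def verify_restore(archive: Path) -> Tuple[bool, List[str]]:
    """Restore the archive into scratch space and compare every file against the manifest.
    A backup that has never been restored is a hope, not a recovery plan."""
    expected = json.loads(manifest_path(archive).read_text())
    problems: List[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Newer Pythons can refuse path-traversal entries; older ones lack the option
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        restored_root = next(Path(scratch).iterdir())   # the single top-level directory
        actual = build_manifest(restored_root)
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"corrupt: {rel}")
    problems += [f"unexpected: {rel}" for rel in actual if rel not in expected]
    return not problems, problems


def demo(tamper: bool = False) -> Tuple[bool, List[str]]:
    """Back up a small constructed 'books' directory and verify it restores cleanly.
    With tamper=True the stored hash of one file is altered so the verification
    reports a mismatch instead of silently passing."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "books"
        (src / "hr").mkdir(parents=True)
        (src / "ledger.csv").write_text("date,amount\n2024-01-02,120.00\n")   # constructed sample data
        (src / "hr" / "roster.txt").write_text("J. Doe\nJ. Smith\n")          # constructed sample data
        archive = backup(src, Path(work))
        if tamper:
            m = json.loads(manifest_path(archive).read_text())
            m["ledger.csv"] = "0" * 64
            manifest_path(archive).write_text(json.dumps(m))
        return verify_restore(archive)


if __name__ == "__main__":
    print(demo())               # (True, [])
    print(demo(tamper=True))    # (False, ['corrupt: ledger.csv'])
```

Hashing before archiving and again after restoring means the check catches truncated archives, silent disk corruption, and a backup job that quietly stopped including a folder. It does not replace an offline copy: a script running on an infected machine can be tampered with just like the data it protects.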

Secure payment processing
Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet.

Control physical access
Prevent access to or use of business computers by unauthorized individuals. Laptops are particularly easy targets for theft and are easily lost, so lock them up when unattended and enable full-disk encryption so a stolen device does not become a data breach. Create a separate user account for each employee and require strong passwords. Give administrative privileges only to trusted IT staff and key personnel, and have even those people use a separate, non-administrative account for everyday work such as email and web browsing, so that a single clicked attachment does not run with full control of the machine.

Business Email Compromise (BEC). What is it?

Business Email Compromise (BEC) is a type of targeted scam in which an attacker impersonates a company executive or high-level employee with the intent of defrauding or extracting sensitive data from the company or its partners. The end goal of a BEC fraud is to persuade the target to make a money transfer or send sensitive data to the attacker while believing they are executing a legitimate and regular business operation.

Attackers achieve this with social-engineering techniques that trick users into sending money or data.

How a BEC Scam Works

Like all social engineering attacks, BEC fraud relies on the human factor to succeed: it exploits people's natural tendency to cooperate with a request from a colleague or superior.

Because people have a natural desire to be helpful and to prove their usefulness, they are likely to become victims of BEC attacks. The impulse to say "yes" quickly to a request from management overrides the need to double-check that the request is in order in the first place.

In most BEC attacks, there are three major stages:

Target Research

Also known as the “man-in-the-email” attack, BEC scams start with a large amount of research, with the attacker going through publicly available information about the company, like websites, press releases, or social media published content.

Planning

After diligently researching the targets for some time, the attacker will develop a few scam scenarios that might work.

The attacker will try either to gain access to the email accounts of influential people in the company or to impersonate them. Impersonation often uses a lookalike domain registered by the attacker that differs from the real one by a single added, dropped, or swapped character (a digit in place of a letter, "rn" in place of "m"), which a busy reader easily overlooks; because the lookalike domain is genuinely the attacker's, email from it passes the sender checks that only protect the real domain.

Attack Execution

Depending on the adversary's thoroughness, the BEC attack can occur in a single email or unfold across an entire thread. To earn the victim's trust, this communication frequently employs persuasion, urgency, and authority. The attacker then instructs the victim either to make a money transfer or to send sensitive data.
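The lookalike-domain trick from the Planning stage and the urgency-plus-authority pattern of the Attack Execution stage can both be checked mechanically before a message reaches a human. The Python script below is an added example, not code from the original page or from any product. It parses a raw message, folds confusable character sequences ("rn" for "m", "1" for "l"), measures one-character edit distance against the domains you trust, and flags executive names on outside addresses, a Reply-To that diverges from the From address, pressure language, and requests to change bank details. The company domain, the vendor domain, the executive names, and the three sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional, Set

# --- Assumed configuration, constructed for this example (not from the page) ---
OUR_DOMAINS = {"example-widgets.com"}             # the hypothetical company's own domain
VENDOR_DOMAINS = {"acme-supplies.com"}            # domains of suppliers that invoice it
EXECUTIVES = {"jane doe", "john smith"}           # names attackers are likely to impersonate
PRESSURE = re.compile(r"\b(urgent|immediately|asap|today|confidential|wire|gift cards?)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new|updated?|changed?)\b.{0,40}\b(bank|account|routing|iban)\b", re.I | re.S)
# Character sequences that look alike in common fonts: "rn" passes for "m", "1" for "l", ...
LOOKALIKE_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalise(domain: str) -> str:
    """Fold visually confusable sequences so 'exarnple' and 'example' compare equal."""
    d = domain.lower()
    for seq, repl in LOOKALIKE_PAIRS:
        d = d.replace(seq, repl)
    return d


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions and
    swaps of adjacent characters each cost 1 (catches 'exmaple' as well as 'exampel')."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def lookalike_of(domain: str, known: Set[str]) -> Optional[str]:
    """Return the known domain that `domain` imitates, or None if it is exact or unrelated."""
    if domain in known:
        return None
    for k in sorted(known):
        if normalise(domain) == normalise(k) or edit_distance(domain, k) == 1:
            return k
    return None


def triage(raw: str) -> List[str]:
    """Run the checks over one raw message (headers, blank line, body) and list the findings."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    findings: List[str] = []
    # 1. Executive's name on an address outside the company: the classic CEO-fraud setup
    if name.strip().lower() in EXECUTIVES and from_domain not in OUR_DOMAINS:
        findings.append(f"display name '{name}' matches an executive but sender domain is {from_domain}")
    # 2. Sender domain is one character (or one font trick) away from a domain we trust
    target = lookalike_of(from_domain, OUR_DOMAINS | VENDOR_DOMAINS)
    if target:
        findings.append(f"sender domain {from_domain} looks like {target}")
    # 3. Replies silently go somewhere other than the apparent sender
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not {from_domain}")
    # 4. Urgency, secrecy and payment language: the persuasion the text describes
    words = sorted({m.lower() for m in PRESSURE.findall(text)})
    if words:
        findings.append("pressure language: " + ", ".join(words))
    # 5. Any change of payment details must be confirmed out of band, never by replying
    if BANK_CHANGE.search(text):
        findings.append("request to change payment details; confirm by phone on a known number")
    return findings


# Constructed sample messages (not real mail): a CEO spoof, a vendor bank-swap, a clean note
CEO_SPOOF = """From: Jane Doe <jane.doe@exarnple-widgets.com>
To: accounts@example-widgets.com
Subject: Urgent wire needed before 5pm

I'm stuck in a meeting. Please wire $48,200 to the account below immediately
and keep this confidential until I'm out.
"""
VENDOR_SWAP = """From: Acme Supplies Billing <billing@acme-suppl1es.com>
Reply-To: billing.acme@mail-relay-example.net
To: accounts@example-widgets.com
Subject: Updated bank account for invoice 4471

Please note our new bank details for all future payments. Invoice attached.
"""
LEGIT = """From: John Smith <john.smith@example-widgets.com>
To: accounts@example-widgets.com
Subject: Q3 numbers

Attached are the Q3 numbers for the board pack. Thanks!
"""

if __name__ == "__main__":
    for label, sample in [("CEO_SPOOF", CEO_SPOOF), ("VENDOR_SWAP", VENDOR_SWAP), ("LEGIT", LEGIT)]:
        print(label, triage(sample) or ["no findings"])
```

Run on its own it prints the findings for each sample. It is a triage aid, not a spam filter: a clean result says nothing about a message sent from a genuinely compromised mailbox (the Email Account Compromise case below), which is why calling the payee back on a number already on file remains the control that actually stops the loss.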

Most Common Types of BEC Attacks

The Bogus Invoice Scheme

In this scam, companies working with foreign suppliers are often targeted. The attackers pretend to be a supplier and ask that payments be sent to a bank account the fraudsters control, typically by announcing "new" bank details for an invoice that is genuinely due.

CEO Fraud

After collecting the necessary data, attackers pose as the company's CEO or another high-level executive and email employees in finance, requesting money transfers to an account they control.

Email Account Compromise (EAC)

An executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.

Attorney Impersonation

In some cases attackers pretend to be a lawyer or someone from a law firm supposedly handling a crucial and confidential matter. These requests usually arrive by email or phone and are timed for the end of the business day, when the victim is tired and less focused.

Data Theft

This type of scam usually targets employees from the HR and bookkeeping departments. The employees are targeted in order to obtain personally identifiable information (PII) or tax statements of employees and executives, important data that can be used in future attacks.

How to prevent Business Email Compromise?

1. Train your employees

An extremely important step an organization must take in safeguarding against BEC is to provide employees with adequate cybersecurity training.

Employees should be aware of the risks and implications that these attacks hold, as well as how to spot scams and properly respond to an incident of this sort.

BEC attacks have a high success rate not because they are technologically sophisticated but because they exploit human vulnerabilities such as deference to authority, time pressure, and tiredness.

You can mitigate these risks using clear communication of roles and expectations whilst providing appropriate guidance in the use of IT and accounting controls.

Cybersecurity risks come in a wide variety of shapes and sizes, so it is critical that staff can recognize, report, and properly respond to a cyber threat.

Although it may seem obvious, most successful cyber-attacks involve human error somewhere along the way. Managers should bear in mind that attackers rarely break in by brute force alone; they look for the weakest point, and that is often a person.

As a result, cybersecurity knowledge and skills are part of every job in the organization.

Making cybersecurity everyone's responsibility is extremely important. Include management and IT in your education program, hold regular cybersecurity sessions, and set specific rules for email, internet browsing, social networks, and mobile devices.

It’s true that there’s no foolproof method that you can use to protect your business, but educating your employees about security threats and best practices for online behavior and privacy can greatly reduce the possibility of a BEC scam.

2. Encourage employees to challenge suspicious requests

Employees sometimes rush an action or a response, so training them to double-check before executing a task reduces the risk of being compromised by a cyber-attack.

Let’s take as an example an email coming from a senior executive in the company in which a large amount of money is requested in an urgent manner.

Employees should understand that it’s better to delay the payment than to be scammed and take the proper steps in making sure the request that came their way is actually legit.

Another aspect that needs to be better applied and understood, especially in larger companies, is making employees comfortable contacting their managers to confirm a request through a channel other than the email that carried it: an internal chat system, SMS, or a phone call to a number they already know. Confirming by replying to the email proves nothing, since the reply goes back to whoever sent it.

Any organization requires effective communication. Organizations must have complete policies and methods for communicating with their constituents, workers, and stakeholders, as well as the general public, in order to be successful.

3. Payments approval process

Organizations should map the existing workflow for wire transfers and examine it in depth for weaknesses and opportunities for improvement, for example:

  • limiting the amount each executive can approve on their own
  • requiring a second, independent approver for every wire (dual control), with a protocol that applies even when a senior executive initiates the transaction, since those are precisely the requests attackers impersonate
  • verifying any new or changed bank details by calling the payee on a phone number already on file, never on a number supplied in the email that requested the change

4. Deploy cybersecurity solutions

Raising employee awareness about scams and BEC fraud is always a good idea, but businesses shouldn’t rely solely on this.

Having at least basic email security in place and two-factor authentication is a must. Basic email security means spam and phishing filtering, plus publishing SPF, DKIM, and DMARC records for your own domain so that mail which merely claims to come from your domain is rejected by recipients; note that these records do nothing against a lookalike domain or a genuinely compromised account, which is why the process controls above still matter. You should also make sure to update your security software regularly and keep a backup of your data.

Protect yourself from ACH & Wire Transfer Fraud.

ACH transactions and wire transfers are the fastest way to move funds to another business, person, or other recipient. Unfortunately, cybercriminals have learned how to use them to steal your hard-earned money. They use a variety of tools, including phishing emails, compromised legitimate websites, fake friend requests on social sites, and malware, to obtain your online banking credentials. Once they have them, they can transfer money out of your bank account and into theirs, and a wire in particular is hard to recall once it has been sent. They often target small and medium-sized businesses because these businesses frequently do not use dual controls on their accounts (one person initiates a payment, a different person approves it) and have not adopted a strong information security posture. Ask your bank about dual control, daily transaction limits, and alerts for outgoing payments, and consider a dedicated computer for online banking that is not used for email or web browsing.



Old-fashioned Innovation

Give Us A Call: 800-422-3641