When you think of threats to your small business, you may consider competitors or individuals trying to steal your ideas, lack of customers, or poor economic conditions. You worry about how your product or service will do, or if you’ll make or have enough money to get through the year. One specific area of concern that you probably don’t consider is online bank fraud. In this modern day and age, the masked bank robber has gone out of fashion; the hacker is the new “it” criminal. And guess what? Your small business is the victim.
More and more small businesses are falling prey to ingenious hackers and cybercriminals who deplete their commercial accounts, with no way to regain the stolen money. Just one fraudulent interaction can completely decimate a company that took years to build. Small businesses are especially vulnerable because they don’t have the protection of a full-scale I.T. department, nor do they have the firewalls, malware protection and cyber defenses that bigger businesses can afford to implement. In an effort to conserve funds, employees in small business environments are given inappropriate access to bank accounts and are not educated in the potential dangers of online banking fraud. Hackers target small businesses with large commercial bank accounts for these specific reasons.
Cybercriminals usually use three primary methods for their online banking fraud:
1. Social engineering. This refers to the manipulation of account holders/users through the impersonation of a trustworthy source (like a bank) via electronic communication, usually asking for confidential information. These can take the form of emails (“phishing”) or text messages (“smishing”). Be aware of nonsensical greetings, a strange sense of urgency, abnormally sized or distorted logos, improper grammar or incorrect links.
2. Malware. This is when “malicious” software is installed on your computer without your knowledge or consent. This software can record keystrokes, redirect your Internet browser or even impersonate you in online banking transactions. Malware can be installed through various means: infected email attachments/documents, corrupt links, documents, videos or photos posted on websites (especially social media sites), and corrupt search engine results.
3. Combination of social engineering and malware. In these cases, social engineering is usually used to fool users in order to infect the computer with malware. For example, an account holder will receive a “phishing” email with a link attached. When they are fooled by the initial email and click the link, the computer is then infected by malware.
Many business owners incorrectly assume that the protection that applies to a personal bank account is the same for business accounts. If money is fraudulently taken from your personal account, the banks will work with you to regain that money, with no loss to you (if caught in a reasonable amount of time). Unfortunately, unless the business account owners have specific fraud insurance that covers this kind of illegal activity (usually fraud insurance only covers employee embezzlement), they must bear the brunt of the losses and take full responsibility.
Once the money is gone, there is usually no way to get it back. This realization usually causes the business owner a great amount of anger directed at the bank, but banks actually have no legal responsibility to reimburse businesses for fraudulent losses since federal regulations do not apply to commercial accounts. Companies that have tried to sue their banks over this have consistently lost; this fraud is seen as the fault of the company and its lack of security precautions. Larger banks like Wells Fargo and Bank of America have more advanced pattern-recognition and monitoring systems. Banks should have automated capabilities to detect irregular or fraudulent activity in accounts, but because these systems are highly expensive, many smaller banks still rely on manual procedures. Despite the bank’s security precautions (or lack thereof), it always comes down to the individual business.
Depressing, right? Fortunately, there are easy steps to take to protect your small business from this kind of fraud. These measures should always be taken, or you risk losing everything!
1. Do not give out bank access information. Do not give out any login information or passwords, IDs, token codes or token numbers. If you receive an email, phone call or text message asking for this information, do not respond. Let your financial organization know immediately if this happens.
2. Implement controls. Have qualified professionals complete your accounting practices. Online payments, ACH, wire transfers and foreign exchanges should have “dual custody.” Reconcile your bank accounts monthly and always lock up your checks.
3. Strengthen cyber security. This is one of the most important steps to take: regularly update your antivirus/antispyware software and make sure that you have strong firewalls installed. If you are not savvy in this area and cannot afford a full-time I.T. employee, spend the money on a high-quality consultant who can help you with proper installation. Ensure that your servers and systems are updated with all vendor-recommended revisions.
4. Educate your employees about the potential risks. Any employees with access to the company bank accounts should be instructed to never give out bank information to outside sources. They should be warned of “phishing” and “smishing” scams and given strict instructions on what to do if this happens.
5. Dedicate one computer for online banking. This computer should not be used to browse the Internet (especially social media sites) or have emails sent from it. This may seem excessive, but in the long run, the cost of a computer is nothing compared to the cost of losing your company.
6. Monitor your bank account every day, multiple times a day. This includes holidays and weekends. Unfortunately, small business bank accounts are often not monitored closely enough, or are supervised by an unfit employee. Cybercriminals, most of whom are based in Eastern Europe, move very quickly. They understand the timeliness of what they are doing and they know how to work the system to their advantage. If you see anything suspicious, contact your bank immediately. If you wait, massive amounts of money can be transferred out in a very short amount of time, funds that you will never recover.
7. Only use trusted websites. Block access to any website that carries a potential risk to your business or is not relevant to the business’ needs. If your computer warns you that a site may not be safe, do not visit the site.
8. Use your bank’s notification or alert services. This is a service that most larger banks have: you can be alerted via text or email of any electronic debits or transfers. If activity occurs that you did not authorize, you will be notified immediately and can then take the necessary action.
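As an added illustration of steps 2 and 6 (this example is not part of the original article), the short Python script below reconciles a bank export against the company's own register of approved payments and flags any debit that has no approval or that was initiated and approved by the same person. The CSV column names, payees and staff names are constructed for the example; a real bank export will use its own layout.

```python
import csv
import io
from decimal import Decimal

# Constructed sample data (not real accounts): a bank export of outgoing
# payments and the company's own register of approved payments.
BANK_EXPORT = """date,type,payee,amount
2024-03-01,ACH,Acme Supplies,1200.00
2024-03-02,WIRE,Unknown Holdings,9800.00
2024-03-04,WIRE,Northside Realty,3500.00
2024-03-04,ACH,Acme Supplies,450.00
"""
APPROVALS = """payee,amount,initiated_by,approved_by
Acme Supplies,1200.00,alice,bob
Northside Realty,3500.00,alice,alice
"""

def load(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def review(bank_rows, approval_rows):
    """Return (payee, amount, reason) for each payment that needs attention."""
    # Index approvals by (payee, amount); each approval covers one payment.
    pending = {}
    for a in approval_rows:
        key = (a["payee"], Decimal(a["amount"]))
        pending.setdefault(key, []).append(a)
    findings = []
    for row in bank_rows:
        key = (row["payee"], Decimal(row["amount"]))
        matches = pending.get(key, [])
        if not matches:
            findings.append((key[0], key[1], "no matching approval"))
            continue
        approval = matches.pop(0)  # consume it so it cannot cover a second debit
        if approval["initiated_by"] == approval["approved_by"]:
            findings.append((key[0], key[1], "not dual custody"))
    return findings

if __name__ == "__main__":
    for payee, amount, reason in review(load(BANK_EXPORT), load(APPROVALS)):
        print(f"REVIEW NOW: {payee} {amount} ({reason})")
```

Run against each day's export, anything it prints is a payment to raise with the bank immediately rather than at month-end reconciliation.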
Many small business owners think that this won’t happen to them and have taken reasonable precautions. Unfortunately, the number of cyber attacks against small business bank accounts is rising. Before it’s too late, take the aforementioned steps to protect your small business from suffering monetary losses or, even worse, closing down.