Small Businesses At Greater Risk for Online Fraud
By Eva Norlyk Smith, Ph.D.
August 5, 2011
Consumers who use credit cards online know that if something happens, their accounts are generally protected against financial losses. However, when it comes to online banking fraud, small business owners don’t enjoy the same protections — and most don’t realize just how high the stakes are.
When a consumer's credit card information is stolen, the cardholder's maximum out-of-pocket cost is typically $50, as long as the loss is reported promptly. Business credit cards enjoy the same protections, but small business bank accounts do not. In the U.S., the liability limits for unauthorized electronic transfers come from Regulation E, which applies only to consumer accounts. Transfers out of commercial accounts are governed instead by Article 4A of the Uniform Commercial Code, under which the business generally bears the loss if the bank verified the transfer with a security procedure that was commercially reasonable and that the customer had agreed to. Banks therefore have no general legal obligation to cover online banking fraud or fraudulent commercial wire transfers.
As a result, small businesses often suffer heavy losses when their online banking credentials are compromised. According to a survey by Javelin Strategy & Research, small business computer fraud in the U.S. cost an estimated $8 billion in 2010. The affected businesses absorbed $2.61 billion of that loss themselves; the rest was covered by financial institutions, credit card issuers, merchant partners or insurers.
“The consequences of cyberfraud can be devastating for small businesses,” says Kevin Haley, Director of Security Technology and Response at the security firm Symantec. “Many small businesses just don’t have the resources to survive having their bank account emptied. It can put them out of business sometimes.”
Cybercrooks preying on small businesses
Experts say that cybercriminals are increasingly targeting small businesses with 100 employees or fewer. According to the Verizon 2011 Data Breach Investigations Report, compiled in collaboration with the U.S. Secret Service, many cybercriminals have shifted their focus from large, complicated break-ins to smaller, more vulnerable targets that can be breached with repeatable, automated attacks.
The number of breaches in the report's caseload jumped from 141 in 2009 to 761 in 2010, and 63 percent of them hit companies with 100 employees or fewer.
The report also finds that breaches increasingly originate with outside attackers: more than nine out of ten breaches in 2010 involved an external party, while breaches involving employees accounted for only 16 percent. (The two figures add up to more than 100 percent because the report counts every party involved in a breach, so a case in which an outsider worked with a colluding insider appears in both.)
Hacking and malware remain the most common ways for cybercriminals to reach sensitive credit card or banking information. In a typical intrusion, malware arrives on a victim's computer through a phishing email whose link or attachment delivers a banking Trojan such as Zeus.
The Trojan logs keystrokes or injects fake form fields into the bank's login pages to capture credentials and other account details. Because it runs inside the victim's browser, it sees whatever the user types, including any one-time code, and can alter the details of a transfer after the user has approved it on screen. The criminals then use the stolen access to move money into accounts held by "money mules," low-level recruits who forward the funds on to the fraudsters.
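The phishing lure that starts the chain above (and the fake package-delivery notice the article's advice section later uses as its example) can often be caught with a few mechanical checks before anyone has to judge whether the email "looks right." The following is an added example, not code from the original article or from Symantec or Verizon. The two messages, the brand-to-domain table and the "last two labels" domain rule are all constructed for illustration and are deliberately simplified; a production filter would use the Public Suffix List and a much larger brand table.

```python
"""Added example, not part of the original article: heuristic checks for
phishing lures of the kind described above, such as a fake package delivery
notice whose link leads somewhere other than the courier's site. Sample
messages are constructed; the brand table and domain rule are simplified."""
import email
import ipaddress
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brand-to-domain table (assumption for this example).
BRAND_DOMAINS = {"ups": "ups.com", "fedex": "fedex.com", "usps": "usps.com"}

# File types that should never arrive as a "shipping label" or "invoice".
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".zip", ".js", ".vbs")

# Constructed lure: display name and link text claim UPS, but the sender
# domain and the href point elsewhere, and the target is an executable.
PHISH_EML = """\
From: "UPS Quantum View" <notify@ups-delivery-status.example>
To: accounts@smallbiz.example
Subject: UPS Delivery Notification
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your package could not be delivered. Print the label below.</p>
<p><a href="http://203.0.113.45/track/label.exe">http://www.ups.com/tracking</a></p>
</body></html>
"""

# Constructed benign notice for comparison.
CLEAN_EML = """\
From: "UPS" <noreply@ups.com>
To: accounts@smallbiz.example
Subject: UPS Delivery Notification
Content-Type: text/html; charset="utf-8"

<html><body>
<p><a href="https://www.ups.com/track?id=1">https://www.ups.com/track</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Naive eTLD+1 (last two labels); real code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze(raw_message):
    """Return a list of (code, detail) findings; an empty list means nothing flagged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    name, addr = parseaddr(str(msg["From"]))
    sender_domain = registered_domain(addr.rpartition("@")[2])
    for brand, legit in BRAND_DOMAINS.items():
        # The display name invokes a brand the sending domain does not belong to.
        if brand in name.lower().split() and sender_domain != legit:
            findings.append(("sender-domain-mismatch", f"{name!r} sent from {sender_domain}"))

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())

    for href, text in collector.links:
        parsed = urlparse(href)
        host = parsed.hostname or ""
        if is_ip_literal(host):
            findings.append(("ip-literal-link", href))
        # Visible text looks like a URL but names a different site than the href.
        if "://" in text:
            text_host = urlparse(text).hostname or ""
            if registered_domain(text_host) != registered_domain(host):
                findings.append(("link-text-mismatch", f"{text} -> {href}"))
        if parsed.path.lower().endswith(RISKY_EXTENSIONS):
            findings.append(("executable-download", href))
    return findings
```

Running `analyze(PHISH_EML)` flags all four problems (brand name from an unrelated domain, a link to a bare IP address, link text that disagrees with its target, and an executable download), while `analyze(CLEAN_EML)` returns nothing. None of these checks requires knowing the specific Trojan being delivered, which is the point: the lure is easier to recognise than the payload.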
Many small businesses have weak security
Small businesses are attractive targets. They have more money in the bank than consumers, and it’s harder for banks’ fraud prevention software to spot fraudulent activity on small business accounts where large transfers of $50,000 can be a regular occurrence.
Small businesses are also desirable hacker targets because many can’t afford to keep dedicated security experts on staff and generally rely on antivirus software and other antimalware programs for protection.
Many small business owners erroneously believe that as long as they have installed antivirus and malware protection, they are adequately guarded against cyber threats. According to a recent survey by the National Retail Federation and First Data Corporation, 64 percent of small business vendors were under the assumption that their business wasn’t vulnerable to credit or debit card data theft.
Unfortunately, signature-based antivirus software is always a step behind the newest malware strain. Criminals constantly repack and tweak their Trojans so that a fresh build slips past current detection until vendors catch up. Traditional antivirus software on its own is no longer enough.
“The criminals have gotten so good, you need more locks on your door than just one,” says Haley. “Good security software these days involves a lot more than antivirus protection. A firewall, intrusion prevention and similar extended protections are essential.”
Cyber fraud protection doesn’t have to be expensive
Cyber fraud is becoming more widespread because the barrier to entry has dropped. Ready-to-go malware kits are sold openly on underground markets, so anyone with basic computer skills can set up a botnet and run attacks that once required real expertise.
Yet despite the growing number of attackers, industry experts say that the vast majority of attacks on small businesses could be prevented without expensive security upgrades.
“This year, we witnessed highly automated and prolific external attacks, low and slow attacks, intricate internal fraud rings, countrywide device-tampering schemes, cunning social engineering plots and more,” said Peter Tippett, Verizon’s vice president of security and industry solutions, in a press release accompanying the 2011 report on data breaches. “And yet, at the end of the day, we found once again that the vast majority of breaches can be avoided without extremely difficult, expensive security measures.” In the report, Tippett estimates that 97 percent of the 2010 security breaches could have been averted relatively inexpensively.
Symantec’s Kevin Haley recommends the following practices as a basic, first line of defense against online banking fraud:
- Use current, layered security software. Good security software involves a lot more than antivirus protection. Look for a Unified Threat Management (UTM) product, which combines several network security functions in one device or suite: firewall, network intrusion prevention, antivirus and anti-worm scanning, anti-spam and content filtering. In addition, add two-factor authentication for employees with access to online banking and other sensitive business systems. Be aware of its limits, though: a one-time code typed into an infected browser can be captured and used immediately by a banking Trojan, so a second factor complements, rather than replaces, keeping the banking machine clean.
- Educate your employees. A chain is only as strong as its weakest link. Phishing emails are often disguised as routine notifications, such as an email about a UPS package delivery. Make sure your employees know how to spot the difference (hover over a link to see where it really leads, and treat unexpected attachments, especially executables and archives, as hostile) and what to do when in doubt. Social networking sites are another common source of malware ruses; be sure that your employees understand the risks. For maximum security, consider restricting employees’ Web access.
- Limit the information available on your company website. Names, email addresses and phone numbers of employees can be used by attackers for phishing attacks involving social engineering. Employees are much more likely to fall for a ruse if it has their personal information on it.
- Use a separate computer for online banking. As an added precaution, use a dedicated computer for online banking that employees never use for routine business operations, email, social networking or Web browsing. Since phishing email and infected web pages are the usual delivery routes for banking Trojans, a machine that does neither is far less likely to pick one up.
- Know your bank’s security policies. Learn which security features your bank offers, such as out-of-band confirmation of transfers, a requirement that two people approve a wire, and daily transfer limits, and find out exactly what your protections are if your online bank account is compromised.