With small business activity in Australia increasingly conducted online, scammers are responding with ever more sophisticated ways to commit financial fraud. In 2020, the Australian Competition and Consumer Commission’s Scamwatch logged more than 216,000 reports of email phishing, ransomware and malware attacks, and small business fraud, which contributed to small business losses of AU$178 million. By September 2021, that figure had risen to AU$222 million.
Business scams are a global issue. In the United States, two-thirds of small businesses reported being targeted at least once within the last three years, with one in eight losing sensitive information or money. Cyberattacks are not the price of doing business, however. With prior warning of what to look out for, and the right measures in place to secure the perimeter, small businesses can make themselves less vulnerable to potentially catastrophic attacks.
Send money abroad quickly and securely with a CurrencyFair business account.
The Australian Bureau of Statistics defines a small business as a company with fewer than 20 employees, whereas the Australian Tax Office sets the bar at AU$2 million turnover or less. Whatever the scale of the business, the common characteristic is that the cybersecurity resources, budget and expertise are a fraction of what the typical enterprise organisation can deploy. Large corporations with obligations to shareholders and regulatory bodies have to allocate significant resources to cybersecurity, typically through a dedicated IT team or partner. Small businesses, by contrast, have to focus resources on generating revenue. Scammers are well aware of this, which explains why 43% of cyber attacks target small businesses. Sadly, 60% of small businesses that are attacked go out of business within the year.
The landline phone may have largely disappeared from the office desk, but the email inbox is alive and well. The average employee receives more than 120 emails a day. That provides a way in for fraudsters using the business email compromise (BEC) scam, the biggest single threat for small businesses in Australia, with more than 60,000 attacks logged each year.
These bogus phishing emails invite the user to:
Update or change payment details.
Respond to a Zoom invite or book a calendar appointment.
Reschedule a missed delivery.
Click on a link to a third-party site, app download or video.
The emails may appear to come from a familiar supplier, customer, utility company, or legal representative. A common source in recent years is the ASIC scam claiming to be from the Australian Securities and Investments Commission.
Whatever the source, once the user clicks on the link, malware or ransomware infects their computer (and potentially the entire network). The goal is either to obtain personal identifiable information, bank details and passwords or to lock up the network until a ransom is paid.
The third most common scam targeting small businesses, with more than 20,000 cases a year, identity theft scams aim to steal personal identifiable information in order to set up fake bank accounts and credit cards. Hackers will scan databases for personal information, account details, passwords, social security numbers and so on. Often, sensitive information is publicly available on social networks and business networking profiles. The first sign of identity theft is usually a nosediving credit score, so check reports regularly for new accounts and credit searches.
For larger small businesses with a Human Resources department, cybercriminals might impersonate employees and request salary or expenses payments into a new account. More sophisticated scammers may even be able to hack into the payroll software and update account details themselves.
The bugbear of the busy small business employee, remote access scams begin with a caller claiming to represent the technical support desk of a well-known software provider (eg. Microsoft). There is an urgent security breach to fix, they claim, and they will need remote access to your computer to patch the issue. In fact, their goal is to install malware on your computer to take control of your network and steal sensitive information. If you’re in a hurry, hang up. If you have a moment to spare, watch how IT experts such as Jim Browning expose their methods and turn the tables.
Small businesses that don’t use an automated invoice and billing platform are vulnerable to bogus billing scams. Invoices typically come from an office supplies, technical support or domain registration service and the amounts may be unremarkable. Because the fake invoice is often marked as overdue or pending collections, unwitting accounts employees may process it in good faith, not realising until the end of the month (or whenever invoices are reconciled) that there is no corresponding purchase order.
Small businesses are under even greater threat since the pandemic because employees are increasingly working from home and working on unsecured networks. Alternatively, employees might be using their own laptops and smartphones in the office without a secure “bring your own device” policy in place. All hackers need to do is find an unsecured wifi or Bluetooth port to install code. An emerging threat is supply chain attacks, where sophisticated hacking teams change source code on the software of a third-party vendor (eg. accounting software, point of sale, apps and devices), and it lies dormant and undetected until the entire supply chain is compromised.
Watch out for membership or registration fee requests for events, seminars, courses or awards that don’t stand up to scrutiny. Either the scammers have cloned a legitimate website or have created a fake site that they plan to take down at short notice.
Other common scams of this nature include:
Donations to fake charities.
Subscriptions to or advertising fees for business directories or trade journals that don’t exist.
Offers to manage data protection and security to meet new legislative requirements.
The ASIC scam, which asks businesses to pay fees and renew their details.
Small businesses are as vulnerable as individuals to fall for cryptocurrency scams and alleged low-risk but high-return investment schemes. Scammers will often target small businesses with franchise offers that promise accelerated growth and support, neither of which will ever materialise. The first step in tackling investment fraud is understanding the kind of scams out there, as well as how and where they happen. We’ve rounded up a few of the most common investment scams.
In a scam that targets the hospitality industry in particular, fraudsters will pretend to slip or fall on your premises, or receive food that falls foul of health and hygiene regulations. Alternatively, scammers will target branded company vehicles with a fall or collision. In each case, the aim is to register a bogus insurance or compensation claim. Stand up for truth with CCTV or dashboard cam evidence.
Similar to the fake invoice scam, this time fraudsters deliberately overpay by credit card for an advertised product, such as a holiday, rental or delivery, then request a refund of the excess. The small business may do so in good faith, only to find that the original payment is then cancelled. This scam plagues peer-to-peer platforms such as eBay, but it can work on boutique businesses too, particularly where orders are taken over the phone or by email.
Small business survival may rely on the mantra that the “customer is always right”, but first comes the precaution of weeding out the scammers from the customers. Fraudsters often announce themselves with:
Bad English. Emails with spelling mistakes, awkward syntax, or robotic auto-generated wording.
Unsolicited approaches. Learn to be sceptical of any offer that appears out of nowhere.
Requests to verify or confirm details in any email that is not addressed to a specific person.
Urgency and pressure tactics.
An offer that is too good to be true, particularly when a small business is feeling the squeeze financially.
If there are not yet the resources or budget for full-time IT support (in house or third party), a small business can still mitigate the risk of cyberattack by implementing the following measures:
Limit the number of people who can authorise payments and use business accounts or cards.
Insist that all agreements be made in writing.
Set up security policies for personal email and BYOD devices at work.
Block access to non-work-related sites, particularly those without an SSL certificate.
Shred all documents before recycling.
Remove network access quickly for former employees.
Keep firewalls and anti-virus software updated.
Report any security breaches or attacks to one of the specific organisations set up for reporting fraud cases, for example, Action Fraud in the UK, Scamwatch in Australia and the Internet Crime Complaint Center (IC3) in the US.
Finally, If you are exchanging money, always use regulated solutions. CurrencyFair is fully licensed and regulated by the Central Bank of Ireland. As a regulated foreign exchange platform, CurrencyFair uses two-factor authentication, encryption via SSL, segregated accounts, thorough verification and multiple other safety measures to ensure all transfers through our service are as secure as possible. See here for full details of our security procedures.
With our thorough security checks in place, your business’ money is in safe hands.
Send money abroad quickly and securely with a CurrencyFair business account.
This information is correct as of 22 November 2021. This information is not to be relied on in making a decision with regard to an investment. We strongly recommend that you obtain independent financial advice before making any form of investment or significant financial transaction. This article is purely for general information purposes. Photo by Olya Kobruseva from Pexels.