Cybercrime is one of the largest fraud risks for a small-business owner. The 2014 Global Fraud Study released by the Association of Certified Fraud Examiners determined that businesses can lose, on average, 5 percent of their revenue each year to fraud. The study pegged the total monetary amount at nearly $3.7 trillion across the globe. It also reports that more than one in five of the nearly 1,500 cases analyzed in more than 100 countries had employees walking out the door with at least $1 million in cash.
People don't realize how often small businesses are targeted for their data and bank accounts. The loss of data, a lawsuit over how the data was captured, and the loss of thousands of dollars in a bank account can all put a business under. Below are some of the more common cybercrimes every business is subject to, and some ideas to prevent them.
1. Malware From the Internet
Malware from the Internet is obtained either by downloading free programs (which small-business owners often use) or by browsing the Web with a vulnerable computer. Think your computer isn't vulnerable? If you have ever declined to update Java for any period of time, your computer was probably vulnerable to cyberattack.
Once malware downloads onto the computer from one of these two sources, your computer may now be controlled by a billion-dollar crime industry. These crime organizations sell access to your computer, data acquired from it (credit cards, passwords, SS numbers, email addresses, proprietary company information, addresses, bank account information, access to your bank account, etc.) and they can even lock down your computer to ransom it. They can do this by encrypting the data or restricting access and requiring you to pay hundreds of dollars with a MoneyPak card.
2. Malware From Email
This is delivered by a very well-put-together phishing attack. Crime organizations obtain email lists and send emails that appear to be from legitimate domains and from legitimate companies. Why is this form of attack so successful? Because if you get an email from FedEx about the details of your tracking information or shipped package, you would expect it to come from an address at fedex.com.
The fake emails actually come from the fedex.com domain, or so it appears. Crime organizations actually spoof the email to show the legitimate domain. Then they put together a very well-written email about the details of your package and persuade you to open an attachment or follow a link (as companies often request via email).
Like any business owner, you probably know that a lot of companies have your email, and you often buy, ship, and sell a lot of things. So if you get an email saying your shipment needs your attention and a customer might be affected by it, you are likely to open it. This email could contain malware, which may then infect your machine and leave it exploited in much the same way as malware from the Internet.
Emails for this type of attack are not just from FedEx; they will typically appear from well-respected companies like UPS and even the Better Business Bureau.
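The spoofed sender described above can be checked on the receiving side. This is an added example, not part of the original article: it compares the visible From domain with the envelope sender and reads the SPF, DKIM and DMARC verdicts that a receiving mail server records in the `Authentication-Results` header. The messages, the addresses, and the host names `mx.smallbiz.example` and `mailer.invalid` are constructed, and the code assumes your own mail server stamps that header.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.smallbiz.example"  # assumption: ID your own mail server stamps

# Constructed sample messages (not real mail). Both display a fedex.com sender.
SPOOFED = """\
Return-Path: <bounce@mailer.invalid>
Authentication-Results: mx.smallbiz.example; spf=fail smtp.mailfrom=mailer.invalid;
 dkim=none; dmarc=fail header.from=fedex.com
From: "FedEx Tracking" <tracking@fedex.com>
Subject: Your shipment needs attention

Please open the attached label.
"""

LEGIT = """\
Return-Path: <notify@fedex.com>
Authentication-Results: mx.smallbiz.example; spf=pass smtp.mailfrom=fedex.com;
 dkim=pass header.d=fedex.com; dmarc=pass header.from=fedex.com
From: "FedEx Tracking" <tracking@fedex.com>
Subject: Delivery update

Your package was delivered.
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header value."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def spoof_indicators(raw):
    """List reasons to distrust the visible From address; empty means none found."""
    msg = message_from_string(raw)
    findings = []
    from_dom, env_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    # Exact comparison; real senders may use a subdomain for bounces.
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope-mismatch:{env_dom}!={from_dom}")
    # Only trust verdicts written by our own server; a sender can forge the rest.
    trusted = [h for h in msg.get_all("Authentication-Results", [])
               if h.strip().lower().startswith(TRUSTED_AUTHSERV + ";")]
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", " ".join(trusted)))
    for method in ("spf", "dkim", "dmarc"):
        verdict = results.get(method, "missing")
        if verdict != "pass":
            findings.append(f"{method}={verdict}")
    return findings
```

A message that shows a trusted company's domain but returns any finding here deserves the same caution as an unexpected call.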
3. Social Engineering
This is an older style of attack that has been occurring more frequently. A business will receive an urgent call from a person (often a male and sometimes speaking with a western Asian accent) who will generally associate himself with Microsoft. They usually have some story about the business owner's computer being compromised and that it needs to be fixed. The caller then will direct the business owner to take actions on their computer to rectify the issues. This generally ends in this scam company getting your credit card details and access to your computer. After all, they want to be paid for fixing your issue and need access to your computer to fix it.
Every single type of fraud listed here resulted in a financial impact to the business owner with potentially lasting consequences. So how can a business protect itself?
- Backups. Ensure backups are regularly paid for, that they are performing without fail, and that they are stored offsite or in the cloud.
- Pay for antivirus. Get the good stuff. For antivirus to be worth anything there needs to be a team of security professionals scouring the Web and creating definitions of different types of malware to be wary of. If you have a well-paid team, you generally end up with better antivirus.
- Pay for both email and spam protection. Having your own email domain generally makes a business seem more professional in the first place, rather than relying on the free spam filter that a free email comes with. If you pay for email and spam protection, you look more professional and receive a spam filter that works better.
- Updates. Always keep your computer up-to-date with the latest version of any program you have on it. If you don't, it can create security holes.
- Ignore unexpected calls or emails. Never consent to give away information or perform actions if the person called you or if you weren't expecting their email.
- Have a well-trusted IT company on hand to deal with these issues when they pop up. Paying an IT company to manage all of these things for you in the first place is probably the safest way to go.
There will always be new scams and risks when you run a business or startup. The principles above should help keep you as safe as possible while still allowing you to continue running an efficient operation.