Scams cost the economy more than $5 trillion per year.
US consumers lost $3.56 billion to online fraud in 2022, and almost half of the businesses surveyed experienced fraud, corruption, and economic crime.
The numbers are shocking, aren’t they?
The Top Business Scams and How to Reduce Risk
Cybercrime is the front-runner of crimes affecting most businesses, with phishing being the most prevalent threat in the US.
There are plenty of scams attempting to lure businesses, including:
- Business email compromise
- Business identity theft
- Business impersonation
- Data breach
- Fake charity solicitation
- Fake invoicing (demands for money for unsolicited products or services)
- Fake SEO experts
- Money transfer fraud
- Office supply scams
- Overpayment scams
- Phishing, including voice phishing
- Robocalls offering fake products and services
- Vanity award scams
Some small businesses still believe they are safe from scams because they are relatively small players in a big pond. Most, however, are catching up to the fact they are also targets, and they must find ways to reduce their risk.
The most potent ways that businesses combat scams include:
- Staff Cybersecurity Training
- ID Verification for Unknown Callers and Message Senders
- Encryption for Sensitive Communications
- Authentication for Access Control
Why Cyber Criminals Target Small Businesses
Small businesses tend to have less security than medium to large businesses. They may have an IT person rather than an IT department. Moreover, many small businesses don’t have anyone in charge of IT, let alone cybersecurity.
Small businesses can unwittingly provide access to their more secure business partners. Cybercriminals sometimes target small businesses with vulnerabilities to steal data regarding their larger business partners, such as usernames and passwords or other valuable confidential data.
Four Ways Companies Combat Scams
1. Cybersecurity Training
The best thing any business can do to improve security is to train its staff. According to a study by Stanford University, 88 percent of data breaches can be traced back to human error. It’s critical that staff recognize phishing emails and other scams, understand the risks, and know how to respond.
The Risks of Phishing Emails
Senders of phishing emails often seek personally identifiable information from their victims, such as usernames and passwords, contact details, or financial information, which they can sell or use to commit identity theft and make unauthorized transactions. Phishing emails may also solicit usernames and passwords or other access credentials to help criminals get unauthorized access to a business network.
Many phishing attempts are the first step in a ransomware attack. The recipient unwittingly downloads malware, subjecting the network to ransomware which encrypts the user’s critical data, and cybercriminals demand money to decrypt it.
How to Spot Spam and Phishing Emails
Most email services come with spam filters to identify and separate spam and phishing emails from regular communications. Sometimes, however, they get through.
Malicious emails tend to be recognizable by:
- Bad spelling and grammar;
- An urgent tone;
- Fake email addresses and URLS based on actual businesses;
- Claims that the recipient has been individually selected;
- Claims that seem too good to be true;
- Demands for access credentials or personally identifiable information.
Businesses must be cautious of spearphishing attacks, in which a criminal targets an individual or company. Their attention to detail can make such phishing emails more convincing.
For example, they may design the fraudulent communication to appear to be from a colleague, a department within the organization, a business partner, or an authority with ties to the business or industry. The air of authenticity can fool staff into making an error and trusting the sender, which is why cybersecurity awareness is vital.
What to Do With Spam
On identifying an email as spam, a phishing attempt, or otherwise suspicious, staff should not interact with it. This means neither responding to the email nor clicking any links.
Responding to spam marks the recipient’s email address as active and worth pursuing. Clicking links can do the same, as well as potentially lead to downloading malware.
Staff should report it to someone responsible for the company’s IT if this role exists. Reporting fraud attempts helps keep the business safe by raising awareness.
Once the employee has notified someone in IT, they can report the email as spam using the email application’s facility and block the sender to avoid receiving more emails.
2. Verifying Details
If a business is unsure whether a communication is from a genuine source, they can verify it online. PhoneHistory is useful for checking the validity of the owners of phone numbers, whether they called you or contacted you via message.
Reverse phone lookup services can be used as a precautionary measure because they provide comprehensive information about the phone number in question, such as the name of the owner, the carrier, the state, and, of course, the history of how that number has been used.
3. Encryption
In a man-in-the-middle attack, the sender and recipient believe they are communicating with each other, but a third party intercepts the messages before sending them on. That third party can read and, if they choose, modify the messages, which can lead to successful fraud attempts.
The way to combat this is by insisting on encryption for communications. With encryption, the sender’s device encodes transmissions in a way only the recipient’s device can decipher. Anyone intercepting the communication wouldn’t be able to read or modify the contents.
WhatsApp and Gmail messages are automatically encrypted. Staff can determine that a contact form or other transmission is encrypted by looking at a closed padlock symbol and/or “https” in the URL bar.
4. Strong Authentication
An effective password policy, preferably incorporating multi-factor authentication, helps businesses avoid losses due to scams and unauthorized access to a business network. A weak password, such as Password1 or 123456, doesn’t even necessitate a scam to provide access to a system. On the contrary, a strong password poses a problem for cybercriminals and other would-be scammers.
A strong password is a long password that includes one or more non-dictionary words or character strings. It should consist of a combination of letters, numbers, and special characters.
Multi-factor authentication takes protection even further by requiring further proof that the person attempting to access the system is genuine. Secondary or tertiary authentication might take the form of a code word, a one-time temporary PIN received via a mobile app, or a biometric scan, among other possibilities.
Conclusion
Investing time and money in security awareness and training is invaluable. In this way, a business can transform its staff from a security vulnerability to a business strength. Armed with the necessary tools and resources, the workforce can help keep the business safe from many scams and lower the risks for everyone.
