Business scams aren’t something that exclusively come out of the woodwork during a pandemic such as COVID-19. However, it does present cybercriminals and other “bad actors” with opportunities to capitalize on individuals’ and businesses’ vulnerabilities. Small and even medium-size businesses are particular targets because they don’t often have IT staff or expensive cybersecurity. Criminals are also capitalizing on the new reality that the pandemic has changed when, where and how businesses are operating and making payments, opening a door for fraud.
But there are ways to protect yourself and your business from being compromised by cybersecurity (crimes committed on the Internet) or general bank fraud (money or other assets held by a financial institution are illegally obtained using false information or pretenses.)
Common Business Scams/Fraud "Opportunities"
1. Check fraud. Your banking account number is printed on every single check, and that makes every check vulnerable. Checks continue to be the payment method most affected by fraud, with 74% of organizations affected in 2019, according to an American Financial Group (AFG) survey.
Check fraud can take many different forms; physical checks can be stolen and forged. Already-written checks can be modified if a perpetrator adds a “0” to change a $100 check to a $1,000 one. Checks can be whitewashed, meaning the line items are “washed,” the dollar amount and name are changed and the check is cashed. If a business does not monitor its checking account every day – which is not unusual for small businesses – business owners may not realize something like this has occurred until a few days later. Unfortunately, that’s too late, as the check will already have cleared. It is important to understand that businesses have only 24 hours to report the fraud.
- How to safeguard your business: Consider purchasing a web-based check verification service such as Check Positive Pay through your bank. This allows you to review exception items and return checks you determine may be fraudulent. In addition, keep physical checks in a secure place with limited staff access and add protocols for check approvals.
2. ACH (Automated Clearing House) fraud. ACH is an electronic network for financial transactions, processing large volumes of credit and debit transactions in batches. These are commonly known as direct payments and sidestep the need to use physical checks or even credit card networks. Businesses commonly rely on ACH for credit transfers, including direct deposits, payroll and vendor payments. As with checks, however, these can be compromised if the wrong person gains access and submits fictitious electronic payments. All it takes is for the wrong person to gain access to your account number and bank routing number to execute fraud.
- How to safeguard your business: Consider using an ACH monitoring service such as ACH Positive Pay through your financial institution. This allows only ACH transactions from parties you authorize, within the dollar amounts you allow, to post to your account.
3. Business email compromise – including phishing/spoofing and malware. This is one of the most financially damaging online crimes, and we’ve all received these types of emails at some point. There has been a significant increase in attempts to lure businesses with offers of COVID-19 information and much-needed supplies, including PPE. In cases like these, the old adage is likely true: if it seems too good to be true, it probably is!
An especially timely phishing and malware scam to be mindful of: Small Business Administration (SBA) spoofing. There are criminals sending emails that appear to be from the SBA with a link to a spoofed SBA website, which they then use to steal your business’s credentials. Whenever a criminal sends an email message that appears to come from someone you know – a vendor, a partner, etc. – and makes a request, it is anything but legitimate – it’s phishing.
In these cases, the email even looks legitimate in that it features a “from” email address that only slightly varies from the real one and may feature actual company logos and employee names easily acquired from social media. The scammer pretends to be someone else and asks the recipient (often an accountant or business owner) to wire money or provide confidential information, including financial information.
However, you’re being “spoofed” and the fraudster uses the information to gain access to online accounts or to make unauthorized transactions. They attempt to obtain user names, passwords and credit card details for malicious purposes. And during COVID-19, we’re particularly “ripe” for these types of issues, as people are generally doing more with less – and may not look at emails as closely as they should; some fraudsters’ emails indicate they need the information because of pandemic-related changes in business operations.
Yet another way they gain access: they send something legitimate-looking with an attachment or link, and when you click on that, malware infiltrates company networks and accesses data – including user names, passwords and financial account information. Another way this can occur: perpetrators can also access the system through employees’ social media or text messages, bypassing security and then disrupting the system or using malware to steal data.
- How to safeguard your business: This requires all of us to be on the defensive when it comes to viewing emails. Don’t click on anything in an unsolicited email or text message, and carefully review the email address, URL and spelling in any correspondence as that’s a key tipoff that something isn’t legitimate. If you’re not sure, verify payment and purchase requests by calling the person requesting it and/or initiating a separate email (not replying) inquiring about it. Many businesses apply dual controls; if someone gets a request that seems “off” to some degree, they contact a second party in the business. And listen to your gut if the requestor is pressing you to act quickly; this is a strong sign something isn’t right.
4. Exploitation of working remotely/using remote applications. Who hasn’t done at least some business remotely as a result of the pandemic? For some businesses, there’s a substantial amount of business being conducted from home remote access and virtual applications. This, in turn, presents opportunities for criminal access.
- How to safeguard your business: Protect your computer systems with security software and use a firewall. Wireless routers – even those a few years old – are less secure. When you get those reminders to update your software, heed them because these often add antivirus and security patches to existing software. And reconsider where and how you store business information; if you keep simple spreadsheets in the cloud or on a server, add encryption as another layer of security to make it accessible to only authorized users. Resources from the National Institute of Standards and Technology can educate you on how to make a safer transition to a remote workplace.
5. Robocall scams – You may receive phone calls pitching test kits, sanitation supplies or other in-demand items businesses are clamoring for from fraudsters who press you to purchase right away. In addition, some target small businesses, “warning” them that their Google listing isn’t correctly displaying or saying people can’t find them online at this time, looking to create panic so you don’t think clearly. Maintain a cool head when you get rushed, desperate-sounding calls like these and don’t take the bait.
Other safeguard tips:
- You can follow all kinds of security and safety protocol, but you need to know that your vendors and partners have property security measures, too. Have conversations with your banker, accountant and other parties that have access to key business information.
- Constantly monitor your business information, including business records, business AND personal credit (as compromised personal credit can impact your business), state records (including professional licenses) and your financial accounts as noted above.
- When you communicate with your bank or other partner, share information via phone, secure email or fax.
Unfortunately, fraud protection often is not set up until after a business is a victim of fraudulent activity. But the reality is that safeguards like those listed above are efforts businesses can make now, proactively. The COVID-19 world in which we live makes them even more imperative. If you want to increase your protection, Investors Community Bank offers Check Positive Pay and ACH Positive Pay to provide consistent monitoring of your account for fraudulent activity, so you can focus on running your business. Learn more here about our treasury management services.