Safeguarding Success: Fraud Prevention Tips for Small Businesses
In the dynamic landscape of small businesses (SMBs), navigating the complexities of fraud prevention is a prevalent challenge. As these companies strive for growth and success, they often find themselves vulnerable to various forms of fraud. Brady Harrison, Director of Customer Analytics Solution Delivery for the Digital Solutions team at Equifax, shares new attacks he has seen targeting SMBs and ways they can protect their business and growth.
Are you seeing increased cyberattacks on small businesses (SMBs)? What's driving this?
BH: We have seen an increase in cyberattacks across all industries, from SMBs to enterprises and franchises. A portion of the increase stems from fraudsters shifting their targets. A lot of attacks were previously pointed at COVID-19 relief funds, unemployment, the PPP program, etc. But those avenues for generating cash are diminishing as aid programs are sunsetted or go away. So all of that capability, expertise, and tooling is now being pointed at other ecommerce areas — including SMBs.
A lot of SMBs aren’t prepared to handle or may not even know the full extent of the influx of fraud that is shifting to these industries. They don’t have the fully fledged security teams or dedicated resources to solely fight fraud, so they become an easier target for cyberattacks.
What about SMBs makes them particularly susceptible to attack? What types of attacks are small businesses most vulnerable to?
BH: A lot of smaller businesses wear multiple hats and have to worry about a variety of concerns (inflation, labor issues, etc.). Having so many things on their plate takes away from their ability to focus on security. Most of the increase we have seen comes from account takeover attacks. Customer expectations are always evolving. Right now, a lot of expectations revolve around an easy, beneficial online experience. In a lot of industries, that translates to features like online accounts and apps with discounts or loyalty points. On the surface, these capabilities seem like a great way for a business to grow. And they can be. But online accounts come with the threat of account takeover fraud. Accounts with stored payment information and loyalty points are an appealing target to fraudsters. And if accounts are hacked, the SMB faces revenue loss, reputational damage, and security non-compliance fines.
Another avenue for attack is card testing — which happens when criminals make small, inconspicuous purchases to test the validity of stolen payment information. There is a proliferation of attacks at small businesses — especially restaurants — because they have the ideal dollar amount for testing cards. You can buy a 50-cent dipping sauce or a dollar bottle of water and those types of transactions won’t seem unusual. But these small transactions can have a major impact on a business’s bottom line. Not only does the business lose the revenue from the sale when the cardholder disputes the unauthorized purchase, but the business also pays an authorization fee for an interaction that has no profit. We have seen online businesses ring up large authorization bills because they get card tested. Sure, we are talking probably pennies apiece, but 100,000 of anything is a lot.
Where do operators need to be particularly vigilant?
BH: Anytime you do business online or have some exchange of value online, that is where we want to be vigilant.
Protecting the login process is critical. Look for suspicious activity. Some common red flags for account takeover fraud are multiple failed login attempts in a short period of time, data points that don’t match the customer’s norm (like a different device ID or IP address), and unusual activity once the user is in the account (like changing the payment information or draining loyalty points).
On the card testing side, operators should be on the lookout for a large number of low dollar amount transactions. Once fraudsters detect an easy mark — businesses with obvious vulnerabilities — they will act quickly to do as much damage as possible before detection. Watch for unusual patterns, such as multiple transactions from the same IP address or device, an unusually high authorization decline rate, or a sudden spike in chargeback rates.
What are some of your top tips for businesses to protect themselves from a cyberattack?
BH: Make your business more aware of where this risk could come from. Basic security training for anybody with a company email address or access to your secure system will help to protect you against the scams and real cybersecurity threats.
Additionally, look for a provider or solution that is native to your point of sale or CRM to manage some of this risk for you. For example, Kount’s fraud detection technology is integrated with most major ecommerce platforms. Businesses using those integrated platforms — like Shopify — can activate Kount’s payment fraud solution with just a few clicks.
If an operator suspects an attack, what should he/she do?
BH: On the cybersecurity front, if you do get ransomware or you suspect you are under a business email or cybersecurity attack, working with your local law enforcement field office will be a good start — along with tighter fraud controls going forward. Lean on your providers and their expertise about dialing up or down friction and risk thresholds to mitigate the attacks.
Again, check with the company that is enabling your ecommerce capability. Lean on that provider to see if they have a baked-in solution or if they have a plugin that makes sense. That would be a great first step and often is as easy as flipping a switch to get additional protection.
Check out the Digital Solutions partner marketplace to see the many ecommerce partners we support.
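
The card-testing red flags described in the interview above (a large number of low-dollar transactions from the same IP address or device, with an unusually high authorization decline rate) can be checked over an authorization log. The Python below is an added example, not part of the interview and not Equifax or Kount code; the thresholds, field names and sample log are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds for illustration; tune them to your own sales baseline.
WINDOW = timedelta(minutes=10)   # how far back to look per source
LOW_AMOUNT = 2.00                # ceiling for a "low dollar amount" sale
MIN_TXNS = 5                     # low-value sales from one source per window
MIN_DECLINE_RATE = 0.5           # share of those authorizations declined

# Constructed authorization log: time, source IP, device ID, amount, approved?
SAMPLE = [
    ("12:00:05", "203.0.113.7", "dev-9f1", 0.50, False),
    ("12:00:40", "203.0.113.7", "dev-9f1", 0.50, False),
    ("12:01:10", "203.0.113.7", "dev-9f1", 1.00, True),
    ("12:01:55", "203.0.113.7", "dev-9f1", 0.50, False),
    ("12:02:30", "203.0.113.7", "dev-9f1", 1.00, False),
    # Shared office IP: many small orders, but every authorization succeeds.
    ("12:00:10", "198.51.100.44", "dev-a01", 1.00, True),
    ("12:01:20", "198.51.100.44", "dev-a02", 1.50, True),
    ("12:02:05", "198.51.100.44", "dev-a03", 1.00, True),
    ("12:04:45", "198.51.100.44", "dev-a04", 0.50, True),
    ("12:06:30", "198.51.100.44", "dev-a05", 1.00, True),
    # Ordinary customer: one small add-on and one normal order.
    ("12:03:00", "198.51.100.20", "dev-b17", 1.00, True),
    ("12:40:00", "198.51.100.20", "dev-b17", 23.40, True),
]

def load(rows, day="2024-01-15"):
    keys = ("ip", "device", "amount", "approved")
    return [dict(zip(keys, r[1:]), ts=datetime.fromisoformat(f"{day}T{r[0]}"))
            for r in rows]

def find_card_testing(events, key="ip"):
    """Flag sources (by IP or device) with many low-value, mostly declined sales."""
    recent, flagged = defaultdict(deque), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev[key]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > WINDOW:   # drop events older than the window
            q.popleft()
        low = [e for e in q if e["amount"] <= LOW_AMOUNT]
        if len(low) >= MIN_TXNS:
            rate = sum(not e["approved"] for e in low) / len(low)
            if rate >= MIN_DECLINE_RATE:
                flagged[ev[key]] = {"low_value_txns": len(low), "decline_rate": round(rate, 2)}
    return flagged

if __name__ == "__main__":
    print(find_card_testing(load(SAMPLE)))
```

The shared office IP reaches the transaction count but is not flagged because none of its authorizations are declined, which is why the count and the decline rate are checked together.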