ATB Entrepreneur Center

Cybersecurity trends: Protecting your small business from fraud

Written by ATB Entrepreneur & Small Business | Feb 23, 2024 4:50:36 PM

Fraud is a threat to any business—no matter the size—and can expose your company to financial losses and reputational risks. In 2021, 16 per cent of small businesses reported being impacted by a cybersecurity incident, according to Statistics Canada. The most common incidents involved stealing money or data.

Learn how to protect yourself from these prevalent fraud schemes.

Top trending fraud: Phishing

One of the top fraud trends in Canada is phishing, a cybercrime that relies on deception and social engineering to steal sensitive information (like login credentials or financial information) through phoney websites. A fraudster poses as a trusted sender to get you to click a link that may install malware.

Online banking phishing is when attackers clone websites to trick you into believing you’re accessing your real banking platform. Fraudsters even pay for ads so their malicious content appears as top search engine results. After stealing your username and password, scammers access your real account to conduct financial transactions, add user roles to online banking and access company information (like account numbers and past vendors).

It gets personal with spear phishing—fraudsters target specific people instead of using a broad approach. For example, in business email compromise (BEC), scammers trick you into sending money or sharing confidential company information.

Top types of BEC:

  • False invoice schemes: The most common form of BEC. The fraudster spoofs the email address of one of your contacts and requests a fund transfer to a fraudulent account. They often supply fabricated invoices to support the request, or send a genuine invoice and ask that the payment be redirected to a different account.
  • CEO fraud: When attackers impersonate a CEO or executive and email someone in the same organization with an urgent or unusual request—perhaps seeking confidentiality. For example, a scammer might ask you to send gift cards for an upcoming social event.
  • Account compromise: When a fraudster accesses an organization’s inbox—perhaps through phishing—and requests payments from existing vendors to an account they control.
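
The spoofed-sender pattern behind these schemes can be screened for automatically. The sketch below is an added example, not ATB's own tooling: it flags a sender domain that is a near-miss of a trusted contact's domain and a Reply-To that points somewhere other than the sender. The domains, the `bec_flags` name and the edit-distance threshold of 2 are all assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed sample: domains of vendors and staff you already deal with.
TRUSTED_DOMAINS = {"northwind-supply.example", "mybusiness.example"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if none is found."""
    addr = parseaddr(header_value)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def bec_flags(from_header, reply_to_header="", trusted=TRUSTED_DOMAINS):
    """Return warning flags for one message's From and Reply-To headers."""
    sender = domain_of(from_header)
    if not sender:
        return ["unparseable-sender"]
    flags = []
    if sender not in trusted:
        # One or two changed characters from a known domain suggests spoofing
        # (threshold is an assumption; tune it for your own contact list).
        near = sorted(t for t in trusted if edit_distance(sender, t) <= 2)
        flags.append(f"lookalike-of:{near[0]}" if near else "unknown-domain")
    reply = domain_of(reply_to_header)
    if reply and reply != sender:
        # Replies would go to a different organization than the apparent sender.
        flags.append(f"reply-to-differs:{reply}")
    return flags

if __name__ == "__main__":
    # Constructed headers: the second swaps the letter "i" for "l".
    print(bec_flags("Accounts <billing@northwind-supply.example>"))
    print(bec_flags("Accounts <billing@northwlnd-supply.example>"))
    print(bec_flags("CEO <ceo@mybusiness.example>", "ceo.office@freemail.example"))
```

A flag is a reason to verify the request through a known phone number before paying, not proof of fraud; a genuinely compromised vendor inbox will pass both checks.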

How to protect your business 

Here are simple, everyday steps you and your employees can take to protect your business from fraud:

1) Stop and think before you click links. Fraudsters aim to create urgency, pique curiosity and use fear tactics to increase chances of user participation, so take time to assess.


2) Beware of instances where you are asked to provide unusual login details, like your birthdate or a two-factor authentication (2FA) code. If something doesn’t seem right, contact the number on the back of your bank card immediately.


3) Be cautious when searching online. Never click on ad results. Always check a website’s URL for extraneous characters before engaging to ensure it’s legit. Access online banking through your mobile app or bookmark the authentic page the first time you log in.


4) Enable 2FA if possible. Never share 2FA codes with anyone. If you receive a 2FA text or email but didn’t initiate the action yourself, investigate further.


5) Use different passwords on all company systems. Only share logins with people who need them. Consider using a password manager to avoid recording them in a spreadsheet. 

The following tips might require more time, research, money and effort, but they’ll give you peace of mind:

1) Train employees on fraud signs, which include:

  • high-level executives asking for unusual information
  • confidentiality requests
  • bypassing normal channels or established processes
  • spoofed email domains or web addresses

2) Raise security awareness on your team by:

  • emphasizing proper handling of sensitive data
  • requiring 2FA (using apps like Google Authenticator or Microsoft Authenticator) to access email, cloud storage, your organization’s systems and online banking
  • developing in-house, regularly scheduled, mandatory training for all employees on topics like:
    • identifying and handling phishing attempts
    • password hygiene
    • updating and patching systems
    • securing assets and information
    • reporting incidents
  • hiring a third-party company to simulate a phishing test in your business and offering follow-up training

3) Follow secure financial processes, like:

  • keeping cheques in a secure location and destroying unused ones from closed accounts
  • opting for electronic payments when possible
  • checking account statements regularly
  • contacting your financial institution directly for any questions (with the phone number on the back of your bank cards)

4) Implement network defense solutions, like:

  • firewalls
  • anti-virus and anti-malware software
  • a Domain Name System (DNS) filter to block malicious websites
  • a virtual private network for remote workers
  • an application allow list to approve specific sites and prevent unauthorized downloads

5) Back up and encrypt data regularly. Copy information and critical applications to one or more secure locations to prevent data loss.

6) Set up automatic software updates.

7) Prepare an incident response plan—a formal document that helps your business before, during and after a cybersecurity incident—so everyone knows:

  • who to contact in what circumstances
  • how to identify, investigate and respond to cyber incidents, restore data and minimize business disruption

8) Research cyber insurance options. The Insurance Bureau of Canada has information to get you started. Talk to your insurance agency about adding coverage.

What to do if your business is defrauded

If you suspect fraud, refer to your incident response plan.

As soon as you detect a cyberattack, immediately:

  • contact your financial institution
  • scan devices for malware
  • change passwords and close accounts
  • contact law enforcement to file a report
  • contact credit reporting agencies, including Equifax and TransUnion
