This article originally appeared in the Portland Business Journal on December 1, 2024.
As technology-enabled fraud schemes become increasingly sophisticated, small businesses face heightened risk. According to the Association of Certified Fraud Examiners, small businesses are particularly vulnerable to fraud and tend to fall victim more frequently than larger organizations due in part to resource constraints such as limited budgets for advanced fraud detection systems and a lack of dedicated personnel to oversee anti-fraud measures.
Currently, one of the most common scams targeting small businesses is business email compromise (BEC), which occurs when a criminal gains access to a trusted contact’s email account — or spoofs it, creating a fake email address that looks like a legitimate sender’s address — to initiate fraudulent transfers or vendor payments.
According to the FBI Internet Crime Complaint Center, reported BEC scam losses increased nearly 58% between 2020 and 2023. In 2023, the average cost of a BEC attack grew to over $137,000 (up from $125,000 in 2022), and in Oregon, victims lost nearly $23 million to BEC-related crimes.
Criminals often target businesses by posing as a legitimate supplier and sharing a fake invoice requesting payment to a fraudulent bank account. These vendor payment fraud schemes are becoming more sophisticated due to the widespread availability of AI-powered “deepfake” tools. Fraudsters are now able to create convincing fake documents and manipulate voice or video to impersonate senior members of an organization. This technology allows them to use social engineering to persuade privileged individuals, such as trusted finance team members, to initiate illegitimate bank transfers.
Fraud prevention best practices
While it’s impossible to eliminate fraud risk entirely, you can implement a variety of best practices — most of which do not require costly technology purchases — to help minimize the risk.
1. Educate your employees. Your employees are your first line of defense against fraud. Enhance the cyber awareness of your “human firewall” by training employees on how to recognize BEC threats, spoofed messages and other phishing scams. Teach everyone to be wary of emails with attachments or links, even from known senders. Conduct simulated phishing tests to assess awareness and use the results to continuously improve training. Teach secure password practices and provide employees with a password manager.
2. Establish mandatory verification procedures for critical requests. Standardize the critical evaluation of unusual requests — even when they come from a trusted authority figure — by implementing and enforcing verification procedures that employees must follow before they can transfer funds or respond to requests for sensitive information. These procedures include the following:
- Identity verification: Instruct employees to confirm the requester’s identity via official channels — such as calling an official number or speaking face-to-face — never relying on contact details provided in the email.
- Call-back authorization: Require a call-back for wire transfers, gift card purchases or sensitive data requests. Provide a designated internal number for these authorizations.
- Questioning deepfakes: Train employees to ask questions during calls or video meetings to detect possible AI-driven deepfakes. Unresponsive or evasive answers are red flags.
3. Enhance authentication measures. Implementing multifactor authentication or single sign-on identity verification mechanisms across your employee base makes it more challenging for bad actors to gain access to your legitimate accounts.
How your bank can help you fight fraud
In addition to taking the steps outlined above, one of the best ways to prevent BEC and other fraud threats is to work closely with your bank. Your financial institution tracks what goes in and out of your accounts and can therefore be a powerful resource for added security.
Washington Trust Bank, for example, offers business clients a range of products to help identify and prevent fraud.
- ACH Positive Pay detects fraud from incoming electronic transactions initiated outside the bank.
- As a customer, you can set up alerts through Business Digital Banking online or the Washington Trust Bank app to receive notifications via email, phone or text whenever there is activity on your accounts, such as cleared checks, withdrawals, deposits, balance changes or updates to personal information.
- Washington Trust Bank’s Positive Pay detects fraud in checks by comparing checks that post to your account with a list of valid outstanding checks provided or uploaded by the customer. Account holders can review these items in the system or be notified if check numbers and amounts don’t match and can choose to pay or return the check.
- Virtual tokens or one-time passcodes can be used during a customer’s login for secure authentication.
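As an added illustration of the check-matching logic that Positive Pay services are built on, here is a small reconciliation routine written for this edited version of the article; it is not Washington Trust Bank's code. It compares each check presented for payment against the customer's issued-check list by check number and amount, as the article describes, and flags mismatches for the account holder to pay or return. The issued and presented checks are constructed sample data, and the "duplicate presentment" rule is an assumption that goes beyond what the article states.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Check:
    number: int        # check serial number printed on the check
    amount: Decimal    # face amount; Decimal avoids float rounding on money

@dataclass(frozen=True)
class Decision:
    number: int
    action: str        # "pay" (auto-clear), "review" (exception for customer), "return"
    reason: str

def build_issued_index(issued):
    """Map check number -> issued record. A repeated number in the issued
    file is a data error, so fail loudly rather than silently overwrite."""
    index = {}
    for chk in issued:
        if chk.number in index:
            raise ValueError(f"duplicate check number in issued file: {chk.number}")
        index[chk.number] = chk
    return index

def reconcile(issued, presented):
    """Positive-pay style matching: every presented check must match an
    issued check on number and amount; anything else is an exception."""
    index = build_issued_index(issued)
    already_presented = set()
    decisions = []
    for chk in presented:
        if chk.number in already_presented:
            # Assumed rule (not from the article): a second presentment of the
            # same serial number is returned rather than paid twice.
            decisions.append(Decision(chk.number, "return", "duplicate presentment"))
            continue
        already_presented.add(chk.number)
        match = index.get(chk.number)
        if match is None:
            decisions.append(Decision(chk.number, "review",
                                      "check number not on issued list"))
        elif match.amount != chk.amount:
            decisions.append(Decision(chk.number, "review",
                                      f"amount mismatch: issued {match.amount}, "
                                      f"presented {chk.amount}"))
        else:
            decisions.append(Decision(chk.number, "pay", "matches issued record"))
    return decisions

# Constructed sample data: the customer's uploaded issued-check list ...
ISSUED = [
    Check(1001, Decimal("250.00")),
    Check(1002, Decimal("1200.00")),
    Check(1003, Decimal("75.50")),
]
# ... and the checks that posted to the account that day.
PRESENTED = [
    Check(1001, Decimal("250.00")),    # legitimate
    Check(1002, Decimal("12000.00")),  # altered amount
    Check(1004, Decimal("500.00")),    # counterfeit serial never issued
    Check(1001, Decimal("250.00")),    # same check presented a second time
]

def run_sample():
    return reconcile(ISSUED, PRESENTED)

if __name__ == "__main__":
    for d in run_sample():
        print(f"check {d.number}: {d.action:6} ({d.reason})")
```

The "review" items are the ones the article says the account holder is notified about and can choose to pay or return; only exact matches clear automatically.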