How to Protect Your Small Business from Sneaky, Sophisticated Cyber ScamsAuthored by: Jim Stewart, Founder DocuSend, powered by MTI.
Last modified: January 21, 2020
No one likes getting scammed. But these days, it’s the reality of having a business: even if your online presence is minimal, you're still a target for hackers.
A 2017 report from the FBI found that U.S. businesses lost $500 million in the previous year from phishing scams, and the amount they were losing each year was growing.
It used to be that schemes to steal your personal information or money were easy to identify; you might have received a comical email from a long-lost relative in a country you’d never heard of, along with a ridiculous request to wire money overseas.
Don’t Feel Foolish! It Can Happen to Anybody
Many hackers today are significantly more sophisticated in their approach. You, or an employee in your company, might get an email that looks perfectly legitimate, as though it comes from another company, or even talk to a so-called representative over the phone, only to find out too late that you have been duped into sending payment or revealing sensitive information.
That can be alarming to hear, but there’s no need to panic about cyber scams.
Armed with knowledge and the proper precautions, you can effectively protect your business from even the most sophisticated hackers.
First, the knowledge:
Common Cyber Scams That Dupe Small Businesses
A good defense starts with an awareness of your opponent’s best moves and strategies. By educating yourself and your organization’s employees about these common hacker schemes, you’ll be well on your way to security and peace of mind.
This hacking tactic dates back to the 1990s and has been refined many times since. A hacker lures someone in through a website, app or email to click on a link that will in turn compromise their personal or company data.
Some phishing scams look “phishy” right off the bat—
Like that email from “PayPal” that is clearly not legitimate because the authentic PayPal would not send communications with multiple spelling and grammatical errors. Usually these go straight to your spam folder anyway.
But many hackers’ phishing techniques have become very clever. You might receive an email from a company you trust asking you to provide sensitive data, only to later realize that the message was from a skilled copycat. For example, your accounting software could be vulnerable (see more: Cyber scams target small businesses through their accounting software).
“Spear phishing” is even trickier and more invasive.
Unlike phishing that targets mass audiences, this type of attack targets specific companies and individuals. Imagine someone posing as the CEO of your company and then requesting your accountant to pay a phony bill.
While unnerving, this is exactly the type of interaction a sophisticated hacker will attempt to use in order to steal from you.
2. Fake Invoices and Services
There are several ways that cyber scammers can trick you into paying for something you didn’t buy.
One is simply a fake invoice. Always check to make sure that the invoices you receive are the real thing. Some hackers may pose as a company you work with but redirect where the payment is made. Others might claim bogus charges—domain name renewals are common.
Some scammers may personally reach out to you, offering to improve your website’s SEO or something similar. Even if they do a little bit of work, they can grossly overcharge for their service and then vanish, or threaten to harm your website if you stop payment.
3. Stolen Credentials
With large-scale data breaches making the news, many people—individuals and businesses—have had their login credentials compromised. Hackers will steal sensitive information from one website and use it to log in on another site.
This can hit small businesses in two ways.
First, if a hacker steals login credentials from someone in your company and uses them to purchase or redeem products that can be resold, then you are at risk for a loss. Second, if you have a website that stores any login information and you get hacked, you may find yourself doing damage control for your website users.
Most likely you’ll be using a third-party application or service to handle sensitive data, so be diligent about choosing services that are reliably secure. At DocuSend, we use two respected security companies to regularly run comprehensive security tests on our system.
Now that you have the knowledge, here’s how you can take precautions:
Small Business Strategies to Avoid Cyber Scams
If you’re running a small business, it’s your responsibility to ensure that all your transactions, whether with customers or vendors, are secure. The FTC has several tips to protect your business from scams.
1. Employee Awareness
All employees who handle sensitive information should be trained about cyber scams. All it takes is one errant click to put your business at risk.
Employees should not send passwords or other sensitive information by email. And if they see anything suspicious, they should talk to other employees within the organization, as hackers may send similar emails to different people.
IMPORTANT: You and your employees need to know that if a provider can tell you your password, they are storing it incorrectly. They should only be able to send you a newly generated password, not your existing one.
2. Payment Procedures
Your business should have a verification procedure for every payment that is processed.
Sometimes the only thing a scammer will change on an invoice is the banking number, while everything else looks authentic. Go over every invoice, even from businesses you trust, to make sure that it is accurate.
Minimize the number of people who are authorized to make payments, especially for major expenses. Make sure they go through the same verification procedure.
Within your payment verification procedure, make sure that you or your employees are asking how the payments are being made. Take note: Payment processes like wire transfers and gift cards are impossible to trace and are common scammer tactics.
3. Due Diligence and Technical Proficiency
“I'm just not tech savvy” isn’t an excuse anymore if you run a business, since so many communications and transactions are done online. It’s worth your time and energy to invest in some technical training so that you can understand how business is being done.
That doesn’t mean you have to code your own website, but some basic precautions you should take with your business include:
- Changing your passwords regularly (and encouraging your employees to do so as well).
- Making sure that all sensitive files, passwords and financial information are secure.
- Verifying that you have a secure connection and a legitimate recipient any time you share sensitive information, such as login credentials. Websites that receive payment should show HTTPS, not HTTP, on the address bar.
- Only doing sensitive online transactions over a secure wireless network (not a Wi-Fi hotspot).
- Keeping your software up to date, including on your company’s website.
- Only working with trusted, verified vendors. Do not trust unsolicited emails!
The FTC has other Small Business Computer Security Basics if you want more practical suggestions to maximize security.
Since there is so much scamming online, it’s not a surprise that many individuals and businesses still prefer to receive sensitive communications like invoicing through the mail. And unlike email, the USPS is protected by over 200 federal laws.
With DocuSend, all it takes is a few clicks, and you’re securely sending sensitive information like billing and customers’ personal data over the mail. For a few cents, you’ll have the peace of mind that your business transactions are safe from online attacks. Try it free!