When analysts at JAVELIN released their report on the implications of back-office and payments fraud for small businesses in the U.S., they calculated financial losses for these companies at $3.1 billion in 2015 alone.
Cybercriminals are nabbing money thanks to strategies that range anywhere from the Business Email Compromise to ACH and wire fraud. But these crimes aren’t just plundering small businesses.
In fact, explained JAVELIN Research Director and Head of Fraud and Security Al Pascual, the financial losses of micro and small business back-office fraud extend far beyond the small business itself, and for financial institutions, those losses are incalculable.
But are banks paying close enough attention to the problem?
“Absolutely not,” he said bluntly in a recent interview with PYMNTS.
Without banks stepping up to combat fraud, small businesses are often left to their own devices. According to JAVELIN’s research, micro and small businesses are hardly using any of these devices at all.
Just one-quarter of the businesses surveyed in the report said they use a security measure as basic (yet effective) as alerts, with other lines of defense seeing even lower adoption rates, researchers found.
“Imagine if, when a high-value wire or ACH transaction was to go out, an alert goes out not only to the person in the AP office but also the CFO,” said Pascual. “I think that could be really effective in managing the risks, like the Business Email Compromise, but it’s just not seeing a high adoption rate right now.”
This presents a massive opportunity for financial institutions to step in and make an immediate impact on small business security by providing these services to their small firm clients, even if those businesses aren’t aware of their options when it comes to safeguarding their back-office functions.
“I don’t think that small businesses are really cognitive of the threat they’re facing,” the executive said.
Pascual pointed to one finding from the research that reveals just how out of tune small businesses are with cybersecurity.
“When you look at the delta between malware and Business Email Compromise and ask the small business how concerned they are, the Business Email Compromise was towards the bottom of the list,” he pointed out. “But the FBI came out and said it’s now more than a $2 billion problem. That just goes to show that maybe there is not enough conversation around the risks that they’re facing.”
Whether it’s public discussion of small business cybersecurity or it’s banks going beyond what they’re required to do in educating their small business customers on the topic, entrepreneurs need to become more educated about these threats and how they can manage them, Pascual added.
“If they don’t know they’re at risk, how can they possibly understand what they need to do to manage that risk?” he asked.
The hurdles of small business security are growing taller, too. While small businesses might not have the piles of cash that these criminals want, their systems are easily infiltrated, giving them a pretty big bang for their buck.
Pascual explained that small businesses’ bank accounts look a lot like retail bank accounts. Business owners use simple login credentials to access their online banking, and often, he said, the same passwords are used across accounts, from business banking to personal banking to even social media.
To target small businesses specifically, criminals can use software that scans one set of credentials across 250 of the top banks to see if they match with any accounts, the executive said.
The crime targets bank accounts with more value than individual consumer accounts but those with the same basic level of security.
These scams have led to an average of $12,139 being fraudulently taken from each small business account in 2015, according to JAVELIN’s report. While that $3.1 billion in combined yearly losses is nothing to scoff at, Pascual emphasized that the problem spreads to banks and financial services players, too.
While a small business bank account may look like a retail account on the security level, small business banking isn’t just about the depository account, he explained.
“If you’re a financial institution, there are a lot of services provided to small businesses on top of having that depository account,” said Pascual. “They offer this trifecta of services, typically, to small businesses — it’s the depository account, the credit card and merchant processing.”
So, when a small business decides to ditch its bank following some type of security lapse — and, according to JAVELIN, one in four small businesses are doing just that — these customers rip out a lot more business from the bank than one may think.
“We see $3.1 billion lost, and in this particular space, bankers don’t seem to be as concerned,” the executive said. “But small businesses are picking up and taking a lot of valuable business from banks or issuers; that’s something they should be concerned about, on top of all of this liability.”
The market’s progression towards faster payments, he added, will only exacerbate the problem, so banks need to act quickly to provide small businesses with the education and tools needed to stop fraudsters.
“There is such a huge challenge when it comes to unauthorized wire transfers. You have maybe three days, if you’re lucky, to get that money back, but after that, you’re basically out of luck,” Pascual said. “Imagine if that settlement was real time and those funds could be withdrawn the second after someone clicks send. Then, what are the implications here?”
He added that Same Day ACH and other faster payment initiatives are likely to boost the instance of back-office fraud for small businesses (and other banking customer segments).
With the small business community already lagging in their anti-fraud efforts, the market is in for a nasty surprise once Same Day ACH becomes a reality, Pascual warned.
“This feels like a space where criminals have had it pretty good, because their enemies don’t know what they’re up against,” he said. “Unless we change that paradigm, then we start to give criminals tools that allow them to move money even faster, and that really ups the risk level. You have an unprepared population. Things could get bad — fast.”