Business owners know all too well that the risk of fraud is always present, especially since methods continue to change over time.
To help business owners understand the digital fraud minefield of today, Rockland Trust hosted a webinar about common cybersecurity threats and ways to mitigate fraud risk. The webinar featured insights from Lisa Morrissey, VP, Treasury Management Team Leader at Rockland Trust; Kevin Ricci, partner at Citrin Cooperman; and Lumi Taiwo, manager at Citrin Cooperman and a certified ethical hacker, to help you prevent business fraud.
What types of business fraud exist?
Kevin and Lisa agreed that human beings are often targeted by fraud attempts and can be some of the weakest parts of the security chain for businesses.
“No one is immune [...] Human error is the source of so many breaches. Again, we need to arm ourselves with the necessary behaviors and skills to help us avoid being that target,” Lisa explained.
Bad actors typically leverage several fraud strategies to gain access to IT systems and sensitive information, such as malware, ransomware and social engineering. One of the most common forms seen today is phishing, which occurs when the attack comes through email or a website. Many fraudsters impersonate a trustworthy entity, like an IT provider or other vendor, or a person, like an executive, to obtain sensitive information or get a person to download malicious software.
Knowing that many of us spend a good amount of time on our phones and use them for work-related tasks, bad actors have started to use text messaging in much the same way that email and websites are used in phishing attacks. This type of social engineering is known as smishing.
At Rockland Trust, we often see instances of payments fraud that use these techniques. Fraudsters will impersonate a vendor and supply a new payment method via spear phishing to an employee. If the employee proceeds to send the payment without verifying with a known contact, the business is often unaware of the fraud until their original vendor reaches out regarding the missing payment.
“Payments come in all shapes and sizes. Fraudsters know this and are looking for how to infiltrate you in any way, shape or form,” Lisa said. Two common types of payments fraud to familiarize yourself with are check fraud and wire fraud.
Lisa notes that many of today’s fraudsters are going old school by taking written checks out of mailboxes and altering them to their needs. The unfortunate reality is that while digital fraud strategies are compounding, the tried-and-true methods never go away.
How can businesses protect themselves from fraud attempts?
“The best and only defense against these threats is awareness and education,” Kevin shared.
The business world can be fast-paced, but giving yourself a minute to think about a text or email request and approaching it with a healthy dose of skepticism can be a worthwhile investment. If you are unsure about a request, the best course of action is to verify the information by picking up the phone and calling a trusted phone number for that person, whether they are inside or outside of your company.
“Use a little bit of caution [...] Take that minute because it can make or break a bad situation. A phone call goes an awful long way,” Lisa advised.
PRO TIP: To avoid falling into the “autoclick zone” with common communication channels like email or texting, we recommend using the phrase “1, 2, 3… let me see.” This reminder helps you slow down to really examine that message before clicking on a potentially malicious link.
Technological developments like artificial intelligence (AI) can also be used to the advantage of fraudsters. Some tools can make phishing attempts harder to identify, and it’s also crucial for employees to take caution before experimenting with AI tools themselves.
“If you don’t have a policy in place that authorizes people to use [AI] tools, people can dump in sensitive information that is harvested by others,” said Kevin.
Kevin shared several high-level cybersecurity best practices during the webinar – such as enabling multifactor authentication, implementing dual control processes and engaging employees in awareness training – starting at the 44:21 mark in the on-demand video.
Can I detect vulnerabilities before an attempted fraud attack?
Many companies use tools and resources that alert them to security vulnerabilities so they can fix them before a bad guy takes advantage of them.
One option to consider is a risk assessment that occurs annually. Citrin Cooperman developed the SCORE Report to help its clients identify areas of improvement and mitigate the risk of security breaches. Kevin pulled out 10 questions in a free mini-risk assessment during the webinar (starting at 52:22) that can give businesses a sense of what this report offers.
Another option to consider is penetration testing – an evaluation that proactively tests an organization’s network or physical space to find security gaps that a bad actor may exploit. These tests help businesses identify weaknesses and improve processes to help prevent fraud from occurring. Lumi shared an example of his work as a penetration tester, during which he walked into a health care center and gained access to a patient file that contained sensitive information including the person’s social security number and full name. Lumi was not asked for identification or other confirmation before getting the file. Finding a lapse in security like this through testing, ahead of time, helps organizations brush up on security measures before harm can be done.
What fraud prevention tools can help keep my business funds safe?
Rockland Trust and other banks often offer several preventative tools to help businesses prevent or detect fraud attempts targeting business bank accounts. Proactively implementing tools such as Positive Pay or ACH Debit Blocks, for example, can help stop fraudsters from gaining access to your finances in the first place.
If you notice any suspicious activity, it’s important to contact your bank right away. The sooner a fraud occurrence is reported, the more likely it is funds can be recovered.
What is the cost of a security breach for businesses?
There are many costs associated with security breaches that businesses should be aware of, including fines and penalties, legal counsel, downtime and technology expenditures. But Kevin pointed out another cost that is sometimes overlooked: brand reputation.
“[Brand reputation degradation] might have the biggest price tag of all because, at the end of the day, your clients, your vendors, your business partners are going to be reluctant to do business with a company or organization that can’t protect their information,” he said.
Businesses should be aware that it costs significantly more – sometimes as much as 14 times as much – to recover from a security incident versus what it costs to prevent it in the first place.
Want to learn more? Watch the full Navigating the Digital Minefield of Business Fraud webinar for an exclusive offer from our friends at Citrin Cooperman!
“Citrin Cooperman” is the brand under which Citrin Cooperman & Company, LLP, a licensed independent CPA firm, and Citrin Cooperman Advisors LLC serve clients’ business needs. The two firms operate as separate legal entities in an alternative practice structure. Citrin Cooperman is an independent member of Moore North America, which is itself a regional member of Moore Global Network Limited (MGNL).
Rockland Trust Company does not endorse, does not guarantee, and disclaims liability for the views expressed, and the products and services offered, by the guest speakers at this program.