Strategies to Protect Your Business from Fraudsters

Check out insights on protecting your small business from fraud attacks.

From the rise in business email compromise schemes to the ever-present threat of check fraud, small businesses must navigate an increasingly complex threat landscape. No matter the size of your business, it’s possible to become a victim of fraud. Criminals constantly evolve tactics, targeting technology and human behavior for potential weaknesses and security lapses. 

For many reasons, often related to understandable budget constraints, small businesses can lack robust security measures and dedicated IT and fraud teams. Nonetheless, small business owners must stay vigilant, educate their employees, and adopt security practices that make them less likely to become victims.

“Cybercrime is not going to disappear. Financial crime has become more prevalent because criminals are hiding behind a screen,” says Ana Campaneria-Villarini, Senior Vice President and Director of Corporate Fraud at BankUnited.

So how can small businesses with limited budgets combat fraud, especially when criminals are increasing their use of artificial intelligence to make their fraud attempts harder to detect and prevent?

Recognizing Business Email Compromise

From Campaneria-Villarini’s perspective, business email compromise schemes are one of the most common and financially damaging forms of fraud targeting businesses of all sizes. 

According to the FBI, business email compromise (BEC) is a scam in which “criminals send an email message that appears to come from a known source making a legitimate request.” This can take the form of a vendor sending an invoice with an updated mailing address, a title company messaging a recent homebuyer with false instructions for a wire payment, or your own company’s CEO reaching out with an urgent request to purchase dozens of gift cards. 

“In the past, we used to frequently see more email compromises, where the email addresses consisted of a missing digit on the email address, or an extra L or an extra I,” says Campaneria-Villarini. “In addition to that, the verbiage in the body of the email contained grammar and spelling errors, which made it a little bit easier to detect that something was not right.” 

However, criminals today are much more sophisticated in how they compromise and use email to commit fraud.

“Now the entire email account is being compromised and the fraudster then studies the behavior of that victim, to make the email communication seem more realistic. So, the email address is the same, and the verbiage and the communication style are very similar to the actual party,” adds Campaneria-Villarini. 

With this insight, the emails criminals send to deceive someone into sending a payment are much more convincing. From Campaneria-Villarini’s perspective, BEC is most effective when the email is well-timed. “If the victim is expecting an invoice or payment instructions, let's say for a real estate deal, they're simply going to proceed because it's not an unsolicited email.” Campaneria-Villarini notes that most, if not all, BECs could be prevented with a simple call back to the email sender's number on file for verification.

Check Fraud: A Perennial Favorite with Fraudsters

While BEC schemes plague businesses, an even older form of financial fraud continues to generate significant losses. In fact, Campaneria-Villarini notes that financial institutions are seeing substantial increases in check fraud losses. 

“We have a mail theft epidemic resulting in a check fraud epidemic,” says Campaneria-Villarini. “Checks intercepted and stolen in the mail are being posted on the dark web within 24 hours, resulting in counterfeits and stolen checks being negotiated quickly by unauthorized parties.” 

Cybercriminals are also using stolen check information and personally identifiable information (PII) to commit account fraud. “Fraudsters are opening accounts online with the intent to commit fraud. It is much easier behind a screen to open an account and deposit stolen checks via mobile deposit,” notes Campaneria-Villarini.

Fraud Liability: A Complex Topic

While combatting fraud is the primary goal, Campaneria-Villarini emphasizes the need for small businesses to understand the nuances of fraud liability. 

“There is a misconception that financial institutions must reimburse account holders for all fraud, even when the account holder originates the payment,” says Campaneria-Villarini. Yet, different rules govern each payment type. “For example, with checks, financial institutions are expected to reimburse the account holder when their signature on the check has been compromised (i.e. counterfeit, forged maker) if the fraud incident is reported timely, according to the financial institution's Depositors Agreement,” adds Campaneria-Villarini.

These misconceptions can create friction when small business owners expect the bank to cover losses from fraud. While Campaneria-Villarini stresses that financial institutions' fraud teams will work hard to recover funds, the liability ultimately may rest with the customer in many cases.

Therefore, she encourages small businesses to educate themselves on liability for fraudulent transactions, as this manages expectations and helps to maintain a productive and fully informed relationship between a business and its financial institution.

Prioritizing Fraud Prevention

Given the sophistication of the threat facing small businesses, it is essential to adopt a multifaceted approach to combating fraud. 

The security of email accounts is paramount to preventing BEC schemes. Complex passwords and multi-factor authentication are critical to preventing unauthorized access. Blocking employee access to personal email and social media on work devices can also help, as they can serve as entry points for phishing scams.

Campaneria-Villarini also recommends that small businesses partner with reputable web hosting and information security companies that can provide advanced endpoint security, including anti-virus and malware protection. She also recommends cybersecurity insurance and a willingness to continually evaluate their processes and procedures for potential weaknesses.

When it comes to ACH and check fraud, Campaneria-Villarini strongly encourages business owners to enroll in the fraud prevention products most banks offer. For example, ACH alerts send emails to the account holder when there is an ACH debit from an unapproved party. Payee Positive Pay can help detect and prevent check fraud by generating an alert when a check is presented for payment that does not match the account holder's issued checks. Reverse Positive Pay generates an email for all checks being presented for payment, so the account holder can approve or reject each item. Additionally, Campaneria-Villarini recommends that checks be dropped off directly inside the post office or sent via USPS Scheduled Pickup, avoiding street USPS collection boxes, apartment and building cluster box units, residential mailboxes and any other public mail drop-off.

From sophisticated email compromise to persistent check fraud, your business faces an ever-evolving landscape of fraud threats. To combat the threat, you must stay vigilant, leverage your bank’s fraud tools, and implement strong cybersecurity measures. By doing so, you can significantly reduce the risk of becoming a victim of fraud.

BankUnited’s suite of treasury solutions offers ACH services, as well as other fraud prevention tools to keep your hard-earned finances safe.

All content is for informational purposes only and does not constitute legal, tax, or accounting advice. You should consult your legal and tax or accounting advisors before making any financial decisions.