It’s everyone’s worst financial nightmare, and we’ve all heard the horror stories: fraud. “My identity was stolen and someone in Maryland charged $2,000 to my credit card!” “Our payroll person has been overpaying themselves for years and we only just found out!” “I opened an email I thought was from the IRS and got hacked!”
Every day, we’re bombarded with stories like these from our friends, colleagues, and business networks. Cyberfraud is everywhere, and as technology continues to shift more of our lives online, we’re only becoming more vulnerable. For business owners especially, it is critical to take a proactive stance against cyberfraud.
According to the ACFE, the median loss caused by fraud in 2014 was $145,000, with 22% of those cases reporting losses of at least $1 million. Identity theft and cybercrime were among the most common sources of fraud in small businesses. And whereas larger companies are more likely to have anti-fraud practices in place, smaller companies usually fail to implement similar controls. So what types of fraud are out there, and what can you do to prevent them?
Employee theft is still the primary way businesses are defrauded. In smaller companies, there is typically only one person acting as the AR clerk, HR generalist, payroll, and accounting departments… all in one. Although the thought of consolidating duties to reduce labor costs is tempting, this can be a recipe for disaster.
Tip #1: The best way to prevent fraud is to catch it before it happens. Try separating duties between payroll and HR. Requiring a second sign off or having another type of financial oversight in place could be the difference between smooth sailing and a million-dollar loss!
Tip #2: Explore and take advantage of the features in your payroll system. Learn what is available to you and use it! For example, SDPConnect users have access to a variety of functions to help curtail employee fraud:
- Threshold reports identify all employees paid above a certain threshold amount,
- “Verify & submit” requires high-level executive review and approval prior to payroll submission,
- Push notifications can be enabled to alert you of total payroll liability after payroll processes.
Email Phishing & Wire Fraud
According to an FBI warning in May 2017, fraudsters sought to steal some $5.3 billion in the second half of 2016 through Business Email Compromise (BEC) schemes. (A sharp increase from only $3.1 billion in attempted theft from October 2013 to May 2016!) BECs occur when criminals request wire transfers in emails seemingly sent from senior executives or business suppliers who regularly request payment.
Tip #3: Always verify the sender’s email address, not just the name shown next to it. It’s so easy to manipulate email alias names to match the name of an executive, client, or vendor (try it sometime!). Generally, it’s a red flag if the email address is misspelled or from an invalid domain.
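The check in Tip #3 can be automated on incoming mail. The sketch below is an added example, not part of the original article or of any SDP product; the sender directory, names, and `.example` domains are constructed for illustration.

```python
from email.utils import parseaddr

# Assumed directory: display names you expect mail from, and their real domains.
KNOWN_SENDERS = {
    "jane doe": "northwind.example",                    # constructed executive
    "acme supplies billing": "acme-supplies.example",   # constructed vendor
}
TRUSTED_DOMAINS = sorted(set(KNOWN_SENDERS.values()))

def edit_distance(a, b):
    """Levenshtein distance, used to spot misspelled (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_from_header(from_header):
    """Return a list of red flags for one From: header value."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["no valid address"]
    name = " ".join(name.lower().split())
    domain = addr.rpartition("@")[2].lower()
    flags = []
    # Red flag 1: a familiar display name on an unfamiliar address.
    expected = KNOWN_SENDERS.get(name)
    if expected and domain != expected:
        flags.append(f"'{name}' normally sends from {expected}, not {domain}")
    # Red flag 2: a domain one or two characters away from a trusted one.
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(domain, trusted) <= 2:
                flags.append(f"domain {domain} looks like {trusted}")
    return flags

if __name__ == "__main__":
    for hdr in ("Jane Doe <jane.doe@northwind.example>",
                "Jane Doe <jane.doe@northwlnd.example>",
                "Accounts <ap@acme-suplies.example>"):
        print(hdr, "->", check_from_header(hdr) or "ok")
```

A message that raises either flag should be confirmed through a channel other than email before any payment is made.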
Tip #4: Institute some form of two-factor authentication for wire transfers. This could be as simple as having two people in the office review and approve wires before sending. You can also contact your bank to set up phone confirmations for wires.
Perhaps the scariest cyber-attack being deployed against businesses is account theft. This happens when criminals log in to an employer’s account using stolen credentials. Usually, they go in to check the date of the next pay run and will log back in just before payroll to change employee direct deposit information. Instead of paying your employees, you will end up sending funds to a variety of money mules (so there is no single point of failure).
Although most payroll companies (and SDP in particular!) have security measures in place to protect their platforms, the end users are often the greatest weakness in operational security. Fraudsters typically begin by sending a payroll admin a “spear phishing” email with an infected attachment or link. Once the recipient opens the attachment or visits the website, malware is installed on their computer. This malware then begins harvesting the company’s information and feeding it back to the cyber-criminal. Sadly, employers are usually completely unaware of this until payday arrives and employees call in a panic that no one got paid.
Tip #5: Protect your company! Make sure you have adequate firewall and IT security protections. When it comes to login credentials, be sure to use unique, challenging passwords, and don’t share them or record them somewhere they could be compromised. (TIP: you can test the strength of your passwords with this tool, which runs locally without sending any data over the internet!) Lastly, take advantage of features like our SDP audits and change listing reports prior to running payroll to catch fraud before it happens.
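The account-theft pattern described above (direct deposit details changed just before payroll) is what a change listing review is meant to catch. The following is an added example, not SDP's report or code; the rows, field names, and thresholds are constructed assumptions, and a real export will use its own column names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed change-listing rows for illustration only.
CHANGES = [
    {"when": "2024-03-04T10:15", "admin": "payroll1", "employee": "E100", "field": "address"},
    {"when": "2024-03-13T23:41", "admin": "payroll1", "employee": "E101", "field": "bank_account"},
    {"when": "2024-03-13T23:43", "admin": "payroll1", "employee": "E102", "field": "bank_account"},
    {"when": "2024-03-13T23:44", "admin": "payroll1", "employee": "E103", "field": "routing_number"},
    {"when": "2024-03-01T09:00", "admin": "hr1", "employee": "E104", "field": "bank_account"},
]
DEPOSIT_FIELDS = {"bank_account", "routing_number"}  # assumed field names

def review_changes(changes, pay_run, window_days=3, bulk_threshold=3):
    """Hold direct-deposit edits made shortly before the pay run for confirmation."""
    pay_run = datetime.fromisoformat(pay_run)
    start = pay_run - timedelta(days=window_days)
    held = set()
    per_admin = defaultdict(set)
    for row in changes:
        when = datetime.fromisoformat(row["when"])
        if row["field"] in DEPOSIT_FIELDS and start <= when <= pay_run:
            held.add(row["employee"])
            per_admin[row["admin"]].add(row["employee"])
    # One login editing many employees' bank details at once suggests stolen credentials.
    bulk = sorted(a for a, emps in per_admin.items() if len(emps) >= bulk_threshold)
    return {"hold_for_confirmation": sorted(held), "bulk_change_logins": bulk}

if __name__ == "__main__":
    print(review_changes(CHANGES, "2024-03-15T09:00"))
```

Employees on the hold list should confirm the new account details in person or by phone before the pay run is submitted.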
What Do You Think?
Have you been a victim of cyberfraud, or do you know someone who has? Comment below to share your story and the measures you’re taking to keep yourself and your business secure. Want a demo of some of the features mentioned in the article? Simply fill out this online form to set one up today! And don’t forget to follow us on Facebook, Twitter, and LinkedIn to make sure you never miss a beat!