Here's a nightmare scenario. You realize $80,000 is missing from your company. What's worse, it turns out an employee you trusted stole it. This isn't some made-up scenario. It's a real story and it could happen to any company.
While early-stage entrepreneurs take big risks, they often ignore the substantial risk of theft or loss when they can least afford it.
Why should you care? Small-to-medium enterprises are particularly vulnerable because they are much less likely to make fraud prevention or cybersecurity a priority. But consider the consequences: the Securities and Exchange Commission has estimated that half of the small businesses that suffer a cyberattack go out of business as a result.
We've consulted experts and compiled tips to help you protect your startup from fraud. Don't be scared; be vigilant.
Common Types of Fraud and How to Protect Your Startup
There are three categories of fraud that early-stage companies should know about:
- Social engineering or imposter fraud
- Employee fraud
Avoid Becoming a Fraudster's Chum
Cyberattacks have grown much more sophisticated in recent years. Your website alone is a beacon for virtual sharks, who range from dark web gangs to government-sponsored organizations to a bored teen. Here is a list of the most common cyberattacks targeting businesses like yours today:
- Botnets: Also known as a "zombie army", these attackers use a network of computers to spread malware among machines connected to the network. This makes it very easy for an outside source to control all of the infected computers. DDoS: A Distributed Denial of Service attack is a
- DDoS: A Distributed Denial of Service attack is a coordinated effort aimed at crashing your company's server by sending too many requests.
- Web Application (CSS): This attack exploits vulnerabilities in a website's Cross Site Scripting to misrepresent a legitimate website, typically with the goal of stealing a user's login details or credit card information.
- SQL Injection (SQLI): This is one of the most common attacks, targeting the application layer of websites. Hackers take advantage of shoddy web development techniques and inadequate database security to steal entire database contents.
The good news: In many cases, cyberattacks can be prevented or at least the damage reduced.Tips for reducing your cyberattack risks:
- Incorporate security measures in all of your processes, and, if you have the resources, hire a security expert to help you. If you don't have the resources to hire a security expert, there are ways to mitigate the risks yourself, including but not limited to double checking code, updating software frequently and regularly monitoring logs and events posted on your website. Make sure the review includes asking operators of third-party sites you link to for their security protocols.
- Prepare incident response plans, then train your entire staff to quickly identify suspicious activity and put the response plan in place.
Learn Fraudster Tricks of the Trade
Social engineering, or imposter fraud, simply takes advantage of human nature. Many people fall for social engineering scams because they are so well-crafted. The results are immediate and can cost a business hundreds of thousands of dollars overnight. Here are some tips to avoid this type of fraud.Tips for reducing your risk of social engineering hacks:
- Stop before you click any links related to a financial transaction to check the "from" address in the email. Also, hover over the link to reveal the URL. Even if it is only one letter off of the original site, don't click. For your most sensitive information, use dual authentication, which is described in the next section.
- Get familiar with social engineering fraud: phishing, baiting, pretexting, diversion theft, quid pro quo and tailgating. It is important to note that digital tools aren't even necessary to commit some of these types of fraud.
- Obvious but often ignored: never divulge passwords or other confidential information via email or chat, over the phone or even in face-to-face encounters if you do not know the person. Watch the Fusion documentary linked above to see how even customer service reps are easily duped.
Don't Forget to Look Inward for Security Risks
Not all fraud is committed by strangers. In fact, many cases involve employees, contractors and even partners well known to a company. Employee fraud takes many forms, from check forgery to theft of intellectual property.
Often, your bank can advise you on how to protect your accounts, but at a minimum, you need to develop a system for keeping track of where your money is.Tips to mitigate employee fraud:
- Make the primary administrator — someone who is tasked with administering the startups accounts — responsible for initiating, authorizing, preparing, signing, mailing payments and reconciling bank statements.
- Require dual authentication for all money transfers. Dual authentication requires that two separate people with separate duties authorize transactions.
- Keep your checks in a locked and secure place, and consider safely storing digital check images instead of paper copies. If you must use paper, physically void returned checks and check copies, and shred them on a regular schedule. Whatever you do, don't leave them in your desk drawer. A safe is highly recommended.
- Call your banker when making changes to signature cards and authority expenditure levels, and review them annually. Consolidate or eliminate bank accounts that you don't use regularly.
There are three ways to transfer money among accounts: Automated Clearing House (ACH), checks, and wires.
- For ACH, you can easily and inexpensively send and receive U.S.-based payments such as payroll deposits, vendor payments and tax payments. You can also safely accept ACH debits to your accounts with ACH block and filter options. Cost? $20 a month per account at SVB.
- For ACH and wires, dual approvers require that you and someone you trust (co-founder, etc.) must both authorize wires and/or ACH transactions. It's free (and easy to set up) from SVB Online Banking.
- For paper checks, consider using a service to match the account number, payee, check number and dollar amount of each check presented for payment against a list of checks previously authorized and issued by your startup. If there's a mismatch, the check will not be accepted. Cost is around $55 per month for <25 checks at SVB.
To learn more, please visit the Fraud Prevention Center on svb.com.