Middle-market business owners and CEOs are extremely concerned about cybercrime, and with good reason. The threat has never been more urgent.

According to the 25th Annual Global CEO Survey conducted by PWC, global CEOs are most concerned about cyber risks, and ranked it as the top threat to growth.

And for good reason. According to the Identity Theft Resource Center’s 2021 End-of-Year Data Breach Report, in 2021 there were more data compromises reported in the United States than in any year since the first state data breach notice law became effective in 2003.

A cybercriminal could wreak havoc on your company. Now is the time to protect yourself.

Proactivity is the key to fighting cybercrime

“A lot of business owners think cybercrime will never happen to them, but in reality the chances are quite high that it will,” says Cadence Bank Treasury Management Sales Officer Joseph Cascio. “It is critical to be proactive in taking steps to protect your business from the potentially devastating effects of a cyberattack.”

According to Lori Frady, also a Treasury Management Sales Officer with Cadence Bank, middle-market businesses could be especially susceptible to cybercrime during the coronavirus pandemic.

“Whenever there’s a significant event, cyber criminals are quick to try to capitalize on it,” she says. “The coronavirus pandemic is no exception. Many employees are distracted due to working from home and dealing with personal issues like childcare, which can make them more vulnerable to falling victim to cyberattacks.”

Frady’s message? “Never let your guard down,” she says. “Cyber thieves and fraudsters win when you’re not paying attention.”

The link between cybercrime and fraud

Cybercrime and fraud typically go hand-in-hand, since thieves often use cyberattacks to commit fraudulent activities. According to the Association of Certified Fraud Examiners (ACFE) 2022 Report to the Nations, the typical organization loses 5% of its revenue to fraud each year, and the median fraud loss is $117,000. What’s more, the typical fraud case runs for 12 months before detection and causes an average loss of $8,300 per month.

While large firms detect more incidences of cybercrime than small and mid-sized businesses, according to the ACFE, middle-market businesses are often the most vulnerable to cyberattacks. “These businesses are in the cybercrime ‘sweet spot’”, says Frady. “They’re large enough to have significant corporate bank accounts, but they often don’t possess and deploy the latest cybersecurity defenses like large firms do.”

Much of the cybercrime directed against middle-market U.S. businesses is perpetrated by highly organized criminal operations located overseas that operate through proxy servers enabling them to mask their location. For example, the cybercriminals could be overseas in the Ukraine but it looks like they’re in Houston or Atlanta. Cybercrime activity targeting middle-market businesses often originates from former Soviet bloc countries and other nations in this region, such as China and Romania.

Recognizing cybersecurity threats

Boosting cybersecurity and reducing fraud starts with recognizing the biggest cyberthreats. One of these is business email compromise, or BEC, which is similar to email phishing and spear phishing.

Sixty-two percent of all businesses experienced this kind of cyberattack in 2020, according to the 2021 Association for Financial Professionals (AFP) Payments Fraud and Control Survey. Although the percentage of companies financially impacted by BEC has been declining, the survey says, it continues to be the primary source for attempted or actual payment fraud. Global losses attributed to BEC topped $43 billion between June 2016 and December 2021, according to the FBI.

“Business email compromise can take many different forms, but it almost always targets employees who have access to corporate finances,” says Cascio. In a typical BEC scam, cyber thieves use their knowledge of the company to trick an employee into initiating wire transfers to bank accounts that they think belong to trusted partners. But the money is actually transferred into accounts controlled by the cybercriminal.

“This may sound simple, but the level of sophistication is unprecedented,” says Cascio.

Once a wire transfer is sent, it can’t be reversed, which makes BEC an especially dangerous kind of cyberattack.

“For this reason, businesses should view every wire transfer request as potentially fraudulent until it has been verified,” says Frady. “Employees should call the initiator of the wire transfer to confirm its authenticity and verify the phone number in your system instead of using a phone number in the email. I’m aware of many BEC schemes that have been caught by taking this simple step.”

In addition, Cascio recommends requiring at least two separate employees to originate and approve all wire transfers and other electronic funds transfers. “We also recommend activating tokens and using multifactor authentication provided by your financial partners,” he says. “And use a dedicated computer for all financial transactional activity with no email use or web browsing allowed on this computer.”

Other best practices recommended by Cascia and Frady for preventing cybercrime include the following:

• Train employees on the basics of computer security
• Create individual user accounts for each employee
• Update anti-virus/spyware software on a regular basis
• Lock down your computer hardware
• Add key-logger detection software to all company computers
• Use the latest versions of web browsers with pop-up blockers
• Implement employee awareness training for red flags

“It’s also important to educate employees about the importance of password security,” Cascio adds, “including setting strong passwords and usernames, and changing them regularly. A strong password is one that’s hard to guess but easy for the employee to remember without having to write it down.”

3 additional cybersecurity threats

1. Social media

The use of social media presents unique cybersecurity risks for businesses today.

“Many cyberthieves are using popular social media sites to trick employees into downloading malware or giving out sensitive information that allows thieves to hack into corporate accounts,” says Cascio. “Therefore, businesses need to establish social media policies that detail what kinds of social media activity is and isn’t allowed on work computers and other devices. This includes prohibiting social media activity on work devices, if necessary.”

2. Mobile devices

Mobile devices are a primary target of cyberthieves because they’re such an easy point of entry.

“Whatever your security policies are for corporate data and software should also be applied to mobile devices,” Frady says. “For example, they should be programmed to delete content after a certain number of failed log-in attempts. And you should be able to wipe them clean remotely in case they are ever lost or stolen.”

3. Cloud computing

The nature of cloud computing also presents unique cybersecurity risks.

“You have less control over your data when it’s stored in the cloud, so you need to be more proactive when it comes to protecting sensitive data from cyberattacks,” says Cascio. “You should apply your business’ cybersecurity standards to the service providers who are storing your data. Also identify any third parties your service providers work with and determine if they will have access to your data—and if so, what kinds of cybersecurity standards they have.”

Cadence Bank has fraud prevention solutions for middle-market businesses

Cadence Bank offers a wide range of solutions designed to help minimize the risk of cybercrime and fraud for middle-market companies. For example:

• Cadence Bank requires multifactor authentication for wire transfers to help prevent unauthorized wires from being sent to fraudsters.
• Positive Pay helps combat check fraud by comparing checks presented to the bank for payment to a list of checks your business has actually issued. Only checks that match the check-issued file are paid—all others are flagged and reported to you (via email or mobile) for a pay or no-pay decision.
• ACH Positive Pay helps protect you from automated clearing house (ACH) fraud by reviewing incoming debits against a list of approved vendors. You can also use filters to cap the amount of money that can be paid to any one vendor. Transactions that fall outside these boundaries prompt a notification and create exceptions items for a pay or no-pay decision.

Reach out to a banker to discuss fraud protection and how Cadence Bank can help.

This article is provided as a free service to you and is for general informational purposes only. Cadence Bank makes no representations or warranties as to the accuracy, completeness or timeliness of the content in the article. The article is not intended to provide legal, accounting or tax advice and should not be relied upon for such purposes.