How to Protect Your Business and Customers from Cyber and Fraud Threats
October is Cybersecurity Awareness Month, but small business owners and managers should consider year-round how they can protect their business, and how communicating with customers can protect those customers, from cyber and fraud threats.
Criminals do not need to break into a company’s technology to cause significant damage to its customers. It is often far easier for bad actors simply to impersonate a business. Fortunately, you can give customers best practices that reduce their risk, and the same practices that protect customers protect your small business.
There were 2,365 cyberattacks in 2023, with 343,338,964 victims, Forbes recently reported. Last year “saw a 72% increase in data breaches since 2021, which held the previous record,” the publication said. “Email is the most common vector for malware, with around 35% of malware delivered via email in 2023.”
Bad actors commonly use the same entry point in a cyberattack as in a fraud scheme aimed at your customers: some form of digital communication. You, your staff, or your customer will receive a “legit-looking email, phone call, or text that appears to come from a bank fraud department, a tech support helpdesk, a national [brand]…to send money, provide personal information, click on a link, or download software,” the Federal Trade Commission (FTC) wrote.
Preventing Harm from Cyber or Fraudulent Attacks
According to the FTC, fraud reports and losses reached historic highs in 2023, with even higher numbers expected for 2024.
Business imposter scams involving scammers falsely claiming to be affiliated with a well-known company or a financial institution were the most frequently reported scams to the FTC in 2023. Consumers reported $752 million lost in 2023 to business imposters with variations spanning schemes impersonating Amazon, Geek Squad, and even local, state, or federal agencies.
Whether a criminal is impersonating your business from the inside or the outside, small businesses can eliminate significant risk through simple communications that inform staff and customers of a few key practices. Consider telling customers plainly that you will never ask for their account numbers, PINs, or passwords. If someone claiming to be from your business asks for these, they should stop the conversation and contact you directly through a phone number, website, or app they already know is yours, not one given to them in the message.
You can also recommend that employees:
- Never click on a link in a digital message, even if it appears to come from a legitimate organization; instead, visit the organization directly by typing its address into an internet browser.
- Use complex passwords unique to you that don’t repeat across accounts.
- Never leave your phone or computer unattended after signing in to your account.
- Sign out of your account after accessing it from a shared device.
- Carefully check the URL of any site you visit to ensure it is not a copycat hosted at an address that merely resembles the legitimate business’s domain.
- Contact customer service through the mobile app – if your company provides one – rather than via phone numbers given in a communication.
- Never update bank account or routing numbers based on an email alone – call a known number to confirm such requests instead.
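Copycat addresses are effective because the differences are small: a swapped digit, an accented or Cyrillic letter that looks Latin, or the real brand name tucked into a longer domain. The following script, added here as an illustration and not part of the original article or any FTC material, shows how such look-alikes can be flagged automatically. The business domain (`examplebank.com`), the confusable-character table, and the sample URLs are all constructed for the example.

```python
"""Flag look-alike domains (typosquats and homoglyph copycats) of a business domain.

Added example; the domain, confusable table and sample URLs below are constructed.
"""
import unicodedata
from urllib.parse import urlsplit

LEGIT_DOMAIN = "examplebank.com"  # assumption: the business's real domain

# Characters fraudsters swap in because a hurried reader sees the original letter.
# Multi-character keys (rn -> m, vv -> w) are applied before single characters.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                  # Cyrillic c x y
}


def host_of(url: str) -> str:
    """Return the lower-cased host of a URL or bare domain, without a leading 'www.'."""
    parsed = urlsplit(url if "://" in url else "//" + url)
    host = (parsed.hostname or "").rstrip(".").lower()
    return host[4:] if host.startswith("www.") else host


def canonical(host: str) -> str:
    """Decode punycode, strip accents and map confusable glyphs to plain ASCII."""
    try:
        host = host.encode("ascii").decode("idna")  # xn--... labels -> Unicode
    except (UnicodeError, ValueError):
        pass  # already Unicode, or not valid punycode: keep as-is
    host = unicodedata.normalize("NFKD", host)
    host = "".join(ch for ch in host if not unicodedata.combining(ch))  # drop accents
    for glyph, plain in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        host = host.replace(glyph, plain)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, legit: str = LEGIT_DOMAIN) -> str:
    """Classify a URL as legitimate, a kind of copycat, or unrelated to the business."""
    host = host_of(url)
    target = canonical(legit)
    if host == legit or host.endswith("." + legit):
        return "legitimate"  # the domain itself or a real subdomain of it
    canon = canonical(host)
    if canon == target or canon.endswith("." + target):
        return "copycat: confusable characters"  # identical once look-alikes are normalised
    if edit_distance(canon, target) <= 2:
        return "copycat: near-miss spelling"  # one or two typos away from the real domain
    if target.split(".")[0] in canon:
        return "copycat: brand name embedded in another domain"  # e.g. brand.com.evil.net
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs of the kind a customer might be sent.
    for sample in (
        "https://www.examplebank.com/login",
        "https://support.examplebank.com",
        "https://ex\u0430mplebank.com/login",       # Cyrillic 'a' in place of Latin 'a'
        "https://examp1ebank.com",                   # digit one in place of 'l'
        "https://examplebank.co/",                   # truncated TLD
        "https://examplebank.com.login-verify.net/", # real name as a subdomain of a stranger
        "https://google.com",
    ):
        print(f"{sample:50} -> {classify(sample)}")
```

The check is deliberately conservative: it compares against the one domain you own, so it can run in a mail filter or a help-desk tool without a large data set. It does not replace telling customers to type your address themselves, because a domain that passes every heuristic can still be registered by a fraudster.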
Criminals will usually demand immediate action of some kind, the FTC cautions. The more urgent the request, the more small business executives, owners, and customers should “pump the brakes,” even if the request appears to come from someone in a position of authority.
Creating a Cyber and Fraud Response Plan
You do not want to learn that your business has had a data breach – whether the attackers took employee personal information or customer data – and not know what to do next. The same applies if you learn that fraudsters are impersonating your company.
While the FTC has a complete list of recommendations on its website, here are the general expectations of the state of Washington:
In general, businesses must notify Washington residents “in the most expedient time possible” and within 30 days of discovering the breach. Read the complete requirements here.
Businesses and individuals may not delay notice unless:
- Law enforcement is contacted after discovery of the breach, and the law enforcement agency determines that notification will impede a criminal investigation; or
- The delay is due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
If a data breach affects more than 500 Washington residents, notification must also be provided to the Attorney General’s Office, which can be done electronically via the Washington Attorney General’s website. This notice is also due within 30 days of discovery of the breach.
Communications must be in plain language and must include:
- The name and contact information of the reporting person or business;
- A list of the types of personal information that were or are reasonably believed to have been the subject of a breach;
- A time frame of exposure, if known, including the date of the breach and the date of the discovery of the breach; and
- The toll-free telephone numbers and addresses of the major credit reporting agencies if the breach exposed personal information.
If the breach involves an individual’s username and password, the notice must inform the resident that they should promptly change their password and security question or answer and take other appropriate steps to protect their online account(s), including those not associated with the breached entity, that use the same email address, password, or security question or answer.
Importantly, if the breach involves a resident’s login credentials for an email account, the breached entity may not provide the breach notification to the resident via that email address. You would be wise to gather customers’ names, emails, phone numbers, and mailing addresses during the billing process to ensure all can be quickly notified about a breach. It can also ensure you are prepared to notify customers of a fraud threat.
Taking proactive steps to safeguard your small business from cyberattacks and fraud not only protects your customers but also strengthens your company’s resilience. By fostering a culture of vigilance and clear communication, you can empower your team and customers to recognize and respond to threats, reducing the risks posed by cybercriminals.