Written by Solène Gabellec
on December 20, 2019

Fraud of all kinds continues to be a major source of loss for businesses large or small. According to data from the Federal Trade Commission (FTC), “People reported losing $1.4 billion (yes, with a ‘b’) to fraud [in 2018].” Internet fraud has become ever more prevalent with the rise of online shopping, smartphones, and pervasive internet connectivity.

While the FTC data cited refers to the general population, businesses aren’t immune to online transaction fraud. In fact, according to information cited by Merchants Insurance Group, “companies with less than 100 employees lose approximately $155,000 as a result of fraud each year.” With this in mind, how can business owners protect themselves and their companies against online transaction fraud?

Here’s a quick explanation of transaction fraud, as well as some simple cyber security measures that can be taken to prevent or limit it.

What is Online Transaction Fraud?

Online transaction fraud is a kind of catch-all category for fraud involving online transactions or online banking. It includes things like using skimmed card data, phishing attacks, vishing attacks, fake bank apps to capture banking info, and the like.

Business owners need to be cautious of the risk of falling for the different forms of online transaction fraud because of the obvious financial costs. Additionally, internet fraud should be avoided to help protect the business’ reputation.

6 Transaction Fraud Risks Small Business Owners Should Be Aware Of

  1. Card Skimmers. Card skimmers are devices used to capture credit card data as the card is being used. This often involves a card stripe reader, but can also include cameras or other devices that can capture the numbers and name on the card. While not online fraud in and of themselves, card skimmers are often the first step in committing transaction fraud because they put payment card data in the hands of fraudsters.
  2. Phishing Attacks. Phishing, or the practice of sending fraudulent messages in an attempt to make a target take a specific action that compromises their internet security (such as downloading malware, clicking on a suspicious link, or surrendering privileged information), is a common element of online transaction fraud. These attacks are commonly carried out via email or social media. In many cases, the phisher will pose as a legitimate vendor or member of the company asking for information or verification.
  3. Vishing Attacks. Vishing, or voice phishing, is similar to the standard form of phishing, but is carried out using telephone communications (or voicemail). Many vishing attempts involve the attacker posing as a reputable vendor to trick recipients into surrendering sensitive information.
  4. Fake Banking Apps. Some cybercriminals create fake apps for mobile devices that are modeled after apps from legitimate banking organizations. However, instead of taking users to their personal banking portal, these fake apps steal the victim’s personal banking information—such as their username and login. Using this information, fraudsters can siphon funds from the victim’s bank account or sell it to other cybercriminals.
  5. Pagejacking Redirects. Some fraudsters can reroute traffic requests so that, instead of winding up on their favorite ecommerce storefront, victims land on a fake website designed to steal data and/or install malware. Owners of eCommerce businesses need to be especially cautious of pagejacking on their own online storefronts so their customers do not fall victim to this type of online fraud.
  6. Merchant Identity Fraud. Some internet fraudsters will set up merchant accounts with vendors while posing as legitimate businesses. They will then use stolen credit card data to make illegitimate purchases—usually as many purchases as possible before the victims discover the fraud and reverse/challenge the transaction. Once discovered, the scammer will disappear with their ill-gotten goods—leaving the vendor/payment facilitator holding the bag for the loss and any applicable chargeback fees.

How Small Business Owners Can Avoid Online Transaction Fraud

Knowing what some of the biggest online fraud risks are, what can be done to avoid them—or at least mitigate their potential impacts? There are a great many things that small business owners can do to reduce internet fraud risks or to reduce the impact of fraud attempts. Here are a few simple things that can be done:

  • Install Basic Antivirus/Antimalware on Your Devices. Every business owner should take the baseline precaution of installing antivirus or antimalware apps on their corporate devices. While these cyber security tools won’t stop everything, they can help prevent basic malware attacks or provide alerts if a device is compromised—making it easier to know when an attack has occurred.
  • Use Strong Passwords and ID Verification Schemes. For many cases of online transaction fraud, the fraudulent transactions happened largely because the victim’s account protection was weak. Short, simple, easy-to-guess passwords used without additional identity verification factors make it easier for fraudsters to hijack bank and ecommerce accounts. Using longer passwords that combine case-sensitive letters and special characters (like *$&%^#@) makes them harder to guess. Additionally, two-factor authentication settings can help prevent hackers from being able to use stolen passwords to commit fraud.
  • Don’t Respond Directly to Suspect/Unsolicited Emails. Many online fraud attempts use phishing techniques. This can include supplying fake invoices as PDF or Word files that contain malware code, applying shock tactics (including rude language and insults) to enrage the reader so they won’t think too much about clicking on a suspect link or emailing back a panicked response, and/or posing as legitimate employees asking simple questions about some file or website. The best way to avoid risk is to never respond directly to an unsolicited or suspicious email—and to not click on any links in emails or download files. Instead of hitting “reply” in the email if it appears to come from a known source but asks for sensitive information, send a new email to the person using your contacts list information to verify the validity of the original message. Also, it’s good practice to never send privileged information via an email in the first place.
  • Exercise Caution When Adding New Software/Apps. Many, many hackers like to disguise their malware as legitimate applications on online storefronts. While most device-specific storefronts (like the iOS or Android phone app stores) do try to carefully screen their apps for malware, there is always a little risk. So, it’s important to carefully check to make sure that apps or software come from a trusted source before downloading them. Using basic internet protection tools such as file checkers that scan apps and files for malware before downloading and executing them can also help.
  • Keep Separate Devices for Work and Personal Use. Maintaining separate sets of devices for work and personal use helps to compartmentalize things and increase internet safety. For example, say that a business owner uses just one computer for processing work, personal online shopping, and recreation. One day, while shopping online, the owner gets hit by a pagejacking redirect, going from their favorite eCommerce site to a knockoff page that opens a download for a malware program. Now, the owner’s computer is compromised, and all of the sensitive personal and work-related data on it is at the mercy of an attacker. Then, the attacker uses the stolen information to log into sensitive company systems and commit fraud. Had they used a separate device for their online shopping and recreation, at least the work data and user logins could have been spared.

Following simple steps such as taking basic cyber security precautions and keeping work and personal devices separate can help to avoid online fraud (or at least limit the impact of it). Want to learn more about cyber security and how to protect your business online? Subscribe to the Knogin blog today.
