Small businesses at greater risk of fraud

Small businesses are feared to be particularly susceptible to cybercrime acts such as payment fraud or business email compromise (BEC) attacks, according to a new survey of CFOs, accounts payable managers, and other finance professionals conducted by payment protection provider Eftsure.

The research found that this is the greatest concern for CFOs, at 98 per cent. Additionally, 60 per cent stated that they’re concerned about fraud going undetected in their business, while 10 per cent said they’re aware of one or more fraud events occurring in their organisation within the past three years.

Despite these concerns, a significant portion of businesses are forgoing control processes that mitigate scam risks, especially small (2-19 employees) and medium-sized (20-199) businesses, with 17 per cent of small businesses not using any anti-fraud controls at all.

When asked about security controls, 58 per cent of small businesses admitted that they’re not using segregation of duties policies, while 42 per cent of medium businesses said the same. Only 37 per cent of small businesses and half of medium-sized businesses are using verbal verifications during payment processes. Larger organisations (more than 200 employees) tend to use a broader variety of controls, and approval authority processes were the most popular control among organisations of all sizes.

The report noted, however, that many approval processes can be circumvented by BEC attacks, which have already cost Australian businesses $224 million in 2022, according to the Australian Competition and Consumer Commission (ACCC). The Australian Institute of Criminology (AIC) has estimated that small- to medium-business owners and officers are more than twice as likely to be victims of cyber scams as employees at larger organisations.

Eftsure’s research also found that smaller organisations are less likely to work with technology professionals to perform staff security training or develop anti-cybercrime strategies. They’re also less likely to say they’re planning to upgrade or invest in anti-fraud controls.

“There certainly are some immediate steps that small business leaders can take to improve their cybercrime defences right now, including strengthening their anti-fraud controls,” Mark Chazan, Chief Executive Officer at Eftsure, said. “However, smaller organisations are working with fewer resources and smaller headcounts. It’s not realistic to expect the exact same security posture as large international corporations.

“It’s one of several reasons why all organisations should be looking toward collaborative cybersecurity approaches and strategies,” Chazan added. “There’s no limit to malicious actors worldwide, and they don’t need a high success rate to benefit. However, collaborative approaches improve our collective defences and make Australia’s entire business community safer.”

According to Chazan, ‘collaborative cybersecurity’ includes diffusing responsibilities across many different functions within a single organisation, as well as greater information-sharing and community-building between multiple organisations and sectors.

Chazan has urged SME leaders to reassess their people, processes and technology. This means keeping staff informed about scam tactics, updating control procedures and automating certain processes for stronger security.

“Finance leaders can take a page from cybersecurity specialists’ playbook and proactively test your security controls,” he said. “For example, send your AP team a duplicate invoice or have a senior executive ask for an urgent payment via email. This can clarify how closely teams are following anti-fraud procedures and whether there are any gaps that might expose your business to scams.”