Fraud presents a serious threat to all business owners, whether you’re a new or seasoned entrepreneur. It can break trust with your customers, damage your brand, hurt your credit, and diminish your bottom line. But who do you need to watch out for?
While cybercriminals and hackers commonly come to mind, it’s not always somebody outside the business who is working to deceive you. When looking at the main perpetrators of the most disruptive business fraud events, 43% were external, 31% were internal, and 26% were a mix of both, according to PwC’s Global Economic Crime and Fraud Survey 2022.
So here’s a look at how to protect your business from fraud, both internally and externally, in 10 steps.
Fast facts about business fraud
- Organizations estimate that they lose 5% of revenue to occupational fraud each year. (Association of Certified Fraud Examiners)
- A typical fraud case causes a loss of $8,300 per month and lasts for 12 months before being detected. (Association of Certified Fraud Examiners)
- The most common external perpetrators of fraud are hackers, customers, organized crime rings, vendors/suppliers, agents, and competitors. (PwC)
- The most common internal perpetrators of fraud are employees from the operations, accounting, upper management, or sales departments. (Association of Certified Fraud Examiners)
- Common types of fraud that impact small businesses include billing schemes, malware, phishing emails, payroll fraud schemes, financial statement fraud, asset misappropriation, intellectual property (IP) theft, identity theft scams, cybercrime, and workers’ compensation fraud. (i-Sight)
- In 2020, global gross credit card fraud losses totaled $28.58 billion. (The Nilson Report)
- The U.S. accounted for 35.83% of global card fraud even though it accounted for only 22.40% of total card volume. (The Nilson Report)
How to protect your business from fraud in 10 steps
What steps can you take to help protect your small business from fraud? These 10 will help you cover your bases.
Preventing fraud starts with being aware of how fraud schemes work, so it’s important to educate yourself and your employees. Consider implementing a training program on topics such as:
- Identifying phishing emails
- Protecting sensitive information
- Avoiding suspicious downloads
- Recognizing internal fraud tactics
Doing so can pay off, according to the ACFE, which reported that fraud training increased the likelihood that employees would detect and report fraud by 8% and 16%, respectively.
2. Implement an anti-fraud policy
By implementing an anti-fraud policy and code of conduct, you can raise awareness around fraud and require that employees agree not to commit specific schemes. This removes the excuse of ignorance and can help to deter employees who might otherwise consider committing an act of fraud.
For example, your policy may include specific details on how company credit cards can be used and require that purchases be authorized by more than one person. Having those checks can prevent situations like the one that happened with an employee at Georgia Tech who used the school’s purchase cards to buy over 3,800 personal items. She fraudulently charged over $300,000 on items including video games, a popcorn machine, and a wave runner!
ACFE reports that 89% of small businesses with 100 or more employees have a code of conduct, while just 53% of businesses with fewer than 100 employees have one.
3. Outsource a formal fraud risk assessment
It can be hard to know where your business is vulnerable and how to best protect it. That’s where a formal fraud risk assessment can come in handy. You can hire a third party to audit your business and identify potential risks, both internal and external.
They can look for signs of fraud from your board (if you have one), management, and employees. Internal fraud can include things like bogus sales, commission schemes, inappropriate bonuses, personal purchases, improper labor practices, the improper capitalization of expenses, fraudulent reporting, expense manipulation, price-fixing, money laundering, insider trading, stock option manipulation, and more. Then, there are the fraud schemes that can come from suppliers, customers, and other malicious attackers. As a business owner, it can be hard to spot complex fraud schemes as there are so many different types and many creative ways to conceal them. It’s often best to call in the experts who know how to spot red flags.
4. Keep clean machines
Your best protection against malware, viruses, and other cybersecurity threats is installing antivirus software, keeping it up to date, and running automatic scans on a regular basis.
Additionally, your operating system should always be kept up to date. Hackers study software programs and devise ways to hack them, so you always want to install new updates as soon as they’re available.
5. Protect your credit cards and bank accounts
Another point of vulnerability for any small business owner is payment processing. Fraudsters may target your bank account or card processing system, trying to break in, collect sensitive personal information, and/or steal money. For that reason, it’s essential that you work with banks and card processors that have the latest, most trusted anti-fraud systems in place.
You also should isolate your payment systems from other programs, and you never want to log into your online banking or card processing account from an unsecured device. Remember, your customers trust that you are taking every precaution to protect their information. If that trust is broken, your business can take a big hit.
Lastly, consider the risk of employees or business partners spending more than you’d like them to spend on business credit cards or debit cards. While it may not be deemed fraud by your card provider, it could cost you more money than you had planned. To avoid this situation, consider adding spending limits or restricting spending to certain expense categories.
6. Secure your IT infrastructure
It’s critical that you safeguard your internet connection using encryption and a firewall. Further, any Wi-Fi networks should be secured and hidden so the network name is not broadcast.
If you have employees who are working from home, it’s important that their home systems are also protected by a firewall. As for mobile devices, you can require employees to turn on password protection, encrypt their data, and install security apps that protect sensitive data when they are using public Wi-Fi networks.
7. Back up your data
You don’t want all of your company’s data stored solely on your primary computers. If you fall victim to a hacker, you could lose it all or have it held for ransom. By automatically backing up your data on a regular basis — offsite or in the cloud — you won’t be at risk of losing it, even if it does become compromised. PC Mag recently ranked some of the best business cloud backup services such as Acronis, Arcserve, iDrive, and BackBlaze.
8. Limit access
It’s also a wise idea to limit access to your data. Unauthorized individuals should not be able to access your business’s computer systems. If they can physically access a computer, such as a laptop, it should be password protected. Beyond that, employees should only have access to the data systems that are necessary and relevant for their work duties. Administrative privileges should be restricted to trusted IT staff when required.
9. Create a password policy
When you or your employees have weak passwords, hackers can use a brute force attack to guess them. A password is weak if it’s too short, a system default, common, or something that’s used across many other accounts. You also want to avoid words in the dictionary, names, and birthdays.
According to the SBA, a strong password has at least 10 characters and a mix of uppercase letters, lowercase letters, numbers, and special characters. You can help to ensure all employees are using strong passwords by implementing a password policy. Additionally, you can further protect your systems from scammers by requiring multi-factor authentication. To make it easier to remember complex passwords, you can consider getting a password manager such as 1Pass.
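The password rules above, written as a checker a small business could run when an account is created. This is an added example, not code from the SBA or the article; the word lists and the personal details ("dana", "1987") are constructed samples, and `check_password` is a hypothetical name.

```python
import re

MIN_LENGTH = 10  # minimum length from the SBA guidance quoted above

# Constructed sample lists; a real deployment would load far larger ones.
COMMON_OR_DEFAULT = {"password", "admin", "changeme", "welcome", "qwerty", "letmein"}
DICTIONARY_WORDS = {"sunshine", "dragon", "football", "monkey", "summer"}

# Reverse the usual character substitutions before matching words.
LEET = str.maketrans("013457@$!", "oieastasi")

CHARACTER_CLASSES = {
    "uppercase letter": r"[A-Z]",
    "lowercase letter": r"[a-z]",
    "number": r"[0-9]",
    "special character": r"[^A-Za-z0-9]",
}


def check_password(password, personal_terms=()):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 10 characters")
    for name, pattern in CHARACTER_CLASSES.items():
        if not re.search(pattern, password):
            problems.append(f"missing {name}")

    # Match against the password as typed and with substitutions undone.
    # Substring matching is deliberately strict and can over-flag.
    lowered = password.lower()
    variants = (lowered, lowered.translate(LEET))

    def contains(words):
        return any(w.lower() in v for w in words for v in variants)

    if contains(COMMON_OR_DEFAULT):
        problems.append("contains a common or default password")
    if contains(DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if contains(personal_terms):
        problems.append("contains a name or birthday")
    return problems


if __name__ == "__main__":
    # Constructed candidates; "dana" and "1987" stand in for an employee's details.
    for candidate in ("P@ssw0rd2024!", "Dana1987#Xyz", "vT9#qLm2$xRw"):
        print(candidate, "->", check_password(candidate, ("dana", "1987")) or "OK")
```

The first two candidates meet the length and character-mix rules and are still rejected, which is why the policy needs the word and personal-detail checks as well as the composition rule.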
10. Start a fraud hotline
Lastly, a fraud hotline is a phone number where people can report fraudulent activity anonymously. It turns out that organizations with these hotlines detect fraud sooner and cut their losses in half, on average. The median duration of a fraud scheme was 12 months for companies with a fraud hotline vs. 18 months for those without one, according to the ACFE. Further, the median loss amount for companies with fraud hotlines was $100,000 versus $200,000 for those without them.
Protect your small business against fraud
Building a small business is no easy feat. An estimated 20% of small businesses fail in the first year and 50% fail by year five, according to the SBA. The threats fraud presents only make it more challenging. However, you can prevent attacks and losses by being proactive with these 10 steps. If you need more information, you can reach out to a small business fraud prevention company for additional guidance and support.