No one likes to get ripped off. Some small business owners, though, are under the impression that their size makes them less of a target than large corporations. The numbers, however, tell a different story. According to a recent Guardian Analytics study, most small and medium-sized have not implemented effective fraud prevention practices for their online financial and merchant processing accounts. Guardian Analytics says 74 percent of businesses suffered losses due to fraudulent ACH, wire and other transactions. What's worse is they were only able to recover lost funds about 39 percent of the time.
"When you're a small organization, you're basically a handshake away from the customer," says Larry Ponemon, chairman and founder of the Ponemon Institute, a co-sponsor of the study. "Sometimes that's not good enough in today's world because the bad guys are focusing on the weakest link—and the weakest link is usually a small organization."
Enhance your security
Fraudsters seem to have an unlimited capacity for finding new ways to circumvent the system and steal. Ponemon reports that one type of payment fraud that a small business might be vulnerable to involves business logic abuse. Essentially, this is when a website is poorly designed, leaving flaws or openings for the criminal to exploit and cause harm.
For example, a criminal can buy a list of credit cards with personal information on the black market, go to your business website, and punch them in to see which numbers are active and which are closed. As the business owner, it's likely that you wouldn't know if this is a potentially criminal act, because some legitimate customers could have more than one credit card in their name.
Beefing up the security of your website is a necessary first step. At the very least, Ponemon says, make sure that any personal information entered on your site from the customer is encrypted using SSL, a security protocol for Internet communications. Another option is to use a third-party payment processor, such as CyberSource.
"You want to be careful and understand the reputation of the online payment companies," Ponemon says, noting that PayPal is the most commonly used, but that others, such as Google Wallet are emerging. Joining an association like the Merchant Risk Council—an advocate for e-commerce merchants—can add to your knowledge and awareness.
Small businesses need to be as resourceful and dogged in protecting their interests as criminals are in trying to undermine them. That should include employing both external and internal controls to slash risk.
Jack Craven of John F. Craven, CPA, a New York-based accounting firm, recommends the following steps that every small business should seriously consider adopting:
1. Limit the number of people authorized to sign checks.
2. Have the small business owner personally open the check statements from the bank to keep tabs on what is being paid.
3. Consider using an independent or outside CPA to reconcile any statements from the bank.
4. "In general, I think it's a good thing to have a budget in place at the beginning of the year and track [transactions] by month," Craven says. "If there's stuff going through that's inappropriate, it might stick out in the budget process."
5. Have a clear process in place to check out and approve the introduction of new vendors into the accounting system.
6. "There's something called positive pay, where you send a list of checks that were drawn by the company to the bank and they match them off against what the bank pays," Craven explains. "This is really a control against somebody who prints up a check that looks like an official company check. If it wasn't on the list, the bank wouldn't pay it."
7. Material for official signatures—both signature plates and stamps—should be kept locked up with only a limited number of people who can access them.
"Another important thing is separation of duties, where the person who writes the checks shouldn't be the person who's reconciling the bank account or preparing the checks or mailing out the checks," Craven says. "It's a good control to have different people involved in the process."
Take nothing for granted
It goes without saying that being the victim of a fraud is emotionally unsettling and financially perilous. While there are official law enforcement channels at your disposal, the reality is that the burden of going after stolen funds often rests heavily on the small business itself.
That was the case for Lifestyle Trimco Viaggio, a leading manufacturer of mannequins in the United States. The privately held, New York-based firm with 200 employees ran into trouble in May 2012 when the controller wasn't able to access their bank online to send out a wire transfer. The initial diagnosis was a computer virus, which was cleaned up the next day—or so it was thought.
"The controller printed out the activity of the prior day, which is normally done early morning. We found that $1.2 million had been siphoned out to different banking locations, both domestic and offshore," recalls Lloyd Keilson, Lifestyle's CEO.
Keilson's financial institution confirmed this. Retrieval notices were sent out immediately, and the domestic transfers were stopped. However, the transfers that went through a bank in China proved more troublesome. According to Keilson, it was only through his own contacts in China—not through the FBI or the government—that he was able to get a lead on his missing funds. The cyberthief's identity was never publicly established, though.
Eventually, he retrieved all but around $150,000 of the $1.2 million. "Ultimately, the FBI decided that the $1.2 million didn't merit their attention because it wasn't a sufficient sum," he says. "The retrieval came through the efforts we put out."
The company has since changed their security procedures, of which they understandably choose not to discuss specifics. "When you take the human element out of a transaction and you leave it to mechanisms, those mechanisms can be duplicated by people who are much smarter and much more clever than we are," Keilson warns. "There's nothing a small business owner can take for granted."