Part of our series on Security for Medium Businesses.
“Bah,” you say. “None of this newfangled fraud applies to me because I do not use the internet to operate my business. How can I fall for a scam if I never read my email? I have it covered. Thanks, but no thanks.”
This is a reasonable strategy: if you only talk to customers, receive payment, pay bills, and go to the bank in person or through the mail, you avoid many modern fraud threats. You lose out on other benefits such as a bigger customer base, more efficient operations, and improved resiliency, but you do have much lower fraud risk.
There is a unique source of fraud that affects you more: scammers registering for the online access to your accounts and using them to defraud you.
Almost every major business allows you to work with them over the internet. You can do all your banking over an online portal or app, submit documents to your accountant, and buy almost any commodity product.
Most people use that online access. For example, 73 percent of people in a Deloitte survey use online banking at least once a month. Home Depot’s online order system is so good that even in-store employees turn to it to find products and inventory in their stores.
Companies also prefer you to engage online. It is cheaper for them, and once people get used to it, they often find simple tasks easier.
As a result, almost no company will ever think twice if your online account is registered. Further, because they want you to use it, they make registering as easy as possible—usually, all you need is the account information that comes on their statements or invoices.
Account information is often available for purchase online, even for paper-only businesses. Companies lose data to thieves frequently, and this information is sold and resold through online marketplaces. The data stolen is broader than you would expect, and in more places than you would expect. Large companies send customer information to many partners, not all of which may apply the same rigor in protecting it. You cannot depend on companies to keep your account details safe; they do not think of this information as sensitive.
Many important account numbers are also fairly public. Your bank account number is written on every check. You provide your credit card number to any customer service rep who asks for it over the phone. While your bank and credit card company have other tricks to prevent fraud from being charged to those accounts, they rarely consider how that information can be used to falsely register an online account with them.
If a scammer acquires your account information and registers, they are able to perform actions on your behalf with that company. For some kinds of accounts, this has little value. Consider airlines: if they get your frequent flyer number, they could steal all your accrued points or miles. This would hardly damage your business. On the other hand, if they register an online account with your bank, they could run off with your current balance.
Create online accounts for yourself even if you never use them. It is much harder to take over an account than to create one, and that protects you. In the security industry, this strategy is called planting your flag. It is frequently recommended for consumers, and works for businesses just as well.
Make sure to protect it correctly: use the longest, randomly generated password they let you and save it in your password manager. If they let you, turn on all the login alerts you can and set up a second factor of authentication.
Do that for all the important accounts, and make sure you do the same for new important accounts. Problem solved.
Creating online accounts protects your business from fraud with those organizations. It takes almost no time to set up, no time to maintain, and works well. If you need help, give us a shout.