Small Business Scams & Security Risks that apply to many individuals
So much information has been stolen by hackers that virtually everyone in the U.S. has been affected by a data breach in some way, even those who never go online.
FAKE DOT COMPLIANCE FILINGS
In September 2016, the FTC charged that James P. Lamb, Uliana Bogash, DOTAuthority.com Inc., DOTFilings.com Inc., Excelsior Enterprises International Inc. and JPL Enterprises International Inc. tricked small businesses into purchasing their registration services by falsely claiming to be affiliated with government agencies in violation of the FTC Act. They also allegedly failed to disclose the service fee associated with their services or to adequately distinguish it from the actual government registration fee.
In addition, the FTC alleged that the defendants failed to disclose adequately that they were enrolling consumers in an automatic billing service for future payments in violation of the Restore Online Shoppers Confidence Act.
The operators have agreed to settle Federal Trade Commission charges that they impersonated, or falsely claimed affiliation with, the U.S. Department of Transportation and other government agencies to get small trucking businesses to pay them for federal and state motor carrier registrations.
SELLING OR RENTING VEHICLES
Systems in newer cars do a great job keeping you and your employees connected while on the road. But those vehicles are likely storing more information than you realize, because the technology doesn't just allow the driver to use GPS and hands-free dialing; it can also transfer information from the phone to the vehicle's computer, information that could be accessible to the next person in the driver's seat.
This information includes contact lists and other data downloaded when you synced your phone, log-ins for apps, location data, and even garage entry codes for your office or home.
Just unplugging the phone does NOT delete the information. The driver needs to delete all the information from the vehicle and cancel or transfer subscription services like satellite radio.
Independently, each of these areas of exposure poses an enormous risk, but scammers, fraudsters and hackers often use a simple and organized combination of them to penetrate your devices and collect your business, personal and financial information.
EMPLOYEE USE OF PERSONAL DEVICES (to access business information)
Many people expect that iPhone or Android devices are secure by default, when in reality it is up to the user to make security configuration changes. With the right (inexpensive) equipment, hackers can gain access to a nearby mobile device in less than 30 seconds and either mirror the device and see everything on it, or install malware that will enable them to siphon data from it at their leisure.
When an employee uses their personal device (phone, tablet, laptop, etc.) to check business email messages, or to log in to the corporate network, your company's data security, and its 'connected' devices, are at great risk, especially if the employee ever:
uses (outside) public wi-fi (hackers target these to collect a large amount of information quickly)
fails to strictly secure their device with lock codes, timeout functions and passwords
doesn't properly update their device or apps
allows (personal) apps to access device information (including Facebook Messenger)
downloads personal photos, videos, files or (malicious) apps
leaves their device unattended (or allows others to use the device)
loses their device
trades in or sells their device without restoring the factory settings (deleting all information)
leaves the company (turnover or termination): although you may have changed your company's passwords, the information previously accessed or downloaded remains on that device until fully deleted
Pairing is fundamental to the use of Bluetooth, but vulnerabilities can be exploited to silently monitor and manipulate phones and laptops, even if you're not using your Bluetooth. Less than a year ago, experts warned of a virus spread over Bluetooth that took over almost 5.3 BILLION smartphones without any Bluetooth connection or clicking any links. This virus impacted Android, iOS, Windows, and Linux devices.
Last month, millions, if not hundreds of millions or billions, of devices were likely affected by another similar flaw exposing all information on your phone, laptop or tablet. If your Bluetooth was on and you were within 100 feet of an attacker, your phone, and ALL of its contents, were easily accessible.
Directly pairing your device (or your computer) with an infected device poses an even greater risk, because your device (and personal) information is more quickly and easily transferred to the attacker.
iPHONES AND POP-UP NOTIFICATION SCAM
Although Apple denied any breaches, and the vulnerability was patched with iOS 11, information from several iCloud accounts had been compromised in major hacking incidents that affected companies like Yahoo & Gmail, often targeting business owners (see above).
Once access to the account was obtained, scammers sent generic pop-up notifications to the device, built by following simple online tutorials, and the phone's owner ended up downloading malicious software.
The text within any such notification can be easily manipulated and modified using information from Apple's website.
And when the user clicks either option, malicious software is downloaded, allowing a hacker full access to the device.
CHARGING PORTS (Juice Jacking)
USB cords and adapters allow both data and power to be transferred between two connected devices. While they may look harmless, fraudsters can use these cables to collect your data, share your screen or even infect your device.
Public charging stations can also be programmed to install malware onto your device. As soon as you plug in, the scammer can either view all the data on your phone or install software that gives them direct access to it.
A few years ago, researchers also discovered a Trojan horse built into an iOS accessory: the charger. If a hacker wanted to, they could use a modified charger (which costs less than $45) to install malware onto any device running iOS.
SOCIAL ENGINEERING, PHISHING AND RANSOMWARE
Scammers use phishing emails, social media contacts, or phone calls that seem to come from a trusted source (see neighbor spoofing). Phishing scams usually come through unsolicited emails that appear legitimate at first glance, but that are actually designed to spread a virus to the victim's computer when a link is clicked or an attachment downloaded.
These viruses can collect personal information including passwords, social security numbers, bank and credit card information, and more. Some emails may look like routine password update requests or other automated messages but are actually attempts to steal your information. Scammers also can use malware to lock organizations’ files and hold them for ransom.
Because of the tremendous amount of personal information stored on most computers, phishing scams are a particularly significant threat to small businesses.
The release of iOS 11.3 finally fixed over 40 security flaws. Exploitation of these flaws could result in an attacker being able to run arbitrary code on the vulnerable device, in malicious applications elevating their privileges, user interface spoofing, data exfiltration, interception of encrypted email contents, denial of service, keylogging, the disabling of features on the device, or in causing device restarts.
Scammers are sending emails that falsely claim to be from phone-service providers, such as Verizon Wireless or Comcast. The Verizon email claims to be about an unpaid bill; in fact, if you click on a "see details" link, your computer or phone becomes infected with malware. The Comcast con asks you to update the credit card "used to pay this account."
One way to detect a scam email: hover your computer mouse over any link in the message, without clicking. This should cause the link to display its underlying address. If it's a third-party website, that's a sign of a con, so don't click on it.
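The hover check above can be automated for an HTML e-mail body: compare where each link really points against the company domain and against any domain named in the link's visible text. This is an added example, not code from the page; the message body and all domain names in it are constructed placeholders.

```python
# Added example: flags links in an HTML e-mail whose real target is not the
# expected domain, or whose visible text names a different domain than the
# href (the "see details" lure). Sample body and domains are constructed.
import re
from urllib.parse import urlparse

ANCHOR = re.compile(r'<a\b[^>]*\bhref\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                    re.IGNORECASE | re.DOTALL)
TAGS = re.compile(r"<[^>]+>")
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})",
                            re.IGNORECASE)

def registrable(hostname: str) -> str:
    """Crude registrable domain: the last two labels (enough for .com/.net/.org)."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def link_host(href: str) -> str:
    """Hostname the link actually resolves to (what the hover tooltip shows)."""
    parsed = urlparse(href if "://" in href else "http://" + href)
    return (parsed.hostname or "").lower()

def suspicious_links(html: str, expected_domain: str) -> list:
    """Return (visible text, href) pairs that fail either check."""
    findings = []
    for href, inner in ANCHOR.findall(html):
        text = TAGS.sub("", inner).strip()
        target = registrable(link_host(href))
        if target != registrable(expected_domain):   # off-domain target
            findings.append((text, href))
            continue
        shown = DOMAIN_IN_TEXT.search(text)           # text looks like a URL
        if shown and registrable(shown.group(1)) != target:
            findings.append((text, href))
    return findings

# Constructed sample: one lure link, one honest link, one raw-IP link that
# displays a legitimate-looking URL as its text.
SAMPLE = """<p>Your bill is overdue.</p>
<a href="http://billing-carrier-support.example/pay">See details</a>
<a href="https://www.example-carrier.com/account">https://www.example-carrier.com/account</a>
<a href="http://198.51.100.7/login">https://www.example-carrier.com/login</a>"""

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE, "example-carrier.com"):
        print(f"WARNING: '{text}' actually points to {href}")
```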
WIRE TRANSFER SCAMS
Criminals are targeting social media and email to steal information. The Federal Bureau of Investigation warned that such attacks are on the rise. According to the FBI’s data, victims in the U.S. and abroad totaled 2,126 between Oct. 2013 and Dec. 2014, resulting in a combined loss of $215 million.
There are dangers in wiring money, and criminals are becoming more sophisticated in exploiting lapses and vulnerabilities in companies’ wire transfer policies and procedures - or exploiting the fact that no policies, procedures or safeguards exist in the first place.
There are numerous versions of this type of scam, but most often, fraudsters target the CEOs and CFOs at various companies and hack their computers, phones or social media accounts using various methods. Although there are multiple variants, a common situation involves an attacker gaining access to the email system of a company, or the company's vendor, and monitoring email traffic about an upcoming transaction.
Version 1: Scammers collect enough information to learn the types of billing the company pays, who the payees are and their employees. A request is then made for a wire transfer from the compromised account to a second employee within the company responsible for processing such requests.
Version 2: Scammers collect enough information to learn their frequent contacts, typically close friends or significant others. They then spoof the business owner via email or by logging into a social media site posing as a close friend or significant other. Once the target is sufficiently baited, they ask if the business owner would be willing to accept an incoming wire to their personal bank account. Once the money hits the bank they manipulate the account.
Version 3: The fraudster will send requests to various vendors identified from the employee's contact list for invoice payments to fraudster-controlled bank accounts.
Business E-mail Compromise scams, according to the FBI:
Frequently target businesses and personnel using open source e-mail;
Often hone in on individuals responsible for handling wire transfers within a business;
Use spoofed e-mails that very closely mimic a legitimate e-mail request;
Use fraudulent e-mail requests for a wire transfer that are well-worded, specific to the business being victimized, and do not raise suspicions as to the legitimacy of the request.
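The traits in the FBI list above (a trusted name on a mailbox that is not the real one, a lookalike company domain, replies diverted to a free webmail address, and wire-transfer wording) can be checked from the message headers before a request ever reaches the person who processes payments. This is an added example, not code from the FBI or the page; the company domain, executive directory, addresses and message are constructed placeholders.

```python
# Added example: header and body checks for the BEC traits listed above.
# COMPANY_DOMAIN, EXECUTIVES and SAMPLE are constructed placeholders.
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                     # placeholder
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # placeholder directory
WIRE_WORDS = ("wire", "transfer", "urgent", "confidential", "payment")

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1-2 from the real domain is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw: str) -> list:
    """Return the list of BEC warning signs found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, flags = domain(from_addr), []
    known = EXECUTIVES.get(name.strip().lower())
    if known and from_addr.lower() != known:       # exec's name, wrong mailbox
        flags.append("display-name-spoof")
    if from_dom != COMPANY_DOMAIN and 0 < edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        flags.append("lookalike-domain")
    if reply_addr and domain(reply_addr) != from_dom:  # answers go elsewhere
        flags.append("reply-to-diverted")
    body = msg.get_payload(decode=True).decode("utf-8", "replace").lower()
    if sum(w in body for w in WIRE_WORDS) >= 2:     # wire-request language
        flags.append("wire-request-language")
    return flags

# Constructed sample: "examp1e" (digit one) imitates the real domain.
SAMPLE = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe@webmail.example
To: accounts.payable@example-corp.com
Subject: Urgent vendor payment

Please process a wire transfer of $48,500 today; keep this confidential.
"""

if __name__ == "__main__":
    print("Flags:", bec_flags(SAMPLE))
```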
Approximately 18.5 MILLION websites are infected with malware at any given time each week, while the average website is attacked 44 times every day (securityweek) and over 50,000 websites are hacked every day. This includes 1 in 5 law firms during 2017 (layersmutualinc).
If your website is hacked by malicious software then it’s possible that your internal systems and devices connected to it could be vulnerable to ransomware and other attacks. Just as concerning, infected sites can launch unwanted ads or download malicious software and viruses to unsuspecting visitors who click on links.
Cyber security research shows that smaller companies face a disproportionately higher risk when it comes to the financial losses associated with a security breach.
It’s not about the size of your website, your traffic, or even what you are promoting – it’s about abusing your website and server resources. Small businesses get hacked because they typically have fewer resources and are weaker in online security and therefore are a primary target for hackers.
DIRECTORY LISTING & ADVERTISING SCAMS (the phony phone book)
Scammers claiming to be from the Yellow Pages have been tricking small businesses into paying for bogus directory listings. It usually begins with a call, fax or letter asking the business owner to "confirm" its phone number and address for a "free" listing, or the caller says the call is simply to confirm your information for an existing order. Later, you'll receive an invoice for a listing in a nonexistent directory. In recent years, crooks have added bogus online directories to the mix.
CREDIT CARD PROCESSING AND EQUIPMENT LEASING SCAMS
Scammers know that small businesses are looking for ways to reduce costs. Some deceptively promise lower rates for processing credit card transactions, or better deals on equipment leasing. These scammers resort to fine print, half-truths, and flat-out lies to get a business owner’s signature on a contract.
Some unscrupulous sales agents ask business owners to sign documents that still have key terms left blank. Don’t do it. Others have been known to change terms after the fact. If a sales person refuses to give you copies of all documents right then and there — or tries to put you off with a promise to send them later — that could be a sign that you’re dealing with a scammer.
If you use a point of sale (POS) card swiping device, beware of calls supposedly from the POS supplier, your card processor or issuer saying their engineer needs to modify your equipment. What they might really be doing is hijacking the device by installing an additional piece of hardware that will steal card numbers.
As a small business owner, you understand the value of search engine optimization and how it can benefit your business. What you may not understand, however, is that there are con artists online trying to scam you with claims they can’t back up. Small business owners who fall victim to this type of scam normally receive spam emails or phone calls from con artists claiming to have the ability to “guarantee your listing on the first page of Google” or have some sort of “special relationship” with Google.
Sounds too good to be true, right? That's because it is. Although you might see your Google ranking skyrocket within the first few days, Google will quickly catch on and send your site far down past the first page.
UNORDERED OFFICE SUPPLIES AND PRODUCTS
Someone calls to confirm an existing order of office supplies or other merchandise, verify an address, or offer a free catalog or sample. If you say yes, then comes the surprise — unordered merchandise arrives at your doorstep, followed by high-pressure demands to pay for it. If you don’t pay, the scammer may even play back a tape of the earlier call as “proof” that the order was placed. Keep in mind that if you receive merchandise you didn’t order, you have a legal right to keep it for free.
TECH SUPPORT SCAMS
Tech support scams start with a call or an alarming pop-up message pretending to be from a well-known company, telling you there is a problem with your computer security. Their goal is to get your money, access to your computer, or both. They may ask you to pay them to fix a problem you don't really have or enroll your business in a nonexistent or useless computer maintenance program. They may even access sensitive data like passwords, customer records, or credit card information.
UTILITY COMPANY IMPOSTER SCAMS
Scammers pretend to call from a gas, electric, or water company saying your service is about to be interrupted. They want to scare you into believing a late bill must be paid immediately, often with a wire transfer or a reloadable card or gift card. Their timing is often carefully planned to create the greatest urgency — like just before the dinner rush in a restaurant.
Scammers create phony invoices that look like they’re for products or services your business uses — maybe office or cleaning supplies or domain name registrations. Scammers hope the person who pays your bills will assume the invoices are for things the company actually ordered. Scammers know that when the invoice is for something critical, like keeping your website up and running, you may pay first and ask questions later. Except it’s all fake, and if you pay, your money may be gone.
GOVERNMENT AGENCY IMPOSTER SCAMS
Scammers impersonate government agents, threatening to suspend business licenses, impose fines, or even take legal action if you don’t pay taxes, renew government licenses or registrations, or other fees. Some businesses have been scared into buying workplace compliance posters that are available for free from the U.S. Department of Labor. Others have been tricked into paying to receive nonexistent business grants from fake government programs. Businesses have received letters, often claiming to be from the U.S. Patent and Trademark Office, warning that they’ll lose their trademarks if they don’t pay a fee immediately or saying that they owe money for additional registration services.
BUSINESS PROMOTION AND COACHING SCAMS
Some scammers sell bogus business coaching and internet promotion services. Using fake testimonials, videos, seminar presentations, and telemarketing calls, the scammers falsely promise amazing results and exclusive market research for people who pay their fees. They also may lure you in with low initial costs, only to ask for thousands of dollars later. In reality, the scammers leave budding entrepreneurs without the help they sought and with thousands of dollars of debt.
CHANGING ONLINE REVIEWS
Some scammers claim they can replace negative reviews of your product or service, or boost your scores on ratings sites. However, posting fake reviews is illegal. FTC guidelines say endorsements — including reviews — must reflect the honest opinions and experiences of the endorser.
FAKE CHECK/OVERPAYMENT SCAMS
Fake check scams happen when a scammer overpays with a check and asks you to wire the extra money to a third party. Scammers always have a good story to explain the overpayment — they’re stuck out of the country, they need you to cover taxes or fees, you’ll need to buy supplies, or something else. By the time the bank discovers you’ve deposited a bad check, the scammer already has the money you sent them, and you’re stuck repaying the bank. This can happen even after the funds are made available in your account and the bank has told you the check has “cleared.”