Phishing, Payments Fraud, QR Code Threats on the Rise: Is Your Business Cyber-Safe?
October is Cybersecurity Awareness Month, serving as a reminder for businesses to review, reset and enhance their fraud prevention systems. However, safeguarding data is a year-round necessity. The Federal Trade Commission reported that in 2023, consumers lost over $10 billion to fraud—a nearly 15% increase from 2022. For businesses, the FBI’s Internet Crime Complaint Center (IC3) put last year’s financial losses from cyber-related fraud at more than $12 billion.
In this Q&A, Kathryn Albright, Umpqua Bank’s Executive Vice President and Head of Global Payments and Deposits, shares insight about emerging cybersecurity threats and what companies can do to protect themselves and their customers.
Q. How serious of a threat are cyber-attacks on U.S. businesses?
Fraud and compromised systems remain significant issues for enterprises, especially as they use more digital applications to conduct day-to-day business. Our clients tell us that breaches are increasing and becoming more sophisticated. Umpqua’s proprietary data supports this as well. Our 2024 Business Barometer found that four in 10 small businesses experienced phishing threats in the last 12 months.
In a 2023 survey by the Association for Financial Professionals, 80% of organizations reported experiencing payments fraud, an uptick of 15-percentage points from 2022. These statistics indicate that fraud not only remains a significant issue but continues to increase year over year.
Q. What are the biggest fraud vulnerabilities for businesses?
We continue to see the abuse of wire payments and changes in ACH payment templates as the biggest risk, with email systems being compromised through phishing and business email compromise attacks. Fraudsters are exploiting wire transfer systems to steal money by tricking businesses into sending funds to fraudulent accounts. Additionally, they are altering account and routing transit numbers on ACH payment templates to redirect payments to their own accounts. Altered and washed check payments are becoming increasingly common.
In fact, in the 2024 annual Association for Financial Professionals survey, 65% of the business industry reported being impacted by a recent check fraud loss. Additionally, fraud due to interference with the U.S. Postal Service is also up, with 20% of the industry respondents reporting check payments being intercepted in mail transit. Fraudsters intercept these payments in the mail, alter the check details, and then cash them for their own benefit. There are also more incidents of imposters posing as a company’s CFO and using stolen credentials over the phone to steal sensitive information. These are among the biggest vulnerabilities for businesses right now.
Q. What are examples of other threats that are more often being reported?
The Better Business Bureau has alerted businesses to the rise of fraudulent QR codes being used for illegal schemes. While we often use QR codes at conferences or restaurants without much thought, it’s important to be cautious. Deceptive QR codes can direct users to phishing websites or fraudulent payment portals. To protect your business, ensure that QR codes are from trusted sources and consider using secure QR code management tools that can verify the destination before scanning.
Q. Are you seeing businesses investing more to combat cyber threats?
It is a mixed picture. We are seeing midsize businesses, which tend to have more resources, investing in systems to combat such risks. According to the 2024 Umpqua Bank Barometer survey, 81% of midsize businesses expect to invest in financial tools to protect their payments systems over the next 12 months. On the other hand, only 40% of small businesses indicated they would make such investments. As a result, we are proactively working closely with our small business clients to help them combat current and emerging threats.
Q. What are cost-effective ways businesses can protect themselves from cyber fraud?
There are five practices that should be prioritized by businesses:
- Always validate transaction authenticity: Take the time to pick up the phone and speak directly with the originator to confirm the details.
- Implement dual authorization: If you haven’t already, set up dual authorization for ACH payment template modifications, as well as wire and ACH originations, on all digital banking portals.
- Proactively identify vulnerabilities: Regularly review all your bank accounts for potential vulnerabilities. Set up payee positive pay and ACH positive pay on all disbursement accounts. Positive pay helps prevent fraud by allowing businesses send their banks an authorized check issue file. The bank then compares the issue file with the amount, date, check serial number and payee name for any checks attempting to post on the business’s account. The business is presented with any exceptions identified to allow the business to either pay or return the items in question. ACH positive pay enables businesses to control which approved vendors can be paid electronically, among other features.
- Educate your workforce: Training is crucial. Ensure your employees know how to detect and respond to fraud incidents. This can save you significant time and headaches.
- Prompt notification: The sooner businesses can notify relevant parties about a potential fraud incident, the better. Businesses should ensure their employees escalate any suspected fraud internally and with their bank immediately to increase the chances for loss recovery substantially.
Q. What are your final thoughts about fraud prevention and investment?
Enhancing fraud prevention solutions is paramount for businesses of all sizes. Bad actors are becoming more sophisticated, especially as the marketplace embraces the efficiency and convenience of real-time and final, irrevocable transactions. Investing in advanced security measures not only protects assets — it helps secure our digital economy. It also builds trust with customers, positioning businesses as responsible and dependable partners.