A cyber attack at a small business rarely makes headlines. This can lull your clients into a false sense of security. They might think only big firms are targeted.
The truth is that small business cyber attacks are a major problem. Why? Because small businesses have two things:
- Bank accounts with thousands of dollars
- A false sense of security
Even if your clients realize a data breach is possible, they might not realize that their bank will not reimburse them for stolen funds (more about that below).
3 small business cyber attacks
Three small business data breaches were described in a recent article by John Ydstie at NPR. In each case, the small company lost thousands. The banks willingly repaid $0.
Share these examples with your clients if they still do not believe that the threat of a data breach is real.
Wright Hotels attacked via email
This real estate investment and development firm lost over $1 million after cyber thieves drained its bank funds. It all began with a hacked email account.
Once attackers had access to the owner’s email, they could see a long history of correspondence with his bookkeeper.
They had everything they needed to commit wire fraud. They impersonated the owner and convinced the bookkeeper to wire money from the firm’s accounts to their own in China.
The attackers also accessed the owner’s Outlook calendar. This helped them schedule transactions while he was busy in meetings, so they had plenty of time to grab the money, delete all communications, and run.
PATCO Construction attacked via Trojan
This Maine-based construction firm lost about $588,000 to a cyber attack. Thieves added a Trojan to one of the company’s systems. This allowed them to capture online banking credentials and make a series of ACH transfers from the company’s accounts.
The money was gone in just seven days. PATCO’s bank was able to reclaim some of it, cutting the firm’s net loss to $345,445.
However, PATCO also had to pay interest on hundreds of thousands of dollars in overdraft loans from the bank, according to reporting from Brian Krebs.
PATCO eventually sued the bank for failing to provide a “commercially reasonable” security process for the ACH transfers. The firm lost, but later won on appeal. Some have called the case a victory for victims of small business cyber attacks.
Volunteer Voyages attacked via stolen debit card
This single-owner small business lost over $14,000 due to a stolen debit card. The company leads humanitarian volunteer trips abroad, and after returning from a trip to Peru, the owner was surprised to find his account overdrawn.
Someone had stolen the company’s card number and emptied the account. Although the owner had notified his bank of the trip abroad, the bank refused to reimburse him.
This case underlines the point: small businesses will not be reimbursed if their accounts are compromised in a cyber attack. Even though Volunteer Voyages is owned by a single person, the bank claimed it was not responsible for repaying the owner.
Banks don’t repay small businesses after cyber attacks
If a thief breaks into your personal bank account and drains your funds, then the bank is likely to reimburse you for the loss – but not if you’re a small business.
Consumer accounts and business accounts are treated differently by banks. Banks do not have to repay funds stolen from a business account if “commercially reasonable safeguards” are in place.
What is “commercially reasonable”? That’s an open question. If a small business cyber attack results in a lawsuit, the question will be answered in court.
According to the law firm Manning Fulton & Skinner, whether a bank’s security is “commercially reasonable” will depend on several factors:
- The customer’s wishes with regard to security
- The customer’s transaction activity
- Security procedures generally used in similar situations
Banks can also cover themselves if a business customer refuses a commercially reasonable security procedure and agrees in writing to accept an alternative.
Small businesses have big risks
Small and large businesses are targeted for cyber attacks, but smaller firms are less capable of surviving one.
Small businesses are more likely to have a small number of bank accounts (all their eggs in one basket). An attack that drains thousands of dollars will eliminate a greater percentage of a small business’ net worth. And small businesses have far fewer resources to block cyber attacks and recover.
Since banks do not return funds that are stolen from business accounts, the risk to small businesses is huge.