Small Business Fraud Prevention Checklist: Training Employees to Protect Your Bottom Line

Woman meeting to talk with advisor
October 10, 2023 |
Article | 7 min
| Business Insights

Small business owners can’t overlook their fraud prevention strategies. The extra cash you might save from cutting corners isn’t worth the money you could lose to scams and hackers. Ensure your employees are well-versed on all the latest techniques cybercriminals use to obtain corporate money and company data.

Employees are your most vulnerable access point when it comes to fraud. Malicious actors can easily infiltrate their emails and personal devices to swindle money out from under the company's nose. Even worse, they can do irreparable damage to your business' reputation. But you can quickly turn vulnerable employees into a robust line of defense with the right fraud prevention training.

Scammers stay one step ahead of the curve, exemplifying the need for constant training and reinforcement regarding the latest phishing, smishing, and deep fake schemes. Small business leaders must hold regular sessions exploring security threats (both physical and digital) to ensure the safety of their staff and capital—then enforce these lessons, implementing policies to guide employees on properly handling confidential company information such as personnel, client, and financial data.

Let’s dive into some actionable fraud prevention strategies small business leaders can employ today to stay one step ahead of cybercrime:

man on keyboard looking at fraud prevention

Use Work Devices Strictly for Work

The age of remote work has blurred the lines between work and personal activity. Be honest: How often are you sending personal emails, checking social media, or doing a little holiday shopping on your work computer?

CEO using devices for work skeptical business owner fraud prevention

You can assume your employees are doing the same—and while it may seem harmless, it’s leaving the door wide open for fraud.

Using work devices for work and only work is among the most straightforward fraud prevention strategies you can enforce. Once you begin using work devices for personal leisure (such as email and games), you create more opportunities for fraudsters to infiltrate the company. Then there are the remote employees who use their personal devices as work devices.

As a small business owner, you may not have the budget to buy every remote employee a work laptop. As such, you must remain vigilant regarding fraud prevention, especially amongst remote staff.

Employees must be extra careful about using work devices in public spaces. Surfing the web on public WiFi may be tempting, but it’s not worth the risks. Public WiFi is a feeding ground for scammers and hackers, as encryption-free servers make it easy to obtain personal information like passwords and usernames. If private WiFi is unavailable, ensure your employees have access to a virtual private network (VPN).

Verify All Payments and Transactions

Payment, vendor and supplier fraud affects more and more small businesses every year—and it’s not just the little guys, either. In 2019, Facebook and Google lost millions to an invoicing fraud perpetrated by one man and his small team of co-conspirators.

CEO verifying all payment and transactions for skeptical business owner fraud prevention

Consider the following scenario to understand how sneaky payment fraudsters can be:

Your small business receives email invoices from the same vendor several times monthly. Your accounting team usually sees a new email, recognizes the vendor, and issues payment.

Months later, you realize the invoice was fraudulent and sent from an email that looked incredibly similar to your vendor’s. Unfortunately, it’s too late to recover your money—it’s already in the scammer’s bank account. They convert it to cryptocurrency, resell it for clean cash, and make off without a trace.

Verifying all payments and transactions is crucial to the fraud prevention puzzle. The more familiar your team members are with suppliers, the easier it becomes to recognize fraudulent invoices and emails.

Ensure you’re leveraging robust business credit card solutions [link to Payment Solutions page] when making payments, and continuously monitor your suppliers past the initial vetting process.

dual control banking for CEO and employee

Small business owners can also leverage dual-control banking to prevent fraudulent transactions. Dual-control banking requires two people to authorize transitions, like wire transfers and ACH payments.

The first person—the initiator—makes the payment request. Then, the second person—the approver—checks and authorizes the transaction. If a fraudster slips past the initiator, the approver is there to catch them before it’s too late.

Keep Accounting and Bookkeeping in Separate Teams

Too many small businesses rely on one person to handle all their accounting and bookkeeping needs: Processing payments, making bank deposits, paying invoices and handling cash. This unrestricted access to company money leaves the fraud door wide open. Can you trust this person not to skim a little (or a lot) off the top?

accountant working separate from bookkeeper

Any CPA will advise you to divide accounting responsibilities so that no single person has complete control. If you don’t have enough staff to delegate these responsibilities evenly, consider rotating them every few months.

Having an extra set of eyes is essential to your fraud prevention strategy. If your accountant also handles your bookkeeping, they’ll be less likely to catch their own mistakes.

Unfortunately, they may also take advantage of your trust. For example, consider the case of one accountant who defrauded his employer for nearly $1.5 million after assuming complete control over the company finances.

That business owner would have been better off hiring a separate bookkeeper to manage his daily financials, and a year-end accountant to review the data. Aside from fraud, having two sets of eyes can help avoid mistakes resulting in costly penalties. Take the time to reinforce expense reporting education to ensure your books are as accurate as possible.

Consider a Secure Internal Password System

Admit it: You probably use the same password (or a variation of the same password) for almost everything. While this makes them easier to remember, you’re opening your entire company to fraud once that password falls into the wrong hands.

unsecure internal password used on laptop

Your first alternative might be keeping sticky notes of all your different passwords, but that only leads to its own set of problems. So if using the same password or sticky notes is out of the question, what can small business owners do to secure multiple business-related passwords?

The answer is password management software, a secure internal program that houses passwords and other vital information in one location. Password managers can also generate unique and complex passwords, depending on your needs.

These random passwords contain multi-case letters, numbers, symbols, and punctuation—making them nearly impossible to guess, even for the most advanced hacking software.

According to the US National Institute of Standards and Technology (NIST), the best practice is to create long passphrases that are easy to remember and tough to crack. They recommend passwords/phrases around 64 characters long! Thankfully, password management software can remember and autofill those passwords—so you don’t have to.

woman trying two-factor authentication

You can also leverage two/multi-factor authentication (2FA/MFA) to verify users attempting to log in, especially from a new device. You likely use MFA when logging into your mobile banking app or Amazon account.

What makes MFA unique is that it requires multiple assets outside of passwords. For example, you’ll get a text on your phone alerting you that someone is trying to log in.

If it’s you, you can approve the login request with a one-time code. If it’s a scammer who’s obtained your password, they won’t get very far, since they don’t have access to your phone.

Educate Employees About Business Email Compromise (BEC)

All organizations, but small firms in particular, are highly susceptible to business email compromise (BEC) scams. In BEC scams, cybercriminals impersonate employees and trusted vendors to commit wire fraud.

woman with laptop skeptical about business email compromise

Educating employees about BEC scams is essential for fraud prevention. Ensure they can recognize the following red flags whenever they receive a suspicious email:

  • False sense of urgency: Scammers want to get in and out with your money as quickly as possible. BEC scammers may pose as a company executive, attorney, or trusted vendor and send spoofed emails asking employees for money. They’ll say there was a problem with the last invoice, and they need to send the funds ASAP. They might also say they’re about to close a business deal but need up-front cash. This false sense of urgency usually comes with a request for secrecy.
  • Fake domain name: Scammers may email you from a domain name you think you recognize. However, upon closer inspection, you’ll notice something off, like a doubled character or a slight misspelling. For example, is someone you know and trust, but is a scammer. Would you catch the missing “i” on a busy Monday morning?

Train your employees to recognize the tell-tale examples of BEC scams. As Tracy Swaim, VP Fraud Risk Manager at HTLF, says, "Pay attention when you get an email from a vendor, or even an employee, saying they need to change payment account information. Contact the person directly at a trusted number to confirm the message. If something feels suspicious, it probably is."

Prevent CEO Fraud with Employee Training

CEO fraud, also known as whaling, is a (generally) sophisticated type of social engineering and BEC scam where fraudsters impersonate the CEO, owner or another high-ranking employee within the company.

CEO dealing with fraud

They’ll contact lower-level employees with urgent requests for money or information, and the employees will hand it over, thinking the request comes from higher up.

But CEO fraud isn’t reserved for large corporations. Small businesses can be just as susceptible, with scammers impersonating the owner or a high-ranking manager to scam other employees.

For example, a scammer posing as the owner may email an employee around the holidays. They’ll mention how they want to give everyone gift cards as a holiday bonus but don't have time to order them.

So, they ask the employee to order the gift cards and email them the serial numbers to disperse them amongst the staff digitally. The scammer reassures the employee that they’ll be reimbursed ASAP, but they never see that money again.

team getting educated about CEO fraud

While that seems a little fishy, and our victim would never fall for it outside of work, seeing an email from the boss’s account paints a false sense of trust. Gift cards aside, scammers might use CEO fraud to obtain crucial company information from HR or IT. For example, they might email someone asking for bank account numbers and passwords.

Train your employees to speak up and double check, even if the request looks like it’s coming from the boss. The higher-ups will appreciate their vigilance even if it’s a legitimate request.

Implement a Whistle Blowing System

As a small business owner, you want to hire people who genuinely care about your company's success. If they see something or someone within the company that’s impeding those goals, you’d want them to say something, wouldn’t you? Instilling a culture of internal reporting—also known as whistleblowing—will keep you on the path to success.

However, whistleblowing can be a tough sell among staff and executives. People are inclined to fear whistleblowing reports because most of them mean trouble. However, that fear only lets unreported abuse and corruption grow.

team setting up a whistleblower system

Regarding fraud prevention, an anonymous whistleblowing system allows employees to report suspicious activity without identifying or implicating themselves. Such systems help keep these situations within the company, allowing you to remedy them without making a public spectacle.

At the same time, your employees must trust that you’ll do something when they blow the whistle. If they don’t trust you or the authorities, they may take their case to the police or media.

Let’s say one of your trusted managers is stealing from the company, perhaps logging fake hours or writing fraudulent reimbursement receipts. Then, someone beneath them catches onto their scheme and reports them through your anonymous whistleblowing channel. You would have been oblivious to your manager’s dishonesty without that whistleblower. What are you going to do? Plan ahead so your company will always be prepared to take action in situations like these, even when it’s difficult.

Secure Your Business Finances Against Fraud Today

Small business owners can’t overlook their fraud prevention strategies. The extra cash you might save from cutting corners isn’t worth the money you could lose to scams and hackers. Ensure your employees are well-versed on all the latest scams and techniques cybercriminals use to obtain money and company data. Invest in cybersecurity software, password management tools and VPNs to keep your information within the company.

Implementing these best practices may come with certain fees, but Dubuque Bank & Trust, a division of HTLF Bank can assist you with navigating the latest fraud prevention trends.

Contact Dubuque Bank & Trust, a division of HTLF Bank today to speak with a commercial banker. Together, we can build a fraud prevention strategy to help protect your small business in mitigating your cybercrime risk.