When it comes to the security of your business, we know how much is at stake: your brand’s credibility, your hard-earned money, and the countless hours it would take to mitigate a security breach. Unfortunately, not everyone acts in your business’s best interests. From scams to malware, you have a lot to protect your business from.
Threats to cybersecurity are ever-changing and require small business owners to stay one step ahead of the game. Recently, Square Security and Knowledge Platform Lead Sam Quigley joined the Small Business Administration’s #SBAchat on cybersecurity. Here are his tips on how to protect your business from hackers, malware, and more.
SBA: What’s the most common cybersecurity mistake that small businesses make?
Sam: The most common attacks that we see hit our customers at Square are various kinds of scams. There are lots of scary stories in the news about hackers and malware, but everyday fraud has a bigger impact, especially online.
For example, a scammer hires a wedding photographer but asks them to charge an extra $5,000 on the credit card and wire it to the “caterer.” The photographer is excited to work a big wedding, but when it turns out that the credit card was stolen, the gig is canceled and they’re out $5,000.
The best thing for small businesses to do is to know your customer. You should be on the lookout for things that seem too good to be true, or for stories that don’t add up. If someone asks you to send funds to a third party, that’s definitely a warning sign, but making unusually large or urgent orders might be, too. You know your customers best.
What are some warning signs of cyber attacks?
There are a bunch of things you can look for. Unusual orders are one, but you can also look out for discrepancies like the shipping address not matching the billing address, or customers who ask you to split the charge across multiple cards. You can learn more from our comprehensive list of potential signs of fraudulent buyers.
Payment providers, like Square, can also help keep you safe. Square uses sophisticated machine-learning systems, trained across millions of small businesses, to look for unusual and fraudulent transactions.
What are the first steps to take if your small business has been compromised?
If you’re worried that you’ve fallen for a scam, the first thing to do is to cancel the order and refund the transaction. Once you ship the goods, it will be a lot harder to get them back. If you don’t catch it in time, contact your payment provider. They may be able to help.
Are there any free or inexpensive cybersecurity best practices?
Small businesses should always make sure they have a signed contract with their customers. Contracts give legal protections against scams and can also set expectations to avoid disputes. Square has a set of free contract templates for small businesses available to help you get started.
If you’re accepting cards in person, make sure to insert or tap the card into a chip and contactless reader rather than swiping it. EMV chip cards are more secure than magstripe and have additional protections to ensure the merchant gets paid.
I would also recommend asking your customers for ID if you think something is unusual. Don’t forget to check that the ID matches the name on the card and contract.
What should small business owners tell their employees about cybersecurity?
Business owners should make sure their employees know what to look for, and who to contact if something is suspicious. Oftentimes, employees will think something is wrong but process the transaction because they don’t want to lose a sale. Just having a conversation about fraud and scams can ensure everyone is on the same page.
What are some unexpected or emerging cyber vulnerabilities to watch?
One of the emerging scams we’ve seen is called the “business email compromise.” A fraudster sends an email to an employee, pretending to be the CEO or owner and asking the employee to transfer money to a new account. Of course, the account is owned by the fraudster. It’s surprising how often this works, even in big companies.