Common cyber scams targeting small businesses

Defending against AI-driven fraud requires constant vigilance

Nick Stafford, chief security officer at ICCU, oversees cybersecurity, information security, and physical security for the full-service, federally insured financial institution.

November 6, 2025
Nick Stafford

Cybersecurity requires vigilance as scams become more complex with the use of artificial intelligence. While there is no single foolproof method to thwart fraudsters, getting educated about the most common scams threatening your business and learning how, even as a small team, you can protect your finances from these attacks is a step in the right direction.  

The technology at our disposal, and that of our adversaries, has changed drastically over time, making many cybersecurity threats harder to spot. Although AI enhances deception capabilities, fundamental security practices such as authentication and verification remain the most effective defense. 

When thinking about cybersecurity, it doesn’t hurt to give your suspicion extra weight, particularly when it comes to sensitive financial information. If you get a message, call, email, or alert that seems even slightly off, listen to that feeling. Your gut often knows something’s wrong before your mind does.

Common scams for small businesses to be aware of and prepared for include: 

  • Business email compromise: Business email compromise scams occur when a hacker logs into an individual's work email and uses it to appear as the hacked person. Hackers use this cloaked identity to gain sensitive financial information from colleagues or other businesses with close working relationships. These scams tend to be the hardest to detect because they appear to come from a trusted source, bypassing red flags employees learn from typical cybersecurity trainings. 

By educating employees about business email compromise scams and putting secondary authentication methods in place — such as requiring confirmation through a known phone number — employees are better prepared to detect these scams and are an active part of helping mitigate risk.

  • Deepfake scams: Scammers use AI to create fake videos, images, or audio of people that are realistic enough to deceive victims. The scammers impersonate trusted contacts and convince employees to send money or sensitive company information. 

Establish ground rules for any instructions that deviate from the usual practices or channels. For example, require verbal authentication for any change in wire or deposit instructions through a known channel, such as a verified vendor phone number on file. Also, consider establishing a code word only known by your leadership team that can be used to verify one another’s identity. Remember, credible financial institutions will never initiate a request for your personal or company's financial information. 

  • Invoice or payment diversion, executive gift cards, and fake information technology support scams: These scams come in many forms and are designed to manipulate employees into taking actions that compromise the company's finances or data. They are carefully crafted to appear legitimate to the targeted employee and often play off emotion. They exploit trust and human error and demand urgency.  

These scams are best countered by establishing clear rules within your cybersecurity plan, then teaching and enforcing those rules and visibly supporting them yourself. For instance, explicit policies can state that executive leadership will never request gift card purchases over email and that a secondary form of communication is required to verify purchase or payment requests over a certain dollar amount. Such policies reassure employees that they are doing the right thing by verifying an incoming request, even if a scammer is putting pressure on them not to.

  • Credential theft, account takeovers, and ransomware: These scams involve attackers stealing login information to gain access to business accounts. Encouraging strong passwords and requiring multifactor authentication for everyone are important layers of security for company accounts.  

Multifactor authentication, also known as two-factor authentication, is a simple, free security technique that can deter cyber criminals. It requires authorized individuals to verify their identity twice when logging in to company systems — once with their login credentials and again with a different method, preferably through a separate physical possession such as a cellphone. 

By adding multifactor authentication as an extra layer of security against unauthorized access, even if a scammer steals an employee’s login information, the scammer is far less likely to access the account without being in possession of the second authentication method. 

Email is particularly critical to lock down using multifactor authentication as it contains loads of personal information and is often one of the easiest accounts to hack. And, if a hacker has access to email, they may be able to sidestep any multifactor authentication prompts that are directed there — one more reason to ensure multifactor authentication notifications are sent to a phone or another physical device.

With the advent of AI has come a virtual arms race between fraudsters and security teams both working to protect their interests, yet the fundamentals of protecting your small business remain the same.

Create a policy-based plan with clear rules that emphasize authentication. Once a policy is created, ensure all employees review and understand it. Reinforce it through webinars, practice drills, faux phishing emails, and other regular reminders so that it becomes baked into employee protocols. Finally, talk to your team about the importance of working together to reduce risk and how doing so impacts your entire organization.  

By demonstrating your understanding of the guidelines, and by regularly reinforcing and personally backing them across all levels of your organization, you can effectively amplify an investment in information security by arming employees with knowledge and a shared commitment to reducing cyber risks.
