FARGO — A recent cyber attack waged against his Fargo business left Carpet World owner Bruce Kautzman scratching his head.
Kautzman was not entirely sure how the attack even began in the first place. After a customer requested an emailed invoice, Kautzman opened his email and his wife, who was working remotely and monitoring the inbox, quickly alerted him to something awry.
"I don’t know how it happened," Kautzman recalled. "I went to email a customer on something and my wife was monitoring my email from home because she works remotely and she asked 'What is going on?'"
After placing a call to their service provider to shut down the account and contacting the customer — who had received fraudulent emails from Kautzman's account — the breach was halted.
Still, Kautzman thought it was a close call for his business. "It's a scary situation," he said. "It really could have gotten out of hand."
As for the hacker's motive, Kautzman could only speculate, figuring it was financial. "I think they were just trying to cut in to get any kind of money they could."
While Kautzman found it "so odd" that his locally owned small business found itself the victim of a cyber attack, small businesses are often the victims of such attacks.
That's according to Kristine Lunde, the lead treasury management specialist for Alerus. Lunde said it's a "common misconception" that fraudsters will only target large businesses with abundant resources and leave small businesses alone. In fact, "they specifically usually target small- to medium-size businesses," she said.
Small businesses prove ripe targets for hackers for two reasons, Lunde said.
The first is that small businesses tend to have lesser information technology protections and smaller IT staffs. "Sometimes the fraudster can be in their system for longer because it's not detected as often," Lunde explained.
The second reason, Lunde said, is that small businesses don't think they will be targets. "A lot of small business owners think it can't happen to them," she said. "Why would a fraudster be interested in my business? Why wouldn't they go after a bigger fish?"
As a result, Verizon's Data Breach Investigations Report found that 43% of all fraud and breach victims are small- to medium-size businesses, Lunde said.
Fraud on the rise
By all measures, internet crimes have exploded in recent years, Lunde said. A study from the University of Maryland estimated that hackers attack every 39 seconds for a total of 2,244 attacks every day in the United States.
COVID-19 also led to a dramatic increase in cyber attacks.
Because the pandemic sent millions of Americans out of the office to remote work, fraudsters have "really increased their attacks," she said. Complaints to the Federal Bureau of Investigation's Internet Crime Complaint Center rose from roughly 300,000 in 2019 to slightly below 800,000 in 2020 as a result of the workplace shift, Lunde noted.
Business email compromises like the one perpetrated against Carpet World are among the most prevalent schemes, Lunde noted. These schemes can manifest in "a couple different flavors," she said. They were also the most costly fraud scheme in 2020, with roughly 19,000 victims reporting $1.8 billion in losses to the Internet Crime Complaint Center.
Changes to email addresses, grammar, colors or logos are common red flags of a business email compromise, Lunde said.
Ransomware has also become extremely costly for businesses in recent years. Ransomware, Lunde explained, is when a fraudster downloads malware onto a computer, then proceeds to steal and encrypt the computer's files, holding them for ransom. In 2020, the Internet Crime Complaint Center received 2,747 ransomware complaints, which cost businesses $29.1 million.
When ransomware first became prevalent roughly five years ago, ransoms were typically $20,000. That figure has increased considerably, however. "Now it’s typically $400,000 to $500,000," Lunde said. "The FBI recommends that you don't pay that, but then you never get your files back. It's really critical that businesses are creating backups to their system in case they would become a victim."
Cyber criminals have also targeted direct deposit information for crimes. "We are seeing a lot of people submit requests to update their banking information for their next deposit of payroll and it’s actually not the employee," Lunde said.
Losses from all forms of cyber attacks totaled $4.2 billion in 2020. Cybersecurity Ventures projects the figure will reach $6 billion annually this year.
Fraudsters are often one step ahead when it comes to concealing their crimes, Lunde said. "I've been working with business clients for 15 years and it seems like as fast as we develop tricks and safeguards, they move on to something else," she remarked.
While cybersecurity professionals can fill in the gaps after a breach occurs, criminals are quickly able to find workarounds. "The important thing to remember is we're dealing with hackers and fraudsters that are in the 1% of intelligence in the world," she added.
Legislation has also moved at a glacial pace compared to fraudsters, who often do not get caught. While a bank robber could face a 20- to 25-year prison sentence, cyber criminals may receive as little as probation or significantly less jail time, Lunde said.
"Our laws are slowly adapting to make it more of a penalty, but we're way behind the times of having the punishment fit the crime in this arena," she commented.
Stopping a breach
Should a business fall prey to a cybercrime, the most important step is to keep records of all contact made with the criminal. "The biggest thing is that you keep all of the contact made by the fraudster," Lunde advised. "Keep electronic copies of all the emails."
In the case of a business email compromise, a hacker can create filters which prevent the user from seeing their scheme. In such a scenario, Lunde suggested businesses ask their IT department to detect and stop the crime.
Businesses can also enlist the help of their financial institutions to monitor their account or contact their insurance company if they are covered for cybersecurity breaches. "Businesses should talk with their insurance providers to make sure that they're covered against cybersecurity (breaches)," she said. "Having that coverage really makes a difference should a business fall victim to that."
Victims should also report the crime to local law enforcement as well as the FBI by visiting ic3.gov if the crime was perpetrated entirely online.
An ounce of prevention
The best way for businesses to avoid falling victim to cyber attacks is to focus on prevention, Lunde said. For small businesses, this means partnering with the right software vendors. "If you don't have a large internal IT staff, it's picking the right vendor externally to partner with to provide that ongoing IT support," she said.
Other critical pieces are staying up to date on security patches for business software, limiting administrative rights and not clicking on links in suspicious emails.
Whenever a business receives an unusual request, they should always check for verbal confirmation before making a change. "If you get these types of requests or if a vendor suddenly contacts you and wants to redirect a payment, you should always pick up the phone and contact someone that you know," Lunde said.
There is a "constant need" to remain educated about and vigilant against cybercrimes, particularly for businesses that have already been the victim of a breach. If changes are not made, a business is liable to suffer another attack. "They're very networked, so once you become a victim a lot of times they'll sell that information of how they were able to breach your organization to the next fraudster down the road," she said.
Overall, businesses should familiarize themselves with common forms of cyber attacks. "Being aware of what's out there is really important," Lunde said.
Kautzman's advice is simple. "If something doesn’t look right, make sure and attack it right away," he warned.