In today’s ever-changing business landscape, fraud is constantly taking on new forms. As criminals continue to get smarter and sneakier, businesses face greater — and more costly — risk.

The cost of fraud can be staggering. In 2021 alone, organizations lost $2.4 billion to business email compromise, $348 million to tech support fraud, $143 million to government impersonation, $82 million to spoofing, and $49.2 million to ransomware, according to FBI data.

On top of the threat of financial losses, the operational and reputational impacts of fraud also need to be considered. The time it takes to recover from an act of fraud can be detrimental to a business, and any disruptions felt by customers can leave a lasting impression on them — and not the good kind.

“Over 71% of businesses were hit by fraud in 2021,” said Wintrust Executive Vice President of Treasury Management Ezra Jaffe. “It’s truly not if, but when. And if you don’t have a plan and defenses upfront, you will spend months digging out.”

With so much at stake, it’s essential for businesses to stay vigilant against fraud. By understanding what to look out for, taking proactive measures, and implementing effective means of fraud prevention, mid-market companies can mitigate the risks.

Fraud takes many forms

While some forms of fraud are old hat, there may be some that you’re less familiar with, or have never even been exposed to. Here are some of the most pertinent forms of fraud for mid-market companies today.

Check fraud: Though checks seem destined for obsolescence in our digital world, check fraud is still prevalent today. Typically, check fraud entails criminals stealing and manipulating checks through tactics such as check washing, where chemicals are used to erase and rewrite payee names and dollar amounts. With mail theft on the rise throughout the country, criminals are increasingly taking advantage of the postal system to intercept checks. However, the threat of check fraud also exists internally, as employees can take company checks and alter them for their own benefit.

Business email compromise: While paper checks may be phased out over time, email, on the other hand, isn’t going anywhere. Business email compromise occurs when criminals send companies emails posing as known sources, often requesting some form of financial action. Though criminals often pose as clients or vendors, they also are known to pose as coworkers and even superiors; it’s not uncommon to encounter fake CEO emails requesting personal information, gift cards, and other lucrative items.

Tech support fraud: The presence of technology is inextricable from the modern workforce, especially in the era of remote and hybrid work. As a result, workers become more prone to technical issues — and cybercriminals have found ways to take advantage via a variety of tactics to pose as tech support.

Criminals may call businesses and claim there’s an issue that needs to be fixed, or even resort to fake emails and computer pop-ups to convince companies to act. Once accepting the supposed support, companies are often charged exorbitant prices for fake or unnecessary services. In some cases, proprietary information and sensitive data are also compromised.

Government impersonation: Deception is a common thread throughout fraud cases, but government impersonation fraud takes it to the next level. Criminals use a variety of channels — commonly phone calls and emails — to masquerade as officials such as tax agents or regulatory inspectors. Creating a sense of urgency through persuasive language and documents threatening legal action, criminals convince businesses to make payments or provide sensitive details.

Spoofing: Spoofing is another prevalent form of fraud that exploits the ease of falsifying information online. Criminals can manipulate phone numbers, email addresses, and websites to appear legitimate, tricking victims into sharing money and sensitive data. For instance, scammers may spoof a bank’s phone number or email address to send fraudulent messages asking for account information or payment.

Ransomware: Ransomware attacks are also a serious threat to businesses, as cybercriminals deploy malicious software to block access to computer systems or data. To regain access to their tech, companies must pay a ransom.

Phishing: Phishing is another form of fraud that relies on social engineering tactics. In a phishing attack, scammers send unsolicited emails, texts, or calls posing as a legitimate organization to request credentials or personal information. Phishing attacks can be highly sophisticated, with scammers creating convincing replicas of legitimate websites. In phishing attempts, cybercriminals are seeking passwords, social security numbers, and other personally identifiable information.

Understanding company risk

Because every company is different, the risks and vulnerabilities when it comes to fraud are different, too. That said, there’s no “one-size-fits-all” approach to fraud prevention; companies today need to count on bespoke solutions to stay safe.

“On one hand, bigger companies are bigger targets,” said Jaffe. “But on the other hand, smaller companies tend to have less urgency and fewer defenses, so the impact can be greater.”

To accurately and comprehensively understand your company’s risks, it’s essential to conduct a fraud risk assessment. A fraud risk assessment identifies the various types of fraud schemes your company could fall victim to, their likelihood of occurring, and the potential losses associated with each.

Fraud risk assessments also scrutinize the internal measures that exist to prevent each scheme, their effectiveness, and whether there’s a need for additional or upgraded controls. Essentially, fraud risk assessments paint a full picture of your company’s needs and priorities for effective fraud prevention.

If your company has the willingness and means, hiring a third-party professional services firm to conduct the risk assessment (or provide a second opinion) can provide a more thorough approach. When bringing in a trusted outside party, internal biases and assumptions are also mitigated, ensuring an objective approach to fraud prevention.

Keep in mind that a fraud risk assessment shouldn’t be a “one-and-done” security measure. Rather, your organization should conduct these assessments on a regular basis; ideally, at least once a year, if not twice.

Emphasizing employee education

From the boardroom to the frontlines, employees play an important role in protecting companies from fraud. That’s why investing in thorough and ongoing fraud-awareness training for your employees can pay dividends.

There are many cost-effective training programs to help employees improve their cybersecurity knowledge and hygiene, including testing on the latest tools and tactics criminals are deploying to trick employees into divulging sensitive information.

While your employees should take fraud prevention seriously, busy schedules may make it difficult for them to take the initiative. To ensure that your whole organization is in the know, consider mandating participation in trainings, as well as requiring periodic testing between classes. Since fraud is constantly changing, the value of regular training cannot be overstated.

Fraud prevention best practices

Once your organization realizes its risks and educates its employees, the real work begins. Following the best practices of fraud prevention should be an everlasting commitment, and if your business sticks to these tried-and-true steps, the odds of successful fraud prevention will be in your favor.

For starters, make sure that your business is set up with positive pay products through your bank. Positive pay is designed to detect fraud, comparing issued checks with checks presented for payment. Through this process, discrepancies are flagged for review, making it less likely for fraudulent checks to be cashed.

“We had a customer whose account was under attack, and the thief was using fake checks to buy items nationwide,” said Jaffe. “However, the customer lost no money and no sleep because they were set up with positive pay. Every one of those checks were returned.”

Regular bank reconciliations are also essential for detecting unauthorized transactions or discrepancies in your business accounts. By reconciling your bank statements with your internal financial records, you can identify any unusual activity and promptly investigate it.

Facing the risk of data breaches, it’s incredibly important to back up your data on a daily basis. Backing up your business data and storing backup copies in secure off-site locations adds an extra layer of protection. Keeping your security software and operating systems up to date is another vital practice; this includes regularly updating antivirus and anti-malware programs, as well as applying the latest security patches. Additionally, be sure to activate firewalls, which act as barriers between your internal network and external networks and help protect against unauthorized access.

Though we often think of fraud as an external threat, it’s crucial to remember that it can happen internally. Implementing an anonymous employee hotline can encourage employees to report any suspected fraudulent activities without fear of retaliation. Ultimately, this can foster a culture of accountability and vigilance against fraud, as employees become your eyes and ears in detecting potential risks. And as you emphasize internal communication, don’t forget to maintain regular communication with your bank on all things fraud.

Finally, take the necessary steps to secure and limit access to paper checks. Storing checks securely, using pre-numbered checks, and regularly reconciling them can help you detect any missing or unauthorized checks.

Staying one step ahead

Although fraud will always be present, the more educated and prepared businesses are, the better their chances of success will be.

Protect your business with our best-in-class services, designed to fight fraud and give you peace of mind.