
Protecting your business from digital fraud and AI-assisted attacks

Protect your revenue, reputation, and peace of mind

Arthur Gaplanyan

Digital Fraud Protection

Professional service firms, healthcare practices, construction companies, and other privately owned businesses process payroll, client information, contracts, and multi-million-dollar transactions daily. That makes them attractive targets for digital fraud.

Digital fraud is any type of criminal activity conducted over email, text, phone, or online to access money, credentials, or sensitive information.

Most often, it manifests as fraudulent wire requests, compromised email accounts, ransomware, or stolen client records. The damage can be financial, but often it’s operational.

A single incident might lock staff out of systems, delay billing, interrupt payroll, and make for uncomfortable conversations with clients.

AI-powered tools make these sorts of attacks all the more convincing, at scale.

How digital fraud typically works

Most attacks start with social engineering: the attacker researches your website, LinkedIn profiles, press releases, and public filings. They look for the people in charge of the company, the operations managers, the finance staff, and the people who directly handle payments or vendors.

They will then attempt to make contact in one of the following ways:

  • Phishing emails that appear to come from Microsoft 365, a company executive, or a trusted vendor
  • Business email compromise, in which a legitimate mailbox is accessed and monitored before funds are redirected
  • Fake wire instructions sent near the end of a legitimate transaction
  • AI-generated voice calls that sound like the owner demanding urgent action
  • Malicious links or attachments designed to capture login information

AI lets an attacker write emails that match a target’s tone and grammar. It also lets the attacker scrape existing public information and send emails tailored to real projects or vendors. Some tools can clone an individual’s voice from just a short audio clip. The suspicious spelling that once gave phishing away is now far less likely.

Once credentials are obtained, attackers tend to keep a low profile. They monitor messages, familiarize themselves with billing patterns, and wait for an opportune moment. When the fraudulent request is finally issued, it is timed to coincide with a legitimate action, so staff comply because it looks like standard, expected practice.

Why growing businesses are exposed

Many organizations rely on Microsoft 365’s default security settings and routine virus scanning. Shared passwords are still common. Formal verification processes for changes to financial details are not necessarily in place.

In businesses with between 10 and 100 employees, the technology is often a mix of outdated hardware and new cloud services. Such organizations often have no IT personnel, or a single employee who serves as the IT department and does not have enough time to deal with technology issues. Without documentation and monitoring, problems can go unrecognized.

Owner-operators are busy with revenue, staff, customer service, and much else, so an urgent email that appears genuine may well be prioritized and approved.

Additionally, there is the human factor. Leaders often feel a tremendous burden of responsibility for their team and their clients. They don’t want to face them unprepared. This can create a “secret fear” about whether their current defenses are adequate.

Practical defenses that reduce risk

Fraud prevention is not a single item but an orderly system of controls.

Multi-factor authentication for email, remote access, and cloud apps should always be enforced; it stops most attacks even when a password has leaked.

Email security requires advanced phishing detection and analysis of suspicious links. Basic spam filters alone are not designed to stop these attacks.

The wire transfer and payout process must be documented. Any change to payment instructions should be verified by calling a phone number that was validated in advance. Urgency is never a reason to skip this step.

Access controls must follow the principle of least privilege. In other words, employees should be granted access only to the systems they need to perform their jobs.

Security awareness training should be short, specific, and repeated. For example, staff should see real examples of phishing and AI-supported scams.

Backups have to be encrypted, monitored, and tested. In a ransomware incident, there must be backup copies that the attacker cannot alter.

Monitoring and logging provide early warning. Unusual access locations, repeated failed logins, or unexplained mailbox rules should prompt investigation.
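As an added illustration (not code from the original post), a minimal Python triage pass over constructed, simplified Microsoft 365-style sign-in and mailbox-audit events that flags the three warning signs just named. The event shape, the baseline of each user’s usual sign-in countries, the threshold of three failed logins, and the list of folders used to hide mail are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample events in a simplified, Microsoft 365-like shape (not real log output).
SAMPLE_EVENTS = [
    {"user": "cfo@example.com", "op": "UserLoggedIn", "ok": True, "country": "US"},
    {"user": "cfo@example.com", "op": "UserLoggedIn", "ok": False, "country": "NG"},
    {"user": "cfo@example.com", "op": "UserLoggedIn", "ok": False, "country": "NG"},
    {"user": "cfo@example.com", "op": "UserLoggedIn", "ok": False, "country": "NG"},
    {"user": "cfo@example.com", "op": "UserLoggedIn", "ok": True, "country": "NG"},
    {"user": "cfo@example.com", "op": "New-InboxRule", "ok": True, "country": "NG",
     "rule": {"name": ".", "action": "MoveToFolder:RSS Subscriptions"}},
    {"user": "ap@example.com", "op": "UserLoggedIn", "ok": True, "country": "US"},
    {"user": "ap@example.com", "op": "New-InboxRule", "ok": True, "country": "US",
     "rule": {"name": "Vendor receipts", "action": "MoveToFolder:Receipts"}},
]

# Countries each user normally signs in from (assumed to come from earlier, known-good logs).
BASELINE = {"cfo@example.com": {"US"}, "ap@example.com": {"US"}}

# Folders an intruder commonly uses to bury redirected mail so the real owner never sees it.
HIDDEN_FOLDERS = ("RSS Subscriptions", "Junk Email", "Deleted Items", "Archive")


def rule_is_suspicious(rule):
    """Heuristic: a rule that deletes or buries mail, or has a meaningless name, needs a human look."""
    action = rule["action"]
    if action.startswith("Delete") or action.split(":", 1)[-1] in HIDDEN_FOLDERS:
        return True
    return not rule["name"].strip(".-_ ")


def triage(events, baseline, failed_threshold=3):
    """Walk the events once and return (user, reason) alerts for repeated failed logins,
    sign-ins from a country not in the user's baseline, and unexplained inbox rules."""
    known = defaultdict(set, {u: set(c) for u, c in baseline.items()})
    failed = defaultdict(int)
    alerts = []
    for e in events:
        user, op = e["user"], e["op"]
        if op == "UserLoggedIn" and not e["ok"]:
            failed[user] += 1
            if failed[user] == failed_threshold:
                alerts.append((user, f"{failed_threshold} failed logins in a row"))
        elif op == "UserLoggedIn":
            if e["country"] not in known[user]:
                alerts.append((user, f"sign-in from new location {e['country']}"))
            known[user].add(e["country"])
            failed[user] = 0  # a successful sign-in resets the failure streak
        elif op == "New-InboxRule" and rule_is_suspicious(e["rule"]):
            alerts.append((user, f"suspicious inbox rule {e['rule']['name']!r}"))
    return alerts
```

Run against the sample, the pass raises three alerts on the finance mailbox (a burst of failed logins, a first-ever sign-in from a new country, then a nameless rule that hides mail) and none on the accounts-payable user, whose filing rule is ordinary.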

The requirements for cyber liability insurance are becoming more robust. Most insurers now require multi-factor authentication, endpoint protection, and written security policies before issuing or renewing a policy.

Businesses are built on trust, and business owners have worked hard to establish that trust. That is exactly what digital fraud preys on. Policies, security tooling, and controls minimize the risk and put owners back on top of the business. Technology ought to work “behind the scenes” so that business owners can focus on serving clients and running the business.
