For small businesses, efficient banking is essential to day-to-day operations. However, as the digital landscape expands, so do the risks. One of the most prevalent and dangerous forms of financial crime today is account takeover (ATO) attacks. In this type of attack, fraudsters gain unauthorized access to business bank accounts, often draining funds or using these accounts for illicit activities.
With so much attention being given to consumer banking fraud prevention these days, small business banking fraud often goes unaddressed. Yet the impact and financial losses for small businesses subjected to payment fraud and ATO are significantly higher.
While the average loss of a consumer banking ATO attack ranges from $6,000 to $13,000, small business losses are often over $50,000. In November 2023, a Florida small business owner was the victim of unauthorized withdrawals of nearly $150,000, while an Alberta, Canada small business owner lost $65,000 in an ATO attack last December.
And, while many banks and businesses have adopted modern security measures like one-time passcodes (OTPs) and hardware tokens, these traditional authentication methods are increasingly falling short of protecting small businesses from sophisticated fraud. Most modern authentication tactics are designed for individuals doing retail banking tasks, such as logging in, checking an account balance, and making transfers, but fall well short for small businesses.
Accounts payable staff, for instance, may face tedious authentication requirements, such as OTPs or secure access codes, multiple times from the same device, or may need access while the authentication mechanism is issued to a manager or business owner instead. And if hardware tokens are used, that token is often issued to the business owner, not the accounts payable person, adding more friction to the process.
Why small businesses are particularly vulnerable
While consumer banking customers often have automatic bill pay via Automated Clearing House (ACH) transactions, the size and volume of small businesses' ACH and wire transactions are typically much higher. With ACH fraud on the rise, authenticating these payments has become a critical use case.
Unfortunately, many small businesses rely on banking systems that are not customized for their specific security needs, which makes them easier targets for criminals. Additionally, small business owners may not have the time or expertise to stay updated on the latest cybersecurity threats and solutions. The high reliance on banking platforms that use basic two-factor authentication (2FA) methods like OTPs or hardware tokens exposes them to risks that these methods cannot fully mitigate.
However, most small business digital banking is performed on a company laptop or desktop, while most consumer digital banking today is done on a mobile device. This provides SMBs with a unique advantage in their fight against ATO fraud.
Moving beyond OTPs and tokens: The future of fraud prevention
Given the growing sophistication of ATO attacks, small businesses need to look beyond OTPs and hardware tokens to protect their accounts. Fortunately, banks and fintech companies are developing more advanced security measures that offer stronger protection against small business banking fraud, including:
- Biometric authentication
- Behavioral analytics
- Risk-based authentication
- Passkeys
However, even combinations of these capabilities may not enable optimal protection or user experiences for small businesses. For example, some systems will claim to provide a frictionless experience by basically “bypassing” authentication on a familiar device, exposing that customer to increased fraud risk.
Entersekt’s modern authentication for small businesses – silent and frictionless
As previously stated, SMBs do have an advantage over consumers when it comes to online banking – leveraging a “trusted device” that enables fast, frictionless fraud protection via a combination of both active and “silent” authentication methods.
This advanced authentication goes beyond traditional authentication methods by integrating seamlessly with the digital banking platform not only for login protection, but also across high-risk and high-value transactions, and never bypasses authentication. This includes use cases such as ACH payments, wire transfers, even demographic profile changes, like adding a new phone number or email address to an account.
Entersekt’s frictionless authentication:
- We create a unique device identifier using industry standard security that is stored on the device.
- When a device logs in, we check if it is “trusted”. If it is trusted, we then challenge the device silently; we call this “silent authentication”. The device must prove to us that it is the same device we trusted before by signing a challenge (authentication) request with the device identifier we assigned to it. This means that on a trusted device, the accounts payable person can log in without owner or manager interaction.
- If the device is not trusted, we then reach out to one of the trusted devices, for example a mobile banking app. This would be referred to as “active authentication.”
- So, at every interaction where Entersekt is involved, we ALWAYS challenge but we choose either silent or active authentication.
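The silent-versus-active decision in the list above, as an added Python sketch (not Entersekt's code). It assumes a per-device secret and uses an HMAC over the challenge as a stand-in for the signature, since the page does not name the scheme; the class, function and device names are hypothetical.

```python
import hashlib
import hmac
import secrets


class AuthServer:
    """Always challenges: silently for a trusted device, actively otherwise."""

    def __init__(self):
        self.trusted = {}   # device_id -> per-device secret (assumed storage model)
        self.pending = {}   # device_id -> outstanding single-use challenge

    def enroll(self, device_id):
        # Assumed to run only after an earlier successful active authentication.
        key = secrets.token_bytes(32)
        self.trusted[device_id] = key
        return key          # stored on the device

    def begin(self, device_id):
        # Unknown devices are never waved through; they fall back to active auth.
        if device_id not in self.trusted:
            return "active", None
        challenge = secrets.token_bytes(16)
        self.pending[device_id] = challenge
        return "silent", challenge

    def verify(self, device_id, response):
        # pop() makes each challenge single-use, so a captured response cannot be replayed.
        challenge = self.pending.pop(device_id, None)
        key = self.trusted.get(device_id)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def device_sign(key, challenge):
    # Runs on the device: proves possession of the stored secret.
    return hmac.new(key, challenge, hashlib.sha256).digest()


def demo():
    server = AuthServer()
    key = server.enroll("ap-laptop")                  # constructed device name
    method, challenge = server.begin("ap-laptop")
    response = device_sign(key, challenge)
    genuine = server.verify("ap-laptop", response)    # same device, fresh challenge
    replay = server.verify("ap-laptop", response)     # same response sent again
    _, second = server.begin("ap-laptop")
    forged = server.verify("ap-laptop", device_sign(b"x" * 32, second))  # ID copied, key not
    unknown, _ = server.begin("new-laptop")           # never enrolled
    return method, genuine, replay, forged, unknown
```

Knowing the device ID alone is not enough here: the replayed and forged responses are both rejected, and the unenrolled device is routed to active authentication.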
Frictionless SMB banking fraud prevention
Account takeover attacks represent a significant threat to small businesses, and relying solely on OTPs or hardware tokens is no longer sufficient to prevent fraud. The rise of phishing, social engineering, and more advanced cyberattacks means that businesses must adopt stronger, multi-layered security strategies to protect their assets, while avoiding cumbersome user friction.
Entersekt is the first and only digital banking authentication solution available that offers both silent and active authentication for retail and small business banking.
Small business owners should work closely with their banks to ensure that their accounts are protected with the latest fraud prevention technologies designed to support the specific needs of small business banking. By staying ahead of cybercriminals and implementing more robust, frictionless security measures, small businesses can safeguard their financial future and avoid the devastating consequences of a successful account takeover.