I’m a small business; why would a million-dollar fraud ring bother targeting me?

If you are a small business and have asked this question before, we’d like to shed some light on the actual risk small businesses are exposed to.

According to the Verizon report, in 2017 there were 53,000 incidents – security events that compromise the integrity, confidentiality or availability of data – and 2,216 confirmed data breaches. Among those, 58% targeted small businesses. That’s more than half.  

Why bother, you ask?

The truth is that small businesses are targeted as much as, or more than, large companies. There are many reasons for this, but today we’ll talk about one.

Let’s say a bad actor – Bob, for example – wants to take over accounts at a big eTailer – let’s call it Shipments. Bob and his ring want to purchase goods and resell them online. But Shipments has learned from generations of attacks and now has its systems’ protection nailed down. To make matters worse, Bob’s boss, Mr. Ring Boss, is moving up deadlines and wants profit by yesterday.

Bob knows that if he steals the customer data from a smaller company, many of those clients will also have an account with Shipments. Bob starts looking online for small businesses whose security he can crack to collect their stored customer data. He comes across OrganiMus – a fictional company that sells small-batch hummus and is a member of One Percent for the Planet. Unsurprisingly, this small business has weak barriers around its system, and Bob breezes through them, stealing all the customer data he finds (names, usernames, passwords).

Using the stolen data from OrganiMus, Bob runs a script against the Shipments login interface to find the credential combinations that open Shipments accounts. Twenty percent of customers use the same password for all their accounts, so the odds are on Bob’s side. This particular technique, called credential testing, yields positive results for an average of 1-2% of the credentials tried.

Now that Bob has credentials that open Shipments accounts, he can go ahead and buy as many goods as he wants and help make the million-dollar ring a multi-million-dollar one. Depending on Shipments’ security, Bob’s attempt may be identified as anomalous and blocked. However, many companies’ security still relies on personally identifiable information alone – meaning that as long as the credentials presented are correct, Bob can roam free and make purchases from the stolen account.
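As an added defender-side illustration (not part of the original post), the Python below flags the pattern described above in an authentication log: one source trying many distinct usernames in a short window with a very low success ratio, which is what credential testing (more commonly called credential stuffing) looks like from Shipments’ side rather than from Bob’s. The log lines, IP addresses and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the post): timestamp, source IP,
# username, outcome. The addresses are documentation ranges used as placeholders.
SAMPLE_LOG = """\
2017-11-02T10:00:01 203.0.113.7 alice FAIL
2017-11-02T10:00:01 203.0.113.7 bob FAIL
2017-11-02T10:00:02 203.0.113.7 carol OK
2017-11-02T10:00:02 203.0.113.7 dave FAIL
2017-11-02T10:00:03 203.0.113.7 erin FAIL
2017-11-02T10:00:03 203.0.113.7 frank FAIL
2017-11-02T10:00:04 203.0.113.7 grace FAIL
2017-11-02T10:00:04 203.0.113.7 heidi FAIL
2017-11-02T10:00:05 198.51.100.20 alice FAIL
2017-11-02T10:00:09 198.51.100.20 alice OK
"""

def parse_events(text):
    """Turn log lines into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events

def credential_stuffing_sources(events, window=timedelta(minutes=5),
                                min_users=5, max_success_rate=0.2):
    """Return {ip: stats} for sources that, inside any time window, tried many
    distinct usernames with a low success ratio: the signature of a script
    replaying a stolen username/password list, not a user mistyping a password."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            hits = [u for _, u, ok in chunk if ok]
            if len(users) >= min_users and len(hits) / len(chunk) <= max_success_rate:
                # The accounts that did log in are the ones to lock and re-verify.
                flagged[ip] = {"attempts": len(chunk), "distinct_users": len(users),
                               "compromised": sorted(set(hits))}
    return flagged
```

A single user retrying their own password (the second source) is not flagged; the accounts listed under `compromised` are the ones whose owners reused a password elsewhere and should be locked and re-verified.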

Hiding in plain sight

Small entities tend to think they are well hidden in the online crowd and don’t need to invest money in security solutions – because, why would they be targeted? However, just as you wouldn’t leave your bike unlocked on the street, you don’t want to leave your system’s doors open to cybercriminals.

To learn more about security systems that can protect your small or medium business, have a look at the Paladin report on our website for a review of the 2017 vendors, what they do, and how they can help you.

At the end of the day, if you store any data in your system, even if you think it’s not valuable, the sad truth is that you are susceptible to becoming the victim of a data breach any day.
