Banks must take the time to educate mid-size business clients about how to defend themselves against hackers, Javelin Strategy & Research says.
Of the micro and small businesses that absorbed fraud incidents in 2013, 58% experienced misused business credit card accounts but enjoyed the same "zero liability" offered to consumers. However, 52% of middle-market businesses experienced card fraud without any liability protection, said Al Pascual, senior analyst for Javelin and author of a recent report on business payment fraud.
When a major retail breach takes place, business credit card accounts are always among those that get exposed. "Businesses shop, too," Pascual said.
But the businesses also need more security for debit or wire transactions, Pascual said. "Banks should be having these conversations with their clients to have more security solutions and increase adoption of electronic funds."
Banks could charge for better protection but must provide incentives to businesses to use the measures, he added.
Currently, only micro and small merchants are covered by the card brands or through Uniform Commercial Code protections, whereas larger businesses using corporate accounts and credit cards are not, Pascual said.
"The biggest liability issue really lies with electronic funds transfers, the Automated Clearing House and the wires," he added. "The protections are favorable to banks, but not the business banking clients."
Javelin surveyed more than 1,000 business payment decision-makers and influencers this year in compiling the report data, which indicates even though major retail data breaches get the national headlines, hackers are regularly attacking small and midsize businesses.
Fraudulent checks remain the most commonly misused form of payment for midsize businesses, affecting 65% of businesses that suffered some type of fraud, the report said.
In addition, one-third of the businesses surveyed indicated they were reluctant to adopt electronic payments because of security concerns. Even though fraud rates for ACH and wire payments are low, they represent high-value transactions. Midsize businesses suffering wire transfer fraud are likely to experience a cumulative fraud loss of more than $500,000 in a year, the report said.
"Criminals really like wire for moving a lot of money fast," Pascual said. "After three days, the transaction is irrevocable, so that money is gone."
Fraudsters will test a fraudulent wire transfer of about $50,000 and, if they are not caught, will up the ante to hundreds of thousands of dollars, Pascual added.
Businesses that provide employees with mobile devices have a payment fraud rate of about 10%, the report said. Those that allow employees to use their own personal devices for company business suffered a 25% payment fraud rate, or 2.5 times greater, Pascual said.
"'Bring Your Own Device' contributes significantly to the rate at which business accounts are misused," he added. "It's not that the services are not secure, it's just that the business is relying on its employees' security acumen on their personal devices."
Employees can unwittingly download malware, transmit sensitive data on unprotected lines, expose passwords that may be used in other facets of the business or expose the full payments network, Pascual said.
"It's something no one has taken a close look at, but we have quantified what it means to a business," he added.
Banks should help businesses establish security policies surrounding the use of personal devices, Pascual said. "That would help strengthen the relationship between the bank and the business."