Banks and their merchant clients face a costly problem stemming from how prepared they are to deal with attacks that sidestep the point of sale.
Rather than overcome EMV security, fraudsters are finding it far easier to simply attack the business account a small merchant holds at the bank, according to a new report from Javelin Strategy & Research.
Nearly half of fraud attacks on small businesses target the merchant's own credit card account, enabled either through the theft of customer payment data or a hack into the business e-mail or other messaging systems.
Javelin reports that 5.7% of micro merchants and 6.5% of small merchants were affected last year by a data breach, either against their customers or within their own operation, aimed at obtaining information that could be used to steal from their accounts.
Micro merchants, or those with between $100,000 and $1 million in annual earnings, had an average of $14,724 initially stolen, while small merchants, at between $1 million and $10 million in annual earnings, had a far lower average at $6,058.
Javelin conducted an online survey of 1,000 business payment decision-makers, 500 each from micro and small merchant operations, during February 2016 to compile the report.
The number affected by breaches represents a significant threat and a driver of a considerable portion of the billions of dollars criminals steal through breaches annually, said report author Al Pascual, research director and head of fraud and security for Javelin.
Yet, small merchants aren't hugely motivated to resolve the issue, and banks may be to blame for the lack of anxiety.
"We considered the opportunity to fix this problem, because it is at the bottom of the list of topics and threats that small businesses are concerned about," Pascual said. "They list malware [at the point of sale] at the top of concerns, so it makes me believe banks are not talking about this enough."
Only one in four small and micro merchants gets alerts from their banks regarding their business account transactions. In the same manner that banks and the card brands are pushing alert technology to help consumers protect their card accounts, small merchants should be doing the same for their business accounts, Pascual added.
Even though only a quarter of merchants use account transaction alerts, "it's all downhill from there, as all of the other possible defenses are being used even less than one in four," Pascual added.
With limited security in place, criminals find small merchant accounts easy prey.
"Whether it is a small firm or a doctor's office, there is more cash in the business account than in the consumer account, and the criminals know this," Pascual said.
Stealing a business plan or hacking a company's e-mail system allows the fraudster to learn enough to eventually trick the business into making payments to the criminal's account. The FBI associates business e-mail compromises with losses exceeding $1.2 billion annually, the report said.
A fraudster who knows when a company intends to pay vendors for certain projects or monthly bills can intercept the payment. Just prior to a payment being due, the fraudster will pose as the vendor and ask the accounts payable department to send the payment a couple of days earlier to a new account, Pascual said.
"By hacking the e-mail account, they know the accounts payable person likes to be called 'Beth' rather than Elizabeth, and they will ask 'Beth' to make that payment ahead of time," he added.
In some cases, the fraudsters will act like the business and move payments out via the Automated Clearing House, a process the business may not even use much. In fraud against micro businesses, 15% of cases involve wire transfers and 10% involve ACH payments, the report said.
"They just don't have ACH protections on their radar and, in the meantime, it is a great way for criminals to move money," Pascual added.
The Javelin report found that 41% of small merchants and 68% of micro merchants closed their accounts with their bank after a fraud incident, and more than 40% of small business fraud victims sued their banks. Overall, 29% switched to a different financial institution.
"These are valuable relationships for a financial institution," Pascual said. "They are not just depository relationships, because they provide so many other services for merchants."
The entire small-business banking initiative is based on bundling services like card deposit accounts and merchant processing. If the bank loses that account, it loses card business and merchant acquiring business.
"Those are some serious risks," Pascual said.