Tax Season Adds Extra Fraud Weight For SMBs

Tax season is upon U.S. small businesses, and fraudsters are taking advantage.

In a new report from Proofpoint, researchers warned that any business with the word “tax” in its domain is at risk of being spoofed by phishing attackers targeting small to medium-sized businesses (SMBs). These cybercriminals are impersonating legitimate tax service businesses and sending SMB targets malicious email attachments and links designed to infect that SMB with malware.

“While the tax-themed email attacks hit businesses in all sectors, we also saw financial firms and construction industries targeted disproportionately,” wrote Sherrod DeGrippo, who published the research on Proofpoint’s website last week. “The construction industry targeting, in particular, is a reminder that no one sector is immune.”

Indeed, tax season isn’t the only threat hitting SMBs. According to the latest research from Bottomline Technologies, businesses said the fraud threat is on the rise. Meanwhile, Forbes reported a separate analysis from North Carolina State University warning that as pressure mounts for chief financial officers to hit their financial targets, they’re less likely to report fraud.

This week’s B2B Data Digest takes a look at the latest data points behind more cases of B2B payments fraud.

41 percent more ransomware attacks were initiated last year, the New York Times reported, citing data from Emsisoft, with 205,280 businesses losing access to their data as a result. Separate research from Coveware found companies paid an average of $84,116 to recover their files in Q4 2019, reports said, adding that public entities accounted for about one-tenth of 2019’s cases.

76 percent of corporates say fraud threats rose last year, according to Bottomline Technologies’ latest Treasury Fraud & Corporate Controls survey report. Meanwhile, 67 percent of banks and corporates said they have experienced a Business Email Compromise (BEC) scam attack.

2,100 corporates were targeted in a widespread business email compromise (BEC) scam recently uncovered by cybersecurity company Agari, the firm revealed last week. The cyberattack group, named Exaggerated Lion, had targeted more than 3,000 individuals at those businesses with their BEC scam email attacks between April and August 2019, with the vast majority of targets being employees working within the accounts payable department as more cyberattackers infiltrate corporates’ B2B payment processes.

$75,000 is the average loss of a BEC scam, new data from the FBI has revealed. Analysis of BEC complaints filed in 2019 found that BEC scams accounted for nearly half of the $3.5 billion in total cybercrime-related losses for the year.

$77,000 in losses occurred at Australia’s oldest ice rink thanks to a BEC scam, Information Age reported last week. The cyberattack was linked to a Hungarian bank account, reports noted, with fraudsters targeting the Sydney-based business by hacking its email. The ice rink received a legitimate invoice from a real supplier for the $77,000 payment request, but shortly after, hackers sent a fraudulent, amended invoice with updated bank account details, tricking the ice rink into sending funds to the hacker’s account.

$2.6 million was lost by the government of Puerto Rico, which fell victim to an email phishing scam in the latest example of B2B fraud attacks targeting public and government entities. The scam involved an email claiming a new bank account connected to remittance payments. The government’s Industrial Development Company finance director has reportedly alerted the FBI of the alleged crime.

$8.7 million was stolen from a Pennsylvania construction firm by one of its own employees, and the company said Citizens Bank is to blame. Reports in the Pittsburgh Post-Gazette said a former controller at the company has admitted to the theft by generating payroll checks to pay her own contracting company. In a lawsuit, the business claims that Citizens had suspicions about the fraud but never alerted the construction firm — a case that raises the debate about who holds the responsibility to catch such fraudulent activity.