Cyberattacks are on the rise as criminals target small businesses


Basic information:

  • Cyberattacks are increasingly targeting small businesses and non-profits with fraud and ransomware
  • AI-driven fraud and email spoofing make cyber attacks more sophisticated
  • Weak internal controls and lack of verification can lead to significant financial losses
  • Experts say multifactor authentication and employee training are key safeguards

It seemed like normal business. A New Jersey real estate company wired $500,000 to pay property taxes to what it believed was Cresskill Borough. It wasn’t. A scammer had sent a convincing email pretending to be the municipality, saying the borough had changed its bank account and supplying new payment instructions. No one picked up the phone to confirm. By the time the notices of unpaid taxes arrived, the money was gone.

Rahul Mahna, an EisnerAmper partner who leads the firm's Outsourced IT Services practice

Stories like this are becoming alarmingly common, according to Rahul Mahna, an EisnerAmper partner who leads the firm’s Outsourced IT Services group. “Every year it feels like there’s a new perspective, a new technique that bad actors use,” he said. “The risk factor is increasing.”

Mahna noted that cybercriminals used to focus heavily on financial services and healthcare — industries where rich data and deep pockets made for attractive targets. But that focus has changed. “In the last few years, I’ve seen a huge increase in nonprofits,” he said.

The reason comes down to publicly available information. Most non-profit organizations are required to post their financial statements – Form 990 reports – online. Savvy attackers can quickly mine that data to identify organizations sitting on large amounts of assets.

New ways

The methods of attack have also changed – from older ransomware schemes that held data hostage to today’s “man-in-the-middle” attacks, where criminals insert themselves into email threads or impersonate vendors and government agencies to divert payments.

Mahna described a local non-profit that lost a large sum after a bad actor took over the CFO’s email account and used it to initiate a wire transfer. The scam was carried out on a Friday. “A wire transfer can usually be recalled within 48 to 72 hours, but if you do it on Friday, you lose Saturday and Sunday,” he said. By Monday, the window had closed.

When EisnerAmper stepped in to help, Mahna says the initial recommendation had nothing to do with technology. His team audited the organization’s disbursement process, traced how money moved through the organization and identified gaps in internal controls. They found that many people had the authority to instruct the bank, with no checks and balances in place. Something as simple as a confirmation call – made when the vendor changed its payment information – could have stopped the fraud cold.
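The control gap Mahna describes – an emailed change of bank details acted on without a callback, and too many people able to instruct the bank – can be expressed as a small workflow. The following is an added example written for this page, not code from EisnerAmper or from the article; the payee name, domains, phone numbers, e-mail addresses and account identifiers are all constructed for illustration.

```python
"""Payee bank-detail change control: out-of-band callback plus dual approval.

Added example, not the article's or EisnerAmper's code. A change that arrives by
email is applied only after (1) a callback to the phone number already on file,
never a number printed in the request, and (2) sign-off by two different people.
All names, numbers and account values are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VendorRecord:
    """What accounts payable already knows about a payee, from the original contract."""
    name: str
    email_domain: str
    phone_on_file: str
    bank_account: str


@dataclass
class ChangeRequest:
    """A request to change bank details, exactly as it arrived by email."""
    vendor: str
    sender_email: str
    new_bank_account: str
    callback_number: str  # number printed in the email; deliberately never dialled


@dataclass
class ChangeControl:
    vendors: dict
    callback_verified_by: Optional[str] = None
    approvals: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def triage(self, req: ChangeRequest) -> list:
        """Red flags to raise before anyone acts on the request."""
        vendor = self.vendors[req.vendor]
        flags = []
        sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
        if sender_domain != vendor.email_domain.lower():
            flags.append(f"sender domain {sender_domain!r} differs from domain on file")
        if req.callback_number != vendor.phone_on_file:
            flags.append("request supplies a callback number that is not the number on file")
        return flags

    def record_callback(self, req, caller, number_dialed, vendor_confirmed):
        """Accept a callback only if it went to the number on file and the payee confirmed."""
        vendor = self.vendors[req.vendor]
        if number_dialed != vendor.phone_on_file:
            raise PermissionError("callback must go to the number on file, not one from the request")
        if not vendor_confirmed:
            raise PermissionError("payee did not confirm the change; treat as attempted fraud")
        self.callback_verified_by = caller
        self.log.append(f"callback to {number_dialed} by {caller}: confirmed")

    def approve(self, approver):
        self.approvals.add(approver)

    def release(self, req, min_approvers=2):
        """Apply the change only when callback and dual approval are both satisfied."""
        if self.callback_verified_by is None:
            raise PermissionError("no out-of-band callback recorded")
        if len(self.approvals) < min_approvers:
            raise PermissionError(f"need {min_approvers} distinct approvers, have {len(self.approvals)}")
        vendor = self.vendors[req.vendor]
        vendor.bank_account = req.new_bank_account
        self.log.append(f"bank account for {vendor.name} updated by {sorted(self.approvals)}")
        return vendor


def _vendors():
    # Constructed payee record: the borough's real domain, phone and account on file.
    return {"Example Borough": VendorRecord("Example Borough", "borough.example",
                                            "+1-555-0100", "ACCT-ORIGINAL")}


def demo_spoofed_request() -> dict:
    """Walk a constructed spoofed request through the control; returns what happened."""
    vendors = _vendors()
    # Look-alike sender domain and a fresh callback number, as in the article's case.
    req = ChangeRequest("Example Borough", "taxcollector@borough-example.test",
                        "ACCT-ATTACKER", "+1-555-0199")
    ctl = ChangeControl(vendors)
    result = {"flags": ctl.triage(req)}
    try:                       # no callback at all: release refused
        ctl.release(req); result["released_without_callback"] = True
    except PermissionError:
        result["released_without_callback"] = False
    try:                       # dialling the number from the email: refused
        ctl.record_callback(req, "ap.clerk", req.callback_number, True)
        result["accepted_email_number"] = True
    except PermissionError:
        result["accepted_email_number"] = False
    try:                       # number on file: the real payee says it asked for no change
        ctl.record_callback(req, "ap.clerk", vendors["Example Borough"].phone_on_file, False)
        result["accepted_unconfirmed"] = True
    except PermissionError:
        result["accepted_unconfirmed"] = False
    result["bank_account"] = vendors["Example Borough"].bank_account
    return result


def demo_legitimate_request() -> dict:
    """A genuine change: callback confirmed, but release still needs two approvers."""
    vendors = _vendors()
    req = ChangeRequest("Example Borough", "finance@borough.example", "ACCT-NEW", "+1-555-0100")
    ctl = ChangeControl(vendors)
    ctl.record_callback(req, "ap.clerk", "+1-555-0100", True)
    ctl.approve("controller")
    try:
        ctl.release(req); single = True
    except PermissionError:
        single = False
    ctl.approve("cfo")
    ctl.release(req)
    return {"flags": ctl.triage(req), "single_approver_released": single,
            "bank_account": vendors["Example Borough"].bank_account}
```

The two design choices worth copying are that the callback number is read from the existing payee record rather than from the request, and that the person who made the call does not by themselves satisfy the approval count.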

A technological solution followed. Mahna’s firm now deploys about 20 security tools, up from five when it started. Multifactor authentication, he stressed, is not enough by itself. The industry is moving towards Extended Detection and Response, or XDR – a holistic approach that monitors not just individual devices but an organization’s entire digital footprint, including cloud services, email and web activity. “You can’t just look at a person at their computer,” he said. “You have to look at all aspects of the person and the number they’re working on.”

AI is changing everything

Artificial intelligence is changing the threat landscape in ways that outpace many organizations’ defenses, according to David Scott, managing director of forensic & integrity services at Ernst & Young.

Cybercriminals no longer rely on crude phishing emails and opportunistic scams. They use AI to plan and execute sophisticated attacks, convincingly impersonating real people and exploiting vulnerabilities at scale.

David Scott, managing director of forensic & integrity services at Ernst & Young

“A single bad actor or small group can launch dozens or hundreds of attacks at once,” Scott warned. “Traditional cybersecurity controls are not designed for this environment. Security leaders must rethink the concept of ‘AI first’.”

The EY Cybersecurity Roadmap study of 500 senior enterprise security leaders found that 96% believe AI-enabled cyberattacks now pose the biggest threat to their organization. Nearly half estimate that a large portion of the cybersecurity incidents they experienced in the past year were powered by AI. But fewer than half say they have strong confidence in their organization’s ability to defend against AI-driven crime.

Progressive organizations invest in strong governance, regularly assess vulnerabilities and conduct tabletop exercises that run senior leaders through worst-case scenarios, Scott added. “These exercises not only improve technical readiness, but help leaders make decisions quickly and confidently in times of crisis.”

‘Bad people have no morals’

Robert Owen, SAX Technology Advisors partner and CTO

Robert Owen, SAX Technology Advisors partner and CTO, has seen the change firsthand. A New Jersey warehouse and manufacturing company was hit by a ransomware attack that shut down its systems and made its data inaccessible. He recalled: “The company’s IT person did not have an incident response plan and did not have backups that could be used. The leadership faced a difficult choice: try to build more revenue from scratch or pay the hackers and trust them for the decryption keys. They paid.”

Basically, “when you pay the ransom, the question is how do you know they’re gone?” Owen added. “You’re associating with bad people. Bad people don’t tell the truth; bad people have no morals.”

Where attackers once focused on high-profile targets — big banks, big insurers, Fortune 500 companies — the game has changed dramatically. Owen explained: “They’re spending a lot of money on the whole industry. They’re looking for holes in the company’s armor.”

Instead of spending a year trying to break into one very well-defended organization, cybercriminals now attack thousands of smaller organizations simultaneously, “trading whaling for net fishing.”

Leading threats

A cyber insurance policy alone will not stop bad actors. Owen said: “Insurance doesn’t prevent anything. It only helps you once something bad happens.”

Worse, a breach can cost more than just recovery expenses, he warned. Law firms now investigate reported breaches specifically with an eye to filing class-action suits, while state attorneys general – including New York’s – maintain dedicated divisions that prosecute companies deemed negligent in protecting personal data.

In the face of these threats, Owen suggests the “clear and urgent things” come first.

“Use multifactor authentication on every system, so that two or more different factors are required to verify the user’s identity before entering the system,” he explained. “It goes beyond a password and combines independent factors – something you know, like an identification number; something you have, like a phone or token; or something you are, like biometrics – to prevent unauthorized access. So even if one factor is stolen, the other factors will help prevent unauthorized access. This is the single most important investment a company can make. email, text or payment request.”

“[Using multifactor authentication] is the single most important investment a company can make. Next to it is user education…”
Robert Owen, SAX Technology Advisors partner and CTO

No industry is immune

When a multi-site medical practice based in New Jersey was hit by a ransomware attack, it had to shut down operations for two weeks while it rebuilt its digital records, according to Edward Keck Jr., a Withum partner and practice leader for Cyber/Information Security.

Edward Keck Jr., Withum's partner

“Bad actors got in through business email compromise,” he explained. “This is where attackers impersonate or compromise legitimate email accounts to trick employees, customers or partners into installing malware, transferring money or divulging sensitive information.”

Once inside, the cybercriminals locked up the practice’s systems and demanded a hefty ransom. Instead of paying, the practice called Withum, which conducted a forensic investigation, rebuilt the systems, improved security, and provided ongoing training for employees.

Keck noted that cybercrime has become a sophisticated, organized industry. Ransomware-as-a-service platforms on the dark web allow criminals with little technical experience to launch attacks for as little as $20 or $30. Stolen data is bought and sold like any other commodity. “Anywhere they can make money, this has become an organized business,” he said.

No company is too small to be a target. In fact, the opposite may be true. “Small businesses are often targeted because they are believed to be the weakest.”

That vulnerability gap is where CPA firms come into play. Beyond traditional audit and tax services, firms with dedicated cybersecurity practices now offer clients everything from vulnerability assessments and penetration testing to round-the-clock monitoring and digital forensics. Withum operates a dedicated cyber lab at its Whippany facility.

Keck suggests a practical plan – “good cyber hygiene” – that includes keeping software patched and up to date, enabling multifactor authentication, using a password manager, training employees to recognize suspicious emails, using device encryption and email filtering, keeping secure backups, and having a written incident response plan. Cyber insurance completes the picture.

“Nothing is really optional,” he said.

The cost of inaction is high. Recovering from a cyberattack, Keck noted, usually costs four to eight times more than the security investment would have. It is a number, he added, that any good accountant can help put in perspective.
