Hacker at their computer stealing data

Hackers Are Changing How They Attack Small Businesses 

7 min read • Jun 18, 2020 • Joe Kukura

We now have the first cyber-scandal under COVID-19—a minor Bank of America data breach where businesses that applied for a PPP loan had their data made briefly visible to other banks and lending institutions. By all accounts, it was an honest mistake and was fixed quickly. But hackers and cybercriminals have been capitalizing on honest mistakes for years. Your small business needs to consider protection against data breaches, as a new report estimates at least $7 billion worth of cybercrime swindles were attempted on US businesses last year.

That report is Verizon’s 2020 Data Breach Investigations Report, a well-respected annual industry analysis now released for the 13th consecutive year. It analyzes more than 100,000 data breach incidents attempted over the last year and how hackers are shifting their strategies with phishing, malware, and stolen payment credentials. The entire report is 119 pages long, but it’s a fun and snarky read that’s written in plain English with plenty of humor. But for those who don’t have time to read all 119 pages, we’ve done a quick CliffsNotes-style summary of what it all means for small businesses.

Verizon’s report details how data burglars now use distinctive varying tactics to target 15 different sectors, including food service, arts and entertainment, healthcare, retail, and many others. You may want to pull up the PDF and scroll through directly to the section that covers your industry—because these days, cybercriminals are not just going after large corporate targets but also small businesses like yours.

How Hackers Target Small Businesses Differently

Hackers used to only go after large corporations that had oodles of plunderable cash, which is still their preference. But the emergence of web-based and cloud tools among both large and small businesses means that your business may have some of the same vulnerabilities as the big corporations, and hackers are taking advantage. 

Small and medium-sized businesses with 1,000 employees or fewer (or SMBs, as Verizon calls them) used to make up a very small percentage of data breaches. Now, small businesses suffer about 28% of those breaches. One advantage small businesses have is that they usually discover their data breaches more quickly—not necessarily because they’re more diligent, but because they don’t have as much of a cushion and tend to notice money missing immediately.

An interesting behavior Verizon found is what hackers don’t do anymore. In earlier years of their report, criminals’ favorite targets were ATMs and Point of Sale (PoS) machines. Those tactics don’t even register anymore in the 2020 report, as hackers can now find easier money by compromising your mobile devices, email communications, and social media accounts.

Businesses small and large are experiencing the same types of data breaches, but small businesses encounter certain types of attacks more frequently. Here’s what Verizon sees as the most common data breach threats to small businesses, ranked by how frequently hackers tried to pull them off this year.

1. Phishing Small Businesses 

The modern art of phishing is more than just stealing your email login or duping you with a fake online dating profile. These days, cybercriminals would rather phish your or your employees’ company usernames and passwords and bank login credentials. They can also get this information by requesting electronic payments while falsely claiming to be one of your clients or debtors.  

The number 1 way to fight phishing is to enable 2-factor authentication, which requires major transactions to be verified on a second device. Set as many alerts as possible so your financial transactions will notify the business owner or bookkeeper.

2. Stolen Credit Cards and Small Businesses

Smart criminals don’t steal business credit cards anymore. Business credit card credentials are where the action is now, as those credentials can be used again and again all over the web in a brief window of time.

Conduct online credit card purchases via trusted sources only. If a hacker can obtain your business’s credit card name, address, number, expiration date, and CVV code, they can do huge damage in short order. Check with your bank or credit card issuer on whether theft protections are in place.

3. Human Error in Small Businesses

Human error is not much of a factor in big business because transactions involve many levels of accounting busywork and middle management sign-off. But less-staffed small businesses are uniquely susceptible to simple, innocent mistakes. This could be the classic ‘Reply All’ email gaffe, or accidentally sending sensitive financial or login information to the wrong recipient.

We can’t tell you how to fix human error, which has plagued businesses since the dawn of time. But we will note that intentional employee misuse of systems, be it embezzlement or stealing sensitive data, is most common in the financial and insurance sectors. So be vigilant in hiring, especially if your business is in those fields.

4. IT Misconfiguration in Small Businesses

Misconfiguration is the technical term for “human error by the tech department.” This issue could stem from your own tech staff or consultant, the site or platform that runs your online store, or any other cloud service on which your business keeps databases with sensitive information.

This type of breach generally involves databases left publicly exposed and usually gets pointed out online by security pros or academics outside of your company before doing major damage. However, they might call you or your online service provider out in a blog post that goes viral. 

5. Trojan Horse Attacks in Small Businesses

In internet terms, a “Trojan Horse attack” is when a website talks you into downloading some strange new app or program in order to see or do the thing you’d been trying to see or do. But that download can then give your device a virus or some other unwanted malware mechanism. 

Trojan Horse attacks had their heyday in the illegal file-sharing era of the mid-2000s before smartphones were invented. They’re pretty rare now, though recently resurgent in the “Congratulations!” pop-up ads that still occasionally disrupt your mobile web browser on iOS or Android phones.  

6. Ransomware in Small Businesses

You’ve surely heard media reports of nightmare scenarios where companies or entire cities have their computer systems held hostage in a ransomware request. These stories are true, and they are indeed scary. Verizon’s report notes that ransomware is very frequently directed at the education sector.

What makes ransomware easier to fight, though, is that ransomware attackers tend to use the same malicious software over and over. That repetition means security researchers are well familiar with the “plug and play” ransomware tools that hackers commonly buy on the dark web. If your business has ransomware concerns, it’s not hard to find preventative tools like antivirus software and firewalls.  

This data was all collected before the COVID-19 pandemic, and new coronavirus scams are emerging. But cyber protection firms are stepping up and adapting to the computer virus threats coming out of the coronavirus uncertainty.


Joe Kukura

Joe Kukura is a San Francisco freelance writer whose work also appears in SF Weekly and SFist. He’s written financial advice for NerdWallet, tech industry analysis for the Daily Dot, sports content for NBC Bay Area, and good, old-fashioned clickbait for Thrillist.