

“I’m too small to have anything worth stealing.”
It’s a common refrain from small business owners, said James Lee, CEO of the Identity Theft Resource Center (ITRC), a nonprofit that provides assistance and anti-fraud education to companies and individuals.
But fraudsters think otherwise. Smaller companies often have fewer security resources, making them attractive to cybercriminals looking for quick wins.
“Small business owners are a hot target for fraudsters. These bad actors know that many small businesses have no time for cybersecurity because they are preoccupied with the endless tasks that come with being an entrepreneur,” said James Mirfin, SVP and Global Head of Risk and Identity Solutions at Visa. “But unfortunately, it needs to be part of the conversation on business priorities just as much as payroll, hiring, and strategy.”
The good news? Knowing the risks is the first step toward building resilience. And many attacks are preventable with the right safeguards, including regularly updating software and training your staff. Ahead of Small Business Week, we’re sharing seven essential insights about today’s fraud landscape to help protect your small business and customers, and to provide peace of mind.
Fraud risks: Today’s fraud landscape
1. Three-quarters of small business fraud cases exploit people, not technology
Cybercriminals don’t always need sophisticated hacking tools — human error is often their greatest weapon.
Some years ago, the controller of a Nebraska-based agricultural supply chain company received an email from the company’s CEO, authorizing a payment related to an acquisition the company was making. But the email wasn’t from the CEO — it was from a scammer who had spoofed the executive’s email account. The controller wired $17 million to the attacker.¹
Business email compromise (BEC) scams like these, where criminals impersonate trusted individuals to trick businesses into sending money, prey on the human tendency to trust. These sophisticated phishing scams have become so prevalent that 22 percent of all small businesses have experienced one.² In 2023 alone, BEC scams resulted in nearly $3 billion in reported losses across businesses of all sizes.³
2. Attacks on technological weaknesses are growing more advanced
Bad actors are able to steal credit card account numbers at scale with cutting-edge technology. In digital skimming attacks, for instance, malicious code on a checkout page automatically steals customer payment information. In enumeration attacks, hackers use software to rapidly guess and confirm customer payment details, while 404 page-not-found scams use a fake payment form overlaid on top of a legitimate checkout form. To give a sense of the scale, in the six months between June and December 2023, Visa blocked 50 million fraudulent transactions totaling $5.6 billion.⁴
Another rising threat is purchase return authorization (PRA) fraud, in which scammers exploit return policies to steal from businesses. Between June and December 2023, Visa saw an 83 percent increase in PRA fraud investigations compared to the previous six months.⁴
3. Small vendors supplying to big companies are especially vulnerable
Cybercriminals don’t always attack major corporations directly. Instead, they use smaller businesses as backdoor entry points. According to a recent data breach report, 62 percent of network intrusions originate from third-party vendors, including small businesses.⁵ These companies often serve as the weakest link in supply chain attacks. By infiltrating a small vendor’s systems, hackers can gain access to the larger enterprises that those vendors service.
For small businesses that serve high-value clients, a cyberattack isn’t just a direct threat — it could mean losing trust, contracts and business with bigger companies.

What you can do to protect yourself from small business fraud
The good news is that keeping your business safe from fraud doesn’t have to be complicated or expensive. Experts recommend focusing on these four essential actions:
1. Educate your employees
Since most fraud attempts target employees, your strongest defense is a well-informed team. “You can have the most bulletproof cybersecurity in the world, but if an employee falls victim to phishing, it can all be undone,” said Lee at the Identity Theft Resource Center (ITRC).
Staff should be trained to recognize scam emails, fraudulent invoices, and other red flags. Companies also need processes in place to prevent money from flowing out the door to criminals, such as rules about never sending passwords or sensitive information by email, cross-referencing suspicious emails to determine their authenticity, and multi-step approval processes for financial transactions. And while roughly half of small businesses (48 percent) say they trained staff on cybersecurity measures in 2024, that leaves more than half of small businesses operating without those safeguards.⁶
Organizations like the Cybersecurity and Infrastructure Agency (CISA) and the Identity Theft Resource Center offer small-business training programs, as do many local chambers of commerce.
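The cross-referencing step described above can be partly automated before a person ever reads the message. The following Python sketch is an added example, not code from Visa or the ITRC; the company domain, approver name and sample email are constructed placeholders. It lists the header-level red flags that should send a payment request to a phone call instead of a reply.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical values: your own mail domain and the people who can approve payments.
COMPANY_DOMAIN = "example-agri.test"
PAYMENT_APPROVERS = {"pat rivera"}
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|payment|invoice)\b", re.I)

# Constructed sample: CEO's display name on a lookalike domain, replies diverted.
SPOOFED = """\
From: Pat Rivera <pat.rivera@example-agri-corp.test>
Reply-To: pat.rivera@mailbox.test
To: controller@example-agri.test
Subject: Confidential acquisition
Authentication-Results: mx.example-agri.test; spf=fail; dkim=none; dmarc=fail

Please wire the funds today and keep this between us.
"""

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def bec_red_flags(raw_message):
    """List the reasons a message needs verification outside of email."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    name, addr = parseaddr(str(msg.get("From", "")))
    # 1. An approver's display name on an address outside the company domain.
    if name.strip().lower() in PAYMENT_APPROVERS and domain_of(addr) != COMPANY_DOMAIN:
        flags.append("approver name on external address")
    # 2. Replies routed to a different domain than the apparent sender's.
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_addr and domain_of(reply_addr) != domain_of(addr):
        flags.append("Reply-To domain differs from From")
    # 3. The receiving mail server recorded SPF, DKIM or DMARC as not passing.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for check in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{check}=(fail|softfail|none)\b", auth):
            flags.append(f"{check} did not pass")
    # 4. The message asks for money to move.
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')} {body.get_content() if body else ''}"
    if PAYMENT_WORDS.search(text):
        flags.append("requests a payment")
    return flags

if __name__ == "__main__":
    for reason in bec_red_flags(SPOOFED):
        print("VERIFY BY PHONE:", reason)
```

An empty list does not prove a message is genuine, since a compromised internal mailbox passes every header check; the multi-step approval process still applies to any payment request.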
2. Let others provide security for you
Enumeration attacks, in which criminals guess or test various payment card details to steal information, are on the rise. In 2024, the U.S. region was the most targeted in these types of attacks, with an increase of 16 percent from the same period in 2023.⁷
But no matter your location, “it’s worth offloading risk, instead of trying to handle everything yourself,” said Justin Cappos, a professor of computer science and engineering at NYU. Instead of managing network security in-house, consider migrating essential services to a managed security service provider. This could be as simple as using cloud platforms like Google Workspace or Microsoft 365 for enterprise email and document management. “These services are built and maintained by world-class security engineers at an affordable price,” said Cappos, and can ultimately help your small business focus on its core business while staying protected and secure.
3. Keep your software updated
According to Cappos, this simple action is a “non-negotiable no-brainer.” Software updates aren’t just about adding new features. They also patch critical security vulnerabilities, which hackers actively exploit. Failing to update leaves your business exposed. Outdated software and virtual private network accounts with poor cyber hygiene, such as weak usernames and passwords, contributed to nearly 30 percent of ransomware attacks in just one quarter in 2024.⁸
“There’s minimal hassle and no cost,” said Cappos. “Businesses should be immediately updating when they receive a notification to do so.”
4. Make it harder for criminals to break in
In January 2024, cybersecurity researchers found a massive database with 26 billion stolen user records, including usernames, passwords and personal information supposedly taken from thousands of sources.⁷ Instead of relying solely on passwords — which can be stolen or guessed — requiring multifactor authentication (MFA) for logging into company systems is another simple yet powerful way to protect your business. MFA adds an extra layer of security by making cybercriminals jump through multiple hoops before gaining access.
MFA requires at least one additional identifier, such as a one-time passcode sent to a phone or authentication app, or a fingerprint or facial recognition. This way, even if hackers steal an employee’s password, they still won’t be able to access your systems without the second verification step.
¹ Infosecurity Magazine. (2015, February). Email Scam Netted $17m From Single Firm.
² Nationwide. (2024, October). What is Business Email Compromise and How to Educate Your Clients.
³ Federal Bureau of Investigation. (2023). Internet Crime Report 2023.
⁴ Visa. (2023, December). Visa Biannual Threats Report.
⁵ Verizon. (2022). 2022 Data Breach Investigations Report (DBIR).
⁶ U.S. Chamber of Commerce. (2024, Q1). Small Businesses Think Cyberattacks Are Biggest Threat, Survey Shows.
⁷ Visa. (2024, Fall). Biannual Threats Report.
⁸ STATESCOOP. (2024, November). Poor cyber hygiene enabled nearly 30% of cyberattacks last quarter.