Many small to mid-size business owners still believe they’re too small to be a cybercrime target, but that perception can come at a high price. Cybercriminals typically look for the path of least resistance, which often means targeting businesses without a dedicated IT team, thorough employee vetting, or consistent password protocols.
“No company is too small to become a cybercrime target,” says Jared Turnwald, senior loss control manager at Central Insurance. “Bigger companies are getting harder to exploit, so criminals are going after those that haven’t caught up yet. Unfortunately, their target is often small businesses.”
So, how can business owners protect themselves? We spoke with Turnwald and Jeff Lieberman, Central’s director of anti-fraud and recovery, to identify the most common modern cyber threats facing small and mid-sized businesses, and the simple steps these organizations can take to avoid becoming victims.

Common Cybersecurity Threats for Small and Mid-Sized Businesses
1. Social Engineering Scams
Setting the Scene: You’re wrapping up invoices when your phone rings. The caller ID shows your bank, and the voice on the other end sounds professional, even familiar. The caller informs you there’s suspicious activity on your account, and the bank needs to verify your information to freeze the fraud. You’re in a rush, and the request seems reasonable. Ten minutes later, someone drained $92,000 from your account.
This cybercrime tactic is known as social engineering. It involves manipulating people into divulging confidential information or transferring funds under false pretenses. These scams often impersonate trusted sources like banks, vendors, or executives, and prey on employees’ instincts to be helpful or responsive.
According to the FBI, business email compromise (BEC)—a form of social engineering—caused $2.9 billion in reported losses in 2023, with small businesses among the most impacted groups. BEC scams target organizations of all sizes, and scammers often spend weeks researching an organization’s structure and vendor relationships before launching an attack.
Real-World Example: A Florida school district lost over $846,000 when scammers impersonated a construction vendor and rerouted payments.
How to Prevent Social Engineering Cyberattacks
Here, Lieberman and Turnwald outline three key practices for preventing social engineering scams at your organization:
- Never rely on email alone to approve fund transfers; verify using a second communication channel.
- Train your team to be cautious with any request involving money or credentials, especially if it seems urgent.
- Establish call-back procedures and dual-authorization requirements for high-risk transactions.
2. Phishing Emails
Setting the Scene: A new email lands in your bookkeeper’s inbox. It looks like it’s from your payroll provider—same logo, colors, and tone. After a system update, the message asks them to click a link to confirm account access. They click. The site looks real, so they enter their credentials and log in. The next morning, someone rerouted employee direct deposits to unknown accounts.
This practice is known as phishing, one of the most common forms of cyberattacks on small and mid-sized businesses. In fact, 91% of all cyberattacks begin with an email.
Phishing emails often appear to come from a trusted source and are designed to trick recipients into clicking a malicious link, downloading malware, or handing over login credentials. The email may mimic your accounting software, spoof a client’s email address, or include a fake invoice. Some cybercriminals now use AI-generated language and logos to avoid detection.
Real-World Example: Small businesses using QuickBooks became the target of a phishing campaign where scammers sent fake invoices via email. These messages urged recipients to click a link to review a charge, which directed them to a fake QuickBooks login page designed to steal credentials. The breach exposed sensitive business and financial information and impacted organizations across multiple states.
Turnwald notes that phishing emails have become more sophisticated in the past two years. “Phishing emails are harder to detect than ever,” he says. “They used to be full of bad grammar and obvious mistakes. Not anymore.”
How to Prevent Phishing Scams
Turnwald and Lieberman note that it doesn’t take sophisticated cybersecurity programs to protect against phishing scams. Here, they outline three steps small and mid-sized businesses can take today to prevent phishing attacks:
- Implement email filters and spam detection tools.
- Use security awareness training platforms to simulate phishing attempts and train staff.
- Teach employees to hover over links and carefully inspect sender addresses before clicking.
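As an added illustration of the last two steps (not code from the article or from Central), the following Python script applies the same checks a trained employee makes by hand, on two constructed sample messages: it compares the sender's real domain with a list of vendor domains the business actually uses, and compares the domain named in a link's visible text with where the link really points. The domains, the trusted list and both messages are made up for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample (not from the article): the display name claims to be the payroll
# provider, but the real sender domain and the link target both point elsewhere.
PHISHING_EMAIL = """\
From: "Payroll Support" <noreply@payroll-support-update.example>
Subject: Action required: confirm account access after system update
Content-Type: text/html

<p>Please <a href="http://payroll-login.verify-now.example/auth">confirm your access at payroll.example</a>.</p>
"""

# Constructed benign message from the genuine vendor domain, for comparison.
CLEAN_EMAIL = """\
From: "Payroll Support" <support@payroll.example>
Subject: Your March statement is ready
Content-Type: text/html

<p>Sign in at <a href="https://payroll.example/login">payroll.example</a> to view it.</p>
"""

TRUSTED_DOMAINS = {"payroll.example"}  # hypothetical list of vendors the business really uses
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)+")

def registrable_domain(host):
    """Keep the last two labels; production code should use a public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def inspect_email(raw):
    """Return the warnings a careful reader would raise by checking the sender and hovering over links."""
    msg = message_from_string(raw)
    findings = []
    _, addr = parseaddr(msg["From"])
    sender = registrable_domain(addr.rpartition("@")[2])   # real address, not the display name
    if sender not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {sender!r} is not a known vendor domain")
    for href, text in LINK_RE.findall(msg.get_payload()):
        target = registrable_domain(urlparse(href).hostname or "")
        for claimed in DOMAIN_RE.findall(text):           # domain the visible text suggests
            if registrable_domain(claimed) != target:
                findings.append(f"link text names {claimed!r} but points to {target!r}")
        if target not in TRUSTED_DOMAINS:
            findings.append(f"link target {target!r} is not a known vendor domain")
    return findings
```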
3. Weak or Reused Passwords
Setting the Scene: Your office manager’s email stops working, and your website goes down. A short time later, you discover your billing software is locked. The same password she used for your system was also used on a shopping site with a data breach last year, where a hacker found it and used it to hijack your business.
A 2023 study found that 57 percent of small business employees reuse passwords across work and personal accounts, significantly increasing vulnerability. Compromised credentials cause 80% of hacking-related breaches. Simple, repeated, or outdated passwords leave accounts vulnerable to attacks or credential stuffing.
Real-World Example: In 2023, a credential stuffing attack on 23andMe compromised over 14,000 accounts, but the fallout didn’t stop there. The interconnected user features exposed more than 5.5 million profiles. The attack started with reused credentials from earlier data leaks, a reminder that even minor password hygiene lapses can scale into major cybersecurity incidents.
How to Reduce Risk of Password-Related Cyberattacks
Setting password requirements at your organization is an easy way to manage this common risk. Here are three steps to guide you through this process:
- Require unique, complex passwords for each account and change them regularly.
- Use password managers to store and generate secure credentials.
- Enable multi-factor authentication across all critical systems.
4. Unmonitored Financial Accounts and Vendor Portals
Setting the Scene: You own a small bakery that delivers through DoorDash. Orders have been steady, but your bank account balance doesn’t reflect it. After some digging, you realize someone quietly changed the bank routing number in your DoorDash account. For the past two months, payouts have been going to someone else.
Small businesses typically lose 5% of their revenue to fraud annually, with online payment portals becoming a new frontier for unnoticed theft. The Association for Financial Professionals found that 74 percent of organizations experienced payment fraud in 2023, with external fraud via digital payment platforms and vendor impersonation as growing tactics. When payment systems and vendor platforms like delivery apps, e-commerce sites, or invoicing software go unchecked, attackers can quietly reroute deposits or modify payment instructions.
Real-World Example: Hackers infiltrated Santa Fe’s vendor payment portal, changed banking details for a legitimate contractor, and diverted $324,000 before anyone discovered the error.
How to Prevent E-Commerce Related Risks
If your business relies on digital payments, online marketplaces, or customer portals, here are a few simple steps to help prevent e-commerce-related risks:
- Review financial accounts, portals, and deposits weekly.
- Set up alerts for changes to account information.
- Require administrator access and multi-approval workflows for account edits or payout requests.
5. Inadequate Employee Vetting and Access Controls
Setting the Scene: You’re short-staffed and need help fast, so you hire a new admin with glowing self-provided references. He seems sharp, so you hand him the reins to billing, ordering, and vendor communication. Three months later, he’s gone, and so are nearly $40,000 in fraudulent payments he made to a “consulting firm” he quietly set up in your vendor portal.
Lieberman explains that Central begins every financial loss investigation by asking one critical question: Who are the players? Background checks, social media scans, and multi-signature controls all play an important role in properly vetting employees.
Many small and mid-sized businesses skip basic background checks or assign too much financial responsibility to a single employee without oversight, opening the door to insider threats.
In 2023, 43% of data breaches involved insider threats, including employee misuse, negligence, or credential sharing. Businesses with poor internal controls experience a rate of fraud losses twice as high as those with basic segregation of duties in place.
Real-World Example: An office manager at AMK Heating & Cooling managed both payroll and accounting software. Over two years, she wrote over 100 fraudulent checks to herself, disguising them as payroll or loan advances. She also used a coworker’s personal data to open a credit card account in their name. Her crimes went undetected until a review uncovered more than $158,600 in fraudulent activity.
How to Improve Employee Vetting Practices
Thorough employee vetting is key to protecting your business. Start with these practices to reduce internal risk and improve oversight:
- Run background checks and verify employment history before hiring.
- Limit access based on role.
- Use separation of duties to prevent one person from initiating and approving payments.
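As an added example covering the controls recommended in sections 4 and 5 (not code from the article or from any real payment platform), here is a small Python model of a vendor-payout ledger that enforces administrator-only account edits, a second approver who differs from the initiator for bank-detail changes and for large payments, a hold on payouts while a change is pending, and an alert entry for every change. The usernames, vendor, routing numbers and approval threshold are constructed placeholders.

```python
from dataclasses import dataclass, field

# Hypothetical in-memory vendor-payout ledger (constructed for this example) that enforces
# the article's controls: admin-only edits, a second and different approver for bank-detail
# changes and large payments, a payout hold while a change is pending, and an alert log.
DUAL_APPROVAL_THRESHOLD = 5000  # assumed policy value, not from the article

class ControlViolation(Exception):
    """Raised when an action breaks one of the controls."""

@dataclass
class Ledger:
    users: dict                                   # username -> "admin" or "clerk"
    vendors: dict = field(default_factory=dict)   # vendor -> routing number on file
    pending: dict = field(default_factory=dict)   # vendor -> proposed change awaiting approval
    alerts: list = field(default_factory=list)

    def request_bank_change(self, actor, vendor, new_routing):
        """Only an administrator may propose a change; it takes effect only after approval."""
        if self.users.get(actor) != "admin" or vendor not in self.vendors:
            raise ControlViolation(f"{actor} may not edit bank details for {vendor}")
        self.pending[vendor] = {"by": actor, "routing": new_routing}
        self.alerts.append(f"{actor} proposed routing {new_routing} for {vendor}")

    def approve_bank_change(self, approver, vendor):
        """A different administrator must approve; the initiator cannot approve their own change."""
        change = self.pending.get(vendor)
        if change is None:
            raise ControlViolation(f"no pending change for {vendor}")
        if self.users.get(approver) != "admin" or approver == change["by"]:
            raise ControlViolation("approval needs a second, different administrator")
        self.vendors[vendor] = change["routing"]
        del self.pending[vendor]
        self.alerts.append(f"{approver} approved routing {change['routing']} for {vendor}")
        return self.vendors[vendor]

    def pay(self, initiator, vendor, amount, approver=None):
        """Hold payouts during a pending change; large amounts need a different approver."""
        if vendor in self.pending:
            raise ControlViolation("payout held until the bank-detail change is approved")
        if amount >= DUAL_APPROVAL_THRESHOLD and approver in (None, initiator):
            raise ControlViolation("large payment needs a second, different approver")
        return f"paid {amount} to {vendor} via routing {self.vendors[vendor]}"

def is_blocked(action, *args, **kwargs):
    # True if a control rejects the action; lets a report list what was stopped
    try:
        action(*args, **kwargs)
        return False
    except ControlViolation:
        return True
```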
Test Your Cyber Readiness
How prepared is your business to spot or stop a cyber threat before it spreads? Use this quick quiz to evaluate your current defenses. No need for tech expertise—just answer honestly and see where you stand.
- Do you use multi-factor authentication on all key systems, including email, payroll, and vendor platforms?
- Have you trained your employees to recognize phishing and social engineering scams through simulations or online modules?
- Do you review vendor portals and payment platforms at least once a week for changes or unusual activity?
- Do you require more than one person to authorize large payments or changes to financial account details?
- Do you rotate passwords and prohibit reuse across personal and business accounts?
Count your “yes” responses:
- 4-5: Your security is in strong shape!
- 2-3: You’ve taken key steps, but have opportunities to tighten security.
- 0-1: Your business is potentially exposed and at high risk for a cyber incident.
The Central Difference
Cybercrime can feel overwhelming, but protecting your business doesn’t have to be.
Central’s Cyber Suite coverage features a responsive incident recovery team and hands-on training tools that support your people, safeguard your data, and keep operations running smoothly. Whether you’re building a stronger defense or responding to an event, our team is here to help. Talk to an agent to learn how Cyber Suite fits your risk management strategy.

Copyright © 2026 Central Insurance. All rights reserved.