Small and medium-sized businesses (SMBs) are often lauded as the backbone of the American economy. While definitions of what constitutes an SMB vary, the Pew Research Center estimates that 99.9% of companies in the US could be considered SMBs. Although many of these 33 million small businesses are “solopreneurs” (or sole proprietorships), in that they lack paid employees, the approximately 6 million SMBs with paid staff account for an aggregate of almost half (46%) of private sector employment in the US.

SMBs, like their consumer counterparts, are frequent targets of fraud and scams. Indeed, the risk to SMBs – and, by extension, to their financial service providers – is arguably greater, as the dollar value at risk may be significantly higher and as SMBs lack the same legal and regulatory protections that consumers enjoy.

Our recent Expert Talks session, available on-demand, explored emerging fraud and scam threats in SMB banking and lending, featuring insights and commentary from industry experts and practitioners:

While it is common to group tens of millions of companies together under the label SMB, this flattens the wide variance within SMBs and the different kinds of threats they may face. Businesses, because they are often assumed to be more sophisticated than consumers, enjoy substantially fewer legal and regulatory protections. For example, laws like the Truth in Lending Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and the Electronic Funds Transfer Act only apply to consumers – not businesses. SMBs, which may take legal forms such as a limited liability company (LLC), partnership, or corporation, like an S corp or C corp, do not enjoy these protections, even when their size, scope, and sophistication may more closely resemble consumers.

As the panelists discussed, the fraud patterns of very small businesses are likely to mirror consumer fraud, including vulnerabilities for social engineering tactics. Smaller SMBs are also more likely to lack controls found in larger businesses, such as dual signing authority and functions like a controller or internal audit, potentially making these firms more vulnerable.

A distinct difference vs. consumer attributes and behavior is the relatively rapid formation rate of new business: in 2023, about 5.5 million new businesses were formed. And, one of the most common first tasks for a newly formed business? Opening a bank account. Yet, the relative lack of data available on newly formed businesses can make onboarding more challenging.

It’s a truism that combating fraud and scams is like playing “whack-a-mole.” Bad actors are constantly probing for weaknesses in financial providers’ and others’ systems and, once found, will ruthlessly exploit them until such attacks are discovered and the underlying gap is remediated.

In the SMB space, according to the panelists, account takeover and wire fraud remain prevalent threats, often targeting businesses conducting higher dollar-value transactions. Middleman scams, in which bad actors intercept communications related to a legitimate transaction, have also been on the rise. In these scenarios, the middleman will typically impersonate a party or service provider to a transaction, causing payments to be redirected to their own account rather than to their intended destination.

Look-a-like and synthetic business fraud have also been on the rise and were particularly popular during the COVID-19 pandemic, with government relief programs like the Paycheck Protection Program (PPP) giving fraudsters lucrative targets. There is also growing concern about “bust out” fraud, in which entities will take the time to build a legitimate-seeming footprint in order to apply for credit and then disappear with the funds. Digital tools and platforms have made it increasingly quick, easy, and fairly inexpensive to register a business, allowing fraudsters to quickly spin up new entities for such schemes. Finally, the growth of crypto has contributed to an increase in social engineering schemes like “pig butchering,” ransomware attacks, and other types of fraud and scams that take advantage of the gaps in crypto controls.

Bank-fintech partnerships have powered a new generation of innovative banking and lending products, but these operating models also increase the complexity of identifying and mitigating fraud and scam risks, the panelists explained. Banks engaged in partner relationships, sometimes referred to as banking as a service (BaaS), need to treat BaaS as a core business, rather than as an “experiment” or a test, and to make the necessary investments to run such business units in a safe and sound manner.

The risk and compliance management framework, and the corresponding policies and procedures, systems, and staff are likely to look quite different in a bank-fintech partnership operating model than in a traditional bank directly serving SMB clients. Customer-facing fintech partnerships need to integrate their compliance processes and operations with those of their bank partners. Perhaps most importantly, banks and their fintech partners need to understand each others’ objectives and achieve alignment when it comes to balancing growth with safe customer onboarding and lending practices. Increasingly, the sentiment among both fintechs and partner banks is that compliance, done well and properly resourced, can be a competitive advantage.

When it comes to risk in the SMB space, artificial intelligence is both an asset and a threat. In the hands of bad actors, generative AI tools, which can be used to quickly create realistic-looking images and documents at scale, can help supercharge fraud and scam tactics. Given the gaps in readily available data on small businesses, it isn’t uncommon for banks and fintechs serving them to still rely on manually uploaded documents, such as company incorporation papers, bank statements, information on beneficial owners, and the like. But gen AI tools have made it substantially easier and cheaper to create authentic-looking fake documents, increasing the risk for institutions that still rely on manual document reviews.

On the flip side, AI is quickly being deployed to assist in customer onboarding and due diligence processes for SMBs. Our panelists explained how AI can be used to analyze large data sets, including unstructured data, such as text, to identify patterns that would take significant manual effort to recognize. AI tools can also be leveraged to fight back against bad actors using bogus documents by detecting synthetically generated records, including fake identification and invoices.

The landscape of fraud and scams targeting SMBs and the financial institutions serving them is complex and rapidly evolving. When it comes to moving quickly, in many respects, bad actors have the upper hand, as they don’t face the same legal, regulatory, and organizational constraints that legitimate businesses do. This is abundantly clear in the AI space, where fraudsters and scammers are rapidly making use of AI tools to improve and scale their efforts, though the industry continues to push back through the responsible development and adoption of their own AI tech stacks and capabilities.

As small business banking and lending operating models become increasingly complex, collaboration between financial institutions, fintechs, and data providers is and will continue to be essential to stay ahead of bad actors and protect small businesses from financial harm.

Disclaimer
This information provided in this article does not, and is not intended to constitute professional advice; instead, all information, content, and material are for general informational and educational purposes only. Accordingly, before taking any actions based upon such information, we encourage you to consult with the appropriate professionals.