Banks have traditionally focused on servicing enterprise clients or individuals, expecting small and medium businesses (SMBs) to fit in and find an offering that best suits their needs. But the rapid rise in fraud aimed at smaller businesses requires a solution that is appropriate for SMB clients, which remain the growth engine for many banks – and the economy as a whole.
The US Small Business Administration (SBA) reports there are 33.2 million small businesses in the United States that make up 99.9% of all businesses across the country. These businesses represent the backbone of the US economy and, according to McKinsey, delivered 5% annual growth in revenue from credit card, deposits, and merchant payments over the past five years.
Yet, just 35% of these businesses feel like their primary financial institutions are meeting their digital banking needs.
Shifting the perception of the lost 65% must start with an authentication offering that is designed to keep their money safe without wasting their time and creating needless employee frustration.
Not an individual and not an enterprise
The big challenge for small businesses is getting their banks to understand that they are neither an individual nor an enterprise client, but somewhere in between, requiring a unique approach to protecting their finances.
Most modern authentication tactics are designed for individuals doing retail banking tasks, such as logins, checking their account balance, and transfers, but fall well short for small businesses. This is because the solutions generally rely on SMS one-time PIN codes (OTPs) and username-and-password combinations. They require staff to perform an authentication for every single transaction, which is a huge drain on resources. Authentication credentials also often only reside with the business owner, requiring the accounts payable staff to coordinate times to conduct payments, leading to frustration for both parties.
Commercial options aren’t much better, often suggesting the use of a hardware token and other complex tools that will also overwhelm a small, busy staff complement.
Instead, banks need to apply fraud protection capabilities that support small businesses at the same level as their high-end commercial clients, without the burdensome requirements.
Understanding the SMB fraud pain
Finding a solution requires insight into the problem.
According to the 2023 Business Impact Report, conducted by the Identity Theft Resource Center (ITRC), 73% of small US businesses with 500 employees or fewer had experienced data breaches, cyberattacks or both in the past year. This significant jump represents a worrying trend for SMBs which, until recently, had largely escaped the attention of bad actors.
Of interest is a slight shift in the root causes of these breaches over the last year. While external attackers, malicious employees, remote workers, and third-party vendors remain the top culprits, their involvement has slightly decreased. However, breaches from phishing and other social engineering scams have surged, aligning with broader trends in cybercrime.
But while smaller businesses are now facing all the same threats as their enterprise counterparts, the net effect of these breaches weighs far more heavily on the vulnerable SMB.
“Smaller businesses often operate on much tighter margins, which means even minor breaches can cause big cash flow disruptions. These losses can jeopardize the business’s ability to pay suppliers, cover their payroll or invest in future growth,” explains Frank Moreno, Chief Marketing Officer at Entersekt. “More than that, fraud can have a devastating impact on the company’s reputation, which can take years to fix. There can also be knock-on insurance investigations and even regulatory penalties if they are found to be negligent. What amounts to a regrettable business incident for an enterprise client can be catastrophic for an SMB.”
Banks struggling to balance security with great customer experience
One of the most prevalent and dangerous forms of financial crime today is account takeover (ATO). In this type of attack, fraudsters gain unauthorized access to business banking accounts, often draining funds or using these accounts for illicit activities.
Liminal’s ‘2024 Link Index for ATO Prevention in Banking’ report shows that banks are struggling to keep up with increasingly sophisticated techniques employed by cybercriminals.
The report also notes that while customers want solutions that can provide frictionless experiences, behavioral signals, passwordless authentication, and regional customization, banks are struggling to deliver, serving up friction-filled authentication methods like the use of passwords. What’s more, while most ATO attacks originate from mobile apps, only 44% of banks utilize mobile device signals for protection.
Moving beyond OTPs and tokens: The future of fraud prevention
Given the growing sophistication of ATO attacks, banks must look beyond OTPs and hardware tokens to protect SMB accounts.
Leading banks are increasingly working with authentication experts to deliver stronger protection against small business banking fraud. Using Artificial Intelligence (AI) and Machine Learning, banks are adding technologies such as biometric authentication, behavioral analytics, risk-based authentication (RBA), and passkeys into the mix.
Biometric authentication, which could include passkeys, enables secure login. Incorporating device signals, it not only checks the person’s credentials when they log in, but also the attributes and characteristics of a device, adding an extra layer of security to enhance multi-factor authentication. It further allows context-aware authentication, which adjusts security measures based on the context of the login.
Behavioral biometrics makes it possible for banks to learn which devices a customer normally uses to transact, how they interact with these devices, and their normal transactional behavior to better determine which interactions are legitimate and which should be flagged as suspicious and stopped before they happen.
Risk-based authentication, using AI, can further detect anomalies that may indicate fraud, calculate the risk posed by transactions, and take appropriate action.
The best solution calls for a multi-layered approach to security, which is much more likely to detect suspicious activities, such as unusually large payments. This includes active authentication at login and to authorize transactions. It also includes invisible security with silent authentication, which matches a device to a person and confirms it as trusted to determine which transactions are unusual and require intervention.
In this way, small businesses could transact quickly and easily, while remaining resistant to phishing, SIM-swap fraud, and other new forms of cyberattacks.
Banks that offer such authentication for small business banking clients ensure that their customers get enterprise-level security that keeps their money safe, without unnecessary friction and employee frustration – going a long way to address the needs of the 65% of clients who feel they are being overlooked.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.