Cybercrime Attacks on Oil & Gas Industry Exemplify Threats to Smaller Businesses

September 17, 2024

How You Can Protect Your Business

Key Takeaways:

Small businesses are easy targets for cyberattacks, especially if they lack strong security measures.
Fraudulent check schemes show the need for daily account monitoring and better internal controls.
Simple steps like using multi-factor authentication and reviewing IT reports can protect your business from cybercrime.

Cybersecurity breaches don’t happen just to global corporations with millions of customers. They happen locally, too, disrupting small and medium-sized businesses and potentially inflicting significant financial damage.

The oil and gas industry is not immune to these types of attacks. Known instances of cyber-attacks, such as fraudulent check-writing, occurred in the summer of 2024 to companies within the oil and gas industry. These incidents highlighted the importance of diligent internal controls and effective cybersecurity measures – especially in smaller businesses, where multiple layers of security are often missing.

Small and medium-sized businesses – defined as those with fewer than 250 employees – are more frequent targets of cybercrime than larger companies, in part because cybercriminals know that smaller companies have fewer cybersecurity tools in place to protect their data. Moreover, they are less likely to have trained their employees in how to recognize such tactics as phishing emails and social engineering.

In 2021 more than one-third of companies (37%) hit by ransomware had fewer than 100 employees. Moreover, 59% of small business owners with no cybersecurity measures in place believed their businesses were “too small” to be attacked.

What Makes Crime a Cybercrime?

On the surface, a check-writing scheme may not seem like a cybercrime. However, since a majority of small and medium-sized businesses use online or mobile applications to do their banking, cybercriminals may gain access to bank accounts by stealing login credentials through a phishing email scam.

The fraudulent check writing attack in July that hit the regional oil and gas industry noticed that unauthorized checks had been written on their banks accounts. The fraudulent checks were credible reproductions of the victims’ actual business checks, and the signatures on them were exact matches to the legitimate owners’ signatures. The fraudulent checks were for larger check amounts that are not abnormal in the ordinary course of business as it relates to exploration cost.

These fraudulent check writing instances were drawn on multiple different banks, local and national banks. The identity of the fraudster(s) is not yet known, nor is the full extent of the check-writing scheme.

An examination of the victims’ computer systems and servers did not indicate any incursions. But in the oil and gas industry, a lot of money moves around among multiple vendors, a situation that creates opportunities for cybercriminals.

The check-writing scheme should signal to all smaller business owners – especially those in the oil and gas industry – that it’s time to be more intentional about cybersecurity. Many business owners think their operations are too small to attract the interest of cybercriminals, but they are wrong. And when it hits close to home, they tend to start taking it seriously and put some protective strategies in place.

What can Smaller Businesses Do?

Some basic practices should be put in place for all businesses that don’t already have them:

If you have access to online banking, check your checking account balance every day and take note of where the checks are going. Some business owners report that they only check their accounts online once a month or less. Online banking is a powerful tool for monitoring your accounts and catching problems quickly before they get bigger. If a vendor reports that they didn’t receive a payment that you sent, it’s a red flag. Payables may be diverted digitally to a fraudster’s account. Don’t immediately assume it was just lost and issue another check. Notify your bank to void the check or stop payment immediately, so they are aware of the issue and can potentially prevent funds from leaving your account if the check was stolen and cashed. It is also a good idea to report it to the local police and Post Office.
Contact your bank and establish a protocol for monitoring checks written for unusually large amounts. Ask that your bank alert you and wait for your confirmation before processing payment.
If a vendor reports they didn’t receive a payment that you sent, it’s a red flag. Payables may be diverted digitally to a fraudster’s account. Don’t immediately assume it was just lost and issue another check. Notify your bank to void the check or stop payment immediately, so they are aware of the issue and can potentially prevent funds from leaving your account if the check was stolen and cashed. It is also a good idea to report it to the local police and Post Office.
Ask your CPA to help you review your company’s internal controls. If your company is small, it may be difficult to establish segregation of duties, but your CPA can recommend changes or suggest technology platforms that can help. Contact your critical vendors and ask them to contact you if they see any changes to your account, such as a change in email address, bank accounts or routing numbers, payroll information, or the names of those authorized to process their invoices. Also, establish proper change procedures and inform them that all changes made to your account will be made by phone and will not be made by email or text message.
Talk to vendors and ask them to contact you if they see any changes to your account, such as a change in email address, bank accounts or routing numbers, payroll information, or the names of those authorized to process their invoices. Also, establish proper change procedures and inform them that all changes made to your account will be made by phone and will not be made by email or text message.
Review your technology controls and security in general. Specifically, make sure you have advanced email security, including multi-factor authentication (MFA). Many businesses forego MFA and other security tools because they are time consuming. But when you weigh that against the potential to lose hundreds of thousands of dollars, the investment of a little time to authenticate email users is minor.
If you have IT reports, read them regularly. If you notice something unusual – for instance, someone logs in every night at 11 pm – check it out. Fraudsters who gain access to your system may watch you for a long time to learn the rhythms of your business before they strike. If you know the rhythms better than they do, you have a chance to protect your data.

Questions?

Small and medium-sized businesses are even more vulnerable to cybercrime than global corporations. But there are self-protective measures all business owners can implement to protect their organizations’ data.

If you would like a review of your company’s cybersecurity profile, contact an Adams Brown technology advisor.

Categories: Oil & Gas, Cybersecurity,

Nicole Koelsch:

How I help . . . I first knew I wanted to be an accountant after taking accounting classes in high school. At Adams Brown, I help our clients save money on taxes through entity structuring and retirement planning. I love what I do because it’s challenging and fast-paced. There is never a dull moment […]

Chris Schneider:

How I help . . . I’ve focused my career on problem solving and creating solid growth plans for my clients. My goal is to support clients by building technology plans, managing implementation strategies and gaining trust and buy-in from across the organization. Technology is a tool to help businesses achieve their goals and operate […]