Small businesses are the most frequently targeted victims of cybercrime — not because attackers prefer them over large corporations, but because small businesses have valuable data and far less security infrastructure to protect it. The FBI’s Internet Crime Complaint Center (IC3) consistently reports that small businesses account for a disproportionate share of business email compromise (BEC), ransomware, and payroll fraud losses.
For Utah small businesses, the financial exposure from a successful cyberattack extends beyond the immediate theft. A ransomware attack that encrypts your accounting files can halt operations for days. A payroll redirect fraud can drain your payroll account. A business email compromise can result in fraudulent wire transfers that are rarely recoverable.
FJ & Associates, PLLC advises Utah small businesses on the cybersecurity fundamentals that protect their financial systems, payroll data, and client information.
Questions about your financial system security? Call (801) 927-1337 or email admin@cpaone.net.
The Three Cyber Threats Utah Small Businesses Face Most Often
1. Business Email Compromise (BEC)
BEC is the highest-dollar cybercrime category in the United States. The attack pattern: an attacker compromises or spoofs a business email account (often the owner, controller, or CFO) and sends fraudulent payment instructions — redirecting a wire transfer, changing a vendor’s bank account, or diverting payroll direct deposits.
Real scenario for small businesses: An employee receives an email appearing to come from the owner: “Please wire $18,500 to this new vendor account by end of day — I’m traveling and can’t call.” The email looks authentic. The wire goes out. The money is gone.
Protection: Implement a verbal confirmation policy for any payment instruction received by email — no exceptions for urgency, executive authority, or business justification. Every wire transfer and bank account change must be verbally confirmed with the requestor at a known phone number before execution.
2. Phishing and Credential Theft
Phishing emails trick employees into entering their credentials on fake login pages — capturing usernames and passwords for email accounts, accounting software, banking portals, and payroll systems. Once an attacker has valid credentials, they have access to everything those credentials unlock.
Indicators of phishing emails:
- Urgency language (“Your account will be suspended in 24 hours”)
- Mismatched sender email address (name matches a legitimate contact but email domain is wrong)
- Links whose real destination (shown on hover) is a different domain from the text displayed
- Requests for credentials, payment, or sensitive information
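The indicators above can be checked mechanically before a message ever reaches a person. The following is an added example, not code from FJ & Associates or from the original article: it parses a raw email, compares the sender's display name against a constructed directory of known contacts, compares each link's visible text with where it actually points, and looks for urgency and credential-request wording. The contact directory, the phrase lists and the sample message are all constructed for the demonstration; the domains end in the reserved .test suffix and do not exist.

```python
"""Flag the phishing indicators listed above in a raw RFC 5322 message.

Added example (not from the original article). The known-contacts table,
the phrase lists and the sample message are constructed for the demo.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed directory of legitimate contacts: display name -> expected domain.
KNOWN_CONTACTS = {
    "Jane Owner": "example-cpa.test",
}

# Constructed phrase lists; a real deployment would tune these over time.
URGENCY_PHRASES = ("within 24 hours", "immediately", "suspended", "by end of day", "urgent")
CREDENTIAL_PHRASES = ("password", "verify your account", "log in", "sign in", "wire")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (enough for the demo; no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of_link_text(text):
    """If the visible anchor text looks like a URL or hostname, return its domain."""
    candidate = text if "://" in text else "https://" + text
    host = urlparse(candidate).hostname
    if host and "." in host and " " not in text:
        return registrable_domain(host)
    return None


def phishing_indicators(raw_message):
    """Return a list of indicator strings; an empty list means no check fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # Indicator: display name matches a known contact but the domain does not.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    expected = KNOWN_CONTACTS.get(name)
    if expected and registrable_domain(sender_domain) != expected:
        findings.append(f"sender mismatch: '{name}' expected @{expected}, got @{sender_domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    lowered = content.lower()

    # Indicator: link text shows one domain, href goes to another.
    if body is not None and body.get_content_type() == "text/html":
        parser = LinkCollector()
        parser.feed(content)
        for href, text in parser.links:
            shown = domain_of_link_text(text)
            actual_host = urlparse(href).hostname or ""
            if shown and registrable_domain(actual_host) != shown:
                findings.append(f"link mismatch: shows {shown}, goes to {actual_host}")

    # Indicators: urgency language and requests for credentials or payment.
    if any(p in lowered for p in URGENCY_PHRASES):
        findings.append("urgency language")
    if any(p in lowered for p in CREDENTIAL_PHRASES):
        findings.append("requests credentials or payment")
    return findings


# Constructed sample: the display name matches a known contact, the domain does not,
# and the link text advertises the real portal while the href goes elsewhere.
SAMPLE = """\
From: Jane Owner <jane.owner@example-cpa-secure.test>
To: bookkeeper@example-cpa.test
Subject: Action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended within 24 hours unless you verify your account.</p>
<p><a href="http://login.attacker-demo.test/verify">https://portal.example-cpa.test/login</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("-", finding)
```

Run against the constructed sample, all four indicators fire. A message from jane.owner@example-cpa.test with ordinary wording produces an empty list, which is the point of the check: it narrows attention to the messages that deserve a phone call rather than replacing the verbal confirmation policy.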
Protection: Multi-factor authentication is the single most effective countermeasure against credential theft. Even if an attacker steals a password, they cannot access the account without the second factor. MFA should be enabled on every system — email, accounting software, payroll, banking — without exception.
3. Ransomware
Ransomware is malware that encrypts your files and demands payment for the decryption key. Small businesses are particularly vulnerable because they often lack the backup infrastructure to restore from a clean backup, making payment the only recovery option.
Common entry points: a phishing email attachment, a malicious link, or an exposed or compromised Remote Desktop Protocol (RDP) connection. Once one system is compromised, ransomware often spreads across the local network — encrypting every connected device.
Protection: The effective defense against ransomware has three components:
- Prevent access — MFA on all systems, no open RDP, email filtering, employee awareness training
- Detect early — endpoint detection software that identifies suspicious file encryption behavior before it spreads
- Recover without paying — immutable offline backups (the 3-2-1 backup rule: 3 copies, 2 different media, 1 offsite/offline) that ransomware cannot reach
The Payroll-Specific Cyber Threats
Payroll Redirect Fraud
Attackers contact payroll processors (or compromise payroll administrator credentials) and change direct deposit information for one or more employees — redirecting pay to attacker-controlled accounts. This is most common against payroll service providers processing for multiple employers.
Protection: Require multi-step verification for any direct deposit change — email notification to the employee at their personal (non-work) email address, plus verbal confirmation before processing.
Fraudulent W-2 Requests
During tax season, attackers impersonate executives requesting W-2 data for all employees. An employee complying with the request sends a spreadsheet of all employee names, SSNs, and addresses — which is immediately used for identity theft and fraudulent tax return filing.
Protection: Establish a written policy: W-2 data and employee Social Security numbers are never distributed via email under any circumstances, regardless of the requester’s identity or stated urgency.
Essential Cybersecurity Controls for Small Businesses
These are not advanced enterprise security tools — they are standard controls that every Utah small business with financial data should implement:
Multi-Factor Authentication (MFA)
Required on: business email, accounting software, payroll system, banking portals, cloud storage. This single control stops the majority of credential-based attacks.
Password Manager
Using a unique, strong password for every system — still necessary even with MFA in place — is only practical with a password manager (1Password, Bitwarden, Dashlane). A password manager also identifies weak or reused passwords across your accounts.
Email Security Filters
Modern email platforms (Microsoft 365, Google Workspace) include email security filtering that catches most phishing emails before they reach your inbox. Ensure these features are enabled and configured — they are not always on by default.
Endpoint Protection
Traditional antivirus is no longer sufficient. Modern endpoint detection and response (EDR) tools identify behavioral patterns of malware — including ransomware encryption behavior — rather than relying solely on signature matching. Microsoft Defender (included with Windows 10/11) provides a strong baseline when properly configured.
Backup — Tested and Offline
Your backup is worthless if it has never been tested. Schedule quarterly restore tests from backup. Maintain at least one backup copy that is physically disconnected from your network or stored in a write-once cloud location that ransomware cannot reach.
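A restore test is more than confirming that the backup job finished. The following is an added example, not code from FJ & Associates or from the original article: it records a SHA-256 manifest of the live data at backup time, then verifies a restored copy against that manifest and reports files that are missing or whose contents changed. The directory layout and file contents are constructed in a temporary directory so the script runs anywhere offline; a quarterly test would point build_manifest at the real data and verify_restore at the restored tree.

```python
"""Verify a restored backup against a hash manifest of the live data.

Added example, not from the original article. The directory layout and file
contents are constructed in a temp dir so the script runs anywhere offline.
"""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large ledgers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree to the manifest taken before backup.

    Returns a dict with sorted lists of missing and changed relative paths;
    both empty means the restore test passed.
    """
    missing, changed = [], []
    for rel, digest in manifest.items():
        path = os.path.join(restored_root, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif sha256_file(path) != digest:
            changed.append(rel)
    return {"missing": sorted(missing), "changed": sorted(changed)}


def demo_restore_test():
    """Constructed scenario: live data, a backup, a restore, and two restore faults."""
    work = tempfile.mkdtemp(prefix="restore-test-")
    live = os.path.join(work, "live")
    os.makedirs(os.path.join(live, "payroll"))
    with open(os.path.join(live, "payroll", "2024-Q1.csv"), "w") as fh:
        fh.write("employee,net_pay\nconstructed,1.00\n")
    with open(os.path.join(live, "ledger.qbw"), "wb") as fh:
        fh.write(b"constructed ledger bytes")

    manifest = build_manifest(live)  # recorded at backup time, stored with the backup
    backup = shutil.copytree(live, os.path.join(work, "backup"))
    restored = shutil.copytree(backup, os.path.join(work, "restored"))

    # Simulate a bad restore: one file corrupted, one never came back.
    with open(os.path.join(restored, "ledger.qbw"), "ab") as fh:
        fh.write(b"\x00")
    os.remove(os.path.join(restored, "payroll", "2024-Q1.csv"))

    result = verify_restore(manifest, restored)
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo_restore_test())
```

The manifest should be stored alongside the offline copy, not only on the live network: if ransomware reaches the manifest it can no longer tell you whether the backup it could not reach is intact.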
Employee Training
The most important security control is employee awareness. Staff who can recognize phishing emails, understand why verbal confirmation of payment instructions matters, and know not to share credentials are your most effective security layer. Annual cybersecurity awareness training — even a 30-minute online course — significantly reduces successful attacks.
Cybersecurity and Your Business Insurance
Cyber Liability Insurance
Cyber liability insurance covers costs associated with a data breach or ransomware attack: notification costs, credit monitoring for affected individuals, legal fees, regulatory fines, and ransom payments. Small business cyber liability policies start at a few hundred dollars annually — a fraction of the average cost of a small business breach ($200,000+).
Most cyber liability insurers now require MFA on email and remote access as a condition of coverage. Insurers may deny claims if basic security controls were not in place at the time of the attack.
How FJ & Associates Approaches Our Own Cybersecurity
We hold ourselves to the same security standards we recommend to clients:
- MFA required on all staff accounts across all systems
- Secure client portal for all document exchange — no unencrypted email attachments for sensitive data
- Employee training on phishing recognition conducted annually
- Written payment verification policy for all wire transfers and banking changes
- Cyber liability insurance in place
When you work with FJ & Associates, your financial data is handled by a firm that takes security seriously — not just for compliance, but because protecting your information is a fundamental part of being a trustworthy financial partner.
Protect What You’ve Built
A single successful cyberattack can cost a small business more than a year of profit — and some businesses don’t recover at all. The controls that prevent most attacks are not expensive or technically complex. They are consistent, implemented across your team, and reviewed regularly.
Call (801) 927-1337 | Email admin@cpaone.net | 612 N Kays Dr Suite 120, Kaysville, UT 84037
About the Author: Missy Dennis, CPA | Partner | FJ & Associates, PLLC | Kaysville, Utah
Missy holds a Master of Accounting degree from the University of Utah and is a licensed Certified Public Accountant. She is committed to providing clear, accurate, and actionable guidance so clients can navigate complex financial decisions with confidence. With more than twenty years of public accounting experience, Missy Dennis specializes in: Tax preparation and tax advisory; Bookkeeping strategy alignment; Estate and trust taxation; Audit and consulting services; Low-income housing tax credits; Non-profit accounting; Small- and mid-sized business advisory.
