Human error leaves small businesses exposed to cyber fraud

Sharing OTPs, passwords, lack of awareness are major problems, experts say
Star Business Report

Cybercriminals are exploiting basic human error, including sharing passwords, weak access controls and low awareness, to defraud small businesses as they grow more dependent on digital payments and online platforms, experts said at a roundtable yesterday.

They called for stronger public awareness, institutional coordination and policy reform at a roundtable titled “Strengthening Cyber Resilience for MSMEs: Tackling Financial Fraud and Improving Grievance Mechanisms,” organised by The Asia Foundation and The Daily Star with support from Google.org at The Daily Star Centre in Dhaka.

Nawshad Mustafa, director at Bangladesh Bank, said most fraud could be prevented through basic digital discipline rather than better technology.

“Nearly 99.99 percent of financial fraud occurs because people share their passwords or one-time passwords (OTPs). This should never happen under any circumstances,” he said, calling cybersecurity a behavioural challenge rather than a purely technical one.

Nawshad Mustafa, director at Bangladesh Bank, said most fraud could be prevented through basic digital discipline rather than better technology. Nearly 99.99 percent of financial fraud occurs because people share their passwords or one-time passwords

He said the central bank has introduced financial literacy lessons into secondary school textbooks and now allows teenagers aged 14 and above to open mobile financial service (MFS) accounts under guardian supervision, to build safe habits early.

The BB director also urged entrepreneurs to separate personal and business transactions, restrict employee access by role, and revoke digital access immediately when staff leave.

Farzana Khan, deputy managing director of the SME Foundation, said digital transformation is now unavoidable for micro, small and medium enterprises (MSMEs), making cyber resilience equally essential.

“We have to go down this path; there is no alternative,” she said, adding that while the foundation trains entrepreneurs on digital literacy and website development, awareness of not sharing OTPs or passwords remains the strongest defence.

She also stressed the need to build a unified cybersecurity ecosystem to better protect small businesses from financial fraud.

Law enforcement officials noted that fraudsters increasingly rely on deception over technical hacking.

Md Hafizul Islam Babu, additional deputy commissioner of Dhaka Metropolitan Police’s Cyber and Special Crime (South) Division, said criminals commonly use fake payment confirmations, cloned business pages and social engineering to deceive victims.

“When I caught a suspect in the morning, the account had Tk 3,000. By evening, it grew to Tk 40,000,” he said, describing a real-time investigation that illustrated how rapidly fraudulent operations can generate money.

According to him, fraudsters even spend money promoting fake pages on social media to attract more victims. He called for a unified national cyber fraud reporting cell empowered to freeze assets before stolen funds disappear.

Fasbeer Eskander, co-founder and publisher at The Front Page, argued that Bangladesh needs structural reform in cybersecurity standards and compliance.

Questioning existing digital management practices, he said, “For every single trade license I take, every single business I launch, I need a different phone number. Why is that?”

Restricting unnecessary access and functions is essential to reducing cyber risks, he noted, calling for stronger device security policies, internationally recognised compliance frameworks, and mandatory device policy enforcement.

Md Shazzad Hossain, professor and dean at North South University, said human error remains one of the biggest vulnerabilities, recalling a ransomware incident triggered when an employee clicked a fraudulent online ad.

Through its partnership with The Asia Foundation and Google, the university has set up a cybersecurity centre that has already trained MSMEs, he stated.

The professor proposed establishing a cyber intelligence lab for digital forensics and fact-checking, with greater student involvement in national cyber resilience work. M Abu Eusuf, executive director of Research and Policy Integration for Development (RAPID), said even educated people fall for sophisticated impersonation scams.

Recalling his own experience with a fraudster pretending to be a senior Anti-Corruption Commission official, he admitted, “Even I didn’t suspect a thing.”

He suggested capping the number of SIM cards registered per person as an additional administrative safeguard.

Syed Ibrahim Saajid, head of digital banking at City Bank PLC, said fraudsters consistently adapt faster than institutions can respond, aided by widespread data leaks that make impersonation easier.

He proposed letting banks verify customer mobile numbers through the Bangladesh Telecommunication Regulatory Commission, estimating that this alone could cut fraud by half.

Entrepreneurs described the direct toll of cyberfraud on their livelihoods.

Beauty Akther, whose husband works as an MFS agent, said the family regularly fields fraudulent calls but has learned to stay cautious.

Shahana Akter, an SME entrepreneur, said hackers took over her Facebook account and posted inappropriate photos, badly damaging her beauty parlour business. In a separate incident, she lost money after paying in advance for an online makeup training course that never materialised.

Tanjim Al Fahim, founder of cybersecurity community Cyber71, said many SMEs seek help only after suffering major losses.

In one common scenario, he said, entrepreneurs lose their entire digital infrastructure because they maintain no secure backup. “Their entire database is gone— they have no backup, and there is no digitally secure backup available.”

Another common mistake involves businesses relying entirely on a single Facebook page without understanding platform policies.

Entrepreneurs often ignore temporary restrictions until their business accounts are permanently disabled, he added.

Tahsin Ifnoor Sayeed, director for impact and innovation lab at Spreeha Foundation, observed that many small businesses have already developed practical ways to reduce cyber risks.

He noted that pharmacy operators and other service-oriented businesses are particularly vulnerable because of their constant interaction with customers.

Izlal Hossain, senior programme manager at The Asia Foundation, said protecting entrepreneurs is fundamental to protecting Bangladesh’s economy.

“If entrepreneurs are the core essence of our Bangladesh economy, protecting them and making them aware is not just our duty,” he said.

Kazi Faisal Bin Seraj, country representative at Sajida Foundation, stressed that protecting MSMEs from cyber threats requires balancing technological advancement with stronger cybersecurity awareness rather than restricting digital growth.

He urged stakeholders to build an ecosystem where entrepreneurs can operate safely while embracing digital transformation.

He, however, warned against overreacting to cyber risks by limiting innovation, saying, “We don’t want to compromise on growth.”

Underscoring the importance of grassroots awareness, he added, “There is no alternative to building awareness from childhood if we want a safer digital future.”

Md Nomanuzzaman, director at Sajida Foundation; Tania Wahab, managing director at Karigar; Taifur Rahman, deputy director at BTRC; also spoke at the event. The roundtable was moderated by Tanjim Ferdous, head of Strategic Partnerships at The Daily Star.