Does shopping at a small business protect you from identity theft and data breaches?


At Bankrate we strive to help you make smarter financial decisions. While we adhere to strict , this post may contain references to products from our partners. Here’s an explanation for

If data-breach stories involving big companies such as Target, Home Depot and Anthem have had you spooked, you may feel safer shopping at small mom and pop businesses, either in person or online.

But your sense of security may be a false one, because a small business can be even more susceptible to ID thieves and hackers than a large one. As a consumer, you have to stay vigilant to limit your vulnerability to identity theft and financial fraud, no matter where you do business.

Have you checked your credit report lately? Get it free at myBankrate.

Attractive targets for hackers

According to information compiled by the public-private National Cyber Security Alliance, nearly half of all small businesses have been a victim of a cyberattack, and 71 percent of security breaches target small businesses. Ninety-five percent of credit card breaches discovered by Visa Inc. are from its smaller-business customers, the alliance says on its website,

“Small- to medium-size businesses typically don’t have the same level of sophistication as larger companies when it comes to protecting data,” says Michael Kaiser, the alliance’s executive director in Washington, D.C.

“Many of them use older technology that is more vulnerable to a cyberattack,” he adds. “A lot of small companies are still using Windows XP, even though Microsoft is no longer offering support or security upgrades to that system.”

A growing problem for small businesses

Balboa Capital Corp., a provider of small-business financing, says 18 percent of all businesses with fewer than 250 employees experienced a cyberattack in 2011. That doubled to 36 percent by 2014.

“All it takes is one person to realize someone is capturing valuable information and then to figure out how to get it,” says Matthew Edenhofer, Balboa’s director of information technology.

“Small businesses are also vulnerable to internal breaches when an employee realizes that Social Security numbers or credit cards are visible to them,” he says. “The employee can take a screen shot or export the information to Excel and sell this information on the black market.”

More On Identity Theft:
Create a news alert for
"smart spending"

However, small businesses do have some fraud-fighting advantages, says Yaniv Chechik, a vice president at Zooz, a payment technology provider. For example, he says most small businesses don’t store your data the way larger companies do.

Protect yourself shopping with mom and pop

Whenever you shop in a mom and pop store or spend money with any other kind of brick-and-mortar small business, you must rely on your intuition to gauge your vulnerability to fraud.

“Follow your gut instinct,” says Kaiser. “If you’re in the doctor’s office, are files lying around, or are they being put away immediately? I also encourage people to just ask about what precautions are being taken with their personal information.”

Beware of businesses that don’t use an electronic terminal for credit card transactions or who write down your credit card number, Chechik says. They’re putting you at risk.

Consumers are particularly vulnerable if they are asked to send credit card information via email or text, Edenhofer warns. He also recommends that you use a prepaid debit card or a credit card you designate just for shopping at small businesses, rather than using your bank debit card, in order to limit your exposure if your account information is stolen.

Be careful with smaller online businesses

Online shoppers at the checkout for a small business’s website should always make sure that the URL starts with “https.” Or, look for the “SSL Secure” label or the lock symbol on your browser, which indicate a secure site, says Kaiser.

Another good idea is to research reviews of unfamiliar sites to see if consumers have complained about a data breach.

“If you’re not sure you’re dealing with a legitimate business, look up the physical address and check it out on the Google Earth website,” says Edenhofer. “You can also go to with the URL of the site and find out how long the website has been in existence and any other information that’s available.”

Be smart with passwords, too

A major no-no is to register on the website of a smaller company with the same password you use for your bank account, says Edenhofer.

“If that password is stolen, a hacker will try it out on all your other accounts,” he says. “If you want to designate a generic password that you use for shopping at all other sites, that’s fine as long as there’s nothing to connect it to your important passwords.”

Chechik adds that you should also avoid using your email password for any other site, because if a fraudster accesses your password, you are vulnerable to identity theft based on information that can be gathered from your emails.

No matter where you shop, watch for red flags that indicate your personal information is not being protected, and always monitor your own credit report and accounts.

“Consumers can’t entirely eliminate the risk of identity theft or financial fraud,” says Kaiser. “Just use your instincts and don’t give away information if you don’t have to.”