QuickBooks Blog

What small businesses need to know about the dark web

Running a small business comes with many challenges, from hiring the right employees and gaining funding to building trust with a new group of customers.

The last thing an owner wants is to worry about their data ending up on the dark web. Thankfully, when armed with the right information about the dark web, it’s possible to safeguard company information and put this worry to rest.

What’s the dark web?

The internet is comprised of three layers, and the dark web is just one of them.

First, there’s the surface web, which consists of roughly 2 billion websites users access through search engines, which make up about 10% of the internet. Think of your day-to-day websites, such as Google, YouTube, or Buzzfeed.

Then, there’s the deep web. Despite its somewhat threatening name, there's nothing to be afraid of on the deep web because it consists of websites that require a username and password to access. To fully understand the difference, think of your banking website. It has a standard website that anyone can access on the surface web, and then once you log in with your personal information, your bank account and data are on the deep web.

The dark web is completely different and centers around anonymity. Websites on the dark web are in encrypted networks that hide the identity of the online user. If you want access, you’ll need specialized software. This includes peer-to-peer networks, including a Tor (The Onion Browser) browser or Freenet, which organizations and individuals operate and use to remain anonymous. Sites hosted within the dark web usually have a domain ending in .onion instead of what we’re used to, such as .com or .org. Standard browsers such as Safari and Chrome can’t access onion websites.

What’s on the dark web?

What will you find there once you’ve found your way into the dark web? For starters, a lot of stolen data, possibly even your own personal information.

Despite the dark web being totally legal, it can be a hub for illegal online activity where scammers and hackers sell and buy personal data, including passwords, Social Security numbers (SSNs), and credit card details.

Stolen and counterfeit information comes in many shapes and forms on the dark web. Some types include the following:

●     Personal data: Sometimes called PII (personally identifiable information), this data is essentially your online footprint: your full name, home address, phone number, birthday, SSN, and email address.

●     Financial data: This type of hacked information includes stolen credit card information, online banking usernames and passwords, and even credentials for cryptocurrency accounts.

●     Medical information: Also called PHI (personal health information), this can include medical history, prescription information, test results, and billing information.

●     Online account information: This typically includes username and password combinations that can be used to hack into several online accounts.

What kind of business information can you find on the dark web?

Companies in all industries and sizes need to understand the risks of their business information being found on the dark web, including usernames, passwords, and stolen credit card information. To make matters worse, the dark web can also be the place where your customers’ data ends up, including financial and operational data.

Consider how many usernames and passwords your business relies on to remain up and running. If one of your business usernames and passwords is found on the dark web, a hacker could access one of your online business accounts in seconds, making decisions that could make or break your company's success.

Think back to when you first opened your business. You likely opened a bank account or applied for a loan. When you did, what type of personal data did you provide the financial institution? Beyond the basics—name, company name, and address—you probably provided your SSN and driver’s license number.

When a hacker combines this sensitive data found on the dark web with the publicly available information about your name and business, they can easily begin to impersonate you and your business, potentially making detrimental decisions.

How to know if my business data is on the dark web?

It’s common to wonder if the data surrounding your small business is on the dark web. Unfortunately, the question isn’t “if” your data will end up on the dark web, it’s “when” your data will end up on the dark web.


Many small business owners use dark web scanners to know for sure. The dark web scanner by Aura is easy to use and can discover leaked passwords associated with your business email address in seconds. The tool checks if information tied to your business email account has been exposed in data breaches or on the dark web, allowing you to act fast against this data falling into the wrong hands.

The Identity Guard’s scanner is also a good solution. From identity theft and data trading to credit card theft and more, this scanner can give you the peace of mind you’re looking for.

Besides other alternatives, including LifeLock and Experian, you can also know for sure if your business data is on the dark web by getting yourself a Tor browser and using a VPN to access the dark web.

How to avoid the risks?

It’s possible to avoid the dark web altogether, but only if you know how to protect your personal data, small business data, and your customers’ information.

Block all Tor traffic

Since the dark web is reached through the Tor network, the best first step to avoiding the associated risks is to block all Tor traffic. This comes with its own set of challenges, though: Tor uses SSL connections over web ports and can use any available or open port to access the dark web.
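Because the port alone does not identify Tor, a practical check is to match outbound connections by destination address instead. The following is an added example, not part of the original article; the log format, the internal addresses and the relay list (documentation-range IPs standing in for a Tor relay list you obtain from a source you trust) are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed relay list: documentation-range addresses standing in for a
# Tor relay list that you export from a trusted source and refresh regularly.
RELAYS = {ipaddress.ip_address(a) for a in ("198.51.100.7", "203.0.113.44")}

# Constructed firewall log; assumed format: time src_ip dst_ip dst_port action
LOG = """\
2024-05-01T09:00:01 10.0.0.21 192.0.2.10 443 ALLOW
2024-05-01T09:00:05 10.0.0.34 198.51.100.7 443 ALLOW
2024-05-01T09:01:12 10.0.0.34 203.0.113.44 9001 DENY
2024-05-01T09:02:40 10.0.0.58 203.0.113.44 80 ALLOW
malformed line
"""

def tor_connections(log: str, relays=RELAYS) -> dict:
    """Map each internal host to the relay connections logged for it."""
    hits = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # skip lines that do not fit the assumed format
        _, src, dst, port, action = parts
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue
        # Match on destination address, not port: relays listen on 443, 80, ...
        if dst_ip in relays:
            hits[src].append((dst, int(port), action))
    return dict(hits)

def allowed_through(hits: dict) -> list:
    """Hosts with at least one relay connection the firewall let through."""
    return sorted(src for src, conns in hits.items()
                  if any(action == "ALLOW" for _, _, action in conns))

if __name__ == "__main__":
    found = tor_connections(LOG)
    print(found)
    print("needs follow-up:", allowed_through(found))
```

In the sample, a rule that only denies port 9001 stops one connection while the relay connections on ports 443 and 80 are allowed, which is the gap the paragraph above describes.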

Layer network security using a proxy and VPN together

Once Tor traffic is blocked, take things one step further by layering your company’s network security using a proxy and a VPN. The two working as one provides businesses with a multi-layered approach needed for strong cybersecurity protection.

For example, a proxy server can protect from malicious websites, while a VPN protects from suspicious intruders, giving your company’s network 360-degree protection and complete network control.

Monitor if your employees are using the dark web

Regardless of how many employees or contractors you have, it’s in your best interest to monitor how they use the internet, and make sure they’re not using your company's internet servers to access the dark web.

If you haven’t figured it out by now, an employee using the dark web poses a massive risk to your company! For example, let’s say they purchase a database of user credentials or other types of illegal material using your company’s server. An employee using your network for illegal activity could implicate you as the business owner by association.

What if a disgruntled employee posts sensitive data on the dark web and sells it for their own benefit? Just because your company isn’t involved with the illegal behavior doesn’t mean you are in the clear; you may be on the hook during litigation.

There’s also the chance of an employee downloading seemingly harmless files from the dark web that end up being infected with malware or ransomware. If this happens, your company may have to foot the bill for recovering data after falling victim to theft or a virus.

There are targeted dark web scanners such as HashCast that specialize in detecting leaks of employee business information on the dark web. 

The possibilities here are endless, and often expensive. That’s why it’s crucial you always monitor your employees by blocking Tor traffic, and using a proxy and VPN.

Set strict password protocols to avoid the risks

When it comes to your business accounts, choosing a weak password could put your data and digital security at risk. It’s imperative that every single company password be unique, especially when you consider that hackers can break a weak password in just a few tries. And if your business uses the same password for multiple accounts, the risks get even steeper.

A lot of stolen data found on the dark web comes from hacked business accounts. Hackers take advantage of the fact that people use the same password across numerous accounts. So, if a hacker purchases data on the dark web that contains just one password to one of your business accounts, this could give them access to more information if this password is used more than once.

This can be avoided with strict password protocols for all employees—and even clients and customers. Some elements of a strong password to keep in mind include the following:

●     Make sure passwords contain numbers, letters, and special characters.

●     Avoid including your name, birthday, or any other information that can be guessed.

●     Set up two-factor or multi-factor authentication software.

●     Change passwords every few months, but never repeat or share passwords.

●     Consider using a password manager to handle and keep track of passwords.

Various services will help you with password retention, including Dashlane and LastPass, and both of those services have plans for personal and company use. Remember, there’s no such thing as a password that’s too strong.

Apply data encryption

Sensitive data of all shapes and sizes needs to be protected. A good way to do that is through encryption, which helps safeguard sensitive data your company may store, transmit, or use by converting this data into unreadable and unusable forms. Encryption will help your company securely store and share data, including customer information and banking numbers, while keeping integrity and confidentiality intact.

For example, an encrypted email containing sensitive customer information will look like a series of random numbers, characters, and letters, making it impossible to be hacked and keeping it off the dark web.

Another example is QuickBooks®, which uses 128-bit TLS encryption for all customer data, and all copies of daily backup data are encrypted with 256-bit AES encryption.

Companies often turn to encryption software to ensure that even if their data falls into the wrong hands, the encryption levels make this information impossible to read, which keeps it off the dark web.

Train employees on how to avoid phishing scams

Phishing scams are used by hackers to steal company data, and sell it on the dark web. User data is obtained through fraudulent communications targeted directly at people—like your employees. This is usually done through emails that are disguised as legitimate ones that trick your employees into revealing sensitive information and company data. Popular types of phishing include spear phishing, clone phishing, and whale phishing.

Basically, the goal of a hacker running a phishing scam is to trick your employees into giving up the information the hacker wants so that it can be sold on the dark web. These hackers trick recipients into opening malicious links within the body of the email, resulting in malware or ransomware infections.

This method is more common than you think, so be sure to train your employees on avoiding and knowing the warning signs of a phishing scam. Some warning signs include the following:

●     A link within an email that includes a subdomain or a URL that is spelled incorrectly.

●     The message possesses a sense of urgency or fear, so the employee feels as if they have to act fast.

●     It's sent from a Gmail or Yahoo email account, instead of a corporate or business email account.

●     The email message is written poorly with spelling and grammar errors.

●     The email isn't addressed to your employees and instead may only start out with “Hello,”.
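Four of the warning signs above (misspelled or subdomain-based links, urgency, free-mail senders, generic greetings) can be checked mechanically before a message reaches an employee. The following is an added example, not part of the original article; the company domain `example-corp.com`, the word lists, the 0.85 similarity threshold and the sample message are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration: your real domain and word lists go here.
COMPANY_DOMAIN = "example-corp.com"
FREE_MAIL = {"gmail.com", "yahoo.com"}
URGENCY = ("urgent", "immediately", "right away", "within 24 hours", "suspended")
GENERIC_GREETING = re.compile(r"^(hello|hi|dear (customer|user))\s*,?\s*$", re.I | re.M)
URL_HOST = re.compile(r"https?://([^/\s:]+)", re.I)

def lookalike(host: str) -> bool:
    # True when a link host imitates the company domain without being it.
    host = host.lower()
    if host == COMPANY_DOMAIN or host.endswith("." + COMPANY_DOMAIN):
        return False
    if COMPANY_DOMAIN.split(".")[0] in host:  # company name inside another site's host
        return True
    registrable = ".".join(host.split(".")[-2:])  # crude: last two labels only
    return SequenceMatcher(None, registrable, COMPANY_DOMAIN).ratio() >= 0.85

def warning_signs(raw: str) -> list:
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()  # plain-text mail only
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signs = []
    if sender_domain in FREE_MAIL:
        signs.append("free-mail sender")
    if any(lookalike(h) for h in URL_HOST.findall(body)):
        signs.append("lookalike link")
    if any(word in body.lower() for word in URGENCY):
        signs.append("urgency")
    if GENERIC_GREETING.search(body):
        signs.append("generic greeting")
    return signs

# Constructed sample message (not a real email).
SAMPLE = """From: "CEO Office" <ceo.office@gmail.com>
To: staff@example-corp.com
Subject: Report needed

Hello,
I need you to review this report immediately:
http://examp1e-corp.com/reports/q3.pdf
"""
```

Calling `warning_signs(SAMPLE)` flags all four signs; a message from a company address that greets the employee by name and links to a company subdomain returns an empty list.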

A common example of a phishing scam is when a hacker pretends to be the company's CEO, founder, or senior leadership team member. They will then demand urgent attention to a report or an attachment within the email. If your employees don’t know any better, they may quickly react to this type of email out of fear or a sense of responsibility toward the company and its leadership.

And then just like that … your company’s data is on the dark web.

Have a disaster recovery plan

Your business needs to have a disaster recovery plan if it falls victim to hackers. A disaster recovery plan (DRP) is a recorded policy, process, or procedure created by your business. It is designed to assist in administering a recovery process in response to a disaster and protecting an IT infrastructure.

The purpose of this plan is to explain how an organization will react before, during, and after a disaster so that everyone involved knows the actions that need to take place. In addition to hacking or a data breach, this can also include everything from equipment failure to a natural disaster.

Every business and situation will be unique, so there’s no one-size-fits-all approach to a DRP. It’s always a good idea to create a plan based on the following concepts:

●     How to prevent a loss of data, including having proper backups in place, and the right physical equipment on hand, like generators and surge protectors.

●     How to detect new and potential threats.

●     How to correct a situation if it were to occur, such as potentially securing the right insurance policies and brainstorming what has been learned as a result of the incident.

In the case of protecting your data against the dark web, the DRP can include training employees to aggregate data and manipulate it properly, having the right software and hardware, and scanning the dark web for company information on a regular basis.

Now is the time to shed light on the dark web

It’s important for small business owners to accept that the dark web is a threat to their company and customer data. Knowing what the dark web is and how to safeguard your business from hackers is the first step to making sure sensitive information doesn’t fall into the wrong hands. And while most of us will never visit the dark web, this doesn’t mean your private company data won’t end up there.

Since everyone’s data is vulnerable, business owners need to get familiar with the risks associated with potential exposure.

