UK SMEs remain a key target for cyber scammers. Over £50 million was lost to the two most common cyber frauds in just 6 months of 2018, with over 3,000 reported cases and an average loss of nearly £20,000.
These figures, from the Vocalink 2019 Business Fraud Report, show that criminals continue to evolve their scams to ever more sophisticated fraud techniques. Alarmingly, the report also highlights that many businesses are still vulnerable to these cyber-attacks due to a lack of awareness or prioritisation of prevention.
Common Payment Frauds
1. CEO fraud
Cybercriminals impersonate senior managers to trick other employees into making unauthorised payments or releasing sensitive information. Typically, this will be an email that appears to be from the CEO / MD instructing an urgent payment to be made to a new supplier. As well as the bank account details for the payment, there will usually be some additional story about why it is urgent, such as being needed to secure a big discount. Using social engineering, criminals can time these emails to coincide with the CEO / MD being out of the office.
2. Invoice redirection and mandate fraud
Cybercriminals pose as a regular supplier to the company and make a formal request to the finance team to change the bank account details for future payments. The criminals can have enough information regarding the true supplier relationship to be very convincing. The fraud is often discovered only when the genuine supplier chases for non-payment of their invoices.
3. Business Email Compromise
Similar in approach to CEO fraud and Invoice Redirection, this variant stems from a cybercriminal hacking into a business email system allowing them to monitor email conversations and determine the most effective fraud technique to apply.
Four Steps to Protect your Business
1. Raise awareness
In the same way that (hopefully) no-one still falls for the “Nigerian finance minister looking to deposit millions into your bank account” scam, the latest frauds can usually be prevented if the techniques are understood throughout your business. Ensure all staff, and particularly your finance team, are trained about the risks, implications, and how to spot the signs. The Action Fraud website is a good place to get free information and advice.
2. Authenticate payment requests
Verify any email or telephone request for a payment before it is made, ideally with a second trusted contact such as a co-director.
3. Introduce internal checks
Ensure that all requests for changes to suppliers' bank details are validated by calling a known contact at the supplier for verification.
Encourage all staff to refer any suspect emails/communications to a colleague for double-checking.
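As an added illustration (not code from the article or from FinanceHead), the following shows how the call-back and second-approver controls in steps 2 and 3 can be enforced in a finance system before a supplier's bank details are changed. The key point it makes explicit is that the number dialled must be the one already on file, never one supplied in the change request; the supplier record, names and phone numbers are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample supplier master record (assumed data, not from the article).
# The known contact number was recorded before any change request arrived.
SUPPLIER_MASTER: Dict[str, Dict[str, str]] = {
    "ACME-001": {"name": "Acme Ltd", "account": "12345678",
                 "known_contact_phone": "+44 20 7946 0001"},
}


def _digits(number: str) -> str:
    """Normalise a phone number to digits only so spacing and punctuation do not matter."""
    return re.sub(r"\D", "", number)


@dataclass
class BankDetailChangeRequest:
    supplier_id: str
    new_account: str
    callback_phone_used: Optional[str] = None  # number actually dialled to verify the request
    verified_by: Optional[str] = None          # staff member who made the call-back
    approved_by: Optional[str] = None          # second person who signed off the change


def validate_change(req: BankDetailChangeRequest,
                    master: Dict[str, Dict[str, str]] = SUPPLIER_MASTER) -> Tuple[bool, str]:
    """Return (accepted, reason). Every missing or failed control rejects the change."""
    record = master.get(req.supplier_id)
    if record is None:
        return False, "unknown supplier: create and verify the supplier record first"
    if not req.callback_phone_used or not req.verified_by:
        return False, "no call-back verification recorded"
    if _digits(req.callback_phone_used) != _digits(record["known_contact_phone"]):
        # A number taken from the request itself proves nothing: it may reach the fraudster.
        return False, "call-back used a number that is not the known contact on file"
    if not req.approved_by or req.approved_by == req.verified_by:
        return False, "second approver missing or same person as verifier"
    return True, "accepted: verified with known contact and approved by a second person"


if __name__ == "__main__":
    # Mandate-fraud pattern: the email asks to change the account and offers a "new" contact number.
    suspicious = BankDetailChangeRequest("ACME-001", "87654321", callback_phone_used="+44 7700 900123",
                                         verified_by="alice", approved_by="bob")
    print(validate_change(suspicious))
    legitimate = BankDetailChangeRequest("ACME-001", "87654321", callback_phone_used="+44-20-7946-0001",
                                         verified_by="alice", approved_by="bob")
    print(validate_change(legitimate))
```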
4. Maintain IT Security
Your IT systems need to be sufficient to protect against cyber risks, and to minimise the impact on the business of any attack that gets through. Anti-virus software, data access security, and data back-ups are all essential.
Your own part-time Finance Director will have practical experience of implementing the internal systems and processes necessary to minimise cyber risk, including the correct set-up of banking systems, and the potential to insure against cyber risks. Contact Michael Cartwright for your own FinanceHead.