Small businesses are waking up to the reality of cybercrime. Increasingly reliant on new communications and information technology, SMEs have to pay attention to protecting their online capital just as they would their goods and premises. Yet despite the action taken to stop cybercrime, online criminal activity persists, with scammers evolving new ways of conning people and businesses out of their hard-earned money.
Did you know that fraudsters can make any number appear on your phone handset or that they can join the text message thread of a legitimate person or company?
SME staff being targeted
One growing cyber scam is personalised attacks which target financial employees in businesses. University of Leeds researchers interviewed police officers from UK cybercrime units and reported that cybercriminals are researching, “specific people who handle finances in a company and sending them an email that pretends to be from another employee. The email will fabricate a story that encourages the recipient to open an attachment, normally a Word or Excel document containing malicious code.”
These kinds of attacks are called “spear phishing” or “big game hunting”. They differ from powerful botnets which are used to send out millions of malicious emails to random victims in the hope of installing ransomware on the computers and servers of their unsuspecting victims.
According to researchers, cybercriminals actually prefer to target staff in small and medium-sized companies, avoiding larger firms, which are likely to have more advanced cybersecurity. An added reason is that bigger organisations are more likely to attract media attention if caught, which leads to more police interest and the risk of disrupting the criminals' whole operation.
Four more ways your staff may be targeted for cybercrime:
1. Invoice Fraud – Criminals may contact finance staff either by phone or email, posing as regular suppliers, and then request that bank details be changed. These scammers then receive your business's payments into that fraudulent new account before anyone realises what has happened. Criminals may have obtained details of your client and supplier relationships through data theft, either by buying stolen data or by stealing it themselves. They can even tell you about previous invoice and payment details to make the request look more convincing.
● Action Fraud reports that it received 5,225 reports of compromised email and social media accounts between April and September 2018.
● Police say that between Oct 2017 and Sep 2018, mandate fraud victims lost £160m – it is one of the most reported frauds in the UK.
More than 1 in 4 businesses in the UK are unaware of the risks posed by invoice fraud, according to the banking trade body, UK Finance. The BBC reported on the survey across 1,500 UK firms which found that:
despite such scams costing firms almost £93m in 2018, 55% of sole traders were aware of the threat of invoice fraud, compared with 68% of small businesses and 84% of large businesses.
2. Caller ID spoof – criminals pretending to be someone else can now fool victims in even cleverer ways. They use caller ID spoofing, where criminals make the telephone network indicate a false originating number so the recipient believes the call is genuine. Current technology allows this to be done quite easily. Criminals may call pretending to be an existing client or supplier who has recently changed their bank details. They use hacked information about existing direct debits, recent payments and so on to convince you, and then fraudulently receive money from your business.
3. Tax scam – April, May and June are popular months for tax scams because people will have just filed their tax returns in April and HMRC processes their rebates in the following couple of months. The caller ID spoof has become an increasingly frequent method used in tax scams and is one that Ofcom is focusing on clamping down on. In 2018, HMRC revealed:
● nearly 250,000 reports of phishing, which HMRC says is around 2,500 scams a day
● in the 12 months to February 2019, HMRC got 73,382 reports of suspicious HMRC phone calls.
4. CEO Fraud – this is where a criminal impersonates the chief executive officer, or another senior figure, of the business concerned, and convinces a member of staff to make an urgent payment to the scammer's account. The criminal will have fraudulently accessed the company's email system or used spoofing software to emulate a genuine email from the CEO. While this was the least common type of Authorised Push Payment (APP) fraud, a total of £14.8 million was nevertheless lost in 2018 through this scam.
How can SMEs guard against cybercrime scams?
Cyberattacks are often deliberately aimed at busy, under-pressure finance staff in small businesses.
● Check emails – look out for grammar errors and check the subject line for anything suspicious. Scammers often make errors which give themselves away. Check the ‘From’ address carefully; scammers often use unfamiliar addresses.
● Check rebate methods – for example, HMRC does not refund to cards, only by cheque or directly to a bank account, so there is no need to give out your card details.
● Verify invoices – don’t automatically pay invoices or click on links, especially if they arrive electronically; verify the details against the details you have on file. Don’t dispose of any financial paperwork without shredding it first.
● Follow procedures – ensure staff follow documented internal processes for requesting and authorising all payments and be suspicious of any request to make a payment outside of the firm’s standard processes.
● Call them back – don’t be afraid to say you will call them back, using existing information or contact details which you have looked up yourself.
● Check bank statements – ensure someone checks bank statements regularly and notifies the bank immediately if there are queries.
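The email checks above can be turned into a simple triage step for finance staff. The following is an added example, not code from the original article or from any organisation it cites: it scores constructed sample messages against the article's own red flags (an unfamiliar or imitated ‘From’ address, an urgent payment or bank-detail change request, and a Word or Excel attachment). The company domain, the known supplier domain and the sample messages are all assumed.

```python
"""Triage payment-request emails against the red flags listed above."""
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import List

# Assumed values: the firm's own domain and the supplier domains it knows.
COMPANY_DOMAIN = "example-sme.co.uk"
KNOWN_SENDER_DOMAINS = {COMPANY_DOMAIN, "trusted-supplier.example"}
URGENCY_WORDS = ("urgent", "immediately", "today", "asap")
PAYMENT_WORDS = ("invoice", "payment", "bank details", "transfer", "account")
OFFICE_ATTACHMENTS = (".doc", ".docm", ".xls", ".xlsm")

@dataclass
class Message:
    from_header: str
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)

def triage(msg: Message) -> List[str]:
    """Return the red flags raised; an empty list means none were raised."""
    flags = []
    display_name, address = parseaddr(msg.from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    # 'From' check: unfamiliar domain, or a display name that looks like a
    # colleague's address while the real sender is elsewhere.
    if domain not in KNOWN_SENDER_DOMAINS:
        flags.append("unfamiliar sender domain: " + domain)
    if "@" in display_name and display_name.split("@")[-1].lower() != domain:
        flags.append("display name imitates another address")
    text = (msg.subject + " " + msg.body).lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        flags.append("urgent payment request: follow the standard process")
    if "bank details" in text and ("new" in text or "change" in text):
        flags.append("bank details change: verify by call-back to known number")
    for name in msg.attachments:
        if name.lower().endswith(OFFICE_ATTACHMENTS):
            flags.append("Office attachment may carry macros: " + name)
    return flags

# Constructed sample messages, not real traffic.
SAMPLES = {
    "ceo_fraud": Message('"ceo@example-sme.co.uk" <ceo.office@freemail.example>',
                         "Urgent payment needed today",
                         "Please transfer the invoice amount before 5pm, I am in a meeting."),
    "supplier_change": Message("Accounts <accounts@trusted-supplier.example>",
                               "Updated invoice",
                               "Our bank details have changed, please use the new account.",
                               ["invoice_march.xlsm"]),
    "routine": Message("Accounts <accounts@trusted-supplier.example>", "Invoice 1042",
                       "Please find attached our invoice for March.", ["invoice_1042.pdf"]),
}
```

A flagged message is not proof of fraud; it marks the request as one to verify by calling the supplier or colleague on a number you already hold.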
The Take Five campaign against financial fraud advises taking the following precautions if someone contacts you asking for a supplier’s bank account details to be changed:
● always verify with that supplier separately on the phone or in person, using the contact details you have on file.
● if you are making a payment to an account for the first time, transfer a small sum first and then check that all is in order before paying the remainder.
● check with the company, using known contact details, that the payment has been received and that the account details are correct.
If you discover the worst has happened then contact your bank immediately to rectify the information and see how they can help you recover your money.
It’s also essential that all businesses, large or small, install adequate protection. This not only reduces data theft risks but could protect your business from data breaches and the strong penalties you could suffer under the General Data Protection Regulation (GDPR).