How to protect your business against cyber-fraud
The internet revolution has improved the speed and efficiency of business operations, but these opportunities also bring an increased risk of cyber-fraud.
Falling victim to cyber-fraud can result in major financial losses. Fraudsters can easily monetise stolen information by selling it online, and the impact of this on businesses’ reputations can be severe. Individuals have been given increased anonymity as internet and email-based transactions have become the norm in business. Fraud may cover many different jurisdictions, with victims, beneficiaries and fraudsters potentially located in different countries. This makes it difficult to investigate fraud and, crucially, very hard to recover funds.
For this reason, businesses must aim to prevent fraud, rather than hope to cure its consequences.
The threat of cyber-fraud can seem difficult to combat, as the software used by fraudsters can be extremely complex. However, it is important to remember that most cyber-fraud attacks depend heavily on human interaction – in 2015, 50 per cent of the worst security breaches were caused by inadvertent human error.
Social engineering is the method by which fraudsters aim to trick people into breaking normal security procedures. Fraudsters are usually looking for the victim to give up sensitive information, such as bank log-in details, or for them to enable malicious software to be installed onto their device. They may also trick the victim into carrying out a fraudulent payment themselves.
Fraudsters in social engineering cases often have thorough knowledge of the company to enable them to build trust with the victim. They may be aware of regular payments that are due, or of the structure of teams within your company, enabling them to impersonate internal employees. The most common forms of social engineering for business customers are invoice fraud, “phishing”, “vishing” and “smishing”.
Invoice fraud involves a fraudster posing as someone else to notify you that a supplier’s payment details have changed. They provide alternative payment details in order to defraud you. The fraudster could be claiming to be from your company’s genuine supplier, or even a member of your own company. Funds are often quickly transferred, so recovering money can be extremely difficult.
Phishing via letter or email, vishing (vocal phishing) and smishing (SMS phishing) involve a fraudster posing as a legitimate source, communicating with one of your employees in order to trick them into divulging sensitive financial information or transferring money into other accounts. The communication may contain a link to a fake website which will request that you enter financial information.
Alternatively, they may convince a member of staff to reveal sensitive company information over the phone. Most commonly, fraudsters make an unsolicited call pretending to be from your bank, so they can ask you to reveal confidential information.
How to protect your business
Raising awareness within your company, especially among staff who authorise payments, will help to prevent cyber-fraud. Follow these simple steps:
- Check notifications and invoices received carefully to see if the document looks like a counterfeit
- Check that the email address the message comes from does not look odd
- Call suppliers using the contact details you have on file to confirm changes before effecting them
- Never enter any personal or security information on a site accessed through a link in an email
- Never open attachments from unfamiliar senders
- Be cautious of callers who attempt to gain information – if in doubt, terminate the call and ring back to verify the contact using their usual, saved contact number
- Ensure that there is an https and padlock sign in the address bar of sites that request sensitive information
- Remember that the bank will never ask for your full password or PIN, provide you with details to make a payment, or request that you grant them access to your systems or PC.