Fraud against businesses is on the rise and is increasingly sophisticated. So worried is the government, that it included fraud in its annual crime survey for the first time this year, and its 2017 annual cyber security breaches survey found that a staggering seven in 10 businesses have been the target or victim of fraud. The government has now committed to investing £1.9bn to protect the nation from cyber-attacks and to help make the UK the safest place to live and do business online.
So who is currently at risk and what can be done to prevent it?
Especially at risk are property and construction businesses because they have many different suppliers and significant machinery assets. They are often seen as an easy target and are, the government survey reports, the least likely to seek assistance when facing cyber security threats. But any business of any size could be a target, so awareness and prevention is essential.
On average, businesses lose £20,000 a year to fraud, with some losing millions. Email and telephone fraud is by far and away the most common way to defraud businesses followed by viruses and malware. And it is not just small businesses that are targeted; this year, Richard Branson was targeted by a $5m telephone fraud.
Spear phishing attacks can be very sophisticated and are where fraudsters impersonate members of an organisation. Fraudsters can spend a significant amount of time researching their target before launching the attack.
In this type of attack, typically, an email will arrive into the finance department that looks convincingly as if it has come from the senior management. In the example of the building and construction industry, it asks that a contractor needs paying asap or they will walk off site, or that the company is late paying for a piece of equipment and that payment is needed straightaway and provides new or revised payment details.
So convincing is the email that payment is made without question, and the money is lost, leaving the business with little or no chance of recovering it. It isn’t just this sector that is at risk, businesses in all sectors might be targeted.
Other business sectors frequently targeted include those holding electronic personal data on customers. The new General Data Protection Regulation (GDPR) which will be implemented on 25 May 2018 should mean all businesses are now looking closely at this area of their business operation and preparing for the new rules. To be compliant with the new regulations may also offer greater protection against cyber-crime.
In the meantime, it is the sophisticated simplicity of these attacks that makes them so successful, yet also makes them easy to avoid if the correct measures are in place. A review of a business’ internal processes and education of staff involved in managing the finances is key.
We would recommend that all businesses adopt the following simple measures:
Ensure emails are labelled ‘internal’ or ‘external’. This can easily be done by your email provider or IT company, and whilst not a complete failsafe, it will help flag emails that claim to originate inside a business but actually are external.
Ensure that all significant requests for payment are checked and require a two-stage payment process ideally written into the company’s online banking facility rules.
Simply check with the supplier that payment is indeed needed as claimed. All it takes is a simple phone call.
Never make a payment because of a threat to remove a service or staff at short notice, decisions made in the heat of the moment are often regretted and speaking to the supplier involved will help establish what is correct.
And in the event that all the above fails, consider investment in fraud and cyber-crime insurance.
It is also very common to receive emails claiming to come from your bank, software providers or other parties wanting you to change and update banking details. Do not under any circumstances follow the link provided in any such email – it is likely to take you to a mirror site allowing the fraudsters to capture the information needed to access sensitive or important financial information. The same applies if called. Simply offer to call them back on the number you would usually use, not the one they provide. If someone calls and claims to be from your bank, don’t be afraid to ask them to prove who they are and why they are calling, it will help to buy you extra time.
Staff that are responsible for, or have permissions to authorise payments, need to be regularly reminded and updated on a company’s policies and procedures relating to payments, and those policies and procedures should be regularly reviewed.
In smaller businesses that may be relatively straightforward to implement, but in larger businesses more sophisticated policies that deliberately slow down payment procedures might be needed.
Spear phishing attempts, whilst on the rise, are not the only way businesses are defrauded. It still stands that the weakest point in any company policies and procedures are the people involved. And sadly, most successful fraud attempts still require the assistance (intended or otherwise) of trusted staff.
Tom Wacher is Director of Forensic Accounting at accountants and business advisers Kreston Reeves. He is a Fellow of the Institute of Chartered Accountants in England and Wales and a full practicing member of the Academy of Experts. He can be reached by email: tom.wacher@krestonreeves.com. Visit: www.krestonreeves.com.
For more information on this subject plus the Budget 2017 analysis and other business, tax and commercial financial planning issues, come along to our free seminar, Finance Focus 2017. The event takes place on Tuesday 5th December from 8.00am-10.30am at South Lodge Hotel in Horsham. It will help you focus on the financial health and continued growth and profitability of your business, enabling you to make confident decisions while looking ahead to the future. Book your place at http://www.krestonreeves.com/news-and-events/07/09/2007/finance-focus-2017-sussex