While we’ve all been distracted by the Covid-19 pandemic, an epidemic of a very different kind has been flourishing.
The level of attempted fraud, targeting both individuals and businesses, has escalated in the last 18 months as we have lived online.
Latest Office for National Statistics figures show that while overall crime shrank by eight per cent last year, attempted fraud increased. This includes a 68% rise in ‘remote banking fraud’ — attempts to target people using online banking. Meanwhile, business complaints service Resolver says reports of fraud are up by a third.
‘Small businesses can find themselves particularly at risk from scams, as criminals target them thinking they may have limited levels of IT support or protection,’ says Michelle Ovens CBE, head and founder of Small Business Britain, which champions small firms. ‘Scams have also become more sophisticated, particularly as we all embrace digital more than ever before, presenting more opportunities for criminals.’
Fraud fears for businesses
While being defrauded can cause loss and upset to the individual, the implications for a business can be even more far-reaching. There may be legal implications if your company allows data from its customers to be compromised and used elsewhere — and the losses can mount up.
Richard Hepburn, operations manager at small business experts Gorilla Accounting, says even common phishing scams can have a huge effect where businesses are involved. ‘Even small businesses deal with paying large sums of money, so the costs of a phishing scam can hit a small firm massively financially, where the funds in the bank have been set aside for paying staff and taxes,’ he says.
Michelle at Small Business Britain says that although the thought of being scammed might be scary, businesses should prepare rather than panic. ‘Small firms must not worry unduly, there are a few simple steps they can take to protect themselves and build confidence. Cyberscams are sadly now part of life for everyone, and all types of businesses need to protect themselves.’
Knowledge is power
The first step, experts agree, is to know the most common types of frauds and scams that target small businesses, so that you can protect against them. Amber Burridge, head of fraud intelligence at fraud protection group Cifas, has listed the five most common types of fraud businesses face, detailed in our panel, below.
These include emails impersonating a chief executive or finance officer, notices of new bank details, and emails that look like they are from government offices, but are not. James Bore, security expert from Bores Security Consultancy, says the biggest example of one of these messages came when a regional director of a company he was working with got an email purporting to be from the chief executive, asking him to transfer £2million to buy property in China.
‘They had spoofed the email of the chief executive and went as far as including the phone details of a “Swiss lawyer” who would talk them through the deal,’ he says. A final phone call from the regional director to the chief executive prevented the fraud.
‘With the mix of secrecy around the industry and the phone call to a supposedly independent party, it was only that last phone call that eventually prevented the transfer from happening,’ says James.
Richard Hepburn of Gorilla Accounting points out: ‘HM Revenue & Customs will never ask for bank details over the phone, so business owners should never pass on any confidential information if they receive a call from someone saying they are from HMRC.’
Fake invoices are also a huge issue. Ray Walsh, online scam expert at cybersecurity firm ProPrivacy, says invoice fraud costs small businesses around £100million a year. ‘The sum being defrauded from small businesses via fake invoices is staggering,’ he says. ‘It is vital that employees who manage business accounts and pay invoices have been trained to double-check all invoices and ensure they are legitimate.’
Training staff to spot fake invoices and know how to deal with them is vital. ‘Calling the number on an invoice to check its legitimacy will not always prevent fraud because it is extremely easy for the scammer to use social engineering to trick the employee into paying,’ Ray explains.
‘These sophisticated scammers use carefully devised scripts to convince employees that an invoice is legitimate and must be paid.’
Vigilance is key for the business owner, says Richard Hepburn. ‘Remain sceptical at all times and take care with all things cyber. The vast majority of scams happen online, so it’s crucial to remain vigilant and to always approach documents, transactions and queries with a level of scepticism.’
Working with your staff
Knowing the signs of fraud yourself is a good start, but when you run a business you need your staff to be on the ball, too. All of them need to be trained to spot fraud and to make good decisions, while it is also important to check your employees’ credentials before you hire.
Robert Brooker, who chairs the London Fraud Forum and is head of fraud and forensic at accountancy and insolvency specialists PKF GM, says: ‘Ensuring that you undertake due diligence, such as background checks for all staff, is essential for fraud prevention.’ Even if you have a small number of staff, he adds, it is best to split some roles to avoid the temptation to commit fraud.
Where the staff is small, one person will often be responsible for managing petty cash, paying invoices and managing payments received from customers. ‘Try to avoid this scenario as it makes you susceptible to fraud without it being noticed,’ says Robert. ‘Ideally have at least two people managing the process and try to automate it. Employee fraud happens because you provide the opportunity due to a lack of controls.’
If the worst happens
It’s important to act fast if you fall victim to fraud. ‘Report it to Action Fraud,’ advises Amber Burridge, at Cifas. This team within the Metropolitan Police will advise you on what to do next.
Ray Walsh at ProPrivacy says you should also contact your bank so that accounts can be frozen, and get legal advice fast. ‘And engage with cybersecurity experts to figure out what data has been affected and what legal compliance repercussions might be involved.’
■ For more info see ico.org.uk
Five common scams
Business email compromise
Senior individuals at a business are impersonated over email. For example, a CEO or finance officer may have their email address spoofed and a fake email is sent to pressure a junior employee to make a payment for a late invoice. The invoice is fake and funds are sent to the fraudster from the business’s account.
An organisation receives an email purporting to be from a legitimate supplier advising of their new bank details for payments to be sent to in future. The change in payment details is made, but the supplier has been impersonated and payment is sent to the fraudster instead.
Government agency scams
False communication is received from someone purporting to be from a government organisation, such as HMRC, demanding payment for customs or due to an error in a tax return. These are scam emails designed to steal money or details.
Fraudsters may send an invoice demanding payment for a missed invoice, often threatening that not paying the bill will impact the organisation’s credit report. These are fake invoices and the goods or services have been neither ordered nor received.
Small businesses may have fewer internal fraud controls to detect dishonesty by employees. Examples of internal fraud may include staff exaggerating timesheets and overtime claims, diverting supplier payments to their own bank account, or stealing cash from registers.
■ Source: CIFAS
How to protect your business from fraudsters
Know your suppliers
‘Always validate new suppliers and double check all requests to change bank details with your original contact, not via an email received, to ensure they are who they say they are,’ says Robert Brooker, head of fraud and forensic at accountancy and insolvency firm PKF GM. Chairman of the London Fraud Forum, Robert says that while fraudsters impersonate legitimate suppliers, it is also possible for a seemingly legitimate supplier to be a fraudster.
Educate your staff
‘Identify areas where your business may be vulnerable to fraud and implement processes which will help detect signs of fraud, such as deciding who has the authority to make payments and how they can be made,’ says Amber Burridge, head of fraud intelligence at Cifas.
‘The key to protecting your small business is to educate your staff on the fraud risks the company faces — especially as roles and responsibilities may be shared when staff are unwell or on annual leave.’
Check your security culture
‘We advocate an open approach to security that encourages people to report suspicions, rather than shouting and screaming at those who have clicked on a link accidentally,’ says Nicola Hartland, chief revenue officer at digital security business CyberCrowd. ‘One of our sayings is, “Security should be the servant to the business,”’ she adds.
‘Don’t wait to suffer a cyberattack or scam before making changes,’ says Ray Walsh, online scam expert at ProPrivacy. ‘Be proactive. Talk to your employees about the risks and create a fraud response plan, engage in data mapping and improve security for all business assets by working with an MSSP [Managed Security Service Provider].
‘Make sure to prioritise training for all key members of staff and make sure the whole company is aware of the need to protect sensitive business and consumer data.’