10 ways to keep your business safe from fraud

Feb 14, 2020

Olivia Buckley outlines how small- and medium-sized businesses can avoid being taken in by fraudsters.

SMEs today are faced with many fraud types, from old-fashioned cheque fraud to cyber-attacks such as ransomware. Organisations of all sizes are open to attack, but SMEs are often a prime target as their security systems may not be as robust as those of larger organisations. Fraud can significantly damage a business both financially, through lost funds, lost revenue, and the cost of any legal action and security upgrades, and non-financially, through a tarnished reputation, loss of trust and low employee morale. Therefore, it is critical to prevent fraud from happening in the first place.

Two types of fraud that are particularly common amongst SMEs are invoice fraud and CEO/executive impersonation fraud, and they have been known to catch out even the most prepared businesses.

Invoice Fraud

Using a spoofed email address, the fraudster emails you pretending to be a supplier. The email will mirror an email that you regularly receive from your supplier, including logos and signoffs. The email informs you that they have a new bank account and that all future payments should go to the new account. When you receive the next legitimate invoice from the real supplier you make a payment to the new bank account. Generally, it is only when the reminder to pay the invoice comes in that you realise what has happened. By then the fraudster has their money and it’s too late to recall the payment. 

CEO/Executive impersonation fraud

CEO fraud is a scam in which fraudsters hack into the legitimate email of a CEO/senior executive and impersonate them, sending an email to another employee in the business who deals with payments. They use malware to hack into the email and will monitor how the CEO/senior executive writes their emails, the tone and common phrases they use, and how they sign off an email. The fraudsters take an opportune moment when they know the CEO is out of the office, such as on annual leave, to send the mail telling the employee to pay money to a supplier and providing the account details to do so. In some instances, it might not be a payment request but a request for personal information such as P30s or customer information.

10 ways to keep your business safe

  • Have a verification process in place before changing saved bank account details of your suppliers or service providers, e.g. verbally verify bank account change requests from suppliers. Ensure employees are fraud aware and understand the controls and procedures in place to prevent fraud.
  • Provide cyber security training for staff which includes awareness around clicking links sent in emails and ensuring systems are password protected.
  • Fraudsters may already have basic information about you or your business in their possession (e.g. name, address, account details). Do not assume the caller is genuine because they have these details.
  • Be wary of payment requests that are unexpected, irregular or require changes to bank account details, whatever the amount involved.
  • Always check your bank statements. If you notice any unusual transactions, report them to your bank.
  • Don’t assume you can trust caller ID. Phone numbers can be spoofed so it looks like a company is calling even if it’s not the real company. Similarly, fraudsters can change an email address to make it look like it comes from somebody you email regularly. Look out for different contact numbers and/or a slight change in the email address, for example a .com instead of a .ie top-level domain.
  • Ensure security software is regularly updated and maintained using official and reliable brands. Back up the system regularly.
  • Always exercise caution when forming new relationships with potential customers. Undertake appropriate due diligence.
  • If in any doubt, do not make a payment unless you have verbally confirmed the payment with your CEO/supplier.
  • Don’t allow yourself to be rushed. Take your time to do the relevant checks.

If you fall victim to a scam or have noticed unusual activity on your account, contact your bank immediately. The sooner the bank can investigate potential losses, hold funds in accounts and place recalls on transfers made in error, the better. Fraudsters withdraw funds as soon as they hit their accounts, so time really is of the essence. You should also report the incident to law enforcement authorities.

Olivia Buckley is the lead of the FRAUDSmart campaign at Banking & Payments Federation Ireland.