Phishing for funds

Aug 01, 2018
As small businesses are more likely to be victims of fraud than larger ones, this article explains how SMEs can keep themselves safe.

Emerging technology and improved connectivity have helped small- and medium-sized entities (SMEs) take advantage of new business opportunities, but they have also presented fresh opportunities for fraudsters. While most financial fraudsters still use telephone and email to commit the crime, the frauds themselves are increasingly sophisticated.

SMEs are faced with many fraud types, from old-fashioned cheque fraud to cyberattacks such as ransomware. Organisations of all sizes are open to attack, but SMEs are often targeted as their security systems may not be as robust as those of larger organisations. Keeping security systems and devices protected with official and reliable software and backups can assist greatly in keeping fraudsters out of your business. It is also important to be aware that your firm may be at risk of indirect fraud if a fraudster compromises a supplier’s system and sends you fraudulent emails from their accounts in an effort to defraud you.

Fraud can significantly damage your business both financially (e.g. lost funds, lost revenue, and the cost of any legal action or security upgrades) and non-financially (e.g. a tarnished reputation, loss of trust and low employee morale). It is therefore critical that firms work to prevent fraud from happening in the first instance.

So, what is the most common fraud affecting Irish business today? The answer is email fraud. While this might not seem very new or particularly high-tech, the sophistication comes in how the fraudster builds your trust and gets you to take an action that is not in the best interest of your company. Two particularly common types of fraud are known as CEO or executive impersonation fraud and invoice fraud. Both have caught out even the most prepared businesses.

CEO or executive impersonation fraud

In the case of CEO fraud, the legitimate email of a CEO or senior executive is hacked and malware is then deployed to monitor how the individual writes his or her emails – the tone, common phrases used and how they sign off.

Fraudsters generally strike when they know the CEO is out of the office – when on annual leave, for example – at which point they will send an email instructing a colleague with responsibility for payments to pay a supplier while providing the necessary bank account details. If undetected, the funds will then be lodged to the fraudster’s bank account by an unsuspecting employee. Business owners and advisers should note that in some instances the email might not be a payment request but rather a request for personal information such as a P30 or customer information.

Invoice fraud

Meanwhile, invoice fraud is on the rise in Ireland. Using a spoofed email address, the fraudster presents himself or herself as a supplier. The email will mirror an email you regularly receive from your usual supplier, including logos and signoffs, and will inform you that the ‘supplier’ has a new bank account with instructions for all future payments to be lodged to the new bank account.

When you receive the next legitimate invoice from the real supplier, your firm will process the payment to the new bank account. Generally, it is only when a reminder to pay an invoice comes in that you realise what has happened. By then, the fraudster has their money and it is too late to recall the payment.

Protecting your business

As the old saying goes, prevention is better than cure. Implementing controls and procedures to prevent fraud does not have to be a costly task; in fact, low-cost measures can prevent most frauds from happening.

Simple procedures such as verifying new payment details verbally can prevent fraud from happening in the first instance. Firms are advised to require dual sign-off on large, if not all, payments. Not only does this minimise the risk of payments going to fraudsters’ accounts, it also reduces the risk of fraudsters being able to hack into your online banking account as two sets of log-in details are required.

In terms of software security and anti-virus software, only use well-known providers and do your research. Never install security software by clicking on advertisement links on the internet. A low-cost way to create backups is to use cloud technology; this does not involve the purchase of expensive hardware and is easily accessed should an attack take place.

Finally, staff training is critical. Ensure that employees are aware of potential threats, know how to use systems properly and are provided with refreshers in protocols and procedures. This will all help prevent fraudulent attacks on your company or client companies.

FraudSMART, a new fraud awareness initiative developed by Banking & Payments Federation Ireland (BPFI) in conjunction with the banking sector, also aims to help businesses and consumers recognise and prevent fraud. Here are its top tips to help you keep your business safe:

Be informed

  • Ensure employees are fraud-aware and understand the controls and procedures in place to prevent fraud;
  • Have a verification process in place before changing bank account details for existing suppliers or service providers (e.g. verbally verify bank account change requests with individual suppliers);
  • Provide cybersecurity training for staff and include routine warnings about clicking on links in emails and ensuring that systems are password protected; and
  • Do not assume that you can trust caller ID. Phone numbers can be forged to make it appear as though a particular company is calling but that may not be the case.

Be alert

  • Do not fall for the fraudster’s trick of sending an email from a senior person in your organisation when they are out of the office. Also, do not reply to the email as the fraudster is on the other end;
  • Fraudsters can change an email address to make it look as though it comes from someone you email regularly. Look out for different contact numbers and/or a slight change in the email address;
  • Fraudsters may already have basic information about you or your business. Do not assume that the caller is genuine simply because they have these details;
  • Be wary of unexpected or irregular payment requests, or requests that require changes to bank account details – irrespective of the amount involved; and
  • Always check your bank statements. If you notice any unusual transactions, report them to your bank immediately.
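
The "slight change in the email address" described above can also be checked automatically against the supplier contacts you hold on file. The following Python sketch is an added example, not part of the original article or of FraudSMART's guidance; the contact names and addresses are constructed and the function names are hypothetical.

```python
from email.utils import parseaddr

# Constructed contact list (assumption): display name -> address held on file.
KNOWN_CONTACTS = {
    "Mary Byrne": "mary.byrne@acme-supplies.example",
    "Accounts Team": "accounts@northwind-parts.example",
}


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_sender(from_header, contacts=KNOWN_CONTACTS, max_distance=2):
    """Return warnings for a From header that imitates a contact on file.

    An empty list means no lookalike signs were found. Senders that simply
    are not on file are not flagged; this check only covers imitation.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    known = {a.lower() for a in contacts.values()}
    if addr in known:
        return []
    warnings = []
    # A familiar display name paired with an address that is not on file.
    on_file = contacts.get(name.strip())
    if on_file:
        warnings.append(f"name '{name}' is on file as {on_file}, not {addr}")
    # An address that differs from a known one by only a character or two.
    for k in sorted(known):
        if 0 < edit_distance(addr, k) <= max_distance:
            warnings.append(f"{addr} is a near match for {k}")
    return warnings


if __name__ == "__main__":
    # Constructed sample: the letter "i" in "supplies" replaced with "l".
    for w in check_sender("Mary Byrne <mary.byrne@acme-supplles.example>"):
        print("WARNING:", w)
```

Any warning should trigger the verbal verification step using a phone number already on file, never one taken from the email itself.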

Be secure

  • Ensure that your firm’s security software is regularly updated and maintained using official and reliable software, and that your data is regularly backed up;
  • Always exercise caution when forming new relationships with potential customers and undertake appropriate due diligence;
  • If in any doubt, do not make a payment unless you have verbally confirmed with your CEO and supplier that the details are correct; and
  • Do not allow yourself to be rushed. Take your time and conduct the relevant checks.


If you fall victim to a scam or have noticed unusual activity in your bank account, contact your bank immediately. The sooner the bank can investigate potential losses, hold funds in accounts and place recalls on transfers made in error, the better. Fraudsters move fast. They withdraw funds as soon as they hit their accounts, so time really is of the essence. You should also report the incident to your local Garda station.
For more information on fraud prevention in business, visit where you can also sign up for fraud alerts.

Niamh Davenport is Fraud Awareness Manager at Banking & Payments Federation Ireland.