It’s not all ‘Nigerian princes’ who need someone to help them out with a deposit these days, internet fraudsters and hackers represent a big, albeit illegal, business area in 2018. With one in four SMEs having fallen victim to fraud. In this blog we’ll introduce you to some of the latest threats and show you how to avoid your business’ money falling into the wrong hands.
The average cost of a fraudulent attack on an SME is £35,000, according to studies. Most cyber attacks can be avoided, however, so let’s look at some of the most common fraud tactics hitting UK businesses at the moment.
Beware Of Public Internet Hotspots
It’s amazing how much a hacker can get done on one unsecured wifi connection. Don’t login to your bank account while you’re using a wifi connection you can’t be certain is safe. Beware, too, of the use of social media channels. Take a look at this video to see how easy it is for a hacker to pick up on your personal details in a seemingly harmless environment.
Phishing
Phishing is all too common these days, and most people know what to look out for, but criminals are coming up with more and more sophisticated ways to trick you. A typical phishing attack comes in the form of an email from an email address that looks to be genuine. It could be something like [email protected], it could also be very well presented to include the company’s branding. It may contain details about your business account that seem like they couldn’t be found by anyone who doesn’t work for your bank. Many of these emails now contain a link, which when clicked will divert you to a convincing copy of your bank’s login page requesting you login, at which point those important details are harvested. Some of the links may also contain malware that will sit on your computer and harvest important login details and confidential financial information.
Vishing
Vishing is essentially ‘voice phishing’. Telephone fraud has doubled in the last 12 months. It’s all too easy for criminals to get their hands on enough vital data to convince someone that they are calling from the business’ bank. Often in these scams the caller will inform you that your business account has been put on hold due to suspicious activity. They’ll then ask you for a few details to verify you are authorised to manage the account. Often there’s such panic and urgency created that the person receiving the call will feel flustered and before you know it, you’ve given away a vital piece of information allowing the criminal to login to your bank account. Even worse, sometimes they ask for a test payment that will be refunded immediately as evidence that you’re authorised on your account. Obviously the payment does not get returned.
Smishing
A newer way for criminals to try to gain access to your account is ‘Smishing’, essentially, ‘SMS phishing’. You may receive a text message claiming to be from the bank, but it’s actually from a hacker. If there is a link in the text message, clicking on it could result in malware being added to your phone which can scrape login details if you ever login to your email or bank account via your smartphone. Similarly, clicking the link could take you to a very convincing copy of your bank’s website and ask you to login with the vital information the criminal requires to access your business bank account.
Invoice Redirection
This one has been particularly successful, and it’s often the simplest schemes that catch us out, as we’re all looking for the suspicious email or the call from a blocked number. The invoice redirection scam is far simpler. You will receive a letter, usually from a supplier or service you subscribe to stating that they have updated their bank details. The letter contains a new account name, number and sort code and asks you to redirect your usual payments to the new account. The letters will arrive fully branded and may be impossible to distinguish from a genuine letter head. But once you’ve updated your direct debit details, your business has paid the criminal and will still need to pay the genuine invoice.
So how do you avoid your business becoming one of the 23 per cent that will be victims of cyber crime over the next 12 months? Here are some measures you can put in place right away.
1) Do not be rushed or pressured whenever money is involved
Your bank will never pressure you to act immediately. If you’re unsure whether the call is legitimate, the email is genuine or the login page is correct, just don’t do it. Take 5 mins to assess the evidence: check the caller ID, check them email address, say you’ll get in touch tomorrow. There should never be a rush when it comes to your business finances.
2) Educate your team
Inform your whole team about the potential threats, everyone should be aware no matter their job title. If they can pick up a phone they may inadvertently pass on vital details to a cyber criminal without even knowing it.
3) Update passwords regularly
‘Password123’ might be easy for everyone in the team to remember, but it’s like leaving the front door open to cyber criminals. Make sure your passwords are strong (upper case, lower case, special characters) and change them monthly. Consider using something like 1Password which can help increase your password security, especially if you have a big team who often need to login to accounts on behalf of your business.
4) Work on the cloud
Improve your data security by using a virtual desktop or cloud based desktop service, that way no work or important information actually happens on your local machine. Especially important if staff members use laptops that are taken out of the office on a regular basis.
5) Subscribe to the best antivirus and malware solutions
This one seems obvious, and you probably have appropriate protection software, but make sure you’re up to date and fully protected by reviewing the various software options regularly and upgrading to the best on the market.
6) Trusteer Rapport
Download a free copy of Trusteer Rapport which secures your computer every time you are logged into your internet banking account.
7) Get in touch directly
If there is a genuine reason for you to have to discuss your business bank account with your bank, hang up the phone / don’t click on the email / don’t respond to the request at all. Take your time and use genuine channels, such as calling the banks official home number or contacting them online once you’ve logged into your account.
© 2019 Warr & Co Chartered Accountants. Warr & Co Chartered Accountants is a member of The Institute of Chartered Accountants in England & Wales (ICAEW). Whilst the information detailed here is updated regularly to ensure it remains factually correct, it does not in any way constitute specific advice and no responsibility shall be accepted for any actions taken directly as a consequence of reading it. If you would like to discuss any of the points raised and / or engage our services in providing advice specific to your personal circumstances, please feel free to contact any one of the partners on 0161 477 6789 or contact us via our website forms. Warr & Co Chartered Accountants are registered to carry our audit work in the UK, our audit registration number is C002961684, for more information please visit www.auditregister.org.uk.