Protecting businesses from cyber-fraud

Businesses need to be constantly alert to risk of fraud

9//Businesses need to be constantly alert to risk of fraud particularly when making regular payments to suppliers. It is helpful to be aware of two of the more common ways that fraudsters are using to target businesses, and what you can do to mitigate exposure to risk.

Business email compromise

This is where either a businesses’ email account is hacked, or an email address is set up that is very similar to the business email (it may include a hypen, number or additional letter making it difficult to spot the difference).

What the fraud looks like.

Fraudsters email your business appearing to be one of your existing suppliers. They send you instructions to pay an invoice to new bank details (to an account under their control).

How the fraud works.

The two common ways for fraudsters do this are:

By hacking your supplier’s business email account and altering any attachments to an email to show different bank account details.

By ‘spoofing’ your supplier’s email address (ie creating one that is so similar it’s hard to spot the difference). By watching the supplier’s activity and their communication style they email you at the usual time you hear from your supplier.

CEO Fraud

Similar to business email compromise, this is where the CEO (or similar senior level) has their email account hacked or spoofed.

Fraudsters will use the knowledge that senior management are in a position of authority to their advantage to pressurise staff to make payments into accounts under their control.  Typically the scenario will be urgent, and the senior individual may be uncontactable.  Fraudsters have been known to look on company websites for details of new employees to email.

Cyber Security in Business

• Raise employee awareness. Make fraud awareness is everybody’s responsibility. Provide training and regular updates; and put clear procedures on reporting any concerns or risks in place.
• Assume nothing. Emails from a known email address may not be genuine.
• Check any changes to payment details by phoning the supplier/business. Use the phone number on the website, or that you have used previously, do not call the number associated with the instruction and this too may have been changed by the fraudster.
• Carefully check the email address for minor discrepancies. (eg a hypen, number or additional letter).

Tips on maintaining good data hygiene in a business

• Install robust anti-virus software
• Keep systems and applications updated. Updates often include fixes for any vulnerabilities.
• Have a secure password management policy and make sure everyone knows it.
• Using a Virtual Private Network (VPN) can protect you and your employees over, particularly when on public Wi-Fi
• Enable Two Factor Authentication (2FA) this is usually a secure code sent by SMS or an authentication app.
• Never open unexpected file attachments or click on links. If in doubt don’t.
• Back up data regularly and store separately. It’s also wise to scan data backups for malware as ransomware can be dormant on a network before being executed.
• Have a recovery plan in place ready to put into action should you fall victim to an attack. This should be regularly tested.

For further information on prevention or for advice on reporting a cyber attack, please go to https://www.actionfraud.police.uk/contact-us

Related content

• RUNNING YOUR BUSINESS
• ARTICLES