This article covers some of the main fraud risks to businesses and individuals and sets out some of the key preventative measures that are easier to implement. For further information, the Action Fraud website is a library of support for businesses and individuals and allows you to report a fraud as either a victim or a witness.
Unfortunately, the main reason for the increase in fraud on UK businesses is the large number of individuals who will use change and uncertain times to exploit people and organisations.
Fraud is more prevalent around key dates and holidays. Fraudsters are more likely to attack when they think the individual or business will be most open: busy bank holidays, busy seasonal periods or simply Friday afternoons when people are trying to leave the office. Currently, nothing is very normal: businesses are trading at reduced capacity, staff are on and off furlough, and many are carrying out different roles from those they had previously. All these factors open businesses up to fraud.
There are two main ways to categorise fraud types: authorised and unauthorised. Authorised fraud is where the fraudster tricks the individual into authorising a release of funds into an account controlled by the fraudster. Unauthorised fraud is where funds are taken from an individual or company without their permission and, often, without their knowledge.
The first line of defence is knowledge; this article goes some way towards exploring the most common types of fraud that UK businesses are subjected to.
What are the most common types? And how can you protect yourself, your employees and your business?
We can stop many of these types of fraud with training, process and consideration.
This fraud is committed by a fraudster impersonating a company’s supplier, purporting to have amended their bank account details, and asking that all further payments be sent to a new, fraudulent account. The account details are those of an account opened fraudulently; the business is often only made aware once the real supplier contacts them requesting payment.
The fraudulent request can be received in many forms: email, phone call or letter. The fraudster will often have done their research and found that the named company is a genuine supplier, what they supply, and an individual’s name at the company. They will often make the request via email with a spoof email address or via letter on headed paper.
This fraud is a regular occurrence, which often preys on the more junior members of the team. There are two reasons fraudsters may use this type of fraud: firstly, to get a member of staff to click on a link so that malware may be installed on their system; secondly, to request that a payment be sent to a fraudulent account.
The fraud is committed by impersonating a director, manager or other authoritative figure within a firm; these are easily found on most websites. The fraudster emails a member of staff, most commonly requesting that a payment be made to an account. The email is often written with urgency, stating that the payment needs to be made quickly and for reasons such as: it is for a new client win, the boss is stuck somewhere, or there will be recompense for the individual’s colleagues if not made quickly. This urgency is designed to make people think quickly and not clearly.
The email will often come from a spoof email address very much like the director’s; these are easily guessed or, again, found on the website. The fraudster will often have intercepted emails from the director and will mimic the email wording and tone so as not to alert the individual.
All businesses put trust into their staff to do the right thing by the company; if owners don’t, they restrict their opportunities and often get bogged down in tasks they could delegate.
Most individuals are not calculated fraudsters, but some are opportunistic. It is often easy to hide your fraudulent ways if you are the only person working, or the only person with authority, in your department. Internal fraud, meaning fraud committed by the company’s own staff, can be the hardest to spot and the most devastating. It often leaves a feeling of betrayal for the business owner and a feeling of guilt for the remaining staff for not spotting the issue. There are too many ways of committing fraud to list, but there are some key characteristics to watch out for.
This is where a fraudster impersonates a professional body such as a bank, the police, an IT security firm or a utility provider and dupes the employee into transferring cash, entering sensitive information or downloading malicious software.
This type of scam can be devastating for the individual involved. The fraudsters are often very good at what they do, will pick their timing impeccably, often meaning the company only realises once it is too late.
A common approach is for the fraudsters to call saying that the company’s systems are at risk of attack and that funds need to be moved to a safe account. They will often call from a supposedly known number, will have done their research to know which organisation to claim to be calling from (bank details and accountant details are usually easily found at Companies House), and will contact the correct employee to deal with the issue.
Malware, ‘malicious software,’ is the term given to any software designed to harm or exploit. Fraudsters will aim to gain access to your system via many different methods, but the two main ways are:
Malware comes in many forms (see ransomware below), but it is always embedded in the system to cause harm or exploit. Malware can provide false screens, mirror websites and do many other things. The fraudster may not act straight away, and some malware will lie dormant in the computer system for some time. Unwittingly, the staff member continues with their standard processes while the fraudster can watch and read everything they do. This is particularly dangerous if the staff member has bank access and sole authorisation to amend payees or send payments.
Fraudsters can gather all the login information required to access online banking, create a new payee with their fraudulent account details and send themselves money. If the individual who has been compromised only has the ability to amend payee details, then the fraudster may lie in wait until the day before the company’s monthly payment run and amend all the payee details to their own. When the payments are made, the business is unaware until its suppliers make contact requesting payment.
Ransomware is a type of malware that is particularly devastating for businesses. The ransomware is delivered into a system in any of the ways noted above; it then sets about freezing the system or locking the files and data held on it. The company or individual is then contacted with a demand for a ransom, usually money, to release the system or data. Ransomware, being a type of malware, can spread through a company’s system and, with the reliance on technology to run most businesses these days, make many inoperable.
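The following Python check is an added example, not part of the original article or of any bank's or accounting package's own tooling. It reviews a payee change log ahead of a payment run for the pattern described above and in the supplier impersonation fraud earlier: bank details changed shortly before the run, changed without independent approval, or pointing several payees at one account. The field names, the five-day window and the sample records are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import date

BANK_FIELDS = {"sort_code", "account_number"}
PAYMENT_RUN = date(2021, 3, 31)  # constructed date of the monthly payment run

# Constructed sample change log (hypothetical field names, not a real export).
CHANGES = [
    {"payee": "Acme Supplies", "field": "account_number", "new": "12345678",
     "on": date(2021, 3, 30), "by": "jsmith", "approved_by": None},
    {"payee": "Brown & Co", "field": "account_number", "new": "12345678",
     "on": date(2021, 3, 30), "by": "jsmith", "approved_by": "jsmith"},
    {"payee": "City Couriers", "field": "account_number", "new": "87654321",
     "on": date(2021, 3, 2), "by": "jsmith", "approved_by": "akhan"},
    {"payee": "Delta Print", "field": "contact_email", "new": "ap@delta.example",
     "on": date(2021, 3, 30), "by": "jsmith", "approved_by": None},
]


def review_payee_changes(changes, payment_run, window_days=5):
    """Return {payee: [reasons]} for bank-detail changes to verify before the run."""
    bank = [c for c in changes
            if c["field"] in BANK_FIELDS and c["on"] <= payment_run]
    # Several payees redirected to one account matches "amend all the payee details".
    payees_by_account = defaultdict(set)
    for c in bank:
        if c["field"] == "account_number":
            payees_by_account[c["new"]].add(c["payee"])
    flagged = defaultdict(list)
    for c in bank:
        days_before = (payment_run - c["on"]).days
        if days_before <= window_days:
            flagged[c["payee"]].append(
                f"bank details changed {days_before} day(s) before payment run")
        # The person who made the change must not be the one who approves it.
        if c["approved_by"] in (None, c["by"]):
            flagged[c["payee"]].append("no independent second approval")
        if c["field"] == "account_number" and len(payees_by_account[c["new"]]) > 1:
            flagged[c["payee"]].append("new account shared with another payee")
    return dict(flagged)


if __name__ == "__main__":
    for payee, reasons in review_payee_changes(CHANGES, PAYMENT_RUN).items():
        print(payee, "->", "; ".join(reasons))
```

Any payee flagged here would be held back from the run until the change is confirmed with the supplier using contact details already on file.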
The fraudster can often take some time to make contact, so the business starts to feel the true impact. The sums requested as ransom can be significant as well as the loss of income throughout the process.
With all these types of fraud, education, robust systems and processes, and an open culture can reduce the risk. Educate staff to be vigilant and to suspect all transactions until confirmed genuine. The police and banks are backing the Take 5 Campaign, which suggests that taking time to think before taking action can help you clarify your situation.
Fraudsters are very good at what they do. Prevention is the best method of protection, but quality insurance can be the difference between a company surviving an attack and continuing to trade after.
Outside of the business community, it is important to consider the vulnerable when thinking about fraud. As technology and security continue to improve, fraudsters are turning to scams and deception to dupe people into handing over their cash. Educating family and friends is the easiest way to limit the impact.
Frauds to make more vulnerable family members aware of:
A fraudster calls pretending to be from an investment company, often with an investment that is too good to be true. The individual is tricked into sending money, which they think will be invested, to the fraudster. Often it is only when the investment is due to mature, or when the welcome pack the individual was expecting doesn’t arrive, that they realise what has happened.
Often through an online auction or from an unknown seller or website, goods are purchased which never arrive. Always ensure purchases are made from reputable sources and paid for in a way which provides protection against such frauds.
As above, the individual is called by someone pretending to be from a professional organisation, such as a bank or the police, who suggests their money is at risk and that they should move it immediately. The individual then transfers funds to the fraudster’s account and is told to leave them there until the caller makes contact again.
Individuals are befriended by fraudsters who build romantic relationships or friendships over an extended period. Once the bond is strong, they request cash support. This can be to live and get by, or it can be as extravagant as claiming they are stuck in a foreign prison and require bail money, or are flying over to see them and need money for flights. These types of fraud are not uncommon and can be devastating for families that see life savings disappear.
This article was produced by Matt Hector, Business Development Manager at Price Bailey. To contact Matt about any of the points raised in this article, please get in touch using the form below.
We always recommend that you seek advice from a suitably qualified adviser before taking any action. The information in this article only serves as a guide and no responsibility for loss occasioned by any person acting or refraining from action as a result of this material can be accepted by the authors or the firm.