With cyber criminals increasingly impersonating executives, suppliers and employees to try and defraud small business owners by email, Tony Anscombe, from AVG Business, explains how to avoid falling for their tricks.
In the UK, Cifas – a not-for-profit organisation helping protect businesses, charities, public bodies and individuals from financial crime – say this type of email fraud is on the rise, especially for small business: 749 small firm owners reported falling victim to such scams to Action Fraud between January and June in 2015 alone. In comparison there were 603 in the whole of 2014 and 739 in 2013.
Small businesses are prime targets
Simon Dukes, the chief executive of Cifas, said: “Fraudsters often take advantage of organisations with less resources and less staff leaving small businesses more vulnerable to fraud. We know greater awareness is a powerful tool in fraud prevention and we urge small businesses to stay alert and to ensure their employees are aware of invoice fraud too.”
However, any business using email to discuss and execute payments, even if only in part, is at risk. This is why a strict payment verification process is needed and robust IT security measures must be in place. Business owners transferring money regularly or working with foreign partners are prime targets because they might be less likely to think any request to transfer money is out of the ordinary.
If wiring £10,000 to a supplier overseas is how you normally do business, an email purporting to be from them asking for a similar amount in reference to what looks like an authentic invoice might not raise an eyebrow.
Head of Action Fraud, Pauline Smith, said: “It is important that employees are made aware of invoice scams and are ready to recognise the signs of fraud. Incidents of invoice fraud are underreported and therefore it is difficult to know the true scale of this fraud type, however what we do know is that this type of fraud prevails across all types of business and no one type of industry is immune. Those organisations that are worried they may fallen victim to fraudsters should always report to Action Fraud.”
From a payment processing and awareness perspective, the FBI suggests:
(1) Verify any changes to your vendors’ payment locations and confirming any requests for transfer of funds
(2) Be wary of free, web-based e-mail accounts, which are more susceptible to being hacked
(3) Be careful when posting financial and personnel information to social media and company websites
(4) Regarding wire transfer payments, be suspicious of requests for secrecy or pressure to take action quickly
(5) Consider financial security procedures that include a two-step verification process for wire transfer payments
(6) Create intrusion detection system rules that flag emails with extensions that are similar to company email but not exactly the same. For example, .co instead of .com
(7) If possible, register all Internet domains that are slightly different than the actual company domain
(8) Know the habits of your customers, including the reason, detail, and amount of payments. Beware of any significant changes
From a security perspective, do the following:
(9) Have active and up to date anti-malware products on endpoints and servers
(10) Make sure this protection covers all connected devices, including bring your own device (BYOD)
(11) Deploy anti-phishing technology to detect spear phishing attacks that may be designed to socially engineer someone’s credentials
(12) Review and manage your inventory to understand what devices and software they are running. If there are published vulnerabilities that could be used to launch malware for a BEC attack, knowing what is where makes patching and updating each device or system much quicker and simpler
Tony Anscombe is a senior security evangelist for AVG Business, a worldwide provider of security solutions.
Still not convinced that phishing scams are worth worrying about? Read about the fake email that cost a company $737,000.
Sign up to our newsletter to get the latest from Business Advice.