Insurance 17 February 2017

How to protect your business from cyber fraud 

When a competitor suffers a breach, find out how it happened and make sure you can defend against it

Cyber fraud can cause profound and potentially terminal damage to a growing business with narrow margins. Here, Saskia Johnston, a foreign exchange expert at Sable International, tells readers some steps they can take to protect their business from attack.

If you’re running a small business, cyber fraud might not be your highest priority. New business, HR, account management, investor pitching – these things, and everything else, will occupy much of your time and most of your energy.

But if you think your company is too obscure to be the target of an attack, think again, as 43 percent of all hacking attempts target small businesses, costing substantial amounts of time and money in the process.

Small business security and cyber checks

Fortunately, there are several steps you can take to protect your business from an attack.

Some of these are quite simple. For example, staying informed – regardless of your industry or the size of your business – is sensible, inexpensive, and does a lot to ward off attacks.

When industry bodies talk about cyber fraud and other crimes, listen, and when they don’t, keep an ear to the ground and talk to colleagues anyway. When a competitor suffers a breach, find out how it happened and make sure your team knows to defend against the same kind of breach.

Knowing what’s affecting businesses this month – and what will be affecting them next month – is critical. 

Understanding CEO fraud

Cyber attacks are multifaceted and evolving. By the time this article is published, it’s almost certain that some new variety of intrusion will have been discovered – either by hackers or by their victims.

That’s why vigilance is so important. A company may not be able to protect against everything, but if it pays attention, it can at least make sure it isn’t easy for would-be cyber attackers.

Certain kinds of small business cyber fraud are common. There are variations, but the theme remains largely the same. CEO fraud, for example, usually follows the same pattern.

An email is sent from someone purporting to be the company’s managing director (or a similarly authoritative figure) to another member of staff with instructions to authorise a payment immediately.

Your employee, who sees the urgent request, naturally authorises the payment immediately and without question.

If the hacker has done their homework (read the articles you’ve had published online, stalked your online profiles) it may well sound remarkably like something you’d actually write. But it isn’t you, and the payment isn’t legitimate. It comes from outside your company (or from your own compromised email), and your employee has sent the funds to a fraudster’s dummy account.

Being a bank transfer – and one that will clear virtually instantly – the money will be incredibly hard to retrieve.

So how do you safeguard against it?

It’s a uniquely frustrating situation, but it’s one that’s resolved easily enough with the proper precautions. Setting up dual authorisation can allow you to detect fraud quickly and easily. If you insist that another member of the business must ratify your payment requests, you can ensure that no money changes hands unless it’s supposed to.

If you’re not comfortable with that, you can insist that all employees check with you on an internal messaging platform like Slack or Skype for Business before authorising a transaction.

Understanding invoice fraud 

Invoice fraud is another common variety of cyber attack. Again, it happens very simply. A supplier will email you an invoice with updated bank details – an invoice you’ve been expecting – and you’ll settle accordingly.

Unfortunately, the invoice isn’t legitimate, and nor are the details or the payment. An attacker has compromised the supplier’s account, and you’re placed in the awkward position where you’re responsible for retrieving the funds from the thief and paying the money you still owe.

So how do you safeguard against it?

This is also quite simply resolved. Call your supplier for all changes to bank details. Inform them that any change in bank details will need to be confirmed before payment is authorised.

This is the sensible approach for almost every variety of cyber attack. Sophisticated technology is helpful.

Beefing up your security infrastructure is always worth doing, including refreshing your antivirus protocols. But ultimately, the best way to prevent cyber fraud is to remain vigilant, and to impose the proper checks on your business’ finances.

Saskia Johnston is a foreign exchange expert at Sable International.
