Small businesses are prime targets

Simon Dukes, the chief executive of Cifas, said: "Fraudsters often take advantage of organisations with less resources and less staff leaving small businesses more vulnerable to fraud. We know greater awareness is a powerful tool in fraud prevention and we urge small businesses to stay alert and to ensure their employees are aware of invoice fraud too."

However, any business using email to discuss and execute payments, even if only in part, is at risk. This is why a strict payment verification process is needed and robust IT security measures must be in place.

Business owners transferring money regularly or working with foreign partners are prime targets because they might be less likely to think any request to transfer money is out of the ordinary. If wiring £10,000 to a supplier overseas is how you normally do business, an email purporting to be from them asking for a similar amount in reference to what looks like an authentic invoice might not raise an eyebrow.

Head of Action Fraud, Pauline Smith, said: "It is important that employees are made aware of invoice scams and are ready to recognise the signs of fraud. Incidents of invoice fraud are underreported and therefore it is difficult to know the true scale of this fraud type, however what we do know is that this type of fraud prevails across all types of business and no one type of industry is immune. Those organisations that are worried they may have fallen victim to fraudsters should always report to Action Fraud."
From a payment processing and awareness perspective, the FBI suggests:

(1) Verify any changes to your vendors' payment locations and confirm any requests for transfer of funds
(2) Be wary of free, web-based e-mail accounts, which are more susceptible to being hacked
(3) Be careful when posting financial and personnel information to social media and company websites
(4) Regarding wire transfer payments, be suspicious of requests for secrecy or pressure to take action quickly
(5) Consider financial security procedures that include a two-step verification process for wire transfer payments
(6) Create intrusion detection system rules that flag emails with extensions that are similar to company email but not exactly the same. For example, .co instead of .com
(7) If possible, register all Internet domains that are slightly different than the actual company domain
(8) Know the habits of your customers, including the reason, detail, and amount of payments. Beware of any significant changes

From a security perspective, do the following:

(9) Have active and up to date anti-malware products on endpoints and servers
(10) Make sure this protection covers all connected devices, including bring your own device (BYOD)
(11) Deploy anti-phishing technology to detect spear phishing attacks that may be designed to socially engineer someone's credentials
(12) Review and manage your inventory to understand what devices you have and what software they are running. If there are published vulnerabilities that could be used to launch malware for a BEC attack, knowing what is where makes patching and updating each device or system much quicker and simpler

Tony Anscombe is a senior security evangelist for AVG Business, a worldwide provider of security solutions.

Still not convinced that phishing scams are worth worrying about? Read about the fake email that cost a company $737,000.
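Suggestion (6) above, sketched as the check a mail filter or gateway rule could apply to each incoming From: header. This is an added example, not code from the article or the FBI guidance; the domain `example-supplies.com`, the function names and the sample headers are all constructed for illustration.

```python
from email.utils import parseaddr

COMPANY_DOMAIN = "example-supplies.com"  # assumption: placeholder for your own domain

def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Extract the lower-cased domain from a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")

def classify(from_header, own=COMPANY_DOMAIN, max_distance=2):
    """Return 'own', 'lookalike' or 'other' for the sender's domain."""
    domain = sender_domain(from_header)
    if not domain:
        return "other"
    if domain == own or domain.endswith("." + own):
        return "own"
    own_name, _, own_tld = own.rpartition(".")
    name, _, tld = domain.rpartition(".")
    # Same name under a different extension, e.g. .co instead of .com
    if name == own_name and tld != own_tld:
        return "lookalike"
    # Near-miss spelling: one or two characters added, dropped or swapped
    if 0 < edit_distance(domain, own) <= max_distance:
        return "lookalike"
    return "other"

SAMPLE_HEADERS = [  # constructed sample data
    "Accounts <accounts@example-supplies.com>",
    "Accounts <accounts@example-supplies.co>",
    "Accounts <accounts@exarnple-supplies.com>",
    "Newsletter <news@unrelated-shop.org>",
]

def flag_lookalikes(headers, own=COMPANY_DOMAIN):
    """Return the headers whose sender domain imitates the company domain."""
    return [h for h in headers if classify(h, own) == "lookalike"]

if __name__ == "__main__":
    for header in flag_lookalikes(SAMPLE_HEADERS):
        print("FLAG:", header)
```

For a very short company domain, lower `max_distance` to 1, since many unrelated domains sit within two edits of a short name.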