As the pandemic continues to play out and impacts the UK economy far more significantly than we ever expected, many people fall on hard times, pushing some to commit crimes they would not otherwise have committed.
Unfortunately, the main driver of the increase in fraud against UK businesses is the large number of individuals who use change and uncertain times to exploit people and organisations.
Fraud is more prevalent around key dates and holidays. Fraudsters are most likely to strike when they think the individual or business is most exposed: busy bank holidays, busy seasonal periods, or simply Friday afternoons when people are trying to leave the office. Currently, nothing is very normal: businesses are trading at reduced capacity, staff are on and off furlough, and many are doing different roles from those they held previously. All of these factors open businesses up to fraud.
There are two main categories of fraud: authorised and unauthorised. Authorised fraud is where the fraudster tricks the victim into authorising a payment into an account the fraudster controls. Unauthorised fraud is where funds are taken from an individual or company without their permission and, often, without their knowledge.
The first line of defence is knowledge; this article explores the most common types of fraud that UK businesses are subjected to.
What are the most common types? And how can you protect yourself, your employees and your business?
Authorised fraud types
Many of these frauds can be stopped with training, process and a moment's consideration.
Invoice redirection fraud
This fraud is committed by a fraudster impersonating a company's supplier, claiming to have changed their bank account details and asking that all future payments be sent to a new account. That account was opened fraudulently, and the business is often only made aware once the real supplier chases them for payment.
The fraudulent request can arrive in many forms: email, phone call or letter. The fraudster will often have done their research and know that the named company is a genuine supplier, what it supplies, and the name of an individual at the company. They will typically make the request by email from a spoofed address, or by letter on convincing headed paper.
- Educate all staff; letters are often sent to staff outside the finance team, in the hope that the letter is left on a finance team member's desk and actioned without question,
- Activate dual authorisation on online banking, so that amending a payee's details requires sign-off from a second member of staff who can question its validity,
- Implement a process of always calling back a known member of staff at the supplier, using a number from an independent source (the supplier's own website, or preferably the regular contact number already on file) and never one taken from the suspect email or letter,
- Technology that automates invoice receipt and processing can help prevent this fraud. Such systems flag inconsistencies between an invoice and the supplier record on file, and can block payments to new account details until the change has been separately authorised,
- The scam only works if the fraudster knows who your genuine suppliers are, so keep invoices secure and out of sight, and keep your IT security up to date.
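The controls in the list above (compare the invoice against the supplier record on file, call back only on a number you already hold, and require a second approver) can be enforced as a simple gate in the accounts-payable workflow. The following is an added example written for this article, not Price Bailey's code or any particular accounting package; the supplier, bank and phone details in it are constructed sample data.

```python
"""Payee-change gate for accounts payable.

Added example, not Price Bailey's code. It assumes a supplier master record
holding the bank details and contact number verified at onboarding. Any invoice
whose bank details differ from that record is held until (1) a callback to the
number on file confirms the change and (2) a second, different member of staff
approves it. All supplier names, sort codes, account numbers and phone numbers
below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Supplier:
    """Master record: details verified when the supplier was set up."""
    name: str
    sort_code: str
    account_number: str
    known_phone: str


@dataclass(frozen=True)
class Invoice:
    """Details as printed on the incoming invoice or email; all untrusted."""
    supplier_name: str
    sort_code: str
    account_number: str
    contact_phone: str


@dataclass
class PayeeChange:
    """A bank-detail change held pending callback and dual authorisation."""
    supplier: Supplier
    invoice: Invoice
    requested_by: str
    callback_confirmed: bool = False
    approvers: set = field(default_factory=set)


def build_master(*suppliers: Supplier) -> dict:
    """Index master records by normalised supplier name."""
    return {s.name.strip().lower(): s for s in suppliers}


def check_invoice(master: dict, invoice: Invoice, requested_by: str):
    """Compare invoice bank details with the master record.

    Returns ("PAY", None) when they match, ("UNKNOWN_SUPPLIER", None) when
    there is no record, and ("HOLD", PayeeChange) when the details differ.
    """
    supplier = master.get(invoice.supplier_name.strip().lower())
    if supplier is None:
        return "UNKNOWN_SUPPLIER", None
    on_file = (supplier.sort_code, supplier.account_number)
    on_invoice = (invoice.sort_code, invoice.account_number)
    if on_file == on_invoice:
        return "PAY", None
    return "HOLD", PayeeChange(supplier, invoice, requested_by)


def record_callback(change: PayeeChange, number_dialled: str, confirmed: bool) -> bool:
    """Accept the callback only if it went to the number already on file.

    The number printed on a fraudulent invoice or email belongs to the
    fraudster, so dialling it proves nothing and is rejected outright.
    """
    if number_dialled != change.supplier.known_phone:
        return False
    change.callback_confirmed = confirmed
    return confirmed


def approve(change: PayeeChange, approver: str) -> bool:
    """Dual authorisation: the approver must differ from the requester."""
    if approver == change.requested_by:
        return False
    change.approvers.add(approver)
    return True


def can_release(change: PayeeChange) -> bool:
    """Payment to the new account needs both the callback and a second signer."""
    return change.callback_confirmed and len(change.approvers) >= 1


if __name__ == "__main__":
    master = build_master(
        Supplier("Acme Widgets Ltd", "12-34-56", "12345678", "01234 567890"))
    # Constructed 'invoice' carrying changed bank details and the fraudster's number.
    suspect = Invoice("Acme Widgets Ltd", "98-76-54", "87654321", "07700 900123")
    status, change = check_invoice(master, suspect, requested_by="alice")
    print(status)                                                # HOLD
    print(record_callback(change, suspect.contact_phone, True))  # False: number not on file
    print(record_callback(change, "01234 567890", True))         # True
    print(approve(change, "alice"), approve(change, "bob"))      # False True
    print(can_release(change))                                   # True
```

The important design point is that the callback number comes from the master record, never from the document that triggered the change, and that the requester cannot be their own second approver. A real system would also log who made the callback and when, so the audit trail survives if the change later turns out to be fraudulent.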
Bogus Boss/ Director/ CEO fraud
This fraud is a regular occurrence and often preys on more junior members of the team. Fraudsters use it for two reasons: first, to get a member of staff to click a link so that malware can be installed on their system; second, to request that a payment be sent to a fraudulent account.
The fraud is committed by impersonating a director, manager or other authority figure within the firm, whose names are easily found on most company websites. The fraudster emails a member of staff, most commonly requesting that a payment be made to an account. The email is usually urgent in tone, insisting the payment must be made quickly for reasons such as a new client win, the boss being stuck somewhere, or consequences for the individual's colleagues if it is not made promptly. This urgency is designed to make people act quickly rather than think clearly.
The email will often come from a spoofed address very much like the director's; these are easily guessed or, again, found on the website. The fraudster may also have intercepted genuine emails from the director and will mimic their wording and tone so as not to alert the recipient.
- Educate all staff, not just the finance team. These emails are often sent to arbitrary addresses within the firm, and some recipients will unwittingly forward the email to the finance department; if it then arrives from another director, it carries even more weight. Training should also cover staff providing cover for sickness, maternity or paternity leave and secondments,
- Set up two-stage authorisation on online banking so that a second member of staff must authorise every payment before release,
- Have policies and procedures: if the company's stance is that no payment request will be accepted by email or telephone, then staff can politely decline any such request and treat it as fraudulent,
- Contact your bank as soon as you become aware that funds have been sent. Banks have a duty of care to work together to stop and recover funds for customers who have been defrauded.
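The tells described above (a director's name on an outside address, a sending domain that looks like the firm's own, a Reply-To that quietly diverts the conversation, and urgency in the subject line) can be checked mechanically on incoming mail before a human ever acts on it. The following is an added example written for this article, not Price Bailey's code or the product of any mail vendor. It assumes the firm's domain is example-firm.co.uk and that the director names listed are the ones published on the website; those, and the three sets of sample headers, are constructed.

```python
"""Lookalike-sender check for 'bogus boss' payment requests.

Added example, not Price Bailey's code. It assumes the firm's own domain is
example-firm.co.uk and that the director names below are the ones published
on the firm's website; both are constructed, as are the three sample header
sets. The check flags: a director's name on an external address, a domain one
or two edits away from ours (after folding common digit-for-letter
substitutions), a Reply-To that diverges from From, and urgency language in
the subject.
"""
import email
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example-firm.co.uk"            # assumed company domain
DIRECTORS = {"jane smith", "john doe"}            # assumed, as on the website
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|confidential)\b", re.I)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(domain: str) -> str:
    """Fold the substitutions fraudsters use to make a domain look like ours."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(raw_headers: str) -> dict:
    """Return the sender, a list of findings and a verdict for one message."""
    msg = email.message_from_string(raw_headers)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    findings = []
    if from_name.strip().lower() in DIRECTORS and from_domain != COMPANY_DOMAIN:
        findings.append("director name on external address")
    if from_domain != COMPANY_DOMAIN and levenshtein(normalise(from_domain), COMPANY_DOMAIN) <= 2:
        findings.append("lookalike domain")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append("reply-to differs from from")
    if URGENCY.search(msg.get("Subject", "")):
        findings.append("urgency language in subject")
    # Urgency alone is a prompt to slow down; an identity mismatch means verify by phone.
    identity_issues = [f for f in findings if f != "urgency language in subject"]
    verdict = "VERIFY_OUT_OF_BAND" if identity_issues else "OK"
    return {"from": from_addr, "findings": findings, "verdict": verdict}


# Constructed sample headers; none of these messages or addresses is real.
SPOOF = (
    "From: Jane Smith <jane.smith@examp1e-firm.co.uk>\n"
    "Subject: URGENT: payment needed today for new client\n"
)
WEBMAIL = (
    "From: Jane Smith <janesmith.director@gmail.com>\n"
    "Reply-To: accounts-jsmith@outlook.com\n"
    "Subject: Quick favour\n"
)
GENUINE = (
    "From: Jane Smith <jane.smith@example-firm.co.uk>\n"
    "Subject: Q3 board pack\n"
)

if __name__ == "__main__":
    for label, hdrs in (("spoof", SPOOF), ("webmail", WEBMAIL), ("genuine", GENUINE)):
        print(label, assess(hdrs))
```

This is a heuristic layer, not a substitute for the policy above: the From header is trivially forgeable, so a message whose address exactly matches the director's still needs the "no payments on the strength of an email" rule and a phone call to a number you already hold. A mail gateway that also checks SPF, DKIM and DMARC results catches outright forgeries of your own domain, which this check deliberately does not attempt.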
Internal fraud
All businesses trust their staff to do the right thing by the company; owners who don't restrict their own opportunities and often get bogged down in tasks they could delegate.
Most people are not calculated fraudsters, but some are opportunistic. It is easy to hide fraud if you are the only person working, or holding authority, in your department. Internal fraud, fraud committed by the company's own staff, can be the hardest to spot and the most devastating. It often leaves the business owner feeling betrayed and the remaining staff feeling guilty for not having spotted it. There are too many ways of committing fraud to list, but there are some key warning signs to watch for.
- Educate all staff that it is not always the colleagues they would expect who commit fraud. They should keep an eye out for:
• Changes in a colleague's behaviour, such as becoming quiet or secretive,
• A change in a colleague's personal circumstances that may leave them needing cash or feeling desperate,
• Changes in a colleague's spending, or a lifestyle that seems beyond their means,
• Changes in a colleague's pastimes, for example gambling, drinking or drugs.
- Make sure that no single person has sole access to sensitive data or to funds, and that dual authorisation is implemented as a minimum,
- Make sure that both security controls and monitoring are in place. Engaging a suitable IT consultancy can be a worthwhile investment,
- Create a culture where staff can ask for support and guidance when life events require it; this may be the difference between them reaching out and stealing from you.
- Also create an environment where staff can raise concerns about colleagues anonymously.
Impersonation fraud
A fraudster impersonates a professional body such as a bank, the police, an IT security firm or a utility provider and dupes an employee into transferring cash, entering sensitive information or downloading malicious software.
This type of scam can be devastating for the individual involved. The fraudsters are often very good at what they do and pick their timing impeccably, so the company often only realises once it is too late.
A common approach is for the fraudster to call claiming that the company's systems are at risk of attack and that funds need to be moved to a "safe account". They will often appear to call from a number the employee recognises (caller display can be faked), and will have done their research to know which organisation to pose as (bank and accountant details are usually easy to find at Companies House) and which employee deals with such matters.
- Make sure dual authorisation is set up for all outward payments, so that a second colleague must question the reason and sign off the payment,
- Educate staff: often just taking a moment to consider the situation will make them realise something doesn't feel right. Making staff aware that impersonation scams exist is the first step; the second is to empower them to challenge anything that feels wrong. Empower your team to ask the caller to speak to a director instead, or to hang up and call the organisation back on a number, and to an individual, they already know.
Unauthorised fraud types
Malware
Malware, "malicious software", is the term for any software designed to harm or exploit a system. Fraudsters aim to gain access to your systems by many different methods, but the two main ways are:
- Phishing emails and texts: messages with an embedded link or attachment that delivers the malware.
- External drives, such as USB sticks. These can be plugged in and, unknown to the member of staff, contain malware. Fraudsters are inventive: they have been known to drop USB sticks next to a director's car so that a helpful colleague picks one up on the way in, plugs it in to confirm it is the director's, and infects the computer system. It can also be as simple as a member of staff plugging in a personal device that does not have the same level of security as your internal systems.
Malware comes in many forms (see ransomware below), but it is always embedded in the system to cause harm or exploit it. Malware can present false screens, mirror websites and much more. The fraudster may not act straight away, and some malware lies dormant in the system for some time. Meanwhile the staff member continues with their normal processes while the fraudster watches and records everything they do. This is particularly dangerous if the staff member has bank access and sole authority to amend payees or send payments.
Fraudsters can gather all the login information needed to access online banking, create a new payee with their own account details and send themselves money. If the compromised individual can only amend payee details, the fraudster may lie in wait until the day before the company's monthly payment run, change all the payee details to their own, and once the payments are made the business is none the wiser until its suppliers chase payment.
- Implement good-quality IT security, and restrict the ability to install software to those who need it,
- Create a culture that asks staff to think twice and consider risk before acting,
- Educate and test staff; some organisations send simulated phishing emails with embedded links to show staff how easily the business can be opened up to attack.
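The "change every payee the day before the payment run" pattern described above leaves a trace in the banking or finance system's audit log, and a small rule can surface it before the run goes out. The following is an added example written for this article, not Price Bailey's code or any bank's reporting tool. It assumes an audit log exported as one event per line in the constructed format shown (timestamp, user, action, optional payee and field); the log lines themselves are constructed sample data.

```python
"""Detect a burst of payee bank-detail changes just before a payment run.

Added example, not Price Bailey's code. It assumes the online-banking or
finance system exports an audit log with one event per line in the
constructed format used below (timestamp, user, action, optional payee and
field). The rule flags any PAYMENT_RUN preceded, within a window, by more
bank-detail changes than a small threshold, which is the pattern a fraudster
with a stolen login produces when rewriting payees the day before the run.
The log lines are constructed sample data.
"""
import re
from datetime import datetime, timedelta

LINE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)'
    r'(?: payee="(?P<payee>[^"]*)")?(?: field=(?P<field>\S+))?'
)
BANK_FIELDS = {"sort_code", "account_number"}   # only these changes redirect money

SAMPLE_LOG = """\
2021-02-25T11:00:00Z user=asharma action=PAYEE_UPDATE payee="Delta Print" field=account_number
2021-02-26T09:00:00Z user=asharma action=PAYMENT_RUN
2021-03-20T10:05:00Z user=asharma action=PAYEE_UPDATE payee="Delta Print" field=address
2021-03-26T17:42:01Z user=jsmith action=PAYEE_UPDATE payee="Acme Widgets Ltd" field=account_number
2021-03-26T17:42:09Z user=jsmith action=PAYEE_UPDATE payee="Bolt Supplies" field=sort_code
2021-03-26T17:43:30Z user=jsmith action=PAYEE_UPDATE payee="Cable Co" field=account_number
2021-03-27T09:00:00Z user=jsmith action=PAYMENT_RUN
"""


def parse(log_text: str) -> list:
    """Parse log lines into dicts with a real datetime; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def flag_runs(log_text: str, window_hours: int = 48, threshold: int = 3) -> list:
    """Return one finding per payment run with too many recent bank-detail changes."""
    events = parse(log_text)
    findings = []
    for run in (e for e in events if e["action"] == "PAYMENT_RUN"):
        start = run["ts"] - timedelta(hours=window_hours)
        recent = [
            e for e in events
            if e["action"] == "PAYEE_UPDATE"
            and e["field"] in BANK_FIELDS
            and start <= e["ts"] <= run["ts"]
        ]
        if len(recent) >= threshold:
            findings.append({
                "run": run["ts"].isoformat(),
                "changes": len(recent),
                "users": sorted({e["user"] for e in recent}),
                "payees": sorted({e["payee"] for e in recent}),
            })
    return findings


if __name__ == "__main__":
    for finding in flag_runs(SAMPLE_LOG):
        print(finding)
```

In the sample, the February run is preceded by a single routine change and passes, while the March run is preceded by three bank-detail changes made by one user within two minutes the previous evening and is flagged. The window and threshold are assumptions to tune against your own volume of genuine supplier changes; the point is that the check runs before the payments leave, so the flagged payees can be called back on the numbers already on file.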
Ransomware
Ransomware is a type of malware that is particularly devastating for businesses. It is delivered into a system in any of the ways noted above and then sets about freezing the system or encrypting the files and data held on it. The company or individual is then contacted with a demand for a ransom, usually money, to restore access. Being malware, ransomware can spread through a company's systems and, given the reliance on technology to run most businesses these days, can make many inoperable.
The fraudster may take some time to make contact, so that the business starts to feel the true impact. The sums demanded can be significant, on top of the loss of income throughout the process.
- Back up all files and data to a separate location, either offline or on a remote server the malware cannot reach, and test that backups restore, so that systems can be wiped, cleaned and reloaded,
- Insure against the risk; insurers have negotiators who will deal with the fraudsters on your behalf in the hope of a better outcome, though paying a ransom never guarantees the data comes back,
- Make sure firewalls, patching and procedures are robust, to stop the malware getting in in the first place.
With all these types of fraud, education, robust systems and processes, and an open culture can reduce the risk. Educate staff to be vigilant and to treat all transactions as suspect until confirmed genuine. The police and banks back the Take Five campaign, which suggests that taking time to think before acting can help you see the situation clearly.
Fraudsters are very good at what they do. Prevention is the best protection, but good insurance can be the difference between a company surviving an attack and continuing to trade afterwards, or not.
Care for individuals
Outside the business community, it is important to consider the vulnerable when thinking about fraud. As technology and security continue to improve, fraudsters are turning to scams and deception to dupe people into handing over their cash. Educating family and friends is the easiest way to limit the impact.
Frauds to make more vulnerable family members aware of:
Investment fraud
A fraudster calls pretending to be from an investment company, often with an investment that is too good to be true. The individual is tricked into sending money they believe will be invested straight to the fraudster. Often it is only when the investment is due to mature, or the welcome pack they were expecting fails to arrive, that they realise what has happened.
Online purchasing fraud
Goods are bought, often through an online auction or from an unknown seller or website, and never arrive. Always buy from reputable sources and pay in a way that provides protection against such frauds (a credit card, for example).
Impersonation fraud
As above, the individual is called by someone pretending to be from a professional organisation, such as a bank or the police, who suggests their money is at risk and must be moved immediately. The individual then transfers funds to the fraudster's account and is told to leave it there until they are contacted again.
Romance/ friendship fraud
Individuals are befriended by fraudsters who build a romantic relationship or friendship over an extended period. Once the bond is strong, the fraudster asks for money; this can be to get by day to day, or as extravagant as being stuck in a foreign prison and needing bail money, or flying over to visit and needing money for flights. These frauds are not uncommon and can be devastating for families who see life savings disappear.
This article was produced by Matt Hector, Business Development Manager at Price Bailey. To contact Matt about any of the points raised in this article, please get in touch using the form below.
We always recommend that you seek advice from a suitably qualified adviser before taking any action. The information in this article only serves as a guide and no responsibility for loss occasioned by any person acting or refraining from action as a result of this material can be accepted by the authors or the firm.