How to beat online fraud at work

Fraud in the workplace, what it looks like and how to prevent it

What is online fraud in the workplace?

Online fraud in the workplace is what happens when you or your employees are targeted by criminals who use the internet or email to commit a crime. Just as quickly as your security might be improving, criminals may find new ways to get around it. People do make mistakes, too. So all organisations – of every size – are vulnerable to online attacks.

Online fraud isn't a victimless crime. Financial losses, damage to reputation and compromised information are just some of the potential effects of online fraud. But it's not only businesses that pay the price of an attack. Often, it is their consumers and employees who feel the impact most. Three online scams are often reported by consumers:

  • phishing emails purporting to be from a bank or payment service
  • phishing messages asking for money for services or help  
  • bogus computer support  

Individuals can improve their awareness, but it's your responsibility to manage the online risks to your company and customer data. This guide is designed to help you build that resilience: it will help you identify the different types of fraud and offers ideas for future-proofing your business against online risks.


How common is fraud in the workplace?

The UK government's Cyber Security Breaches Survey 2019 shows that cybercrime is a regular occurrence. As fraud follows the money, it stands to reason that businesses will always be among the prime targets for fraudsters.


  • 32% of businesses identified breaches or attacks in the previous 12 months
  • The average annual cost to a business that lost data or assets after breaches was £4,180; for a charity it was £9,470
  • Of those identifying breaches or attacks, 80% of businesses and 81% of charities had experienced phishing attacks
  • 28% of those businesses and 20% of those charities had experienced others impersonating the organisation in emails or online
  • 27% of those businesses and 18% of those charities had experienced viruses, malware or ransomware

Businesses might see the potential dangers of fraud thanks to exposure in the media, but think they're somehow immune. Little do they know, it is only the biggest instances of fraud that are picked up by reporters. Every year, huge sums are lost as a result of smaller attacks that aren't newsworthy, but are just as damaging.

Common scams include invoice fraud and CEO impersonation. Worryingly, 77% of business leaders admitted they've never heard of this technique. In CEO fraud, scam artists send a spoofed email pretending to be a senior executive and asking, usually urgently, for a payment or for confidential information. It's time to get informed.

Our increasing reliance on internet-connected devices isn't without its costs, and cyber risks have grown alongside it. Fraud is estimated to cost the UK economy over £193bn a year, which is more than £6,000 lost every second of the year. Of this total, fraud against businesses accounted for £144bn.

Estimates confirm the damage online breaches can cause. According to PwC, the average cost of the worst breaches at large UK organisations is between £1.4m and £3.14m. For small businesses, it's between £75,000 and £311,000.


The signs of online fraud in the workplace

Some online attacks go unnoticed until it's too late. But most frauds still depend on an employee being tricked into acting. With things such as phishing and pop-ups, there are common warning signs. Ask yourself - and get your employees to ask themselves - these questions:

  • Does the sender's email address match up? It might look like the address you usually see, but check the domain character by character. Is there an extra dash, a swapped letter or a different ending?
  • How old is the company's website? Fraudsters often set up websites to make a company appear genuine. Check when the domain name was registered (a WHOIS lookup will show this); a domain only days or weeks old is a warning sign.
  • Where was the website registered? If a company is not multinational, be wary of domain registrations in foreign countries. Fraudsters often use offshore hosting or privacy-protected registrations to hide who they are.
  • Is the English correct? Broken English could be a sign of a scam originating from another country, though polished English is no guarantee of legitimacy.
  • Is it urgent? It's easier for a scam to work if it puts you under pressure and asks for information quickly. Take your time to assess.
  • Does it come up on Google Maps? If there is an office building listed, check it on Google Maps and see if it looks legitimate.
  • Is there a clear online history? Doing just a bit of research can pay off.
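The address and urgency checks above can also be automated at the mail gateway. The following is an added example, not code from the original guide: it parses a message's headers, compares the sender's domain with a list of trusted supplier domains using an edit-similarity ratio (so an extra dash or a swapped letter is caught), flags a display name that claims a trusted brand while the address behind it is elsewhere, flags a Reply-To that routes replies to a different domain, and looks for urgency language in the subject and body. The trusted-domain list, the keyword list, the 0.8 similarity cut-off and the two sample messages are all constructed for the example.

```python
"""Flag phishing warning signs in an email's headers and subject.

Added example, not from the original guide. TRUSTED_DOMAINS, URGENCY_WORDS,
the similarity threshold and the two sample messages are all constructed.
"""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"smartpension.co.uk", "acme-supplies.com"}  # constructed supplier list
URGENCY_WORDS = ("urgent", "immediately", "today", "asap", "within the hour")


def _domain(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _letters(text):
    """Keep only a-z so 'Acme Supplies' and 'acme-supplies' compare equal."""
    return re.sub(r"[^a-z]", "", text.lower())


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """Return the trusted domain this one imitates, or None.

    An exact match is legitimate. A near-match (extra dash, swapped or
    doubled letter, different ending) is the 'double check the address'
    case from the warning signs above. The 0.8 ratio is an assumed cut-off.
    """
    if domain in trusted:
        return None
    for good in trusted:
        if difflib.SequenceMatcher(None, domain, good).ratio() >= threshold:
            return good
    return None


def phishing_signals(raw_message):
    """List the warning signs found in one RFC 822 message (empty = none)."""
    msg = message_from_string(raw_message)
    signals = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)

    imitated = lookalike_of(from_dom)
    if imitated:
        signals.append(f"sender domain {from_dom!r} resembles trusted {imitated!r}")

    # Display-name spoofing: the name claims a trusted organisation but the
    # address behind it belongs to some other domain.
    for good in TRUSTED_DOMAINS:
        brand = _letters(good.split(".")[0])
        if brand and brand in _letters(from_name) and from_dom != good:
            signals.append(f"display name claims {brand!r} but address is {from_dom!r}")

    # Replies silently routed to a different domain than the visible sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        signals.append(f"Reply-To domain {_domain(reply_addr)!r} differs from From")

    # Pressure to act quickly ('Is it urgent?').
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        signals.append("urgency language: " + ", ".join(hits))
    return signals


# Constructed sample messages (not real mail).
SUSPICIOUS = """\
From: "Acme Supplies Accounts" <accounts@acme-supplles.com>
Reply-To: payments@mail-relay.example
Subject: URGENT: updated bank details for today's invoice

Please pay invoice 4471 to our new account immediately.
"""

LEGITIMATE = """\
From: "Acme Supplies Accounts" <accounts@acme-supplies.com>
Subject: Invoice 4471 attached

Hi, the April statement is attached. Regards.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, phishing_signals(raw) or "no warning signs")
```

The similarity ratio deliberately sits below 1.0 so that a domain one character away from a supplier's real domain is reported; tune the threshold against your own supplier list, because a very short domain can score high against an unrelated one.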



Online fraud is a problem that's not going away

The availability of high speed internet access has improved in recent years. Companies and individuals from around the world can connect and work with one another. Globalisation and the internet have been enablers of accelerated progress in places that were once left behind. But such technology is also inevitably a facilitator of crime, as some countries are restricted by low levels of regulation and law enforcement capabilities.

Fraudsters can take advantage of these circumstances. They can launch an attack on your business from anywhere in the world, driven by enhanced communications infrastructure. There's also a feeling they'll get away with it because they're living in foreign countries, where the police will be unable to pursue them. The truth is, many countries are ill-equipped to deal with criminals using the anonymity of the internet.  


The most common online attacks and how they happen

Being online means being exposed to the threat of cybercrime and online fraud. A business that works on improving its services, goods and reputation but ignores the risk of an online scam is preparing to fail. Companies should take steps to educate themselves about the common risks, as well as keep up-to-date with an ever-developing threat.

i. Malware and ransomware

Have you heard of viruses, worms, Trojans, bots, or spyware? Whether you're familiar with one or all of these terms, it's important to know they're all types of malicious software – or, simply put, malware. Types of malware include:

  • Worms. A worm copies itself to other computers over a network without needing a host program or any action from the user, and it usually hides its activity. Even a worm with no destructive payload consumes bandwidth and disk space and slows machines down, and many do carry a payload. The Code Red worm of 2001 infected more than 359,000 hosts in under 14 hours by exploiting a flaw in Microsoft's IIS web server, so worms are not to be underestimated.
  • Viruses. Like worms, viruses replicate, but they need a host: they attach themselves to a program or document and spread when that file is copied, shared or downloaded. A file that looks like a song or a video but is really an executable is a common disguise. Open it by mistake and the computer is infected; what the virus then does to the machine and its files is up to its author.
  • Trojans. A Trojan is malware disguised as something legitimate, such as a useful program or an invoice attachment. It doesn't spread by itself; it relies on someone installing it. Fraudsters commonly use Trojans to open a back door into your systems, log keystrokes or steal data. What they do with it then is up to them.
  • Ransomware. Ransomware encrypts your files, or locks you out of the device, and then displays a message demanding payment to restore access. Paying doesn't guarantee you get anything back, which is why tested back-ups kept offline are the main defence.
  • Malicious bots. Bots can be legitimate automation that works without human interaction. But criminals infect devices with bot malware and connect them to a command-and-control server, so that the infected machines (a botnet) can be directed to infect more. Bots are used to steal passwords (by logging keystrokes), relay spam, spread ransomware and open back doors into infected hosts.

Fraudsters might use malware to attack your systems and software for the following reasons:

  • control of a person's computer
  • financial benefits
  • to steal confidential data
  • to take down a computer or an entire network

Sometimes, hackers are simply out to prove your system can be easily breached. But the damage of any downtime or loss of confidential information could have massive consequences for organisations.

ii. Phishing

Verizon's 2015 Data Breach Investigations Report found that 23% of recipients opened phishing messages. But what is phishing and why does it work? Any email or website that asks you for private information (account numbers, passwords or bank details, for example) could be a phishing attempt.

If a fraudster gets this information, you can bet they're going to use it unlawfully. Phishing emails may also carry malware-laden attachments that steal the information for them. In those cases, you only need to be tricked into opening the attachment rather than responding to a request. It's surprisingly easy to fall for, and it only takes one employee to make a mistake.

Phishing works because the requests hide themselves as genuine. In fact, they're getting increasingly believable. Fraudsters often spoof a credible-looking email address or website, and aid the deception with a variety of social engineering techniques. These could include:

  • Searches on LinkedIn
  • Phone calls to get the names of key people in the company
  • Checking social media for leaders on holiday (making it hard for the target to check the authenticity of the email)

Knowing what to look for is important. Attacks could hide themselves in many ways, such as:

  • Phone provider account details
  • iTunes invoices
  • Tax refunds
  • Tesco vouchers
  • Apple ID confirmation
  • Accident injury claims
  • Suspended bank and credit card accounts
  • Early upgrades on key systems

It's also common for online criminals to impersonate directors and senior people in a company. Such CEO fraud is normally an urgent request for a payment transfer or system access. Always check the validity of any such request independently, by phoning the person on a number you already hold rather than replying to the email or using any contact details it supplies.

iii. Social media scams

Phishing also occurs on social media. Whilst this might only seem like a concern for individuals, businesses are increasingly reliant on a social media presence, and this hasn't gone unnoticed by fraudsters. For example, they've been known to target employees on Google+ (since closed) by sending out fake invites containing links to malware.

Businesses should also consider their employees might use company property to browse social media, potentially making them vulnerable to scams. Most attempts will use some shocking news to try and get you to click, install or share something. Little do users know, they've just clicked a link which will then infect the device they're using – curiosity killed the cat.

Shortened URLs are a prime example of how easily this works. You'll see them everywhere on Twitter. They're useful for staying under the character limit, but for someone with malicious intent a shortened URL is an easy way of hiding where a link really leads, which makes it easier to trick people into clicking something they wouldn't knowingly open. Expand a shortened link (many shortener services offer a preview, and dedicated expander sites exist) before visiting it from a work device.

Social media scams highlight not only the importance of real-time malware protection software, but the need for companies to have policies on acceptable use for computers, mobile devices, email and internet. Key things it should cover include:

  • Prohibited activities. The policy should include things employees aren't allowed to do – for example, making unauthorised transactions, posting offensive material or deliberately disabling security packages.
  • Responsibility for updates. Are IT responsible for checking computers are up-to-date on security packages? Or should individuals regularly check themselves? Make it clear in the policy.

In addition to policy, employees should be given advice and training to manage the risk. But more on that later.

iv. Fake pop ups

If there is one key message you should pass on to your employees, it is to be wary of any unsolicited message that requires you to follow a link somewhere else. Fake pop-ups are a key example of this. They try to worry users with an alarming message, such as a fake virus alert, but clicking on it will only allow malware to be downloaded.

To close one safely, don't click anything inside it, as even its 'close' or 'cancel' button may be a link. Use a keyboard shortcut (Ctrl+W to close the tab, or Alt+F4 to close the window, on Windows) or open Task Manager and end the browser process. On a Mac, press Command + Option + Esc to open the Force Quit window and quit the browser from there. That way, you avoid clicking on the potentially dangerous pop-up.

Key ways fraudsters use fake pop ups to trick users include:

  • ads that promise to delete viruses or spyware, protect privacy, improve computer function, remove harmful files, or clean your registry
  • alerts about malicious software or illegal pornography on your computer
  • invites to download free software for a security scan or to improve your system
  • claims your security software is out-of-date and your computer is in immediate danger
  • unfamiliar websites that claim to have performed a security scan and prompt you to download new software


Which types of businesses are at risk?

Any business that operates online is at risk. If your company has anything of value (money, data or customer relationships), it will be a target. But, according to the ACFE's Report to the Nations, small businesses (fewer than 100 employees) tend to suffer higher median losses per case of fraud, and they're less likely to be able to absorb the damage of an attack.

Online scams can be random, targeting as many devices, services or users as possible. Or a fraudster might choose to single your organisation out and spend considerable time researching the weaknesses in your systems and processes. They're expert criminals and have no problem exploiting your vulnerabilities. Whatever the size of company, it's far better to adopt a 'when' rather than an 'if' approach, with the aim to prevent attacks before they can happen.


Top tips on improving your company's resilience

We recommend taking steps to increase the awareness of cyber attacks in your company. Informing and educating your employees is a great place to start improving your resilience. To help businesses protect themselves from financial fraud, we suggest sharing these simple tips across your company:

  1. Never disclose security details, such as your PIN or full password. It's never right to reveal these details.
  2. Don't assume an email request or caller is genuine. People aren't always who they say they are.
  3. Don't be rushed. A supplier or genuine organisation won't mind waiting to give you time to stop and think.
  4. Listen to your instincts. If something feels wrong, then it is usually right to pause and question it.
  5. Stay in control. Have the confidence to refuse unusual requests for information.

There are tools that can help your employees. Sign up to a password manager, so they only have to remember one master password while the software generates strong, unique passwords for all their other accounts, and turn on multi-factor authentication wherever a service offers it, so that a phished password alone isn't enough. Other tools include:

  • Early-warning systems. With the right intelligence software, you can detect phishing and malware across emails and digital channels before it progresses any further. You can set up alerts for things like domain registrations, so you can keep an eye out for anyone trying to trick your customers with malicious, fraudulent content.
  • Online identity verification. Verifying new customers and users at sign-up (for example, checking that a mailing address is real and matches the applicant) lets you reject fraudulent applications without turning away genuine ones, so acceptance rates for real customers stay high.
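As an added example of what a domain-registration alert actually watches for (not code from the original guide), the following generates the typosquatting and combosquatting variants of your own domain (character omission, transposition, repetition, hyphenation, digit look-alikes, alternative endings and 'brand-login' style names) and matches them against a feed of newly registered domains. The brand domain, the look-alike character table, the combo words and the feed are all constructed; in practice the feed would come from certificate transparency logs or a domain-monitoring service.

```python
"""Generate the lookalike domains a domain-registration alert should watch.

Added example, not from the original guide. The brand domain, the
digit/letter look-alike table and the 'newly registered' feed are all
constructed; a real feed would come from certificate transparency logs or a
domain-monitoring service.
"""
LOOKALIKE_CHARS = {"o": "0", "i": "1", "l": "1", "e": "3", "a": "4", "s": "5",
                   "m": "rn", "w": "vv"}
ALT_TLDS = ("com", "co.uk", "net", "org", "uk")
COMBO_WORDS = ("login", "secure", "payments", "support")


def lookalikes(domain):
    """Set of typosquat and combosquat variants of a brand domain."""
    label, _, tld = domain.partition(".")
    names = set()
    for i, ch in enumerate(label):
        names.add(label[:i] + label[i + 1:])                          # omission
        names.add(label[:i] + ch + ch + label[i + 1:])                # repetition
        if i < len(label) - 1:
            names.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition
            names.add(label[:i + 1] + "-" + label[i + 1:])            # hyphenation
        if ch in LOOKALIKE_CHARS:
            names.add(label[:i] + LOOKALIKE_CHARS[ch] + label[i + 1:])  # look-alike char
    names.discard(label)  # never list the genuine name itself
    variants = {f"{n}.{tld}" for n in names}
    variants |= {f"{label}.{t}" for t in ALT_TLDS if t != tld}   # same name, other ending
    variants |= {f"{label}-{w}.{tld}" for w in COMBO_WORDS}       # brand-login style
    return variants


def match_feed(domain, feed):
    """Return the entries of a registration feed that imitate the brand domain."""
    watch = lookalikes(domain)
    return sorted(d.lower() for d in feed if d.lower() in watch)


# Constructed feed of 'newly registered' domains for the example.
FEED = [
    "smartpensi0n.co.uk", "smart-pension.co.uk", "smartpension-login.co.uk",
    "smartpenison.co.uk", "smartpenson.co.uk", "unrelated-shop.co.uk",
    "smartpension.com", "smartpension.co.uk",
]

if __name__ == "__main__":
    for hit in match_feed("smartpension.co.uk", FEED):
        print("watch:", hit)
```

A watchlist like this only catches the variants you thought to generate; registrations that merely contain the brand name in a longer label still need a substring check, and every hit still needs a human to decide whether it is abuse.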


Preparing your business for an attack

Risk management is an important process for all companies. But not every business has the luxury of time to prepare for a cyber attack. Employees need to know how to think on their feet, and what processes need to be followed should the worst happen. As a business, one of the best things you can do is know where your weaknesses lie. Consult with your colleagues to find out where you need to improve resilience:

  • Workshops and interviews
  • Brainstorming
  • Employee questionnaires
  • Process mapping
  • Comparisons with other organisations

Tell relevant departments and key personnel they're likely to be a target of online fraud and take steps to advise them on risk mitigation. In an e-commerce business for example, you'd outline key things employees should look out for:

  • When a billing address doesn't match the shipping address
  • Extremely late-night orders
  • Shipments to P.O. boxes or international orders
  • Orders for numerous identical items from first time buyers
  • Express shipping requested
  • Using a disconnected telephone number
  • Several card numbers shipping to same address

Of course, these things don't always mean fraud but a combination of the above should set alarm bells ringing. Find out what the red flags are for your business and share them widely.
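To make the point that it is the combination of red flags that matters, here is an added example (not code from the original guide) that scores orders against the list above. Each flag carries a weight, one flag (several cards shipping to one address) is computed across the whole batch rather than per order, and only orders whose total crosses a threshold go to a human reviewer. The weights, the threshold and the three sample orders are constructed for the example.

```python
"""Score e-commerce orders against the red flags listed above.

Added example, not from the original guide. The rule weights, the alert
threshold and the sample orders are all constructed: the point is that a
combination of signals, not any single one, should set alarm bells ringing.
"""
from collections import defaultdict
from datetime import datetime


def cards_per_address(orders):
    """Distinct payment cards seen per shipping address across a batch.

    Orders carry a card token (or last four digits), never the full PAN.
    """
    seen = defaultdict(set)
    for o in orders:
        seen[o["shipping_address"]].add(o["card_token"])
    return {addr: len(cards) for addr, cards in seen.items()}


# (name, weight, predicate). Predicates see the order and a batch context.
RULES = [
    ("billing address differs from shipping address", 2,
     lambda o, ctx: o["billing_address"] != o["shipping_address"]),
    ("placed between midnight and 5am", 1,
     lambda o, ctx: o["placed_at"].hour < 5),
    ("PO box or international destination", 1,
     lambda o, ctx: o["po_box"] or o["shipping_country"] != "GB"),
    ("first-time buyer ordering many identical items", 2,
     lambda o, ctx: o["first_order"] and o["max_item_qty"] >= 5),
    ("express shipping requested", 1,
     lambda o, ctx: o["express"]),
    ("contact number unreachable", 2,
     lambda o, ctx: not o["phone_reachable"]),
    ("several cards shipping to this address", 3,
     lambda o, ctx: ctx["cards_at_address"].get(o["shipping_address"], 0) > 1),
]
ALERT_THRESHOLD = 5  # assumed: roughly three weak signals or two strong ones


def score_order(order, ctx):
    """Return (total weight, [names of rules that fired]) for one order."""
    hits = [(name, w) for name, w, pred in RULES if pred(order, ctx)]
    return sum(w for _, w in hits), [name for name, _ in hits]


def review_queue(orders):
    """Map order id -> (score, reasons) for every order that needs a human look."""
    ctx = {"cards_at_address": cards_per_address(orders)}
    queue = {}
    for o in orders:
        score, reasons = score_order(o, ctx)
        if score >= ALERT_THRESHOLD:
            queue[o["id"]] = (score, reasons)
    return queue


def _order(id_, billing, shipping, hour, **overrides):
    """Build a constructed sample order with sensible defaults."""
    o = {"id": id_, "billing_address": billing, "shipping_address": shipping,
         "shipping_country": "GB", "po_box": False,
         "placed_at": datetime(2019, 5, 3, hour, 15), "first_order": False,
         "max_item_qty": 1, "express": False, "phone_reachable": True,
         "card_token": "tok_" + id_}
    o.update(overrides)
    return o


# Constructed sample batch: one ordinary order and two that share a PO box.
ORDERS = [
    _order("A1", "12 High St, Leeds", "12 High St, Leeds", 14, express=True),
    _order("B2", "4 Mill Rd, Bristol", "PO Box 77, Warehouse District", 2,
           po_box=True, first_order=True, max_item_qty=12, express=True,
           phone_reachable=False),
    _order("C3", "9 Park Ave, Hull", "PO Box 77, Warehouse District", 3,
           po_box=True, first_order=True, max_item_qty=12, express=True,
           phone_reachable=False),
]

if __name__ == "__main__":
    for order_id, (score, reasons) in review_queue(ORDERS).items():
        print(order_id, score, reasons)
```

Order A1 trips one rule (express shipping) and is left alone; B2 and C3 trip every rule, including the batch-level one that neither order could reveal on its own. Calibrate weights and threshold against your own chargeback history, and log which rules fired so reviewers can see why an order was held.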


What to do if your business is being digitally attacked

Businesses survive online attacks. But it doesn't just happen by chance. Once you know you've fallen victim to online fraud, you need to be proactive and find out as much as you can quickly. We suggest the following six steps:

  1. Contain it. Take affected systems off the network rather than powering them off or wiping them, restrict access, and change the credentials for all important online accounts and servers. Isolate the situation and minimise the damage, but preserve logs and disk images where you can: you will need them for the investigation and for any report to the authorities.
  2. Start an investigation. Where's your system's weakest link? Without starting an exercise of finger pointing, get everyone involved in finding out where and how the breach occurred. It's likely there was a human element that allowed it to occur, but you don't want to put people off coming forward.
  3. Learn from your mistakes. If you manage to discover where and how the attack occurred, you need learn from it. The potential danger doesn't go away if you've been a target before, so pass on the warning to key staff.
  4. Work with the relevant law enforcement agencies. Give the police or Action Fraud your full support and don't hold any information back. The data stolen from your company could appear for sale on an underground forum the authorities are keeping under surveillance, and although cybercriminals are rarely caught, this could lead them to those who targeted you. If personal data was involved, remember that data protection law (the GDPR) requires a notifiable breach to be reported to the Information Commissioner's Office within 72 hours of you becoming aware of it.
  5. Check your back-ups. Most IT departments will have back-ups for the main servers. Before restoring, confirm that the back-ups themselves weren't reached by the attacker (ransomware in particular goes after any back-up it can find), which is why at least one copy should be kept offline. Back-ups also let you compare the state of your network before and after the attack, which can give you valuable intel about your firewall, DNS and web servers, and about how the fraudsters got in.
  6. Reassess how much you invest in security. It might be tempting to blame the IT department. But how big is your company and how much do you invest in IT? If it's a tiny amount, you might want to reconsider where you place the blame. With any online attack, you've got to learn your lesson so it doesn't happen again.


Staying on top of business continuity and disaster recovery plans

Are you proactively managing and minimising threats from online attacks? Do you have a security program in place, engaging all relevant teams? Are you aware of the latest technologies and security measures? Even if you answered yes to these questions, you could still be in a bad place should the worst happen.

A business continuity plan (BCP) ensures you can recover and sustain key business operations during and after an attack, with minimal downtime and cost. It's an essential tool. It covers online threats and anything that could cause operations to stop. It's best described as a fully-documented agreement between management and key personnel, covering all the steps the organisation (and individuals) should take under emergency conditions.

A key part of the BCP is disaster recovery, outlining the IT-driven processes that focus on the recovery of software, hardware and data, as well as the quick restoration of normal online operations. Any risk management plan should be clearly documented, easily accessible and regularly tested. To ensure yours is the best it can be, reflect on CIMA's fraud risk management cycle (see the CIMA guide in the links below) and cover all the key areas.


Mitigating the impact of staff negligence and dishonesty

Staff dishonesty can kill a business. A 2016 study by the Ponemon Institute, 'Managing Insider Risk through Training and Culture', found that 66% of professionals say employees are the weakest link in their efforts to create strong security procedures. In fact, 55% of organisations have experienced a security incident due to a malicious or negligent employee. But how do you know whether you're at risk? There are some tell-tale signs of a culture that could allow dishonest behaviour to take hold amongst employees, including:

  1. Lack of clear management, responsibility, or delegation of duties
  2. Bonus schemes or promotions linked solely to ambitious targets or financial results
  3. Inadequate recruitment processes
  4. A lack of HR support
  5. Lack of financial management expertise and professionalism
  6. Unusually close relationships
  7. Unreasonable pressures to perform or deliver financial results
  8. Employees working unsocial hours unsupervised
  9. Potentially mismanaged redundancies
  10. Lack of control over privileged access
  11. Low salaries for key staff

If a discontented employee chooses to, they can do a lot of harm to your company. As with most fraudulent attempts, the motivation is normally financial, so it's not just about keeping employees happy, but about rewarding them for a good job.


Advice on future-proofing your business

One of the greatest assets a company has is its employees. But humans make mistakes. An important part of future-proofing your business against growing cybercrime is creating a culture of transparency (where employees feel like they can come forward with errors) and training.

Everyone should champion online security and make decisions about how they work, that takes into account the key risks. But not everyone will do this naturally. You've got to provide them with the tools. To get staff online security training right, we've got the following tips:

  1. Make it personal. Raise the awareness of security issues in a wider context. Don't just mention the risks of negligence at work, but what it could mean if they lack online security at home. You're more likely to get their attention.
  2. Include senior executives in training. Of course, everyone needs to know how to protect themselves online, but getting senior staff to participate in training will show your company's commitment and encourage others to follow suit.
  3. Discuss the rewards and consequences. Make it clear that online fraud has serious consequences for business operations. Discuss what will happen if employees are non-compliant, but also show you're willing to reward everyone when efficient security measures are mastered.
  4. Make it fun. More than anything, training has got to be engaging to get people's interest. Make training interactive and use simulated examples to show exactly what can happen.


Where to go for further support

The government provides a 10 step plan that organisations can use to help protect themselves in cyberspace. The 10 Steps to Cyber Security was originally published in 2012 and is now used by a majority of the FTSE 350. Get to know the 10 steps in detail, and familiarise yourself with the advice that will help you to build a resilience plan.

https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security/the-10-steps

The Metropolitan Police admits that it can be difficult to decide where to make reports in the instance of fraud. What you should know is the police aren't the only agency with the power to investigate fraud-related offences. In fact, most cases should be reported to Action Fraud.

As the UK's national fraud and financially motivated internet crime reporting centre, Action Fraud take reports of fraud from victims, as well as providing support and advice. If you ever have to report fraud, you'll be issued a crime reference number (quoted in the same way as one issued by police).

All reports received are fed into the National Fraud Intelligence Bureau (NFIB), the body responsible for analysing information from Action Fraud, as well as other sources. The aim is to generate intelligence to pick up on trends and cases which could be linked. As the internet is global and threats are present everywhere, the NFIB can send information to the appropriate police or other law enforcement organisations. This can assist in investigations which may involve enquiries in the UK and overseas.

Useful links

UK Government: Cyber security guidance for business

NCSC: 10 Steps To Cyber Security

Action Fraud

CIMA – Fraud risk management: A guide to good practice

Avoiding Fraud: A Guide For Businesses

A merchant's guide to online fraud protection

About Smart Pension

Launched in 2015, Smart Pension exceeds £5bn in assets under management (AUM) and now serves over one million members and more than 70,000 employers. It is powered by Keystone, Smart’s global savings and investments technology platform.

Aquiline Capital Partners, Barclays, Chrysalis Investments, DWS Group, Fidelity International Strategic Ventures, J.P. Morgan, Legal & General Investment Management, Link Group and Natixis Investment Managers are all investors in Smart Pension.