Online fraud in the workplace is what happens when you or your employees are targeted by criminals who use the internet or email to commit a crime. Just as quickly as your security might be improving, criminals may find new ways to get around it. People do make mistakes, too. So all organisations – of every size – are vulnerable to online attacks.
Online fraud isn't a victimless crime. Financial losses, damage to reputation and compromised information are just some of the potential effects of online fraud. But it's not only businesses that pay the price of an attack. Often, it is their consumers and employees who feel the impact most. Three online scams are often reported by consumers:
Individuals can improve their awareness, but it's your responsibility to manage the online risks to your company and customer data. To help build up your resilience, this guide to beat online fraud should help. It will help you to identify the different types of fraud and provide ideas for future-proofing your business against online risks.
The UK government's 2019 Cyber Security report shows that cybercrime is committed regularly. As fraud practices are likely to follow the money, it stands to reason businesses will always be one of the prime targets for fraudsters.
Businesses might see the potential dangers of fraud thanks to exposure in the media, but think they're somehow immune. Little do they know, it is only the biggest instances of fraud that are picked up by reporters. Every year, huge sums are lost as a result of smaller attacks that aren't newsworthy, but are just as damaging.
Common scams include invoice fraud and CEO impersonation. In CEO fraud, scam artists send a spoofed email pretending to be someone important and asking for confidential information. Worryingly, 77% of business leaders admitted they've never heard of this technique. It's time to get informed.
Our increasing reliance on internet-connected devices isn't without its costs. It's accompanied by the development of cyber risks. In fact, fraud costs the UK economy over £193bn a year, which is more than £6,000 lost per second every day of the year. Of this total, business fraud accounted for £144bn.
Estimates confirm the damage online breaches can cause. According to PwC, the average cost of the worst breaches at large UK organisations is between £1.4m and £3.14m. For small businesses, it's between £75,000 and £311,000.
Some online attacks go unnoticed until it's too late. But the success of a fraud depends on an employee making a mistake. With things such as phishing and pop-ups, there are common warning signs. Ask yourself - and get your employees to ask themselves - these questions:
The availability of high speed internet access has improved in recent years. Companies and individuals from around the world can connect and work with one another. Globalisation and the internet have been enablers of accelerated progress in places that were once left behind. But such technology is also inevitably a facilitator of crime, as some countries are restricted by low levels of regulation and law enforcement capabilities.
Fraudsters can take advantage of these circumstances. They can launch an attack on your business from anywhere in the world, driven by enhanced communications infrastructure. There's also a feeling they'll get away with it because they're living in foreign countries, where the police will be unable to pursue them. The truth is, many countries are ill-equipped to deal with criminals using the anonymity of the internet.
Being online means being exposed to the threat of cybercrime and online fraud. A business that works on improving its services, goods and reputation but ignores the risk of an online scam is preparing to fail. Companies should take steps to educate themselves about the common risks, as well as keep up-to-date with an ever-developing threat.
Have you heard of viruses, worms, Trojans, bots, or spyware? Whether you're familiar with one or all of these terms, it's important to know they're all types of malicious software – or, simply put, malware. Types of malware include:
Fraudsters might use malware to attack your systems and software for the following reasons:
Sometimes, hackers are simply out to prove your system can be easily breached. But the damage of any downtime or loss of confidential information could have massive consequences for organisations.
A report by Verizon into data breach investigations showed that 23% of people open phishing emails. But what is phishing and how is it successful? Any email or website that requests private information from you (account numbers, passwords, or bank details, for example) could be a phishing attempt.
If a fraudster gets this information, you can bet they're going to use it unlawfully. Phishing emails could be full of malware-laden attachments to steal the information. In those cases, you just need to be tricked into opening them rather than responding to a request. It's surprisingly easy to fall for. It only takes one employee to make a mistake.
Phishing works because the requests disguise themselves as genuine. In fact, they're getting increasingly believable. Fraudsters often spoof a credible-looking email address or website, and aid the deception with a variety of social engineering techniques. These could include:
Knowing what to look for is important. Attacks can be disguised in many ways, such as:
It's also common for online criminals to impersonate directors and senior people in a company. Such CEO fraud is normally an urgent request for a payment transfer or system access. It's always sensible to make independent checks on the validity of any such request.
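One form the "independent check" mentioned above can take is an automated screen on the sender of an incoming message. The code below is an added illustration, not part of the original guide: it parses a From header and flags a display name that claims executive identity or authority while the address sits on an external or lookalike domain. The company domain, executive names and sample headers are all assumptions constructed for the example.

```python
import re
from email.utils import parseaddr

# Assumptions for the example: the organisation's real mail domain and the
# names of senior staff an impersonator would most plausibly borrow.
COMPANY_DOMAIN = "example.com"
EXEC_NAMES = {"jane doe"}

# Constructed sample From headers (not taken from any real message).
SAMPLE_HEADERS = [
    'From: "Jane Doe (CEO)" <jane.doe@example.com>',          # genuine internal sender
    'From: "Jane Doe (CEO)" <jane.doe@examp1e.com>',          # digit 1 standing in for letter l
    'From: "Jane Doe" <ceo.urgent@mail-freehost.example>',    # exec name on an unrelated domain
    'From: "Accounts" <accounts@example.com>',                # ordinary internal sender
]

# Characters commonly swapped to build a lookalike domain. Both sides of the
# comparison are normalised, so this only affects the equality test.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})
AUTHORITY_WORDS = re.compile(r"\b(ceo|cfo|director|urgent)\b")


def normalise(domain):
    """Collapse common confusable characters so lookalikes compare equal to the real domain."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def sender_risk(from_header):
    """Return a list of risk flags for one From header (empty list means nothing suspicious)."""
    value = re.sub(r"^From:\s*", "", from_header.strip(), flags=re.I)
    display, addr = parseaddr(value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Strip parenthesised job titles so the bare name can be compared.
    name = re.sub(r"\(.*?\)", "", display).strip().lower()
    external = domain != COMPANY_DOMAIN

    flags = []
    if external and normalise(domain) == normalise(COMPANY_DOMAIN):
        flags.append("lookalike-domain")
    if external and name in EXEC_NAMES:
        flags.append("executive-name-external-domain")
    if external and AUTHORITY_WORDS.search((display + " " + addr).lower()):
        flags.append("authority-claim-external-domain")
    return flags


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", sender_risk(header) or "ok")
```

A flag from this check is a prompt to verify the request out of band (a phone call to a known number, not a reply to the message), not proof of fraud; the lookalike test is deliberately narrow and will not catch every spoofing technique.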
Phishing also occurs on social media. Whilst this might only seem like a concern for individuals, businesses are increasingly reliant on a social media presence – and this is something which hasn't gone unnoticed by fraudsters. For example, they've been known to target employees using Google+ by sending out fake invites that contain malicious links to malware.
Businesses should also consider that their employees might use company property to browse social media, potentially making them vulnerable to scams. Most attempts will use some shocking news to try and get you to click, install or share something. Little do users know, they've just clicked a link which will then infect the device they're using – curiosity killed the cat.
Shortened URLs are a prime example of how easily this works. You'll see them everywhere on Twitter. They might be useful for those just trying to stick under the allocated character limit, but for people with malicious intentions, shortened URLs are an easy way of hiding where people will be directed to. This makes it easier to trick them into clicking something they wouldn't knowingly want to.
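The hidden destination of a shortened link can be revealed without visiting it: a HEAD request that refuses to follow redirects returns only the Location header, so each hop is inspected before anything is loaded. The script below is an added example, not code from the original guide. The shortener list contains real shortener domains, the sample post and the redirect chain in `demo_fetch` are constructed for illustration, and `head_hop` is the live resolver a practitioner would swap in.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Domains of widely used link shorteners; a link through one of these hides its real target.
SHORTENER_DOMAINS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample post (the short link is a placeholder, not a real bit.ly path).
SAMPLE_POST = ("Shocking news about your account! See https://bit.ly/EXAMPLE-SHORT "
               "and https://www.example.com/news for details")


def find_shortened_links(text):
    """Return every URL in the text whose host is a known shortener."""
    return [u for u in URL_RE.findall(text) if urlparse(u).hostname in SHORTENER_DOMAINS]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None stops urllib following the redirect, so the 3xx surfaces as HTTPError.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def head_hop(url):
    """Issue one HEAD request and return (status, Location header) without following it."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with _opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def demo_fetch(url):
    """Constructed stand-in for head_hop: a two-hop chain ending on an unknown host."""
    table = {
        "https://bit.ly/EXAMPLE-SHORT": (301, "https://t.co/EXAMPLE2"),
        "https://t.co/EXAMPLE2": (302, "/landing?ref=social"),   # relative Location
    }
    return table.get(url, (200, None))


def expand(url, fetch=head_hop, max_hops=5):
    """Follow redirects one hop at a time and return the full chain, start to final URL."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        chain.append(urljoin(chain[-1], location))   # resolve relative Location headers
    return chain


if __name__ == "__main__":
    for link in find_shortened_links(SAMPLE_POST):
        chain = expand(link, fetch=demo_fetch)
        print(" -> ".join(chain))
        print("final host:", urlparse(chain[-1]).hostname)
```

The final host in the chain is what an acceptable-use policy or a web filter should be judged against, not the shortener; capping the hop count also catches redirect loops, which some malicious links use to frustrate inspection.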
Social media scams highlight not only the importance of real-time malware protection software, but the need for companies to have policies on acceptable use for computers, mobile devices, email and internet. Key things it should cover include:
In addition to policy, employees should be given advice and training to manage the risk. But more on that later.
If there is one key message you should pass on to your employees, it is to be wary of any unsolicited message that requires you to follow a link somewhere else. Fake pop-ups are a key example of this. They'll try and worry users with things like a scam alert, but clicking on it will only allow malware to be downloaded.
To avoid such dangers, it's best to close the window with a keyboard shortcut (Ctrl-W or Alt-F4 on Microsoft devices) or to open the Task Manager and end the browser program. If you use a Mac, press Command + Option + Q + Esc to "Force Quit." That way, you avoid clicking on the potentially dangerous pop-up.
Key ways fraudsters use fake pop ups to trick users include:
Any business that operates online is at risk. If your company has valuable property, it will be a target. But, according to an ACFE report, small businesses (fewer than 100 employees) tend to be hit by higher average losses when it comes to fraud. They're less likely to be able to absorb the damage of an attack.
Online scams can be random, targeting as many devices, services or users as possible. Or a fraudster might choose to single your organisation out and spend considerable time researching the weaknesses in your systems and processes. They're expert criminals and have no problem exploiting your vulnerabilities. Whatever the size of company, it's far better to adopt a 'when' rather than an 'if' approach, with the aim to prevent attacks before they can happen.
We recommend taking steps to increase the awareness of cyber attacks in your company. Informing and educating your employees is a great place to start improving your resilience. To help businesses protect themselves from financial fraud, we suggest sharing these simple tips across your company:
There are tools that can help your employees. Sign up to a password manager. That way, they only have to remember one master password. The software will create unique, secure passwords for all their accounts. Other tools include:
Risk management is an important process for all companies. But not every business has the luxury of time to prepare for a cyber attack. Employees need to know how to think on their feet, and what processes need to be followed should the worst happen. As a business, one of the best things you can do is know where your weaknesses lie. Consult with your colleagues to find out where you need to improve resilience:
Tell relevant departments and key personnel they're likely to be a target of online fraud and take steps to advise them on risk mitigation. In an e-commerce business for example, you'd outline key things employees should look out for:
Of course, these things don't always mean fraud but a combination of the above should set alarm bells ringing. Find out what the red flags are for your business and share them widely.
Businesses survive online attacks. But it doesn't just happen by chance. Once you know you've fallen victim to online fraud, you need to be proactive and find out as much as you can quickly. We suggest the following six steps:
Are you proactively managing and minimising threats from online attacks? Do you have a security program in place, engaging all relevant teams? Are you aware of the latest technologies and security measures? Even if you answered yes to these questions, you could still be in a bad place should the worst happen.
A business continuity plan (BCP) ensures you can recover and sustain key business operations during and after an attack, with minimal downtime and cost. It's an essential tool. It covers online threats and anything that could cause operations to stop. It's best described as a fully-documented agreement between management and key personnel, covering all the steps the organisation (and individuals) should take under emergency conditions.
A key part of the BCP is disaster recovery, outlining the IT-driven processes that focus on the recovery of software, hardware and data, as well as the quick restoration of normal online operations. Any risk management plan should be clearly documented, easily accessible and regularly tested. To ensure yours is the best it can be, reflect on CIMA's cycle and cover all the key areas.
Staff dishonesty can kill a business. A 2016 study by Ponemon Institute, 'Managing Insider Risk through Training and Culture', found that 66% of professionals say employees are the weakest link in their work to create strong security procedures. In fact, 55% of organisations have experienced a security incident due to a malicious or negligent employee. But how do you know you could be at risk? There are some tell-tale signs of a culture that could allow dishonest behaviour to manifest amongst employees, including:
If a discontented employee chooses to, they can do a lot of harm to your company. As with most fraudulent attempts, the motivation is normally financial. It's not just about keeping employees happy, but rewarding them for a good job.
One of the greatest assets a company has is its employees. But humans make mistakes. An important part of future-proofing your business against growing cybercrime is creating a culture of transparency (where employees feel like they can come forward with errors) and training.
Everyone should champion online security and make decisions about how they work that take into account the key risks. But not everyone will do this naturally. You've got to provide them with the tools. To get staff online security training right, we've got the following tips:
The government provides a 10 step plan that organisations can use to help protect themselves in cyberspace. The 10 Steps to Cyber Security was originally published in 2012 and is now used by a majority of the FTSE 350. Get to know the 10 steps in detail, and familiarise yourself with the advice that will help you to build a resilience plan.
https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security/the-10-steps
The Metropolitan Police admits that it can be difficult to decide where to make reports in the instance of fraud. What you should know is the police aren't the only agency with the power to investigate fraud-related offences. In fact, most cases should be reported to Action Fraud.
As the UK's national fraud and financially motivated internet crime reporting centre, Action Fraud takes reports of fraud from victims, as well as providing support and advice. If you ever have to report fraud, you'll be issued a crime reference number (quoted in the same way as one issued by police).
All reports received are fed into the National Fraud Intelligence Bureau (NFIB), the body responsible for analysing information from Action Fraud, as well as other sources. The aim is to generate intelligence to pick up on trends and cases which could be linked. As the internet is global and threats are present everywhere, the NFIB can send information to the appropriate police or other law enforcement organisations. This can assist in investigations which may involve enquiries in the UK and overseas.
UK Government: Cyber security guidance for business
NCSC: 10 Steps To Cyber Security
Action Fraud
CIMA – Fraud risk management: A guide to good practice
Launched in 2015, Smart Pension exceeds £4bn in assets under management (AUM) and now serves over one million members and more than 70,000 employers. It is powered by Keystone, Smart’s global savings and investments technology platform.
Aquiline Capital Partners, Barclays, Chrysalis Investments, DWS Group, Fidelity International Strategic Ventures, J.P. Morgan, Legal & General Investment Management, Link Group and Natixis Investment Managers are all investors in Smart Pension.