Gavin Cunningham – Forensics Partner
While the threat of fraud is nothing new, the increased automation of business systems and the growing take-up of online banking have led to a sharp rise in cybercrime.
According to a new report from Cifas, the UK’s leading fraud prevention service, of the 325,000 cases of fraud recorded against businesses in 2016, 88% of identity frauds and 30% of facility takeovers were committed online. This demonstrates the scale of the opportunity the internet affords organised and dedicated fraud gangs. Despite this, the majority of UK businesses (70%) admit to having no business continuity plan in place to protect them against these crimes. In order to limit damage and protect the company’s reputation, it is essential that processes are put in place to respond effectively in the event of a fraudulent attack and, more importantly, to stop it happening in the first place.
Types of Cybercrime: Fraud
While several different types of online fraud exist, most criminal activity against businesses is conducted for financial gain. ‘Phishing’ is the lure: a bulk, forged email or a malicious link serves as the ‘bait’, and if a member of staff responds to it or clicks on it, the fraudster can gain a foothold on the firm’s network, harvest login details and extract information. From there, fraudsters infiltrate email and online accounting systems, intercepting and altering key data with the aim of tricking the business into transferring money directly to an account they control.
A particularly dangerous variation of this attack, ‘spear-phishing’, involves a fraudster first researching the target business and then establishing email contact to request a transfer of funds under a seemingly genuine identity, for example that of a known supplier. Many of these cases begin when a fraudster gains access to, or copies of, a supplier’s emails and registers an address that differs from the real one by a character or two before sending an invoice or a ‘change of bank details’ notice that directs payment to their own account.
The highly professional and organised nature of many cyberattacks requires organisations to adopt a meticulous approach to checking data and spotting anomalies relating to external payments. In many cases, fraudulent payment requests can be very difficult to identify, with email addresses changed by just one character and invoices sent out to look exactly like real ones from a customer or supplier.
Existing Government guidelines around fraud prevention focus on training staff to be vigilant in spotting potential signs of online criminal activity, and staff can certainly provide businesses with an important first line of defence. As well as being encouraged to examine the email addresses of intended payees closely before transferring funds, staff should be on the look-out for suspicious or unexpected emails. An email whose address does not match the supposed sender, or whose contents are unexpected, should not be acted upon, its links clicked or its attachments opened, and it should not be forwarded on: it should be reported to whoever handles security for the firm. Forwarding it could simply spread the problem further.
While engaging workers in the need to remain alert to suspicious correspondence and anomalies is an essential part of the battle against cybercrime, where possible businesses should not leave themselves exposed to human error alone. Firms can introduce an additional layer of security by making use of accounting software that raises an ‘alert’ if a supplier’s bank details change, for example, and by requiring that any such change be confirmed with the supplier through a channel already on file, such as a known telephone number, rather than the contact details quoted in the email that requested the change. Once an anomaly has been flagged, incorrect invoices and payment details can be corrected before any transfer of funds is authorised.
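The two controls just described, matching the sender’s address against the domain on file and holding any payment whose bank details differ from the supplier record, can be applied automatically at the point of payment approval. The following is an added example and not code from this article or from any accounting product; the supplier record, the payment request, the set of lookalike character swaps and the ‘confirm by phone on the number on file’ rule are assumptions chosen to illustrate the checks.

```python
"""Pre-payment checks for supplier invoices.

Added illustration, not the article's own code.  Two controls from the text:
  1. the sender's email domain must match the domain held on file for the
     supplier, and a one- or two-character lookalike (acme-supp1ies for
     acme-supplies) is flagged rather than waved through;
  2. any change to the supplier's bank details is flagged and the payment is
     held until the change is confirmed out of band.
The supplier record and the payment requests are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    name: str
    email_domain: str   # domain the supplier is known to send from
    sort_code: str
    account_number: str


@dataclass(frozen=True)
class PaymentRequest:
    supplier_name: str
    sender_email: str
    sort_code: str
    account_number: str
    amount_gbp: float


# Constructed supplier master record (sample data, not a real company).
SUPPLIERS = {
    "Acme Supplies Ltd": Supplier("Acme Supplies Ltd", "acme-supplies.co.uk",
                                  "12-34-56", "12345678"),
}

# Character swaps that look alike in most fonts (assumed list, extend as needed).
LOOKALIKE_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def normalise(domain: str) -> str:
    """Fold common lookalike substitutions so 'acrne-supp1ies' reads 'acme-supplies'."""
    d = domain.lower()
    for src, dst in LOOKALIKE_SWAPS:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a distance of 1 or 2 is the classic lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(req: PaymentRequest, sup: Supplier) -> list[str]:
    """Empty list if the sender domain is the one on file, else one finding."""
    domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if domain == sup.email_domain:
        return []
    # A near-miss is more suspicious than a random domain: it was chosen to
    # survive a glance at the address bar.
    if (normalise(domain) == normalise(sup.email_domain)
            or levenshtein(domain, sup.email_domain) <= 2):
        return [f"LOOKALIKE_DOMAIN: {domain} imitates {sup.email_domain}"]
    return [f"UNKNOWN_DOMAIN: {domain} is not the domain on file ({sup.email_domain})"]


def check_bank_details(req: PaymentRequest, sup: Supplier) -> list[str]:
    """Flag any difference between the requested and the recorded bank details."""
    if (req.sort_code, req.account_number) != (sup.sort_code, sup.account_number):
        return ["BANK_DETAILS_CHANGED: hold payment; confirm by phone on the number "
                "already on file, never on one quoted in the email"]
    return []


def review_payment(req: PaymentRequest, suppliers=SUPPLIERS) -> list[str]:
    """Return an empty list when the payment may proceed, else the reasons to hold it."""
    sup = suppliers.get(req.supplier_name)
    if sup is None:
        return [f"UNKNOWN_SUPPLIER: {req.supplier_name} has no master record"]
    return check_sender(req, sup) + check_bank_details(req, sup)


if __name__ == "__main__":
    # Constructed fraudulent request: digit 1 in place of letter l, plus a new account.
    suspicious = PaymentRequest("Acme Supplies Ltd", "accounts@acme-supp1ies.co.uk",
                                "12-34-56", "87654321", 14_250.00)
    for finding in review_payment(suspicious):
        print(finding)
```

The sample request above produces two findings, a lookalike domain and a bank-details change, and the payment is held; the same request from the genuine domain with the recorded account details produces none. The edit-distance threshold and the swap table are the tunable parts: a threshold too high will flag legitimate sister domains, too low will miss multi-character imitations, and neither replaces the phone call to the number on file.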
Being alert to cyber attacks
The recent cyberattack affecting the NHS (the WannaCry ransomware outbreak) is also a powerful reminder of the need for businesses to get the basics right when it comes to online fraud prevention. The organisation has been criticised for its reliance on outdated computer systems and for failing to apply software updates promptly; keeping systems supported and patched closes the routes such attacks rely on. Anti-virus software can also offer some protection to machines, but businesses should be aware that cybercriminals are constantly looking for new ways to evade it, so it is a supplement to patching and staff vigilance, not a substitute for them.
In any instance of fraud, the effectiveness of damage limitation is greatly increased where the organisation is able to respond quickly to any suspected criminal activity, and the immediacy of online banking makes speed even more critical in phishing fraud, since funds can be moved on within hours. The fact that many cases of online fraud are conducted from overseas makes it harder for law enforcement agencies to trace those responsible, and therefore harder for those affected to initiate legal proceedings to recover the funds. As soon as a firm suspects that something has gone awry after making a payment, informing its bank immediately is the crucial first step, as it increases the likelihood of the transaction being frozen or recalled before the money is withdrawn. Calling in forensic accounting professionals can also significantly increase the chance of a positive outcome.
In 2016, Prime Minister Theresa May announced a task force comprising key representatives from the Government, law enforcement and the banking sector to crack down on online fraud, which she stated “shames our financial system”. With the authorities currently struggling to protect businesses from these attacks, developing legislation which makes banks more responsible for fraudulent transactions would go a long way towards preventing this type of activity. For example, rather than the onus being on businesses to remain vigilant for signs of suspicious payment requests, banks should be required to perform checks to prevent fraudulent accounts being set up in the first place. Moreover, if a fraud has been identified, businesses should have the right to request detailed information about the passage of payments and the identity of the payee to assist in criminal investigations.
With cyberattacks occurring almost daily, businesses of all sizes cannot afford to ignore the threat posed by online fraud, and whether or not the Prime Minister’s measures will go far enough in protecting organisations against these crimes remains to be seen. As online fraudsters become increasingly organised and sophisticated in their approach, it is essential that businesses keep systems’ security under review and implement a risk-mitigation strategy to minimise disruption and protect their financial assets.