Opportunists have always looked for the weak link, that chink in the armour that can be exploited. The pandemic has provided many opportunities for cyber criminals to take advantage.
Falling victim to a cyber fraud attack can have devastating consequences for a business and can result in major financial losses. Data breaches severely damage trust and impact reputation, which is hard to regain.
Our report, Keeping the engine running, tackles post-lockdown financial resilience for small and medium-sized enterprises (SMEs), and protecting against cyber crime is a key element.
As the engine room of the Scottish economy, SMEs must be vigilant when working remotely because fraudsters may try to exploit vulnerabilities in processes that support staff offsite. In the haste to migrate entire companies from offices to homes earlier this year, weaknesses may have been exposed.
With advice from the UK and Scottish Governments to remain working from home where possible, home offices are here to stay for the time being.
Now is the time to invest in infrastructure. Virtual private networks (VPNs) are key as they encrypt the connection between a device and a network, preventing unauthorised access and safeguarding sensitive information.
With many employees using personal devices for work, businesses must ensure their workforce is keeping software up to date, using only secure Wi-Fi connections and running anti-malware and anti-virus software.
There are various Covid-19 related scams and malware campaigns in circulation. These can encourage people to part with sensitive banking and personal information or download malicious files onto their devices. It is crucial SMEs ensure all appropriate safeguards are in place. For example, businesses should work with experienced external partners to quickly, safely and securely digitise manual processes, including automating the monitoring and movement of cash positions.
This will ensure a clear picture of finances at all times. Business leaders should also ensure there are enhanced controls in place for any manual payments being made as this will help to mitigate fraud risk.
Most cyber fraud attacks depend heavily on human interaction. For anyone trying to breach an organisation’s defences, the easiest target is its people, not its systems. Ensuring the workforce is clued up on the various techniques scammers deploy is key. SMEs must ensure they have reinforced cyber safety policies with staff, and that these have been understood.
One common tactic is an urgent or unusual payment request, including, for example, changes to a beneficiary’s details. Requests of this nature must always be checked over the phone before being processed because scammers are becoming increasingly sophisticated over email.
Often fraudsters will put pressure on an individual to act quickly; this sense of urgency can lead to misjudgement and mistakes. It is vital staff are aware of such scams so they know to take a moment to pause and reflect before reacting.
On a related topic, businesses must ensure their workforce stays alert to payment scams and fake emails, particularly CEO impersonation and invoice fraud. CEO impersonation, or business email compromise, uses social engineering to manipulate staff members into divulging confidential information. Cyber criminals pretend to be the CEO to persuade staff to make a payment.
This request is often made via email to the accounts department, requesting an urgent payment to a supplier or partner. Often the message will urge that the transaction be confidential to discourage further verification. Employees should be encouraged to flag up something like this over the phone, to verify authenticity and avoid falling into a trap.
Invoice fraud involves a cyber criminal notifying a business that supplier payment details have changed, providing alternative details to defraud the company. Often, they are aware of relationships between companies and their suppliers and may even know when these payments are due. The process of changing banking details of suppliers should always be treated with extreme caution. In some cases, it is advisable to remove testimonials from websites or social media so that it is harder to identify potential suppliers that criminals could impersonate.
Be mindful of emails, texts, calls or letters claiming to be from, or containing links to, the following: Centres for Disease Control & Prevention, Global Health Centre, and the World Health Organisation (not an exhaustive list). Given economic pressures and concerns about the virus, fraudsters are leveraging coronavirus for email campaigns which include, for example, a link to an app which tracks the virus using an interactive map; information about business working conditions or policies; mortgage repayment holidays or rent relief; and tax refunds from gov.uk. These are just some of the topics being used to exploit an unsuspecting victim.
It has been a tough year for businesses. Many are reviewing operations, staffing levels, and building costs to help secure their future. Barclays’ corporate banking team works closely with SMEs to help them navigate and adapt to the ever-changing external environment.
SMEs must be savvier than ever to protect themselves against potential threats in both the online and offline world. To avoid Covid-related crime, SMEs should be educating employees, ensuring systems are robust, keeping technology updated, and automating manual processes.
Jamie Grant is head of corporate banking for Barclays in Scotland