Reducing your exposure to Business Crime
13 January 2017
Business Crime is growing in popularity and is cunning, smart and very convincing. It is being spurred on by the very technology that is supposed to help businesses improve performance.
Incidents of crime can have a significant financial impact on the company and they could be easily avoided by putting in place some simple procedures. Here are a couple of real life examples where fraudsters targeted our clients:
A CEO’s email account was hacked and his style of writing studied. The hacker sent an email from the CEO’s Outlook to the Finance Controller requesting that £64,000 be transferred as a deposit to a new supplier with whom the CEO had just struck a fantastic deal. The email was convincing, except for one word “Thanks”. The CEO never signed off emails with this word and this caused the Finance Controller to be suspicious.
Staff training is extremely valuable in reducing the likelihood of criminals being successful. Your staff should be trained to check emails carefully to ensure the language used and other details including the email address appear bona fide.
An Accounts Department received a call from their Chairman. He was put through to a new and relatively junior employee. The voice on the phone was quite abrupt and when the Chairman introduced himself, the employee was excited but nervous at the same time. It was a convincing impression and the employee was asked to transfer £89,000 to a ‘new subsidiary’ account. The next day, when the fraud was discovered, it was too late - the transaction could not be reversed.
Many frauds could be avoided by implementing some simple procedures around transferring money. For example, requiring a second person to authorise the transfer or a phone call to check the request is genuine.
Technology is criminals' helping hand
‘Social Engineering’ involves criminals using technology and trickery to exploit our human nature. Attacks are growing in sophistication and frequency and can include:
o Impersonation/pretexting: sounding like a person of authority, or a fellow employee, IT representative, or vendor that is trying to gather confidential / sensitive information
o Phishing/spamming/spearphishing: sending emails that contain malware software designed to compromise computer systems or capture personal and private credentials.
o IVR/Phone phishing (AKA ‘vishing’): replicating a legitimate sounding message that appears to come from a bank or other financial institution directing the recipient to “verify” confidential information.
o Trash cover/forensic recovery: collecting information from discarded computer equipment and company documents that were not securely disposed.
o Quid pro quo (“give and take”): random calls offering a gift in exchange for a specific action or piece of information
o Tailgating/direct access: an employee is followed entering their company premises
o Diversion theft: misdirecting a vehicle and arranging for a package to be taken to another location to steal vital data such as account numbers, phone and client contact lists, but also other property such as keys, access cards.
Fraudsters change their strategies to keep up with technology so how can a business keep up with them?
The best defence against fraud for any organisation is awareness through corporate culture, education and training. Although Business Crime insurance products are here to help, prevention should be the first port of call.
If you would like further information or guidance on how to manage risk, including the availability of specialised insurance products, please contact Lynsey, our Cyber and Crime Practice leader, on [email protected]