Cyber Fraud – How To Not Be a Victim
The 2019 Financial Cost of Fraud report estimates that the cost of fraud to the UK is between £130bn and £190bn a year. 85% of reported fraud is cyber-enabled. (Action Fraud UK).
Cyber fraud is a threat to almost every organisation, and lockdown restrictions have made it even harder for some organisations to verify the identity of people they are interacting with.
What threats are we seeing?
- Social Engineering – an attack through human interaction. For example, the attacker uses freely available information to trick the victim into thinking they are a legitimate contact.
- Invoice Fraud – an attack in which the fraudster notifies your company that supplier details have changed and provides you with alternative payment details.
- CEO Scam – an attack in which the fraudster impersonates a senior leader to request that an urgent payment be made. Usually, the fraudster gains access to an individual’s email account and waits until they are on leave before asking for payments to be made.
- Phishing – an attack in which the attackers send an email which contains a link to a fake website, asking the victim to insert their account details, or links and attachments which contain malware, such as ransomware.
How to mitigate against the risk posed by the threats above:
- Put in place verification controls for making payments or sharing information. Only use verified contact details to contact suppliers. Perform additional verification checks before changing payment details.
- Ensure your staff feel enabled to challenge requests from senior leaders to circumvent process, and give them a way to escalate requests they don’t feel comfortable with. Encourage staff to use their judgement, and to stop and take time to assess the request.
- If staff are concerned they have been the victim of an attack, ensure they feel supported in notifying you of their concerns.
- Put technical controls in place to reduce the number of phishing emails staff receive and mitigate against malware attacks.
- Regularly train staff about the type of threats the organisation faces and conduct phishing exercises.
- Be aware of the volume and type of information that is available online about your company.
- Have plans in place to respond quickly to potential fraud or malware, and test them regularly.
While anyone can be a victim, taking the steps outlined above will help you protect your organisation.
If you think your company has been a victim of fraud, or would like help to review your company’s cyber security policy, then please contact email@example.com or your usual Azets contact.