Cyber Fraud – Protecting your business against the current threats


Introduction

The internet has transformed the way businesses work. Many companies have taken advantage of computers to improve the effectiveness of their operations and to offer their customers a convenient interface. Despite these advantages, every company now faces an increased risk of cyber fraud attacks; around 327 new threats are reportedly identified every minute.

Cyber fraud attacks can result in major financial losses, while data breaches can damage customers’ trust in a company. Internet and email-based transactions have become normal business practice, giving individuals greater anonymity. Under these circumstances stolen information can easily be sold online for profit, which can severely damage a business’ reputation.

As a result, fraud has become increasingly difficult to investigate, since the victims, beneficiaries and fraudsters may be located in many different countries. Given these concerns, businesses must now look to prevent fraud rather than hope to cure its consequences.

We hope to outline some of the key cyber fraud threats your business may face and offer guidance on how you can mitigate those risks.

Social Engineering

Whilst cyber fraud can seem difficult to combat, it is important to remember that most cyber fraud attacks rely on human interaction. It is widely known that the easiest way to breach a company’s defences is to target the individuals within the company rather than its systems.

Social engineering is a method used in cyber fraud to trick individuals into breaking the normal security procedures a company has put in place. Victims may be persuaded to give up sensitive information such as bank login details, or to allow software to be installed on their device. In some cases individuals are even tricked into carrying out a fraudulent payment themselves.

In these cases fraudsters often have in-depth knowledge of the company, which allows them to build trust with the victim(s). For example, they may be aware of regular payments and when they are due, or of the structure of the teams within the company.

The most common forms of social engineering are:

  • Invoice fraud
  • Phishing
  • Vishing
  • Smishing

Invoice Fraud

This type of fraud involves a fraudster posing as someone else to notify you that payment details have changed. They then provide alternative payment details. They are often aware of the relationship between the company and its suppliers, so they know when regular payments are due.

The fraudster may claim to be from a genuine supplier or to be an individual at your company. Once funds have been transferred, recovering the money is extremely difficult, and the fraud may only be discovered when the legitimate supplier queries the non-payment.

Fraudulent letters and emails sent to companies are usually well written and not easy to spot. Attackers can impersonate genuine email addresses, other companies or individuals; as a result, you could receive an email that appears to be a genuine authorisation of a payment request but actually comes from a fraudster.

Key tips to protect against invoice fraud

  • Ensure invoices are checked carefully in case they are counterfeit
  • Always check with suppliers using contact details from your files to confirm any changes before proceeding
  • Check that the sender’s email address ends as expected, e.g. that .org has not been used instead of .com
  • Conduct audits on all your accounts
  • Set up dual control procedures for any changes to payment information
  • Put procedures in place to check that invoices are matched with purchase orders; this will flag any rogue invoices
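The “dual control” and “confirm using the contact details on your files” tips above describe a process; the following is an added example (not code from the original article) that models that process in a few lines. A change to a supplier’s bank details only takes effect once it has been confirmed by calling the number already held on file for that supplier (never a number quoted in the request itself) and approved by two different people, neither of whom raised the request. Supplier names, phone numbers, account numbers and staff names are constructed sample values.

```python
"""Dual control for supplier payment-detail changes (added example)."""
from dataclasses import dataclass, field

# Constructed master data: what the business already holds on file.
SUPPLIERS_ON_FILE = {
    "Acme Stationery Ltd": {"account": "12345678", "phone": "+44 20 7946 0000"},
}


class ControlViolation(Exception):
    """A step would break the dual-control rules, so the change is not applied."""


@dataclass
class PaymentDetailChange:
    supplier: str
    new_account: str
    requested_by: str
    confirmed_on_file_number: bool = False
    approvals: set = field(default_factory=set)

    def confirm_by_callback(self, number_dialled: str) -> None:
        """Record a confirmation call; it must go to the number on file."""
        on_file = SUPPLIERS_ON_FILE[self.supplier]["phone"]
        if number_dialled != on_file:
            # A number supplied in the request itself just reaches the fraudster.
            raise ControlViolation("confirmation must use the contact number on file")
        self.confirmed_on_file_number = True

    def approve(self, approver: str) -> None:
        """Second-person approval; the requester cannot approve their own change."""
        if approver == self.requested_by:
            raise ControlViolation("requester may not approve their own change")
        if approver in self.approvals:
            raise ControlViolation("an approver may not approve twice")
        self.approvals.add(approver)

    def is_effective(self) -> bool:
        """True only when both controls have been satisfied."""
        return self.confirmed_on_file_number and len(self.approvals) >= 2


def apply_change(change: PaymentDetailChange) -> bool:
    """Update the master record only if the change has cleared both controls."""
    if not change.is_effective():
        return False
    SUPPLIERS_ON_FILE[change.supplier]["account"] = change.new_account
    return True


def demo() -> dict:
    """Run three scenarios and report which controls fired."""
    results = {}

    # 1. Legitimate change: callback to the number on file, two distinct approvers.
    good = PaymentDetailChange("Acme Stationery Ltd", "87654321", requested_by="alice")
    good.confirm_by_callback("+44 20 7946 0000")
    good.approve("bob")
    good.approve("carol")
    results["legitimate_applied"] = apply_change(good)

    # 2. A suspicious email quotes a "new" phone number; the callback must not use it.
    bad = PaymentDetailChange("Acme Stationery Ltd", "99999999", requested_by="alice")
    try:
        bad.confirm_by_callback("+44 20 7946 9999")  # number taken from the email
        results["callback_to_new_number_blocked"] = False
    except ControlViolation:
        results["callback_to_new_number_blocked"] = True

    # 3. Requester tries to approve their own change, and nobody else approves.
    solo = PaymentDetailChange("Acme Stationery Ltd", "99999999", requested_by="alice")
    solo.confirm_by_callback("+44 20 7946 0000")
    try:
        solo.approve("alice")
        results["self_approval_blocked"] = False
    except ControlViolation:
        results["self_approval_blocked"] = True
    results["single_approval_applied"] = apply_change(solo)

    return results


if __name__ == "__main__":
    print(demo())
```

The point of the model is that no single person, and no single piece of information supplied by the requester, can move money: the callback number comes from the existing record and the second approver must be someone other than the person who raised the change.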

Phishing

This type of fraud involves emails or letters that pose as coming from a genuine source and aim to trick victims into providing sensitive information or transferring money into the fraudster’s account(s). The emails usually contain a link to a website that asks for your financial information. They may also contain a form to fill in and return to the sender.

In some cases emails are designed to hide malware in an attachment or link which, once opened, allows the fraudster to gain access to your computer.

If you are unsure about the contents of an email received from Animo, it would be advisable to contact us to confirm its authenticity.

Vishing (Voice Phishing)

This type of fraud is where fraudsters persuade victims to hand over personal details or transfer money over the telephone, convincing them to reveal sensitive company information. In the most common type of call the fraudster pretends to be from your bank so that they can ask you to reveal confidential information.

In these cases they will usually claim that your account has been compromised. They will often already have your name, address, phone number, bank details and any other information you would expect a genuine caller to have. The fraudster will make you believe that your money is in danger and that you must act quickly to avoid further problems, which often leads individuals to act without thinking.

Fraudsters can also use a technique called “phone spoofing”, whereby the phone number appears to be coming from somewhere else, so when you pick up you already believe the caller because the number is convincing. Where an individual is unsure, the fraudsters can hold the telephone line open, so that if they ask you to hang up and call back you are put straight through to the fraudsters again.

This allows them to continue their impersonation. To avoid this, use a different phone to call back on and wait a few minutes before making the call. You can also call someone else before calling the number back, which should stop the fraudsters holding the line. If you do not have this option, always call your bank back using a number from its official website, not the one provided by the caller.

Smishing (SMS Phishing)

This type of fraud targets mobile phones in an attempt to gain personal data. The messages aim to trick victims into thinking they are texting their bank, and the fraudsters will try to convince individuals to reveal sensitive financial information or transfer money into other accounts.

A smishing message will usually instruct you either to go to a website or to call a specified number. The fraudsters will try to gain your trust and generally imply that you need to take urgent action, either to avoid a problem or to take advantage of an offer.

If you visit these websites on your phone, it is likely that your internet-connected device, such as a mobile phone or tablet, will be infected with malware.

As with vishing the contact details can be spoofed so it seems like the texts are coming from a legitimate source.

Key tips to protect against phishing, vishing and smishing

  • Never provide confidential information via email, phone or text to unknown or suspicious sources
  • If you receive an email with a link to an unknown site, avoid clicking it. Look at the email carefully and keep an eye out for misspellings, suspicious sub-domains and any @ sign in the address. If it looks fishy, it probably is! It is also important never to open attachments from senders you are unsure of
  • If you do click on a link sent via email, keep an eye out for any automatic downloads; these could be malware
  • On websites that require you to input sensitive information, ensure that the website address begins with “https” and that there is a padlock symbol in the address bar; together these show that the connection to the site is encrypted. They do not prove that the site itself is genuine, since a fraudster’s site can also use https, so the address must still be checked carefully
  • Never assume a caller is genuine if they know information about you or your company
  • Be cautious of callers who attempt to gain information from you – ‘I want to check a payment you made today’, rather than, ‘I want to check a payment for £5,000 you made today in favour of XYZ Limited’. The former could be a fraudster trying to obtain information to use against you
  • A bank will usually ask you for some information but will never ask for your password or PIN. You should also familiarise yourself with what your bank will and will not ask you if they wish to verify payments
  • If you are suspicious at any time during a call you should terminate the call
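The invoice-fraud tip about email endings (.org instead of .com) and the phishing tips about misspellings, suspicious sub-domains, “@” signs and https can be turned into checks that a finance or IT team runs over a suspicious email before anyone acts on it. The following is an added example, not code from the original article. It flags a sender domain that is not a supplier domain on file but looks like one (a swapped ending, a one-character misspelling, or the real domain buried inside a longer name), and it flags links that use “@” to hide the real host, use plain http, or point at a host that is not on file. The supplier domains and the sample email are constructed values.

```python
"""Triage checks for payment-change emails: sender domain and links (added example)."""
import re
from urllib.parse import urlsplit

KNOWN_SUPPLIER_DOMAINS = {"acme-stationery.com", "northwind-logistics.co.uk"}  # constructed


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str) -> str:
    """'known' for a supplier domain on file (or a sub-domain of one), else why it is suspect."""
    domain = domain.lower().rstrip(".")
    for known in KNOWN_SUPPLIER_DOMAINS:
        if domain == known or domain.endswith("." + known):
            return "known"
    for known in KNOWN_SUPPLIER_DOMAINS:
        brand = known.split(".", 1)[0]
        if ("." + known + ".") in ("." + domain + "."):
            # e.g. acme-stationery.com.payments-portal.net: the rightmost labels decide who owns it
            return f"real domain {known} buried in a longer name"
        if domain.split(".", 1)[0] == brand:
            return f"ending swapped on {known}"  # .org instead of .com, and similar
        if edit_distance(domain, known) == 1:
            return f"one-character misspelling of {known}"
    return "not a supplier domain on file"


def check_link(url: str) -> list:
    """Reasons to distrust a link; an empty list means the checks found nothing."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("not https")
    if "@" in parts.netloc:
        # Anything before '@' is user information, so the real host is what follows it.
        findings.append("'@' in address, real host is " + parts.netloc.rsplit("@", 1)[1])
    host = parts.hostname or ""
    verdict = classify_domain(host)
    if verdict != "known":
        findings.append(f"host {host}: {verdict}")
    return findings


def triage_email(sender: str, body: str) -> dict:
    """Apply the sender and link checks to one email."""
    domain = sender.rsplit("@", 1)[-1].strip(">")
    links = re.findall(r"https?://[^\s<>\"']+", body)
    return {
        "sender_verdict": classify_domain(domain),
        "links": {url: check_link(url) for url in links},
    }


# Constructed sample: a payment-change request that imitates a real supplier.
SAMPLE_SENDER = "accounts@acme-stationery.org"
SAMPLE_BODY = (
    "Our bank details have changed. Please update your records at "
    "http://acme-stationery.com@payments-portal.net/update before the next payment run."
)

if __name__ == "__main__":
    for key, value in triage_email(SAMPLE_SENDER, SAMPLE_BODY).items():
        print(key, value)
```

On the sample email the sender is reported as a swapped ending on acme-stationery.com, and the link is reported three times over: it is not https, the text before the “@” is decoration and the real host is payments-portal.net, and that host is not on file. None of these checks replaces the callback to the supplier; they decide which emails need one.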

Malware

Malware, short for malicious software, is any software used to disrupt computer or mobile operations, gather sensitive information, gain access to private computer systems or display unwanted advertising. The term malware includes Trojan horses, rootkits, spyware, keyloggers, ransomware and more. Malware will usually be installed into your computer through clicking a link in an email, opening an attachment to an email or downloading software from a malicious source.

Trojans and Rootkits

These types of threat seek to conceal attacks on computers. Trojans are pieces of software pretending to be benign applications: individuals download them believing they are useful software and instead end up with a malware-infected computer. Trojans act as back doors to the computer, granting a fraudster remote access. Once the fraudster has access to your device through the Trojan, they can gain access to your personal details by taking screenshots or capturing keystrokes.

When you log in to your online banking, the fraudster may delay you with an unexpected screen that asks you to repeatedly input data. While you are delayed, the fraudster sets up another payment elsewhere, which the victim could then unknowingly authorise by entering their PIN.

Rootkits are a masking technique for malware: although they do not themselves contain damaging software, they are used to conceal malware so that it goes unnoticed by antivirus detection and removal programmes.

To defend against these types of malware, antivirus products are now starting to include effective rootkit removal tools and protection against Trojans. You can also help by ensuring you have firewalls installed and by being cautious of “pop-ups”.

Spyware and keyloggers

These types of threat are used in malicious attacks such as identity theft and social engineering, and are designed to steal money from computer users, businesses and banks. Spyware aims to gather information about an individual without their knowledge, such as passwords, banking credentials and credit card details.

A keylogger is a type of software that records every keystroke you make to a log file, which is usually encrypted. It can therefore capture instant messages, emails and anything else you type on your keyboard. The log file created by the keylogger can then be sent to the fraudster.

To guard against these types of malware, anti-spyware tools can be installed which run in the background and detect whether any of these types of malware are present on your computer or device.

Ransomware

Ransomware enables a fraudster to gain control of your system, encrypt your files and hold the data hostage. It then demands a fee to unlock the files.

There are two types of ransomware: encrypting ransomware and locker ransomware. Encrypting ransomware is designed to block access to files and demand payment in return for the key to decrypt the blocked content. Locker ransomware locks the victim out of the computer’s operating system, making it impossible to access. In this case the files are not encrypted, but the fraudsters still demand a ransom to unlock the infected computer.

Key tips to protect against malware

Device security

  • Keep the security software on your devices updated and install the latest updates for your internet browser and operating system
  • Run regular security and anti-virus checks on your devices
  • When downloading software and files only download them from reliable sources
  • Keep your files backed up on a separate network
  • In the event your computer is infected, disconnect from the network immediately and seek professional assistance

Online banking

  • Never enter your PIN to proceed with a download and never re-enter your PIN at login whilst making a payment
  • If you use a smart card for payments, never leave it in the reader connected to your device
  • Where possible, use dual approval for making transactions in order to allow two devices to authorise a payment
  • Never remake payments to alternative account details if asked to do so

Network attacks

Workforces are becoming more mobile. Employees no longer work on a single trusted network, which makes security more difficult. Email is usually the main method of communication for most businesses; however, many of them do not realise how insecure their communications could be. It is important to ensure that all sensitive information is sent over encrypted connections. There are various types of network attack, but all require the exploitation of an unsecured network.

Man-in-the-middle attack

This is an attack where an individual secretly relays and possibly alters communication between two parties who believe they are directly communicating with each other. The attacker will then be able to steal sensitive information such as passwords, banking details or data.

One example of man-in-the-middle attacks is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the fraudster. The fraudster will be able to intercept all relevant messages passing between the two victims and inject new ones.

A man-in-the-middle attack can only succeed when the attacker can impersonate each endpoint convincingly enough to satisfy the legitimate party at the other end.
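The reason the attacker has to impersonate both ends is that, as soon as the two parties can authenticate what they receive, a relay that alters or injects a message is detected. The following is an added example, not code from the original article, that models the exchange above as a toy: two parties share a secret key and attach an HMAC tag to every message; the relay in the middle can silently change an unauthenticated payment instruction, but cannot produce a valid tag for a changed one. The key, the instruction text and the account numbers are constructed sample values.

```python
"""Why a relaying attacker must impersonate both ends (added example)."""
import hashlib
import hmac
import secrets


def make_tag(key: bytes, message: bytes) -> bytes:
    """Authentication tag the legitimate sender attaches to a message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver-side check; the constant-time comparison avoids leaking tag bytes."""
    return hmac.compare_digest(make_tag(key, message), tag)


def relay(message: bytes, tag: bytes, alter: bool) -> tuple:
    """The party in the middle: forwards as-is, or swaps the beneficiary account."""
    if alter:
        message = message.replace(b"ACCOUNT 12345678", b"ACCOUNT 99999999")
    # It can copy the tag it saw, but without the key it cannot recompute one for the new text.
    return message, tag


def run_exchange(authenticated: bool, alter: bool) -> dict:
    """One sender -> relay -> receiver exchange; reports what the receiver accepted."""
    key = secrets.token_bytes(32)  # shared by sender and receiver only
    instruction = b"PAY 5000 GBP TO ACCOUNT 12345678"
    tag = make_tag(key, instruction) if authenticated else b""
    received, received_tag = relay(instruction, tag, alter)
    if authenticated:
        accepted = verify(key, received, received_tag)
    else:
        accepted = True  # nothing to check, so the receiver trusts whatever arrives
    return {"received": received, "accepted": accepted, "altered": received != instruction}


if __name__ == "__main__":
    for auth in (False, True):
        outcome = run_exchange(authenticated=auth, alter=True)
        print("authenticated" if auth else "unauthenticated", outcome)
```

In practice the shared key is not agreed in advance: protocols such as TLS use certificates so that the two ends can establish one without the relay learning it, which is exactly the impersonation problem the paragraph above describes. The VPN advice in the tips that follow rests on the same principle.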

Distributed Denial of Service Attack

A Distributed Denial of Service (DDoS) attack is where multiple compromised systems (often infected with a Trojan) are used to flood a single target system, overwhelming a website and causing it to crash. The victims of this type of attack include both the targeted system and all the systems maliciously used and controlled by the hacker. This network of infected computers is usually known as a botnet and can spread malware through websites and emails. Once distributed, the malware allows the hacker to launch an attack without the device owner’s knowledge.

Key tips to protect against network attacks

  • Use a Virtual Private Network (VPN) for remote access. These add privacy and security to public networks and protect sensitive data
  • Avoid any unknown public Wi-Fi sources and only use trusted and secure connections
  • Use an intrusion-detection system (IDS) to provide some protection against valid protocols being used against you in an attack

Conclusion

Cybersecurity is often an afterthought for many businesses. You will need to ensure that your company has good cyber hygiene to keep you safe from fraudsters and attackers. It is recommended that you raise awareness of fraud within your company in order to prevent a cyber fraud attack from succeeding.

Contact Animo Associates for further advice on cyber security
