We've talked in the past about the technology you can use to reduce the risk of cyber crime affecting your business. In every blog post we've published we've maintained that technology can't stop every cyber crime, and that staff education plays a key role in prevention.
And we don't just mean the person who looks after your IT, but every member of your team who could be targeted by social engineering or phishing.
Phishing is a form of social engineering: criminals trick you into handing over money, credentials or access. It relies on human error rather than on breaking technology, although technology is almost always involved, such as a spoofed sender address or a look-alike domain registered to resemble a supplier's.
Why is the accounts department a target?
The accounts or finance department is regularly targeted by fraudsters because its staff are the people closest to the money entering and leaving the business. Every member of the team can be targeted, from the Chief Financial Officer to the payroll administrator.
Because phishing often carries fraudulent documents with payment requests, those documents tend to end up with the accounts team even when they were initially sent to someone else in the business. Marketing, Operations, even IT staff can fall victim to email spoofing and forward the request on, which is why user education matters for everyone.
A review of over 32,000 malicious attachments found that many could be categorised by the finance-related keywords in their names, such as "invoice" or "purchase order".
Purchase Order & Invoice Fraud
Of the attachments in that review, over 12,000 contained the keywords "purchase order" or "invoice". Social engineering tricks people into making payments to fraudsters by removing doubt and suspicion: the request looks exactly like one they handle every day.
An example: an accountant for a pub was tricked into paying over £1,400 to a fraudster posing as a food supplier. The fraudster spoofed the sender address so the email appeared to come from the supplier's domain, and produced an invoice identical in layout to the ones the supplier used. The products the invoice supposedly covered were products the pub ordered regularly. The only difference was that the fraudster had swapped the supplier's bank details for their own. In a small or medium business, a fraudulent transaction like this can be the difference between a profit and a loss that week.
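The pub case turned on two things the accountant never looked at: where the email really came from and where replies would go. The screen below is an added example, not code from the original post or from any product it mentions; it assumes the business keeps a list of known supplier domains (the `KNOWN_SUPPLIER_DOMAINS` set, a constructed assumption) and flags a look-alike sender domain, a Reply-To that points somewhere else, and any sender domain not on the list. The sample message is constructed to mirror the pub case.

```python
"""Screen an inbound invoice email for sender spoofing indicators.

Added example, not code from the original post. Assumes the accounts team
maintains KNOWN_SUPPLIER_DOMAINS; everything else is standard library.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed supplier list (assumption: maintained by the accounts team).
KNOWN_SUPPLIER_DOMAINS = {"freshfoods-supply.co.uk", "designstudio.example"}

# Constructed message imitating the pub case: the sender domain swaps the
# lowercase "l" in "supply" for a capital "I", and replies are routed to a
# different domain the fraudster controls.
SAMPLE_MESSAGE = """\
From: "Fresh Foods Accounts" <accounts@freshfoods-suppIy.co.uk>
Reply-To: payments@ff-billing-update.com
To: accounts@thepub.example
Subject: Invoice 20481 - updated bank details

Please note our bank details have changed; see attached invoice.
"""


def domain_of(header_value):
    """Lower-cased domain part of an address header, '' if none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def edit_distance(a, b):
    """Levenshtein distance; domain names are short, so this is cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_SUPPLIER_DOMAINS):
    """Known domain that `domain` imitates (within two edits), else None."""
    for k in sorted(known):
        if domain != k and edit_distance(domain, k) <= 2:
            return k
    return None


def check_sender(raw_message, known=KNOWN_SUPPLIER_DOMAINS):
    """Return a list of spoofing indicators; an empty list means none found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_domain
    findings = []
    if from_domain not in known:
        imitated = lookalike_of(from_domain, known)
        if imitated:
            findings.append(f"sender domain {from_domain} looks like {imitated}")
        else:
            findings.append(f"sender domain {from_domain} is not a known supplier")
    if reply_domain != from_domain:
        findings.append(f"replies go to {reply_domain}, not {from_domain}")
    return findings


if __name__ == "__main__":
    for finding in check_sender(SAMPLE_MESSAGE):
        print("WARNING:", finding)
```

Two caveats. A look-alike check catches a registered imitation domain but not a genuine supplier mailbox that has been compromised, so a change of bank details still has to be confirmed by telephone on a number already on file, never on a number taken from the email. And the sample uses an ASCII look-alike; real attacks also use internationalised domain names, which this edit-distance check will not match.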
The disconnect that sometimes exists between the accounts department and the rest of the business also makes social engineering less likely to be spotted before it's too late. Without a consistent tracking process it is easy to pay an invoice that isn't legitimate.
For example, a fake invoice for design work is sent straight to accounts, there is no check in place, and the money is paid to the fraudster. Without any checks, how is the person processing it to know the work was never done? For all they know it was commissioned by the marketing department. Requiring a purchase order for every invoice and dual authorisation for every payment mitigates this: an invoice with no matching order is held until someone in the business confirms it was ordered, a change of bank details is held until it has been confirmed with the supplier on a number already on file, and no single person can release the funds.
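The controls above can be expressed as a short checklist that runs before any payment is released. The following is an added example, not the post's own process; it assumes the business keeps a supplier master holding each supplier's verified bank details (`SUPPLIERS`), a register of open purchase orders (`PURCHASE_ORDERS`), and requires two different approvers per payment. All three data sets and the three invoices are constructed; the first invoice mirrors the pub case (everything matches except the bank details) and the second mirrors the design-work case (no purchase order).

```python
"""Hold an invoice unless it matches the supplier master and a purchase order.

Added example, not code from the original post. Any finding puts the invoice
on hold; paying nothing is the safe default.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Supplier:
    name: str
    sort_code: str   # verified with the supplier by phone, never copied from an invoice
    account: str


# Constructed supplier master (assumption: maintained outside the invoice flow).
SUPPLIERS = {
    "Fresh Foods": Supplier("Fresh Foods", "20-00-00", "11111111"),
    "Design Studio": Supplier("Design Studio", "40-00-00", "22222222"),
}

# Constructed purchase order register: PO number -> supplier, value, status.
PURCHASE_ORDERS = {
    "PO-1042": {"supplier": "Fresh Foods", "amount": 1400.00, "open": True},
}


def validate_invoice(invoice, approvers, suppliers=SUPPLIERS, orders=PURCHASE_ORDERS):
    """Return ('pay', []) or ('hold', [reasons]) for one invoice dict."""
    reasons = []

    # 1. Bank details must match what was verified with the supplier.
    supplier = suppliers.get(invoice["supplier"])
    if supplier is None:
        reasons.append("supplier not in supplier master")
    elif (invoice["sort_code"], invoice["account"]) != (supplier.sort_code, supplier.account):
        reasons.append("bank details differ from supplier master: confirm by phone on the "
                       "number already on file, never the number printed on the invoice")

    # 2. Every invoice must match an open purchase order for the same supplier and amount.
    po = orders.get(invoice.get("po"))
    if po is None:
        reasons.append("no matching purchase order: confirm the work was ordered")
    else:
        if po["supplier"] != invoice["supplier"]:
            reasons.append("purchase order belongs to a different supplier")
        if not po["open"]:
            reasons.append("purchase order already paid")
        if abs(po["amount"] - invoice["amount"]) > 0.005:
            reasons.append(f"amount {invoice['amount']:.2f} does not match PO {po['amount']:.2f}")

    # 3. Two different people must approve the payment.
    if len(set(approvers)) < 2:
        reasons.append("dual authorisation missing: needs two different approvers")

    return ("hold", reasons) if reasons else ("pay", [])


# Constructed invoices.
PUB_INVOICE = {"supplier": "Fresh Foods", "po": "PO-1042", "amount": 1400.00,
               "sort_code": "99-99-99", "account": "87654321"}
DESIGN_INVOICE = {"supplier": "Design Studio", "po": None, "amount": 2500.00,
                  "sort_code": "40-00-00", "account": "22222222"}
GENUINE_INVOICE = {"supplier": "Fresh Foods", "po": "PO-1042", "amount": 1400.00,
                   "sort_code": "20-00-00", "account": "11111111"}

if __name__ == "__main__":
    for inv in (PUB_INVOICE, DESIGN_INVOICE, GENUINE_INVOICE):
        print(validate_invoice(inv, approvers=["alice", "bob"]))
```

The order of the checks is deliberate: the bank-details comparison comes first because it is the one that catches an otherwise perfect invoice, and the approver check is independent of the data so that a single compromised or careless account cannot release a payment on its own.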
When a member of the C-suite or management team is targeted, it is known as whaling. Whaling is time-consuming for the fraudsters, so they try to maximise their return with a big payout. The target will be well researched, and the fraudsters will invest time and money in building an alias and producing documentation near-identical to that of the person or institution they claim to be.
An example: a Chief Financial Officer was tricked into divulging security details for the business' bank accounts to a fraudster claiming to be from their bank. The caller claimed that fraudulent transactions were being made on the account, and with the details the CFO gave up the criminal took £50,000 from the business' accounts. A genuine bank does not ask a customer to read out their full security credentials, so a request to do so is itself the tell: hang up and call the bank back on the number printed on your card or statement.
It is hard to get the money back
Proving that you have been the victim of social engineering or phishing fraud does not necessarily mean you will get the money back. Your bank may refuse to refund the payment because it views your actions as negligent, or it may simply be too late to recover the funds.
Banks have different internal policies on refunding fraudulent payments. Most of the big banks will look for clear evidence that you did not act negligently in a way that led to the loss. In the pub example above, the bank refused to refund the money because the accountant had made no attempt to check with the supplier why the bank details had changed or whether they were correct. The Financial Ombudsman Service can order a bank to make a refund where the bank itself was negligent in allowing the payment through: for example, a payment to an account that had already been flagged as suspicious, or a failure to warn its customers in a timely way.
Sometimes it is simply too late: the fraudster empties the receiving account before the scam is reported, or before the bank has had time to investigate, and the money is gone.
There are some examples of successful and unsuccessful attempts at getting a refund on the Financial Ombudsman website. http://www.financial-ombudsman.org.uk/publications/ombudsman-news/135/135-case-studies-about-scams.html
Every member of staff should be educated about the risk of email scams, phishing and social engineering. Fraudsters can access your money with a few questions over the telephone or a simple spoofed email. Technology can’t always stop this type of crime, so it is vital that employees are able to defend the business against cyber fraud through awareness.
Date published: 04/04/2018