It always comes as a shock. Although cyber crime affects almost half of all the medium-to-large businesses in the UK, the first time your accounts department or your business is hit by hackers often comes as a rude shock. However, there’s no good excuse for a business that loses money or information to cyber criminals that are using known hacking or fraud techniques and there’s definitely more than one reason for businesses in the UK to be prepared for cyber attacks.
Accounts departments are often the top targets for cyber criminals. Successful hacking, social engineering or payment-fraud related attacks on accounts departments can be disastrous for the entire business. Not only can such an attack lead to the loss of money and sensitive information, but it can also tarnish the image of the business and damage its relationship with vendors and clients.
Smart accounts departments can mitigate the risks of cyber crime and fraud
Here how accounts department can stop being the Achilles heel of the business and get ready to administer a kick in the heads of hackers and fraudsters.
1) Social engineering
Social engineering refers to email, phone call or another form of communication that pushes the recipient to share passwords, bank information or other sensitive data, or click on malicious links. Through a successful attack, the hacker can often get access to information that can be further used for stealing money or defrauding the business.
- Secure your computing devices and set your spam filters to ‘High’
- Don’t share personal information on social media sites like Facebook or LinkedIn
- Don’t download a file from an email unless you personally know a sender and are expecting a file from them
- If you receive an email from a foreign lottery or sweepstakes, money from an unknown relative, or requests to transfer funds from a foreign country for a share of the money, it is guaranteed to be a scam – ignore and report such emails
- Spammers send messages that create a sense of urgency to push you into taking quick and rash decisions – always take careful and considered actions
- Messages that ask for your personal financial information or passwords are always a part of some scam – delete and report such emails
- Always be alert when you receive unsolicited messages – if the email looks like it is from a company you deal with, use a search engine to go to their real website and find their official contact information
2) Phishing threat
Phishing is the practice of sending emails that seem to come from a reputed source, with the intention of manipulating the recipient to reveal sensitive information. For example, someone from the accounts team may receive an email from a fraudster, masquerading as an authorised person or entity, instructing urgent transfer of funds to a particular account or demanding sensitive information like login credentials or accounts details. Often, spoofing techniques or similar-looking emails or numbers can be used to trick the recipients. Read an article outlining the common email scams for a deeper understanding of the topic.
- Set up a gateway email filter to stop spam and fraud emails
- Ensure that your IT department performs regular VAPT (Vulnerability Assessment and Penetration Testing) and Patch Management
- Develop an internal protocol that excludes urgent money transfer requests from one person and ensure all staff are aware of this
- Document payment related procedures and train employees so they know what to do and who to refer to.
- If the message has an ".exe," ".scr," "zip" or ".bat" file attached, consider that a red flag and don't open it.
- Train staff to identify and deal with phishing attempts (for more details, please download our Fraud Prevention Checklist) add a link
3) Threats arising from document forgery, change requests and dummy invoices
The fraudster poses as a regular supplier and sends dummy invoices with details resembling the normal business invoices but with different bank details. He/she may also send a request for change of bank details via email or send a document on a letterhead requesting such changes. Sophisticated hackers may use phishing or social engineering techniques to gain sensitive information needed for launching this activity.
- Set up and follow a rigorous internal process for invoice authorisation
- Build rigorous internal processes and set up a process that restricts modification at user level in a supplier’s basic details like bank sort code and account number, address, contact details and email address
- Before making any changes to the existing sources, authenticate the request for change
- Confirm any change in supplier details with the supplier on the phone or by direct email – not by replying to the request
- Set up secured sources for receiving documents for processing
- Choose a software that offers effective fraud prevention controls for recording transactions and ensure that its security features are up-to-date
- Review and supervise process vulnerabilities and take measures to plug any loopholes that you discover
4) Malware threat
Malware is a malicious program and it can take different forms: viruses, worms, Trojan horses, ransomware and spyware. WannaCry, the ransomware that disrupted activities of the NHS recently, is an example of malware. The Information Security team is responsible for setting up protections against the malware, but accounts staff that is trained in detecting and avoiding malware can help blunt even sophisticated and innovative attacks.
- Don’t open attachments or click on hyperlinks on social media unless you are 100% sure of the sender
- Immediately contact your IT team in case you are hit by a ransomware and get your backup restored
- Always keep a backup of all your data
- Ensure all PCs and systems are protected by high-quality antivirus and anti-spyware software and run frequent scans.
To learn more about how accounts departments can guard against cyber crime and fraud, please attend our webinar by clicking the button below.