The Ultimate Guide To Online Fraud In The Workplace
1. An introduction to online fraud in the workplace
Using the internet unlocks enormous potential for companies. In fact, it's a necessity for most. But it also exposes them to being targeted by fraudsters from anywhere in the world, and online fraud can happen to any business. Just as quickly as security improvements are made to technological infrastructures, criminals find new ways to get around them. This makes all organisations – no matter their size – vulnerable to online attacks.
Online fraud isn't a victimless crime. Financial losses, damage to reputation and compromised information are just some of the potential effects of online fraud. But it's not only businesses that pay the price of an attack. Often, it is their consumers who feel the full force. In a survey of 2,066 UK adults, Which? found that around six in ten people have been targeted by online scams in the past 12 months. What's more, a clear majority of respondents believed businesses should do more to prevent internet fraud.
Indeed, it's in the interests of companies to protect their assets – including customers – from the damage fraud causes."When we know that even the savviest people can be scammed by fraudsters, it's vital that everything possible is done by businesses to better protect consumers. And where firms haven't done enough to protect their customers, it's entirely right that the responsibility to put things right should be with them," says Which? executive director, Richard Lloyd.
According to the survey, the three most common online scams reported by consumers were:
Phishing emails purporting to be from a bank or payment service (49%)
Phishing messages seeking money for services or help (26%)
Bogus computer support (25%)
Whilst individuals can take steps to improve their online security measures, there's little you can do to save your data from direct attacks on businesses. It's their responsibility to manage online risks to company and customer data.
To help build up your company's resilience to these threats and more, we've put together a complete guide to online fraud. It will help you understand the different types of fraud you could be exposed to, as well as providing top tips for future-proofing your business against the growing number of online risks.
1a. How common is fraud in the workplace? (statistics)
In the UK, fraud and cybercrime is committed every four seconds, according to the Office for National Statistics. And, since fraud practices are likely to follow the money, it stands to reason businesses will always be one of the prime targets for fraudsters.
Over a quarter of businesses have already fallen victim to scams or have experienced attempted scams in the last two years
69% of business leaders and managers admitted they haven't taken any action to protect their business and employees from financial fraud
49% believe it is unlikely to happen to their business
37% of business leaders admitted they have never spoken to employees about fraud, despite the fact that in a quarter (26%) of scam cases an employee was approached directly
The most common targets for fraudsters are senior management and business owners in SMEs (67%) and employees in large companies (40%)
Businesses might see the potential dangers of fraud thanks to exposure in the media, but think they're somehow immune. Little do they know, it is only the biggest instances of fraud that are picked up by reporters. Every year, huge sums are lost by businesses, big and small, as a result of smaller attacks that aren't newsworthy, but are just as damaging.
Common scams include invoice fraud and CEO impersonation. Worryingly, 77% of business leaders admitted they've never heard of this technique. In CEO fraud, scam artists send a spoof email pretending to be someone important asking for confidential information. It's time to get informed.
Key examples of cybercrime
Sony. In 2014, computer hackers forced Sony to shut down its systems when a skull appeared on computer screens along with a message threatening to release data "secrets" if undisclosed demands were not met. The hackers claimed to have accessed private keys, source codes, password files and even their production schedule and notes.
TalkTalk. Customer data was compromised by a breach in 2015. The costs of this could reach between £30m and £35m, the firm's chief executive, Dido Harding, revealed.
Ashley Madison. In August 2015, criminals carried out their threat to publish user records if the parent company of Ashley Madison and dating site Established Men didn't take them down. They first published 9.7GB and then 13GB of data.
1b. The cost of fraud in the UK (statistics)
Our increasing reliance on internet-connected devices isn't without its costs. It's accompanied by the development of cyber risks. In fact, fraud costs the UK economy £193 bn a year, which is more than £6,000 lost per second every day of the year. Of this total, business fraud accounted for £144bn.
Further estimates confirm the damage online breaches can cause. According to PwC, the average cost of the worst breaches at large UK organisations is between £1.4m and £3.14m. For small businesses, it's between £75,000 and £311,000.
1c. What you and your employees should be looking for
The sophistication of some online attacks means they can go unnoticed until it's too late. But the success of other attempts at fraud will depend on an employee making a mistake. With things such as phishing and pop-ups, there are some common warning signs to look out for. Ask yourself the following questions:
Does the email match up? It might look like the email address you usually see – but double check. Is there an extra dash or additional character?
How old is the company's website? Fraudsters often set up websites to make a company appear genuine. But check when the domain name was registered.
Where was the website registered? If a company is not multinational, be wary of domains registrations in foreign countries. Fraudsters could be taking advantage of offshore or privately hosted sites.
Is the English correct? Broken English could be a sign of a scam originating from another country.
Is it urgent? It's easier for a scam to work if it puts you under pressure and asks for information quickly. Take your time to assess.
Does it come up on Google maps? If there is an office building listed, check it out on Google maps and see if it looks legitimate.
Is there a clear online history? Doing just a bit of research can pay off.
You should also get your employees to think about these things. When online fraud occurs, someone has tricked or deceived you to gain a dishonest advantage – be it money, goods, or services. Don't let it happen.
1d. Where to go for further support
As the Metropolitan Police admit, it can be difficult to determine who to make reports to in the instance of fraud. What you should know is the police aren't the only agency with the power to investigate fraud-related offences. In fact, most cases should be reported to Action Fraud.
As the UK's national fraud and financially motivated internet crime reporting centre, Action Fraud take reports of fraud from victims, as well as providing support and advice. If you ever have to report fraud, you'll be issued a crime reference number (quoted in the same way as one issued by police).
All reports received are fed into the National Fraud Intelligence Bureau (NFIB), the body responsible for analysing information from Action Fraud, as well as other sources. The aim is to generate intelligence to pick up on trends and cases which could be linked. As the internet is global and threats are present everywhere, the NFIB can send information to the appropriate police or other law enforcement organisations. This can assist in investigations which may involve enquiries in the UK and overseas.
2. Online fraud: what you need to know
The availability of high speed internet access has improved in recent years, allowing companies and individuals from around the world to connect and work with one another. Globalisation and the internet have been enablers of accelerated progress in places that were once left behind.
But such technology is also inevitably a facilitator of crime, as some countries are still restricted by low levels of regulation and law enforcement capabilities, allowing fraudsters to take advantage. They can launch an attack on your business from anywhere in the world, driven by enhanced communications infrastructure. There's also a feeling they'll get away with it because they're living in foreign countries, where the police will be unable to pursue them.
In fact, the UK is ill-equipped to deal with criminals using the anonymity of the internet. A survey of UK police forces in 2015 found less than one-third of key cybercrime staff had the skills or technology to address the threat. To add to the concern, in comments reported by Computer Weekly, the head of Scotland Yard's fraud team said cybercrime over the previous decade had been rampant because the force wasn't good at investigating it. Businesses around the UK would have taken little comfort from such admissions.
2a. The pros and cons of improved connectivity
The threat of online crime might be ever-present, but it's no reason to miss out on the benefits of improved connectivity. It's simply a matter of increasing vigilance. Consider the following and you'll quickly see it makes sense for businesses to operate online.
Improved connection between employees and customers
Arguably impersonal connections
Global audience and a greater sales reach
Access to many sources of information – including online training
More exposure to negative feedback
The risks of cybercrime
The ability to outsource work
It doesn't take a genius to work out the advantages outweigh the drawbacks. Plus, we've only touched on some of the many benefits of the internet. What's more, most of the cons can be seen in a positive light. With more exposure to feedback and increased competition, businesses have extra motivation to be the best in their industry.
2b. The most common online attacks and how they happen
Nevertheless, being online means being exposed to the threat of cybercrime – including online fraud. A business that works on improving its services, goods and reputation, but ignores the risk of an online scam, is preparing to fail. Companies should take steps to educate themselves about the common risks, as well as keep up-to-date with an ever-developing threat.
i. Malware and ransomware
Have you heard of viruses, worms, Trojans, bots, or spyware? Whether you're familiar with one or all of these terms, it's important to know they're all types of malicious software – or, simply put, malware.
Types of malware include:
Worms. The aim of worms is to transfer themselves to multiple computers. This is done over the internet, as they replicate other programs. You won't even know they're there, as they hide their movements. Worms aren't the most damaging of malware, as they only consume hard space and slow down machines. But one notable attack, Code Red, took down nearly 359,000 websites, so they are not to be underestimated.
Viruses. Like worms, viruses can replicate themselves. But their aim is to damage the computer and its files. Viruses are attached to a host program and can easily move across the internet. They could be connected to songs, videos or any executable file. Download them by mistake and your computer will be infected.
Trojans. Trojans won't delete or damage your files. They've got another purpose. Fraudsters use them to create a gateway for malware or users to enter your system and steal the data. What they do with it then is up to them.
Ransomware. The aim of this type of malware is to alter the normal operation of your computer. When you realise you can't use it properly, the program will start showing you warning messages asking for money to get your device back to normal.
Malicious bots. Bots can be good – like those designed to interact over the internet without the need for human interaction. But criminals can create bots to infect a device and then add a connection with central servers to infect more. Bots can be used to steal passwords (by logging keystrokes), relay spam, launch ransomware attacks and open back doors to infected hosts.
What's it in for the fraudster? Well, they might use malware to attack your systems and software for the following reasons:
Control of a person's computer
To steal confidential data
To take down a computer or an entire network
Sometimes, hackers are simply out to prove your system can be easily breached. But the damage of any downtime or loss of confidential information could have massive consequences for organisations.
23% of people open phishing emails, a report by Verizon into data breach investigations showed. But what is phishing and how is it successful? Any email or website that requests private information from you (account numbers, passwords, or bank details, for example) could be a phishing attempt.
If a fraudster gets this information, you can bet they're going to use it unlawfully. Phishing emails could also be full of malware-laden attachments to steal the information. In those cases, you just need to be tricked into opening them rather than responding to a request. And it's surprisingly easy to fall for. It only takes one employee to make a mistake.
Phishing works because the requests hide themselves as genuine. In fact, they're getting increasingly believable. Fraudsters often spoof a credible-looking email address or website, and aid the deception with a variety of social engineering techniques. These could include:
Phone calls to get the names of key people in the company
Searches on LinkedIn
Checking social media for when leaders are on holiday (making it difficult for the target of the fraud to check the authenticity of the email)
It's also common for online criminals to impersonate directors and senior people in a company. Such CEO fraud is normally an urgent request for a payment transfer or system access. It's always sensible to make independent checks on the validity of any such request.
iii. Social media scams
Phishing also occurs on social media. Whilst this might only seem like a concern for individuals, businesses are increasingly reliant on a social media presence – and this is something which hasn't gone unnoticed by fraudsters. For example, they've been known to target employees using Google+ by sending out fake invites that contain malicious links to malware.
Businesses should also consider their employees might use company property to browse social media, potentially making them vulnerable to scams. Most attempts will use some shocking news to try and get you to click, install or share something. Little do users know, they've just clicked a link which will then infect the device they're using – curiosity killed the cat.
Shortened URLs are a prime example of how easily this works. You'll see them everywhere on Twitter. They might be useful for those just trying to stick under the allocated character limit, but for people with cruel intentions, shortened URLs are an easy way of hiding where people will be directed to. This makes it easier to trick them into clicking something they wouldn't knowingly want to.
Social media scams highlight not only the importance of real-time malware protection software, but the need for companies to have policies on acceptable use for computers, mobile devices, email and internet. Key things it should cover include:
Prohibited activities. The policy should include things employees aren't allowed to do – for example, making unauthorised transactions, posting offensive material or deliberately disabling security packages.
Responsibility for updates. Are IT responsible for checking computers are up-to-date on security packages? Or should individuals regularly check themselves? Make it clear in the policy.
In addition to policy, employees should be given advice and training to manage the risk. But more on that later.
iv. Fake pop ups
If there is one key message you should pass on to your employees, it is to be wary of any unsolicited message that requires you to follow a link somewhere else. Fake pop-ups are a key example of this. They'll try and worry users with things like a scam alert, but clicking on it will only allow malware to be downloaded.
To avoid such dangers, it's best to use a keyboard shortcut (Ctrl-W or Alt-F4 on Microsoft devices) or opening the Task Manager and ending the browser program. If you use a Mac, press Command + Option + Q + Esc to "Force Quit." That way, you avoid clicking on the potentially dangerous pop up.
Key ways fraudsters use fake pop ups to trick users include:
Ads that promise to delete viruses or spyware, protect privacy, improve computer function, remove harmful files, or clean your registry
Alerts about malicious software or illegal pornography on your computer
Invites to download free software for a security scan or to improve your system
Claims your security software is out-of-date and your computer is in immediate danger
Unfamiliar websites that claim to have performed a security scan and prompt you to download new software
Any business that operates online is at risk. Of course, if your company has valuable property, it will be a target. But, according to an ACFE report, small businesses (fewer than 100 employees) tend to be hit by higher average losses when it comes to fraud. They're less likely to be able to absorb the damage of an attack.
Online scams can be random, targeting as many devices, services or users as possible. Or a fraudster might choose to single your organisation out and spend considerable time researching the weaknesses in your systems and processes. They're expert criminals and have no problem exploiting your vulnerabilities.
Whatever the size of company, it's far better to adopt a 'when' rather than an 'if' approach, with the aim to prevent attacks before they can happen.
2d. Top tips on improving your resilience
First up, we recommend taking steps to increase the awareness of cyber-attacks in your company. Informing and educating your employees is a great place to start improving your resilience. To help businesses protect themselves from financial fraud, the Take Five campaign suggests sharing these simple tips across your company:
Never disclose security details, such as your PIN or full password. It's never right to reveal these details.
Don't assume an email request or caller is genuine. People aren't always who they say they are.
Don't be rushed. A supplier or genuine organisation won't mind waiting to give you time to stop and think.
Listen to your instincts. If something feels wrong, then it is usually right to pause and question it.
Stay in control. Have the confidence to refuse unusual requests for information.
There are some tools you can use to make the lives of your employees easier. Sign up to a password manager, for example. That way, they only have to remember one master password and the software will create unique, secure passwords for all their accounts. Other useful tools include:
Early-warning systems. By deploying the right intelligence software, you can detect phishing and malware across emails and digital channels before it progresses any further. You can also set up alerts for things like domain registrations, so you can keep an eye out for anyone trying to trick your customers with malicious, fraudulent content.
Online identity verification. You can use online verification to fight fraud by increasing acceptance rates for new customers and users. For example, businesses can verify mailing addresses to make sure people are genuine.
3. What to do if your business is attacked
As a huge part of good corporate governance, risk management is an important process for all companies. But not every business has the luxury of time to prepare for an attack. Employees need to know how to think on their feet, and what processes need to be followed should the worst happen.
3a. Top tips on detecting a threat
As a business, one of the best things you can do is know where your weaknesses lie. Consult with your colleagues in the following ways to find out where you need to improve resilience:
Workshops and interviews
Comparisons with other organisations
Potential signs of weakness
Poor reporting systems
Lack of internal controls
Poor documentation or knowledge of internal controls
Lack of job segregation and checking of key transactions
Inform the relevant departments and key personnel they're likely to be a target of online fraud and take steps to advise them how they can prevent such an attack. Taking an e-commerce business for example, you'd outline key things employees should look out for, including the following red flags:
When the billing address doesn't match the shipping address
Extremely late-night orders
Shipments to P.O. boxes or international orders
Orders for numerous identical items from first time buyers
Express shipping requested
Using a disconnected telephone number
Several card numbers shipping to same address
Of course, these things don't always mean fraud – but a combination of the above should set alarm bells ringing. Find out what the red flags are for your business and share them widely.
3b. The first steps to take after an attack
Businesses survive online attacks. But it doesn't just happen by chance. Once you know you've fallen victim to online fraud, you need to be proactive and find out as much as you can quickly. We suggest the following six steps:
Go offline, restrict access and change the credentials for all important online accounts and servers. Isolate the situation by taking data offline where possible and minimising the damage.
Start an investigation. Where's your system's weakest link? Without starting an exercise of finger pointing, get everyone involved in finding out where and how the breach occurred. It's likely there was a human element that allowed it to occur, but you don't want to put people off coming forward.
Learn from your mistakes. If you manage to discover where and how the attack occurred, you need learn from it. The potential danger doesn't go away if you've been a target before, so pass on the warning to key staff.
Work with the relevant law enforcement agencies. Give the police or Action Fraud your full support and don't hold any information back. The data stolen from your company could appear for sale on some underground forum the authorities are keeping under surveillance. Although cybercriminals are rarely caught, this could lead them to those who targeted you.
Check your back-ups. Most IT departments will have back-ups for the main servers. Not only does this assure you a fast recovery, but you can look at and compare any changes in the network before and after the attack. Doing so might give you valuable intel about your firewall, the domain name system, and web servers – and how fraudsters hacked them.
Reassess how much you invest in security. It might be tempting to blame the IT department. But how big is your company and how much do you invest in IT? If it's a tiny amount, you might want to reconsider where you place the blame.
With any online attack, you've got to learn your lesson so it doesn't happen again.
3c. The importance of business continuity and disaster recovery plans
Are you proactively managing and minimising threats from online attacks? Do you have a security program in place, engaging all relevant teams? Are you aware of the latest technologies and adapting security measures to integrate new solutions? Even if you answered yes to these questions, you could still be in a bad place should the worst happen.
A business continuity plan (BCP) ensures you can recover and sustain key business operations during and after an attack, with minimal downtime and cost. It's an essential tool for any business, and covers not only online threats but anything that could cause operations to stop. It's best described as a fully-documented agreement between management and key personnel, covering all the steps the organisation (and individuals) should take under emergency conditions.
A key part of the BCP is disaster recovery, outlining the IT-driven processes that focus on the recovery of software, hardware and data, as well as the quick restoration of normal online operations. Any risk management plan should be clearly documented, easily accessible and regularly tested. To ensure yours is the best it can be, reflect on CIMA's cycle and cover all the key areas.
Staff dishonestly could kill your business. A 2016 study by Ponemon Institute, 'Managing Insider Risk through Training and Culture', found that 66% of professionals say employees are the weakest link in efforts to create strong security procedures. In fact, 55% of organisations have experienced a security incident due to a malicious or negligent employee.
But how do you know you could be at risk? There are some tell-tale signs of a culture which could allow dishonest behaviour to manifest amongst employees, including:
Lack of clear management, responsibility, or delegation of duties
Bonus schemes or promotions linked solely to ambitious targets or financial results
Inadequate recruitment processes
A lack of HR support
Lack of financial management expertise and professionalism
Unusually close relationships
Unreasonable pressures to perform or deliver financial results
Employees working unsocial hours unsupervised
Potentially mismanaged redundancies
Lack of control over privileged access
Low salaries for key staff
If a discontent employee chooses to, they can do a lot of harm to your company. As with most fraudulent attempts, the motivation is normally financial. It's not just about keeping employees happy, but rewarding them for a good job.
3e. Advice on future-proofing your business
One of the greatest assets a company has is its employees. But humans make mistakes. An important part of future-proofing your business against growing cybercrime is creating a culture of transparency (where employees feel like they can come forward with errors) and training.
Everyone should champion online security and make decisions about how they work, that takes into account the key risks. But not everyone will do this naturally. You've got to provide them with the tools. To get staff online security training right, we've got the following tips:
Make it personal. Raise the awareness of security issues in a wider context. Don't just mention the risks of negligence at work, but what it could mean if they lack online security at home. You're more likely to get their attention.
Include senior executives in training. Of course, everyone needs to know how to protect themselves online, but getting senior staff to participate in training will show your company's commitment and encourage others to follow suit.
Discuss the rewards and consequences. Make it clear that online fraud has serious consequences for business operations. Discuss what will happen if employees are non-compliant, but also show you're willing to reward everyone when efficient security measures are mastered.
Make it fun. More than anything, training has got to be engaging to get people's interest. Make training interactive and use simulated examples to show exactly what can happen.
Everyone hopes an online attack won't affect their business, but it's those who prepare for the worst who come out the other side with minimal damage (should they be targeted). To ensure you've covered everything, we suggest using the CSEG's (the National Technical Authority for Information Assurance within the UK) nine areas of cyber-security strategy as a checklist for optimal protection:
User education and awareness. Do you have a policy covering acceptable use of all systems, as well as a training programme to heighten staff vigilance?
Mobile working. Does your policy cover data protection and use outside of the office?
User privileges. Do you have a process in place for managing account access that limits privileges?
Secure configuration. Do you have secure patches applied and a process for maintaining them?
Removable media. Does your company control the use of removable media (e.g. CDs and USBs) and scan for malware before use?
Incident management. Do you have the capability to respond to an incident?
Monitoring. Are you actively monitoring networks and logging any unusual activity?
Malware protecting. Do you have anti-malware defences established?
Network security. Does your company have a system in place that guards against attacks, unauthorised access and malicious content?
Fraud doesn't happen on your timetable. But you can schedule in the necessary steps to keep your assets safe, while reaping the rewards of operating your business online.
Managing Director of Smart Pension, Will Wynne, and Anne- Marie O'Leary, editor-in-chief of parenting site, netmums.com, discusses auto enrolment on Sky News and in particular, how it will affect employers who hire home help such as nannies, and don't consider themselves to be employers.