thinkbroadband.com Provides a Warning to Welsh Businesses on the Top Scams Likely to Target Their Organisation

Welsh businesses are under increasing attack from scams and cyber-attacks that cause financial loss and disruption to their supply chain, warns thinkbroadband.com, the UK’s leading broadband news and analysis site, who have issued a warning to businesses to take action to minimise the risk.

According to thinkbroadband, one of the most popular and easily perpetrated scams is ‘CEO Fraud’. Although named after CEOs, the scam can impersonate any “important” person in the business: a simple request asks an employee to buy gift cards, for example, and send the ‘CEO’ photos of the codes. The request may come from a ‘personal’ e-mail address (probably a fake one) or a new phone number, with the sender making excuses as to why they ‘can’t talk right now’, or the CEO’s legitimate e-mail account may have been compromised.

Typically, for a larger organisation, a similar example is an email chain which contains extensive forwarded emails being sent to finance asking them to make a large payment, due to a sensitive ‘acquisition’ the business is undertaking. The emails will make excuses on why this needs to bypass the normal payment/approval process. Thinkbroadband stress that any text in a forwarded email can be easily made up or edited and shouldn’t be relied upon.

Reinforcing the severity of this type of attack, according to Barclays*, forty per cent of CEO fraud attacks are targeted at SMEs, and in 2021 they were made aware of 461 CEO fraud cases totalling losses of just under £13 million.

‘Fake invoices’ are another favoured tactic of fraudsters, aimed at companies and accounts payable teams. This occurs when fraudsters send a false invoice or bill to a company, requesting payment for goods or services. The invoice may claim that the payment is overdue or threaten negative consequences for non-payment, such as affecting the company's credit rating.

A business may receive the emails from e-mail addresses very similar to a legitimate company, but with a one letter change to the domain name.
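One way an accounts payable team can automatically catch the one-letter lookalike domains described above is to compare each sender's domain against a list of known supplier domains using an edit distance (this is an added example, not code from thinkbroadband.com or from the article; the `TRUSTED_DOMAINS` list and the sample sender addresses are constructed):

```python
"""Flag e-mail senders whose domain is one edit away from a trusted supplier domain."""
from email.utils import parseaddr

# Constructed sample of supplier domains the business genuinely pays.
TRUSTED_DOMAINS = {"acme-widgets.com", "example-supplier.co.uk"}


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: counts insertions, deletions,
    substitutions and adjacent-character swaps, so 'acme-wigdets.com'
    is as close to 'acme-widgets.com' as 'acme-wldgets.com' is."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]


def sender_domain(header_value: str) -> str:
    """Extract the lower-cased domain from a From: header such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return ('trusted', domain), ('lookalike', nearest trusted domain) or ('unknown', None).

    A lookalike is a domain that is NOT trusted but lies within max_distance edits
    of one that is; these invoices should be held for a phone call to the supplier."""
    domain = sender_domain(header_value)
    if domain in trusted:
        return "trusted", domain
    for known in sorted(trusted):
        if edit_distance(domain, known) <= max_distance:
            return "lookalike", known
    return "unknown", None


if __name__ == "__main__":
    for sample in ["accounts@acme-widgets.com",            # genuine supplier
                   "Acme Widgets <billing@acme-wldgets.com>",  # 'i' swapped for 'l'
                   "billing@acme-wigdets.com",             # two letters transposed
                   "someone@totally-different.org"]:       # unrelated sender
        print(sample, "->", classify_sender(sample))
```

A result of `lookalike` is a signal to verify the invoice out of band, not proof of fraud; the `unknown` case still needs the normal new-supplier checks.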

Similar to this fraudulent behaviour is the ‘Supply Chain Hack or Change of Bank Details for Supplier / Employee’ scam, which targets accounts payable and HR teams: scammers intercept an email, change the bank details on the invoice and send it on for payment.

For example, HR receives an employee email asking them to change their bank account details to their new account. The e-mail may have genuine information (obtained through public sources such as LinkedIn or hacked) but the new account doesn’t belong to the employee (or isn’t controlled by them).

Alternatively, a supplier sends a company an e-mail with new bank details on their letterhead. A business replies, checks the email address is genuine (it is), changes the bank details and makes the next payment. Only when a supplier contacts the company asking why the payment is late is it then realised that the supplier’s email account has been hacked, and in fact the funds were sent to a scammer.

Lastly, thinkbroadband.com is warning businesses about the ‘Internet Keyword’ scam. Often from ‘registrars’ in China, a business will receive an email telling them that someone else (a name they don’t recognise) is trying to register a domain name similar to theirs, or an ‘Internet Keyword’. They ask the business to get in touch if they have not authorised this, no doubt wanting the business to pay to reserve these names.

An example of this type of scam is the “Business Register” Scam that has targeted thousands of businesses across the globe for over a decade. This worked by an email (or letter/fax) inviting businesses to list their organisation in what appears to be an official EU register “free of charge”. Registration was simple; recipients needed to send back a completed form with their details. However, behind the ill-defined fine print hid the real intent of a multi-year contract that the business had inadvertently signed up to for a fee of hundreds of euros annually.

Sebastien Lahtinen, co-founder of thinkbroadband.com, is advising businesses on what steps to take to combat the ever-increasing threat from scammers.

He says:

“Whilst the threat from scammers may be getting more sophisticated and convincing, businesses can take simple steps to nullify the threat being posed, both mentally in how their staff think about scams and technically, by employing certain practices.

“Focus on the pattern, not the specific examples; it is important to recognise that any scam is usually a variation and combination of different scams, stitched together in a different way to target different people. Some may be highly personalised to the target. By understanding the common elements that are present in most scams, a business can be better prepared to detect and prevent them.

“It is also important not to be pressured; scammers will try to get businesses to do something urgently, ask employees to keep the matter confidential, and use names of staff designed to generate an immediate response. Remember, however genuine requests sound, an employer should never be afraid of being challenged.

“Cyber-security training and teaching staff about cyber-security and social engineering with real world examples should be a key part of any induction and annual refresher training for all staff. Scammers and hackers often get one piece of information from one person, and something else from another, and use these to succeed in making money illicitly. And always be aware of changing bank details; any request should be thoroughly checked and a simple call to a supplier can negate this scam.

“From a technical point of view, it is good practice to keep track of data breaches by subscribing to haveibeenpwned.com for your email address, or if you manage a domain name, for all email addresses on that domain. This will notify you if your email address is found in data breaches; and never use the same passwords. IT departments can pre-warn users whose details may have been compromised.

“I would also advise introducing two-factor authentication on all services, from your personal Google account to any work resources. This limits the damage someone can cause by long-term access. It is also a requirement for any companies that pursue Cyber Essentials certification, which is a National Cyber Security Centre (ncsc.gov.uk) supported initiative to improve your business’ protection and processes. Lastly, install anti-virus/anti-malware tools on all your computers.”

* Source: CEO Fraud | Barclays Corporate

Business News Wales