14 March 2017
Cyber-criminals target small businesses
Innovative, creative, and fast-paced SMEs are probably too busy driving growth and developing interesting products to care much about the nebulous threat of cyber-crime. After all, we all think bad things only happen to other people. But cyber-crime specifically targeting SMEs is on the rise. Digital hackers have their eyes firmly focused on SMEs, with nearly 74 per cent of small businesses reporting a security breach according to the latest Government Security Breaches Survey.
Barclaycard research found 48 percent of small businesses had been hit by at least one cyber-attack in a year, while 10 percent suffered from repeat incidents. And when fraud happens to a small business, it hits hard. Money taken from accounts payable could have been invested in research and development, employing a new specialist staff member, or market expansion. In addition, if fraud is reported to the press, then investors could be spooked, endangering crucial funding. Fraud can also lead to a loss of confidence in the company by employees, who may ask the question: How, and who, let this happen?
The best way to avoid SME fraud is by learning what the potential blackspots are.
Some of the more common crimes are invoice fraud, mandate fraud, or CEO fraud, and a study by Accura, the insights arm of VocaLink, found that under 25s are most at risk, with 90 per cent of fraud attempts targeting young people being successful.
But it’s not just young people who need to be cautious. With more businesses using mobile phone banking than ever before (a 10 percent increase year on year, according to the BBA), vigilance when making transactions with just a finger-swipe is crucial. A lack of employee training, specialised defences and prioritised attention is a serious temptation to cybercriminals. Government website Cyberware is a useful resource that highlights potential pitfalls SMEs might encounter, and how they can be avoided.
So what are the biggest threats facing small businesses, and how can they best protect themselves?
Dan Sloshberg, cyber resilience expert at Mimecast, an email management company, explains that SMEs fail to spot when they have been targeted, and that smaller companies don’t have robust backup strategies in place to protect against and recover from a breach. “Impersonation threats in particular, also known as CEO fraud, are on the rise. Attackers use social engineering designed to trick employees into transferring money to fraudulent bank accounts or divulging personal or sensitive information that can be sold on the black market. Targeted phishing attacks, known as spear-phishing, are also on the up, duping employees into revealing login details to avoid traditional security technology, penetrate networks and steal critical data.”
According to research by Tungsten Network, typical scams included embedding viruses in attachments (malware); unknown invoices attached to an email or sent by post (phishing); false changes to bank details; and sending duplicate invoices. Sloshberg says: “Some simple checks, such as ensuring emails from seemingly trusted internal contacts actually have the company’s correct domain in the email address, hovering over links to see the real destination before clicking, and not opening attachments in unsolicited mail.”
Invoice fraud is another huge threat to SMEs. Examples of invoice fraud include viruses embedded in invoice attachments; unknown invoices attached to an email that are then acted upon by the accounts team; duplicate invoices; and invoices sent under a regular client's name but using false bank details.
Reducing invoice fraud is important, as it is the most common type of crime experienced by SMEs. A move to e-invoicing between suppliers via a central hub would be a strong, preventative move for SMEs. Suppliers on a hub must go through an onboarding process which significantly deters potential criminals.
Dean McGlone, sales director at V1 document management, recommends that strict controls are set up when a new supplier is established. “Technology can now automatically validate bank details that appear on an invoice against those held for a supplier in the financial system, while any discrepancies can be flagged for review. Doing this manually would take a very long time.” He adds that if there’s no purchase order number, the invoice simply won’t be paid.
Accura has launched an analytics system called Invoice Payment Profiling. The system raises awareness of fraudulent invoices and payments before the money is transferred to the supplier. The software is intelligent and secure: it searches for errors in the invoice and weeds out any anomalies.
In addition to smart and trusted software, adding a physical barrier against fraud is also a good idea. When processing invoices, even with intelligent systems, separating responsibilities in the accounts office will help to reduce invoice fraud.
Dr Ron Hale, a security expert at ISACA, said: “In accounts payable, one person should review and approve invoices, while another would execute payment. When duties are separated, it can be hard for one person to commit fraud.” He also recommends ensuring you know who you are paying, especially as most fraud includes payments to fictitious accounts, or to approved accounts where the bank details have been changed. “Controls should be in place to ensure payments are only made to authorised companies.”
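The controls McGlone and Hale describe (bank details checked against the supplier record, no payment without a purchase order number, duplicate invoices caught, approver and payer kept separate) can be combined into one pre-payment check. This is an added example, not code from any product named in the article; the supplier record, field names and sample invoice are constructed.

```python
from dataclasses import dataclass

# Constructed supplier master data: supplier id -> bank details held on file.
SUPPLIERS = {
    "SUP-001": {"name": "Acme Paper Ltd", "sort_code": "20-00-00", "account": "12345678"},
}

@dataclass(frozen=True)
class Invoice:
    number: str
    supplier_id: str
    po_number: str
    sort_code: str
    account: str

def _norm(value):
    """Drop spaces and dashes so '20 00 00' and '20-00-00' compare equal."""
    return "".join(ch for ch in value if ch.isalnum())

def review_invoice(inv, seen, approver, payer):
    """Return the reasons to hold a payment; an empty list means release it."""
    holds = []
    supplier = SUPPLIERS.get(inv.supplier_id)
    if supplier is None:
        holds.append("unknown supplier")
    elif (_norm(inv.sort_code), _norm(inv.account)) != (
            _norm(supplier["sort_code"]), _norm(supplier["account"])):
        # Changed bank details are the hallmark of mandate and invoice fraud.
        holds.append("bank details differ from supplier record")
    if not inv.po_number.strip():
        holds.append("no purchase order number")
    key = (inv.supplier_id, inv.number.strip().upper())
    if key in seen:
        holds.append("duplicate invoice")
    if approver.strip().lower() == payer.strip().lower():
        holds.append("approver and payer are the same person")
    if not holds:
        seen.add(key)  # remember only invoices actually released for payment
    return holds

if __name__ == "__main__":
    paid = set()
    # Constructed invoice: known supplier, but new bank details and no PO.
    suspect = Invoice("INV-101", "SUP-001", "", "40-11-22", "87654321")
    for reason in review_invoice(suspect, paid, "alice", "alice"):
        print("HOLD:", reason)
```

A held invoice goes to manual review, where any change of bank details is confirmed with the supplier through contact details already on file rather than those printed on the invoice.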
To increase awareness of invoice scams, Pauline Smith, head of Action Fraud, explains the importance of making employees aware of what invoice scams are, and how to recognise them. “Incidents of invoice fraud are underreported and therefore it is difficult to know the true scale of this fraud type. However, what we do know is that this type of fraud prevails across all types of business and no one type of industry is immune.” Invoice fraud must be reported. Not reporting it could endanger your business, and others that may be targeted by the same criminal.
Ensuring SMEs are properly insured is one way the industry is tackling fraud. Allied Insurance Services has launched a new Cyber and Data protection insurance package for SMEs. It recognises that cybercrime can cost SMEs on average £310,000 per attack, and recommends that, in addition to using computer security software and regular IT system updates, SMEs should ensure they are insured in the event of an attack.
It may sound like common sense, but even things like regularly updating complex passwords that include words and symbols can be an essential barrier to crime. Additionally, installing anti-virus software should weed out malware.
The future of SME fraud depends on how quickly tech can keep up with reality. With more advanced invoice processing techniques, it’s easier for small businesses to invest in software that highlights false PO numbers or fraudulent bank accounts.
Keeping employees up to date with what to look out for can go a long way towards reducing cybercrime, while installing firewalls creates obstacles for hackers. What we know for certain is that if cybercrime against SMEs continues to rise as quickly as it is doing now, SMEs need to take all the precautions they can.