By Gavin Cunningham, forensic services partner at accountancy firm, Menzies LLP
Fraud is one of the biggest risks facing SMEs, and with online systems forming the backbone of almost every organisation, the opportunity for fraud is always increasing. Fraud attempts against SMEs may now comprise a hybrid of long established methods, coupled with the immediate, global access provided by the internet and unsolicited emails.
Fraudsters actively seek opportunities to steal money from businesses in any way they can. They are looking for signs of weakness to exploit for their own personal gain. Global internet-based communications and systems have provided more opportunity for fraud than at any point in history. Fraudsters may now be highly organised and operate from foreign jurisdictions with ease, or they may exist in local communities using specific knowledge and connections, against which companies of virtually any size are ill equipped to cope.
There are many ways in which fraud attempts are made, but they centre on using a business’ existing practices and turning them to their advantage, often through the supply of goods, services, or people. For example, in a sophisticated fraud, a rogue employee may be placed inside an organisation and working with an external fraud party, the rogue employee might order a product that is substandard or accept overpriced goods. In a worst-case scenario, they may acquire access to banking and finance systems and enable illicit payments. Therefore maintaining effective accounting and banking practices and controls in an organisation remains essential.
If a business is exposed to fraud, it is not easy to recoup the losses and, even if legal action is successful, it could take years to get the money back. For this reason, a prevention strategy is the best defence against this type of criminal activity. While the biggest risk area now is likely to be through exploitation of weaknesses in IT, it should not be forgotten that human intervention and error is the likely route to access IT shortcomings. A holistic approach that reviews systems and runs risk management over all areas of business is vital to be properly armed against fraud, rather than simply leaving this to IT management which may allow other key business functions to become complacent. Communicating freely and without blame within senior management about system weakness and any fraud attempts and sharing responsibility across a company are key to improving defences.
- Keep online systems up to date
The first step to protecting businesses against internet-based fraud attempts is to make sure that all online systems are updated and adequately protected, using professional help if necessary. Fraud is becoming more difficult to prevent and reliance on the internet has seen exponential growth in cyber fraud attempts. Protecting owned cyber environments and making sure that all technology is running the most up-to-date security and operating software is vital. This may help to protect the business against ransomware attacks, which infiltrate business systems to make them inoperable until the inevitable ransom demand is met by the business owner, or the online system is rebuilt.
- Make sure staff are trained in the risks of fraud and know what to look for
In large organisations that employ hundreds or thousands of people, all it takes is for one person to click on a phishing link for the whole company to be compromised. Companies with high revenue levels are also more likely to be targeted by fraudsters, so thorough fraud prevention training and education is recommended for all staff.
A key area of training is to ensure that staff know how to spot a potential fraudulent email, as basic as looking for missing letters or other minor irregularities that might indicate that the sender is not who they appear to be. Fraud attempts are becoming more organised and sophisticated, and sometimes fraudsters will pretend to be a company’s existing supplier, which can make spotting the threat more difficult. The fraudulent supplier may be contacting the business through a different email address or requesting money using new banking details, so employees need to be alert to these possibilities.
- Check and check again
If a suspicious email is received, it is important to be vigilant and check the details carefully to avoid responding or interacting with the fraudster in any way. Fraudsters, including those engaged in ransomware attacks, will do their best to make emails look as if they are from an authentic email address, often using just minor spelling alterations, perhaps a “1” for a “l”, or a “0” for an “O”. For employees clicking through their inbox quickly, these can easily be missed. If something doesn’t look right, checking details against existing information (if applicable), or via another route, is the best way to determine if a communication is authentic.
- Save or copy key documents and information to a secure offline environment
In today’s digital world, it is virtually impossible to conduct business without using online systems to manage core functions, such as payroll and ecommerce. Unfortunately, this reliance on online systems can put key information at risk if malware gets into a system. In such an event, it can be highly challenging to restore systems and, in some cases, they may never be the same again. Whilst investing in a mirrored back-up system can be effective, this is a costly exercise, and there is still a risk that the same fraud could happen again. Resetting systems to a point before the attack does not automatically solve the problem either; malware can covertly attach itself to data and remain in the system unless it is actively negated.
One way of mitigating against malware attacks is to save key documents, such as legal title documents; core banking information and customers’ and employees’ financial information to an offline location, so they can’t be stolen or compromised and can be restored to a clean system. Obtaining professional and specialist IT security advice may be a sensible step if it cannot be done inhouse.
- Trust your instinct
When business owners suspect they are a fraud victim, it can be hard to believe it could happen to them, or that an employee or long-term business supplier or customer could seek to undermine the business in such a way. Consequently, it sometimes can take months before a business owner seeks professional advice, by which time it is often too late to avoid mounting fraud losses. If business owners suspect that a fraud has happened, it is crucial that they act on their suspicions and seek expert advice as soon as possible. The longer they allow the situation to continue, the less likely they are to be able to recoup their losses.
A key thing to remember is that fraudsters attack businesses to make money and they are good at what they do. They don’t care about the impact that their actions might have on the business or its employees. Taking preventative action by updating systems and ensuring staff are well trained to spot fraudulent activity will provide some protection, but if the worst happens, and the business is exposed to fraud, knowing what to do to limit damage and protect stakeholders’ interests is vital.