Top tips to prevent SME fraud

By Dimitrie Dorgan, below, Global Head of Fraud & Risk Management, Stenn

When considering fraud from a business perspective, it is important to assess the breadth of use cases available to fraudsters. As businesses globally continue to move toward a digital-first approach, significant challenges accompany the opportunities on offer. According to the World Economic Forum, revenue estimates from illegal activity sit at between 2-5% of global GDP, at around $2 trillion USD.

Many small and medium sized enterprises, much like individuals, think that they are the exception to the rule, adopting a reactionary approach to fraud. The reality is that any business, no matter how small or large, across any geography, can be the victim of financial scams and fraud. SMEs are particularly vulnerable to scams as fraudsters take advantage of small teams, immature procedures, insufficient investment in security training and personnel, and stretched resources.

Here are my top tips for fraud prevention in your business:

Get your own house in order first 

It is critical that SMEs know their business intimately, especially if they don’t have a fraud or security function in-house. This goes further than simply knowing how and where your business operates; you should have an intimate understanding of your business inside out, from employees, products and services, threats or weaknesses, to the target market, existing customer base and external suppliers.

Fraudsters are able to use technology and human insight to piece together profiles of companies and employees to establish trust or develop it over time. With technology improvements, these profiles are more advanced than ever before, and often difficult to spot, especially if you are in a rush. If weaknesses exist within your business, for example an under trained recent joiner, scammers are likely to target them.

It is also crucial that employees have a good understanding of the legal and regulatory environment in which their company operates as well as the current threat landscape. Fraudsters will take advantage of any weaknesses, for example as new legislation comes into force, a scammer is more likely to be able to convince you that there is a need to adhere to a new regulation in order to “sell” you a service or gain access to your servers. We have seen this happen many times over during the lockdowns when fraudsters contacted individuals and convinced them to share critical information or provide access to their devices under the guise of public health or government officials.

Take extra care against cyber attacks 

It is easy to think of scammers as individual opportunists looking to make some quick cash, and there is a misconception that scams end when an invoice is paid, or money is transferred. However, as data becomes more of a commodity, professional fraudsters with a little imagination and technical know-how have updated tactics, opting to infiltrate servers, watching employee movements and holding them “hostage”, often demanding hefty sums to restore access or functionality. As the past examples of the Colonial Pipeline ransomware attack or the WannaCry malware that crippled the NHS point out, critical infrastructure systems underpinned by legacy technology without constant security updates/patches will be the first targets.

Therefore, it is imperative that everyone in your business is aware of how scammers target employees and their technology. From requests to pay fabricated invoices to corrupted file uploads, phishing emails and phone calls are techniques constantly evolving and developing with technology. Consequently, we would always advise employees that, if in doubt, they should double-check any suspicious links, communications or behaviours.

The reality is however that most mature businesses, whether large or small, will have to deal with the effects of a cyber attack at some stage. So, the first thing to do is to make sure any sensitive financial or personnel data is well guarded with two-factor authentication, only a select set of users can access critical data and that all of your systems, applications, and servers are backed  up and patched regularly with the latest security updates.

Strategy and internal communications 

It is easy for employees to misunderstand the impact that business-focused scams can have on their lives. If hackers get into servers and access personnel data, there is a real risk that they could go on to hack personal accounts, using information gathered for subsequent, more convincing phishing attacks.

Consequently, employees need to understand the risks associated with scams and that losses don’t only affect business revenue. A successful attack has the potential to tie up funds in ransoms, attract regulatory fines or destroy public trust in a company or a service. Any one of these outcomes alone can make the difference for a SME. Whether this is communicated via training sessions or internal communications strategies, labouring the point that fraud can affect more than just the person who is targeted could just save your business.

The risks for any company are wide ranging when it comes to fraud and scams, but the knock-on effects for SMEs in particular can be catastrophic. The importance of having robust due diligence processes, choosing competent business partners and ensuring all lines of the business are protected is paramount to the security of your business and employees.

Dimitrie Dorgan is Global Head of Fraud & Risk Management at London-Headquartered Stenn, a leading digital marketplace, enabling growth for SMEs, globally.