From Black Friday through to Christmas and the New Year sales, fraudsters are having their busiest time of year. According to Action Fraud, 28049 shoppers were conned out of their money last year, and over £15.4 million was lost to fraud over the Christmas period.
Businesses also take a big hit from fraud. The 2017 Annual Fraud Indicator estimated fraud losses to UK businesses at around £190 billion every year, with the private sector hit hardest, losing around £140 billion.
An essential part of protecting a business from the threat of fraud is training staff and increasing awareness within the company. Ideally, people will recognise when fraud has occurred or, even better, their awareness and actions will have prevented it.
The most common technique that fraudsters use to target many people at the same time is to send emails (phishing) and text messages (smishing) or make phone calls (vishing) pretending to be a trusted source such as your bank, a delivery company or even the police. These methods attempt to trick their victims into revealing sensitive information such as bank details, credit card information or passwords. In an email, there will often be a link that you are asked to click on to address an urgent problem. The link or attachment is likely to contain malware.
Phishing, vishing and smishing attacks are the 3 main fraud types that set up many more serious attacks. These include ransomware attacks, which are a major threat to all businesses. Ransomware is a type of malware that encrypts files to make them unusable. The files cannot be decrypted without a mathematical key known only by the attacker, and this is how an organisation’s data is held to ransom. Making an untraceable bitcoin payment to the attackers may release the files, but there is no guarantee.
Bank transfer fraud (also known as authorised push payment fraud) is another serious form of fraud that uses social engineering, and one that will be on the rise over the Black Friday/Christmas period. Criminals can intercept business emails and are therefore in the know about upcoming transactions and the movement of large sums of money. When the time is right, they will contact an organisation via phone call or email, pretending to be a client or a bank manager, and instruct payments to be made into a new, different or ‘more secure’ account. Once the member of staff has been tricked and money is transferred into the criminal’s account, it is swiftly moved on elsewhere, making recovery of the funds very difficult.
Another threat that is on the rise at this time of year is from the fraudulent insider. Many companies need to take on extra staff quickly to cope with the increased demands of the festive season and scrutiny of new employees may be rushed through or disregarded. This means that dishonest people are able to place themselves within an organisation to carry out crime.
The shortage of products and delivery drivers this year is yet another opportunity for fraudsters operating in the supply chain. Companies may feel pressure to panic buy without completing thorough checks on their suppliers or customers, making them vulnerable to buying counterfeit goods and other scams.
The Counter-Fraud Fundamentals (CFF) certification scheme was developed by a team of counter-fraud experts in a collaboration between IASME and the Open Banking Implementation Entity.
The scheme identifies the controls an organisation can implement to help address and reduce the risk of fraud. It is an ideal way for any organisation dealing with financial transactions to prove to their customers and supply chain that they take their responsibility to combat fraud seriously and have the fundamentals in place regarding fraud detection, prevention and investigation.
Below are some questions taken from the Counter Fraud Fundamentals self-assessment under the key control of prevention and detection. We link these questions to some key tips to protect your business from fraud this season.
Does the company undertake background checks for customers, staff and suppliers? This question deals with the onboarding process and how you verify that someone is who they say they are.
- how to validate the candidate details provided using third party information.
- checking to see if there are any anomalies in the information provided.
- checking if there has been any adverse media or previous fraud by the customer.
- checking that staff or suppliers, or anyone associated with them, have not committed fraud before.
Other preventative measures with new staff might include limiting their access to sensitive and confidential documents.
Does the company undertake ongoing due diligence on suppliers’ staff and contractors in order to identify, assess and manage fraud risks? This question would include the robust checking of invoices for fraud and clear processes to avoid mandate fraud and account takeover. In addition to basic fraud training, an organisation needs to provide specific training for specialist/privileged staff, e.g. those dealing with financial transactions.
Does the company have a whistle-blower process for staff to report suspected internal fraud? This question deals with processes to report fraud from within the company. It involves having an email address or telephone number for staff to report suspicions about fraud, and a defined and documented follow-up process.
Examples might include:
- Someone noticing that a newly appointed colleague keeps going for a break and taking their laptop with them.
- A colleague always hides their work, is unsocial and asks multiple questions about the workings of the company.
Does the company have annual mandatory fraud training for all staff?
Does the company run fraud education and awareness campaigns to help customers, staff and suppliers increase their awareness and knowledge in the fraud area?
Because fraudsters rely so heavily on social engineering to initiate their campaigns, awareness and training about phishing, vishing and smishing are particularly crucial for all staff. Good training on all forms of fraud will heighten staff awareness and improve their ability to deal with and respond to fraudulent requests.
Download the full Counter Fraud Fundamentals self-assessment question set for free here.