Posted 23rd September 2015 | By Ean Faragher, Operations Director

Most articles, news items, television programmes etc. about online fraud focus exclusively on consumer phishing fraud – making sure people are well aware that they haven't won a lottery they didn't buy a ticket for, and that it's extraordinarily unlikely they will be picked to help transfer large sums of inheritance money out of a war-torn country. What they don't tend to address is the increase in phishing scams and other online fraud tricks that target businesses, small and large.

We tend to think that most businesses' fraud risks are internal, and many businesses have systems that don't allow any money transfer, payment or other method of obtaining significant sums without the approval of two or more members of staff. Often this isn't enough, but at least businesses are attempting to address the problem. With online fraud, businesses frequently seem to rely on people using their judgement or 'common sense', which isn't really any protection at all.

The problem with relying on common sense is that it assumes we have all shared the same experiences and have the same knowledge. What seems common sense to me, for example "don't open any file ending in .exe if you don't know what it is", might not be common sense to someone who only uses the computer for their accounts system and spots a file titled 'Invoice-1136.exe' on the desktop. That person looks at their accounts system, sees that invoice 1136 is from years ago, wonders what it's doing on the desktop, opens it up, and just like that a key-logger is installed on the machine.

So here are my top 5 tips to stop phishing in your workplace.

Tip 1: Keep up to date!

One basic phishing scam is to send fraudulent invoices as attachments with misleading file extensions; when opened they install viruses and other software that looks to pass any financial information to a third party so that they can exploit it.

Make sure you install any security updates for your operating system, ensure you have valid antivirus software and, if possible, ensure it includes anti-phishing as part of the package. Also make sure everyone in your business knows how to recognise this sort of scam (see Tip 4).

Tip 2: Always verify

One of the most common fraud attempts is the simple 'invoice' scam. The scammer emails a fraudulent invoice with their own payment details at the bottom and hopes it will be paid without anybody questioning who the payment is for or what they do. Smarter scammers will look at websites or other public information to identify your suppliers, then get in touch asking you to update that supplier's payment details, or simply send an invoice from that supplier with altered payment details. This method is known as spear phishing because it's more targeted.

Make sure you double-check any amendment to payment details by calling the client back to confirm, on a different line if possible (a common scam is for the scammer not to hang up after calling you, so when you 'call back' you end up speaking to them or an accomplice). If you can, speak to someone other than the person who got in touch to inform you of the change.

Tip 3: Introduce approval processes for outgoings

Whaling is another phishing scam, so called because it aims for one big target with a big payout rather than many small ones. A recent report gave the example of £30m being lost by one company through a relatively simple 'spoofed address' email purporting to be from the CEO, who was out of the office at the time, asking for a rushed payment to a supplier.

Setting up approval processes to ensure that all outgoings are counter-signed or approved by a senior person in the business is generally standard practice. Staging those approvals by total value is a useful refinement, so you don't get bogged down seeking approval from all senior managers for a small expenses payment.

Tip 4: Train your team on how to spot phishing mails.

With phishing being the most prevalent online fraud scam, and the one that gets the most attention, you'd hope that everyone would be getting to grips with spotting it easily. A recent quiz from McAfee testing respondents' ability to correctly identify phishing and non-phishing emails saw only 3% of people get all answers correct. Around 80% of people failed to identify at least one phishing attempt (the other 17% identified a legitimate email as a phishing attempt). You can take the quiz here.

Even something simple like knowing how to view the real URL behind a link in an email is a tool that can identify a significant number of phishing attempts. Essentially you're trying to get people to question everything. There are standards like 'the bank will never email asking you for a password' that you can rely on, but what if your bank emails asking you to log in and change your password? It could be legitimate, but it could be a scam. Does everyone in your business know not to follow the link in the email or open any attachment? Do they know how to check whether the password change is genuinely required?
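As an added illustration (not part of the original post), here is a small Python script that does the 'view the real URL' check over every link in an HTML email: it lists where each link really goes and flags any whose visible text names a different domain, or whose destination is outside a list of hosts you trust. The trusted host list and the sample email body are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Picks a domain out of a link's visible text, e.g. "https://www.example-bank.com/x".
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()

def suspicious_links(html_body, trusted_hosts):
    """Return (visible text, real host) for links that lead outside trusted_hosts,
    or whose visible text names a domain other than the one they really go to."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for text, href in parser.links:
        real = host_of(href)
        match = DOMAIN_RE.search(text)
        shown = match.group(1).lower() if match else None
        if real not in trusted_hosts or (shown is not None and shown != real):
            findings.append((text, real))
    return findings

# Constructed sample: the visible text says the bank, the href goes somewhere else.
SAMPLE = ('<p>Please <a href="http://login.example-bank.com.evil.test/reset">'
          'https://www.example-bank.com/reset</a> your password.</p>')

for text, real in suspicious_links(SAMPLE, {"www.example-bank.com"}):
    print(f"link shown as {text!r} really goes to {real}")
```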

Tip 5: Regularly audit your expenditure

If you've followed all of the tips above, hopefully your business is now a little better prepared to deal with potential online fraud. That's great, but it doesn't mean you won't be a victim of it: fraud techniques change, you may have a new starter who isn't trained properly, or a phishing scam may just hit at the wrong time when someone's guard is down. The only thing you can do to reduce the impact of any breach is to monitor your systems for irregularities so that you catch it early.

Potentially this is a daunting task, and it doesn't necessarily prevent a fraudulent transaction. What it does ensure is that you catch repeated fraudulent transactions sooner rather than later; a significant proportion of online fraudulent activity is based on the 'little and often' principle, precisely because small transactions are less likely to be scrutinised. It doesn't need to be heavy-handed: if you have a lot of purchases you can do random spot checks on invoicing, or task team members not responsible for purchasing to audit every so often. All you need to do is make sure there is some system for regular and meticulous checks, and encourage anyone (employees, clients, suppliers etc.) to alert you to any unusual or suspicious transactions or interactions.
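To make the 'little and often' point concrete, here is an added example (not from the original post) of the kind of spot check that can run over a payment ledger: it looks for payees who receive several payments inside a short window that each sit below the value-based approval threshold from Tip 3 but together add up to more than it. The ledger, the £5,000 threshold and the 30-day window are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample ledger of outgoing payments: (date paid, payee, amount in GBP).
LEDGER = [
    (date(2015, 9, 1), "Acme Supplies Ltd", 4800.0),
    (date(2015, 9, 3), "Acme Supplies Ltd", 4950.0),
    (date(2015, 9, 8), "Acme Supplies Ltd", 4900.0),
    (date(2015, 9, 9), "Office Rent", 12000.0),
    (date(2015, 9, 15), "Stationery Co", 120.0),
]
# Assumed: a single payment at or above this value needs a second approver.
APPROVAL_THRESHOLD = 5000.0

def under_threshold_clusters(ledger, threshold, window_days=30, min_count=3):
    """Find payees who received at least `min_count` payments within `window_days`
    that were each below `threshold` but together reach it. Returns
    {payee: (number of payments in the window, their total)}."""
    by_payee = defaultdict(list)
    for when, payee, amount in ledger:
        if amount < threshold:           # only the payments that avoided sign-off
            by_payee[payee].append((when, amount))
    flagged = {}
    for payee, items in by_payee.items():
        items.sort()                     # by date, so a sliding window works
        start = 0
        for end in range(len(items)):
            while (items[end][0] - items[start][0]).days > window_days:
                start += 1
            window = items[start:end + 1]
            total = sum(amount for _, amount in window)
            if len(window) >= min_count and total >= threshold:
                flagged[payee] = (len(window), total)
    return flagged

for payee, (count, total) in under_threshold_clusters(LEDGER, APPROVAL_THRESHOLD).items():
    print(f"{payee}: {count} payments each under the threshold, totalling £{total:,.2f}")
```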

These are 5 simple tips to help. They aren't going to prevent all online fraud attempts, but they will help keep people prepared and teach them to look at things a little more analytically when dealing with private details or financial transactions online.

Written by Ean Faragher, Operations Director at ExtraMile Communications

At ExtraMile we try to take an hour out each week to look around us at what others do, to gain inspiration and to admire people's creativity. Each post in this series is one staff member's take on the world of web, design and things online. We hope you enjoy it.

Ean
