Protect your SME from the growing threat of cyber fraud

As more and more sophisticated scams emerge, it’s vital that businesses meet the challenge of protecting their assets. Here, we examine seven common threats, and offer some simple steps that will help protect your business against them.

More than £750m was lost to fraud in the first half of 2021 alone – an increase of 30% on the same period in 2020, according to a report from UK Finance. Only the complex security systems employed by NatWest and other banking organisations prevented a further £736m from being stolen as well.

“Fraud is a huge problem,” says Andy May, fraud awareness analyst at the bank. “When it comes to fraud against businesses, it’s not a case of if this happens to my business, it’s when. You may have processes in place, or cyber security to reduce the risk, but nothing is 100% guaranteed. Fraudsters will find their way around them.”

Business owners must therefore stay up to date with the current threats and make sure everyone in their organisation is aware of the risks.

The coronavirus impact

The Covid-19 pandemic has only exacerbated the problem, with many thieves exploiting the vulnerabilities of employees working from home – often on personal devices that are less well protected by a company’s firewalls and other security systems.

And remote employees, often distracted by other factors at home, also lack in-person contact with colleagues to confirm email requests and payment orders, so are much more susceptible to digital scams.

Andy says: “The biggest impact that Covid-19 brought, in terms of businesses, is the changing of working patterns. You have so many people that are no longer having a face-to-face dialogue with, perhaps, other members of their finance team.

“When you’re working in a remote environment, it’s a completely different dynamic. Emails from people within your organisation requesting payment have become much more common, which gives fraudsters more opportunities to exploit those kinds of things.

“And with all the different types of distraction at home, it’s easy for employees to miss something that, in the office, they would have spotted.”

Confidential information is now routinely exchanged by email, which is largely an insecure platform, cautions Andy. He advises businesses to use encrypted email and virtual private networks (VPNs) to help guard against the risk of interception or malware attacks.

So, what are the main fraud risks business owners should look out for?

Fraud: key threats for SMEs

1. Invoice redirection

This is by far the biggest financial fraud risk facing businesses in the UK, according to Andy. Fraudsters will send a fake email, seemingly from a known contractor or supplier, advising that their bank details have changed. The unsuspecting victim then sends funds to this ‘new’ account, which is actually controlled by the fraudster. Companies should therefore ensure that any requests like this to change bank details are independently verified, using a known phone number or email address for a known staff member at the company requesting the change. There should also be strict processes in place internally around changing bank account details for any supplier or contractor.

2. Bogus boss/CEO fraud

These are fraudulent emails which appear to come from senior figures, such as the CEO or finance director within your business, requesting an urgent payment to be made. Because there is little to differentiate the fake emails from genuine ones, it’s easy for unsuspecting employees to follow the directions from someone seemingly senior to them. Communicating the potential for such attacks to employees, and having a documented process for payment authorisations, are key steps in helping to avoid bogus boss threats.

3. Digital banking fraud

Fraudsters may try to access your digital banking website by directing you to a lookalike site, which may be identical to your internet banking log-in page, and then log your keystrokes. By harvesting your confidential information, such as username and password, they may be able to access your accounts. To combat this threat, always double-check the URL of a website before typing in any sensitive information, and check where a link actually leads before following it to an internet banking site.

4. Investment fraud

Investment scams involve criminals attempting to convince you to invest in a scheme, shares or commodities which either don’t exist or aren’t worth the money being charged for them. These scams are becoming increasingly sophisticated and common, and can take a variety of forms, with the fraudsters impersonating a private bank or investment firm. They might call victims or use social media sites and bogus ‘influencers’ to entice them to make fake investments in gold, property or cryptocurrency schemes.

5. Social engineering

Social engineering, in which people are groomed and manipulated into divulging personal or financial details or transferring money, continued to be the key driver of both unauthorised and authorised fraud losses in the first half of 2021. Criminals used scam phone calls, text messages and emails, as well as fake websites and social media posts, to trick people into handing over personal details and passwords. This information is then used to target victims and persuade them to make payments to the fraudster.

6. Ransomware attacks

Ransomware is a form of malicious software that gives criminals the ability to lock a computer from a remote location – then display a pop-up window informing the owner that it will not be unlocked until a sum of money is paid.

To protect your SME from this type of cyber threat, ensure your staff know never to click on links or attachments in suspicious emails or text messages. You should also only visit websites you know to be safe, and make sure you have updated antivirus software installed on your computers and servers.

7. Overpayments scam

This is where a fraudster overpays for goods or services using a cheque or draft, then requests an urgent refund, saying an accounting mistake was made. The company pays the refund by electronic payment in order to satisfy the request. However, the cheque or draft is later returned unpaid because it is fraudulent, leaving the receiving company out of pocket. To avoid this happening, companies should be suspicious of a new customer making an unusually large order, or a buyer who makes an overpayment with a cheque or draft, and then asks for a refund by electronic transfer.

As well as these threats, the UK Finance report points to several other issues, including debit and credit card fraud, telephone banking fraud and advance fee scams. In particular, authorised push payment (APP) thefts – where the customer is tricked into authorising a payment to an account controlled by a criminal – are showing a startling increase, according to the report.

Losses from this type of scam amounted to £355 million between January and June 2021, an increase of 71% over the same period in 2020. This surpassed the amount stolen via card fraud (£260 million) for the first time.

Katy Worobec, Managing Director of Economic Crime at UK Finance, said: “The level of fraud in the UK is such that it is now a national security threat. The banking sector cannot solve this on its own – there must be a co-ordinated approach adopted across every sector if this is to be tackled effectively.

“But while we wait for legislation, the problem of fraud is here, now, and growing, as our latest figures show. So, we will continue to work with government, regulators and other sectors, who must all play their part in tackling this truly national problem.”

Raising anti-fraud awareness

International Fraud Awareness Week, or Fraud Week, seeks to highlight the global issue of fraud and encourage business owners and employees to take steps to combat the issue, by promoting anti-fraud awareness and education.

Organisations and individuals are encouraged to register as official supporters and to host training opportunities, distribute anti-fraud information or otherwise promote anti-fraud activities during the week, which runs this year from 14 – 20 November.

If you suspect that you or your business has become a victim of fraud, it’s important that you contact your bank immediately, as well as reporting the incident to the Action Fraud helpline.

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.
