• Criminals don’t stop for Christmas – always stop and think before departing with personal or financial information.
• Businesses and individuals are far more likely to fall victim to fraud than any other crime in the UK.
• The festive season is typically one of the busiest times for a lot of businesses. Fraudsters are aware of this and ready to take advantage.
• The festive season also typically sees a lot of businesses with skeleton staff – again fraudsters know this well.
• Fraudsters can impersonate suppliers, colleagues and even trusted organisations such as the bank or police.
• Many businesses struggle to recover from the severe financial and reputational damage fraud can cause – never be complacent or let your guard down.
• Build a culture that encourages staff to speak up, and make it easy for them to report an incident. 

Criminals are experts at impersonating people, as well as trusted organisations such as your bank or the police. They are always looking for clever and convincing ways to trick you, and they will target businesses all year round, whether it’s the season of goodwill or not.

If your team is winding down to relax for the holidays, or business is ramping up to meet Christmas demand and you’re rushed off your feet, the best way you can protect yourself and your business is to keep up to date with the methods scammers use. 

Stop and think – says national campaign Take Five – because it could protect you and your money. Letting your guard down just once could let a fraudster in.

The majority of cyber attacks on businesses originate from simple phishing emails. Big retail events such as Black Friday, Cyber Monday and the ‘Golden Quarter’ leading up to Christmas, provide opportunities for scammers through things like fake promotional discounts or prizes. 

They’re also likely to target your business on a Friday afternoon because they see potential as pressured employees try to meet deadlines or fulfil transactions. 

If you click on a link in a phishing email, you may have created a pathway for malicious software to start doing its damage to an internal system or device. 

The worst-case scenario is that it can lead to a crippling ransomware attack, meaning it’s holding your business information at ransom. 

Criminals will also target businesses through CEO scams and invoice and mandate scams.

“Never trust anything, even if there’s a believability about it. Even if you receive something you’re almost certain is legitimate, with the correct logos and spellings, don’t click on the link in the email. Fraudsters might have targeted you and directed you to a fake page.”

Businesses should remain vigilant against vishing phone calls. Fraudsters can impersonate banks, police, IT companies, utility companies and others. They typically want three things:

1. Information such as PINS, passwords, one-time passcodes (OTPs) or Quick Response (QR) codes. 
2. Access – such as access to a physical workspace or it could be virtual access to a confidential work system or even a company’s online banking system. To do this, they might try to manipulate the customer into downloading Remote Access Software, so they can control your device. 
3. They want you to perform an action by manipulating you into making a payment. A typical example of this is advising that your accounts have been compromised and you need to send money to a ‘safe’ account. They are very clever and sophisticated and may already know certain information about the company before making the call, such as account or even debit/credit details. You may receive a fake call from your bank reporting suspicious activity or logins, or from your IT support claiming there’s a security threat on your device or wireless network.

“They’re incredibly convincing because they’ve always done their homework. It’s important to remain on guard.”

At this time of year especially, there’s an opportunity for criminals to exploit vulnerabilities. “As we head towards Christmas and people are on annual leave, there may be holes in terms of process – people stepping into roles and duties they don’t normally do. 

“There’s also a lot going on, plans to make, Christmas gifts to buy… The human aspect means we don’t always respond the same way to every single situation, and it just takes that one time for fraudsters to sneak in under the radar.”

This time of year can also put a lot of people under extreme financial pressure and stress which means they can be more vulnerable to fall victim to a fraud and scam. In some situations it can be a catalyst that leads employees into defrauding the company they work for by stealing stock, inventory or possibly creating fictious invoices and paying themselves.

Develop a common-sense mindset where you are in control. The Take Five campaign says:

• Stop: Taking a moment to stop and think before parting with your money or information could keep you safe.

• Challenge: Could it be fake? It’s OK to reject, refuse or ignore any requests. Only criminals will try to rush or panic you.

• Protect: Contact your bank immediately if you think you’ve fallen for a scam and report it to Action Fraud.

If you’ve been asked to do something that you did not request, then you always need to think about the worst-case scenario. 

“You can absolutely take five minutes just to gather your thoughts. ‘What’s the worst that could happen to me if I click on this link, or if I respond to this request for information?’” 

If something doesn’t feel right, use an official source such as your banking app to check it’s legitimate. “It’s human nature to comply or agree, not to appear rude, impolite or say no. And it can happen to anyone at any level.” So, take as long as you need to verify.

• Document your processes; verify requests. 

• Carry out ‘ethical phishing campaigns’, which test staff on their email use within your organisation.

• Give your people context and the bigger picture. This helps employees understand that what they’re doing is not an inconvenience, it’s to keep the organisation safe. 

• Encourage openness, so that staff know they can and should speak up, whether that’s to report a suspicious email, an unusual telephone call or clicking on a dodgy link. The sooner it’s reported, the quicker you can act.

• Make it easy, not daunting, for people to double-check. You should be able to ask a senior colleague whether they really did send that email. 

• Understand the basics of IT security and invest in layers of IT security relevant to your business. 

• Check whether your bank offers access to tools such as cyber-security detection and protection apps for home or business devices.