Most SME leaders are well aware that fraud is a huge problem for UK businesses. Action Fraud says it received 37,541 reports of attacks on organisations in 2020 alone, with losses totalling almost £575m.

Cyber attacks on internal networks play a major part in this. But many company leaders may not realise that it’s the scamming of unwitting staff that most often leads to problems.

Social engineering, where criminals use psychological manipulation to dupe people into handing over sensitive company information or authorising dubious payments, plays an intrinsic role in 98% of all fraud cases, according to one estimate.

“It will have played a part in the defrauding of pretty much any SME we encounter,” adds Andy May, a fraud awareness analyst at the bank.

Playing on “panic mode”

Criminals often rely on broad-brush emails, text messages or phone calls to trick victims into revealing sensitive information. They’ll use a major news or cultural event that’s on everyone’s minds to create a request for a bogus charitable donation or an offer of insightful information. But the web links supplied in the message will lead to fake sites that ask for personal information that can then be used to steal an identity or bank account details, or to install malware or ransomware on a computer network.

“We’ve seen a lot of messages purporting to be from a ‘GOV.UK’ website offering things like details of lockdown rules,” says May. “The Covid-19 situation is changing all the time for businesses, and fraudsters know they want constant updates.”

Similarly, since the first lockdown commenced in March 2020, HMRC has detected 275 coronavirus-related financial scams, often promising businesses fictional new grants if they input their details.

Meanwhile, as the UK entered its second lockdown in November 2020, Action Fraud reported that the phenomenon of “clone firm” investment firm scams – where fraudsters use the details of genuine companies to set up fake firms that look like the real thing – had led to losses of £78m last year.

“These might target firms who have a high level of cash on account but aren’t currently earning interest on it,” says May. “Sometimes they offer the opportunity to invest in [fake] firms with strong links to the Far East that are supposedly doing relatively well post-Brexit.”

Exploiting the everyday

What is common to many of these scams is that they use social engineering to play on a victim’s desire to do something positive for themselves or for their business. Fraudsters stress that action needs to be taken urgently – an investment opportunity is limited to a few respondents, perhaps — to give their victims little time to question whether they are doing the right thing.

Scammers are also aware that remote workers, perhaps juggling their job with childcare and unable to ask colleagues on the next desk for a second opinion, may be more likely to let dubious requests slip through.

Sometimes criminals attach scams to a fairly mundane task in an employee’s routine, knowing they may do it without too much thought. It might be asking them to click on a link to confirm the delivery of a parcel, for instance. “Recently, we’ve seen ransomware based around services that allow remote workers to e-sign documents,” adds May.

Relying on trust

A little background research into a company or individual can personalise scams, making them more plausible to potential victims.

A common trick is to find out who a firm’s trusted, regular suppliers are, intercept invoices and send fake ones with different bank details in their place, so victims transfer funds to the criminals’ accounts instead of their normal suppliers.

They might also use a company’s website, LinkedIn or Facebook profiles to gather personal details about a senior leader within the business. “We often see cases where someone has pretended to be a CFO and asked staff to transfer money,” says a spokesman for the National Cyber Security Centre (NCSC). This line of attack can prove successful because, when asked to do something quickly by an authority figure, many employees will follow orders without question.

Company leaders aren’t immune to being duped. In 2019, the CEO of a UK energy firm transferred almost £200,000 to a scammer who posed as the head of his firm’s parent company, using artificial intelligence (AI) software to disguise his voice.

An engaging website, full of little personal details, and a strong social media presence can be very useful for SMEs to show potential clients who they are and what they’re about. But, notes the NCSC expert: “The more information you make available publicly, the easier you are for criminals to impersonate.” So if your online footprint goes beyond what is needed for your business to thrive, you need to scale back.

Businesses must also be vigilant to the risk of social media profile cloning. This technique sees fraudsters create a new account that closely replicates an existing social media account, down to the name and images used. Jake Moore, security specialist at ESET UK, suggests searching for your hashtags or doing a reverse image search in Google to see if your pictures or posts are appearing elsewhere.

Staff must also follow secure processes. This might include a protocol to double-check with a colleague or phone a new supplier who’s sent an email request before transferring money or releasing sensitive information. You might also choose to encrypt documents, such as invoices, before sending them to suppliers.

Encouraging staff to report incidents should they occur is also crucial. Cyber incidents can be difficult to spot, and mistakes do happen; make sure your staff know that they shouldn’t be afraid to report an incident, even if they have caused it. Timely reporting will help limit the potential damage to your business.

Above all, you need to instil what Andy May calls a “think twice” attitude. If your staff aren’t taking just a few minutes to scrutinise or check a third-party request before acting on it, they could be exposing the business to substantial losses. The NCSC’s Top Tips for Staff cyber-security training is a useful resource to help your staff get to grips with staying safe online, from how to defend against phishing through to reporting an incident.

SMEs with a small staff and a modest budget may have limited anti-fraud technology. But most firms could benefit from investing in a virtual private network (VPNs) for secure remote working or junk mail filters that screen out phishing emails from unsolicited senders.

Do you want to find out how to guard your business against fraud, scams and cybercrime?

You can register for our free fraud webinars here.