The most destructive scams are largely avoidable.
What can business owners do to reduce their vulnerability?
The ACCC estimates that Australians lost over $2.7 billion in scams in 2023.
Yes, there are lots of vulnerable people out there, especially amongst the elderly, but it is business owners who are being hit for the largest chunks of money. How is this possible? You could be next.
Fraud by strangers. Fraud was once mostly committed by people you knew.
We have seen multiple successful attacks on our clients, colleagues and community. For very large sums of money. Smart, well-run, conservative businesses… stung by nasty attacks. Most of them were foreseeable and avoidable.
1. The “Change of Bank” trick
No, your supplier or real estate agent didn’t just change their bank account for payment, but your accounts payable staff think they did. They received an email or phone call explaining the change. And these bad guys are very convincing, write well, and speak like you and me.
And if you pay the fraudster instead of the correct payee, who suffers the loss? Whilst there may be mitigating circumstances, it may well be you. And these losses can be huge, probably uninsured, and often targeted at large ‘normal’ business payments.
Especially progress claims, trust account payments, capital equipment, loan payouts and so on. A lapse in security has enabled the fraudster to know about an upcoming payment.
In the last few years, we have seen several of these types of frauds. Each costing hundreds of thousands of dollars. Your well-meaning accounts staff accommodating supplier wishes.
How do you prevent this type of fraud? A simple procedure would kill off most attacks like this.
Make (and enforce) a policy that every notification of a change to client details (bank accounts, telephone numbers, email addresses) is accompanied by a verification telephone call, initiated by your people, to the payee organisation, using the telephone number and contacts already on your file… not the ones that came with the notification.
Never rely on an email. Never trust an inbound phone call. Your organisation must initiate the contact, independently confirm, and double-check any change to client files.
You need a culture of scepticism.
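The verification policy above, written out as a small approval gate. This is an added example, not code from the article or its author: it models a payee-detail change that is released only when our own staff made an outbound call to the phone number already on file and the payee confirmed. Every record, name, BSB and phone number in it is constructed.

```python
# Added example, not from the article: an approval gate that encodes the
# policy above. A payee-detail change is released only if OUR staff made an
# outbound verification call to the phone number ALREADY ON FILE, and the
# payee confirmed. All records, names and numbers below are constructed.
from dataclasses import dataclass
from typing import Optional


def normalise_phone(number: str) -> str:
    """Keep digits only so '03 9123 4567' and '0391234567' compare equal."""
    return "".join(ch for ch in number if ch.isdigit())


@dataclass
class PayeeRecord:
    """What accounts payable already holds for the supplier (constructed)."""
    name: str
    bsb: str
    account: str
    phone_on_file: str


@dataclass
class ChangeNotification:
    """The inbound request to change payment details, however it arrived."""
    payee: str
    new_bsb: str
    new_account: str
    channel: str                                  # "email" or "phone"
    phone_in_notification: Optional[str] = None   # number the sender asked us to call


@dataclass
class Callback:
    """Our record of the verification call."""
    made_by_us: bool        # True only if our staff dialled out
    number_dialled: str
    spoke_to: str
    confirmed: bool


def approve_change(record: PayeeRecord, note: ChangeNotification,
                   callback: Optional[Callback]) -> tuple:
    """Return (approved, reason). Every path that is not a clean pass rejects."""
    if note.payee != record.name:
        return False, "notification names a payee we do not hold on file"
    if callback is None:
        return False, "no independent verification call recorded"
    if not callback.made_by_us:
        return False, "verification must be an outbound call made by our staff"
    dialled = normalise_phone(callback.number_dialled)
    if note.phone_in_notification and dialled == normalise_phone(note.phone_in_notification):
        return False, "callback used the number supplied in the notification, not the one on file"
    if dialled != normalise_phone(record.phone_on_file):
        return False, "callback went to a number that is not on file for this payee"
    if not callback.confirmed:
        return False, f"payee contact {callback.spoke_to} did not confirm the change"
    return True, "change confirmed by outbound call to the number on file"


# Constructed scenario: an emailed 'new bank details' notice that helpfully
# supplies a phone number to call back on.
ON_FILE = PayeeRecord("Acme Joinery Pty Ltd", "000-000", "00000000", "03 9123 4567")
NOTICE = ChangeNotification("Acme Joinery Pty Ltd", "111-111", "11111111",
                            channel="email", phone_in_notification="0400 000 000")


def scenario_called_notice_number() -> tuple:
    """Staff rang the number in the email: whoever sent it answers and 'confirms'."""
    return approve_change(ON_FILE, NOTICE,
                          Callback(True, "0400 000 000", "Sam", confirmed=True))


def scenario_called_number_on_file() -> tuple:
    """Staff rang the number already on file; the real supplier denies the change."""
    return approve_change(ON_FILE, NOTICE,
                          Callback(True, "0391234567", "Accounts", confirmed=False))


def scenario_genuine_change() -> tuple:
    """Same procedure, but this time the real supplier confirms."""
    return approve_change(ON_FILE, NOTICE,
                          Callback(True, "03 9123 4567", "Accounts", confirmed=True))


if __name__ == "__main__":
    for fn in (scenario_called_notice_number, scenario_called_number_on_file, scenario_genuine_change):
        print(fn.__name__, fn())
```

The design point is that the gate never asks "did someone confirm?" but "did we ring the number we already trusted?"; a confirmation obtained on a number supplied by the notification is rejected outright, because that is exactly the channel the fraudster controls.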
2. The recycled password problem
There are a few of us who get annoyed at the vast number of online requests we get to set up an account and add a password. And there could well be a few of us who re-use common passwords repeatedly (I see you squirming).
Why is this a problem? After all, most of these are unimportant sites.
If one of those sites gets hacked (or their client lists get sold) then your login details (your email address and your re-used password) are available on the dark web. Unscrupulous operators can now use their computers to trawl sites to see which ones accept your email and password combination (so-called credential stuffing).
If they find a fit… they may be able to order in your name with the credit card you have on file with that supplier. And with the next supplier for which they find a fit.
Worse still, you may have possibly used the actual password and email combination that lets them into your email. They can now take their time to look for gems that might yield results as now they can impersonate you. They can discover a lot about your circumstances, finances and vulnerabilities.
One of your email contacts may soon think you have emailed them. From your real email address. And you will never know.
This happened to me 6 years ago and I came very close to losing a lot of my money. I won’t say exactly how they did it, but if it had gone wrong, the organisation that would have given my money away would have claimed that it was my fault.
So, what can you do to fix this problem?
Go online, subscribe and download an encrypted password manager (such as Keeper or LastPass) to your phone (and to your computer, but only if the computer has face or fingerprint recognition). You then only need to remember one complex master password (or write it down and keep it in a very safe place). Immediately change the passwords for your most important accounts (mail, mobile, banking, internet, Wi-Fi, social) to a unique, complex, new password. Each account gets its own unique password.
Then, progressively change every one of your other passwords to a unique complex password generated by the app. This might take a little time (you will still find more of the old ones in 2 years’ time) but at least they will all be in the one place and the app will populate these fields when you revisit the same sites.
In a year or two, you will realise that you probably have a few hundred (now unique) passwords. Your password manager will probably also tell you which of your old passwords have been compromised in the past. You will be shocked.
3. Authenticate that it is really you?
How can you be sure that no other person can access sites as you? Is there any process that makes it hard to fraudulently impersonate you? Passwords only provide the first layer of protection.
Authentication is the key: something you know (your password), something you have (your phone) and something unique to you (your face, your fingerprint).
Two-factor (also called multi-factor) authentication adds another layer of protection over passwords alone. Most banks now require you to authenticate a proposed transaction (especially one to a new payee). This can be as simple as an SMS to your mobile, but where an authenticator app (such as 2FAS, Google Authenticator or Microsoft Authenticator) can be used, it provides an even higher level of protection. Some banks (like Macquarie) even have their own authenticator app.
SMS authentication has been compromised in the past where fraudsters have had SIMs swapped directly with mobile phone carriers. That is probably more difficult now, but it shows the limitations of this technique.
An authenticator app requires you to authenticate yourself biometrically (face recognition, for example) and then approve the payment or the login. Many sites (especially high-risk ones) let you choose to activate this authentication, and it gives you much greater protection. Work out which of your accounts are the most vulnerable and activate authentication there first.
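For readers who want to see what the six-digit code in an authenticator app actually is, here is an added example (not from the article, and not any particular app's or bank's code) of the standard behind those apps, HOTP (RFC 4226) and TOTP (RFC 6238), together with the checks a service should apply when it receives a code: a constant-time comparison, a small clock-drift window, and a refusal to accept the same code twice. The shared secret is the RFC 6238 test value, not a real enrolment secret.

```python
# Added example, not from the article: how an authenticator app's code is
# produced (RFC 4226 HOTP / RFC 6238 TOTP) and how the service side should
# check it. The shared secret is the RFC 6238 test value; in practice the app
# stores one generated at enrolment (see new_enrolment_secret).
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of 30-second steps since the epoch."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def new_enrolment_secret() -> str:
    """What the enrolment QR code carries: 160 random bits, base32 for the app."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def secret_from_base32(text: str) -> bytes:
    """Reverse of the above, tolerant of the spaces apps show when typing it in."""
    return base64.b32decode(text.strip().replace(" ", "").upper())


class TotpVerifier:
    """Server-side check of a submitted code for one enrolled user."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1  # highest counter already accepted; blocks replay

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        if at is None:
            at = time.time()
        now = int(at) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue  # already used, or older than one we accepted (RFC 6238 resync rule)
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):  # no timing leak on near-misses
                self.last_counter = counter
                return True
        return False


RFC_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B test secret, not a real one


def demo() -> list:
    """Accept a fresh code, refuse its replay, refuse a wrong code (constructed)."""
    v = TotpVerifier(RFC_SECRET, digits=8)
    return [
        v.verify(totp(RFC_SECRET, at=59, digits=8), at=59),   # True
        v.verify(totp(RFC_SECRET, at=59, digits=8), at=59),   # False: replay
        v.verify("12345678", at=59),                           # False: wrong code
    ]


if __name__ == "__main__":
    print(totp(RFC_SECRET, at=59, digits=8), demo(), new_enrolment_secret())
```

Note what the code does and does not protect: the secret never leaves the phone and the service, so a password leaked from some other site is useless on its own, and a code that has already been accepted cannot be presented again. The phone's face or fingerprint lock protects the secret on the device; the protocol itself knows nothing about biometrics.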
4. Change your passwords
Do your people systematically and regularly change their passwords? Are they required to use complex passwords? How are they expected to remember a complex password without a password manager? Have they written down their password somewhere silly?
Do you have an unauthorised access vulnerability?
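Sections 2 and 4 both describe the audit a password manager does for you: which passwords are reused, which have already turned up in a breach, which are weak, and which have not been changed in a long time. The block below is an added example of that audit, not code from the article or from any password manager, run against a constructed CSV vault export so it works offline. Every account, password and date in it is made up, and the "breach corpus" is a three-entry stand-in (a real tool would query a breach service such as Have I Been Pwned, sending only a hash prefix).

```python
# Added example, not from the article: the audit a password manager runs over
# a vault, against a constructed CSV export (account,username,password,last_changed).
# Reports reuse, breached entries, weak entries and stale entries, and generates
# replacements with the `secrets` module. All data below is constructed.
import csv
import hashlib
import io
import secrets
import string
from collections import defaultdict
from datetime import date

VAULT_CSV = """account,username,password,last_changed
bank,owner@example.com,Summer2019!,2019-03-01
email,owner@example.com,Summer2019!,2019-03-01
forum,owner@example.com,Summer2019!,2018-11-20
supplier-portal,owner@example.com,hunter2,2021-06-15
social,owner@example.com,Xq7#mVp2!rLz9$wQ4bNt,2024-01-10
"""


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


# Constructed stand-in for a breached-password corpus, keyed by SHA-1 as HIBP is.
BREACHED = {sha1_hex(p) for p in ("hunter2", "password", "123456")}


def load_vault(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def is_weak(password: str, min_len: int = 14) -> bool:
    """Weak if short, or if it draws on fewer than three character classes."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    return len(password) < min_len or classes < 3


def generate_password(length: int = 20) -> str:
    """Unique, random replacement; loops until it passes is_weak()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not is_weak(candidate):
            return candidate


def audit(text: str, today: date, max_age_days: int = 365) -> dict:
    """Return {finding: set of account names} for the four findings above."""
    rows = load_vault(text)
    by_hash = defaultdict(set)   # group by hash, so plaintext is never a dict key
    for r in rows:
        by_hash[sha1_hex(r["password"])].add(r["account"])
    reused = set().union(*(accts for accts in by_hash.values() if len(accts) > 1))
    breached = {r["account"] for r in rows if sha1_hex(r["password"]) in BREACHED}
    weak = {r["account"] for r in rows if is_weak(r["password"])}
    stale = {r["account"] for r in rows
             if (today - date.fromisoformat(r["last_changed"])).days > max_age_days}
    return {"reused": reused, "breached": breached, "weak": weak, "stale": stale}


def demo_report() -> dict:
    """Audit the constructed vault as at a fixed, constructed date."""
    return audit(VAULT_CSV, date(2024, 6, 1))


if __name__ == "__main__":
    for finding, accounts in demo_report().items():
        print(f"{finding:9} {sorted(accounts)}")
    print("replacement:", generate_password())
```

The reuse check is the one that matters most for the credential-stuffing scenario in section 2: one short password shared across the bank, the mailbox and a forum means a breach of the forum exposes the other two. The stale check answers section 4's question about systematic changes, and the generator is what "a unique complex password generated by the app" looks like under the hood.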
5. Never trust an email
Whether sending or receiving. Incoming emails may be compromised, and the purported genuine sender has no idea. You may be asked to rely on information that may be altered but seems genuine because it relates to facts that you or your people know about… such as an impending transaction.
Outbound emails should never contain financial or confidential information. If it is necessary to send this, encrypt the data first. Or store it in a safe place in the cloud and communicate the password via a safe means. Obviously, not email.
6. Education & Cyber Review
Explore educational material or podcasts and run training sessions with all your people to help them understand potential areas of attack. It will help your business, and of course, help protect your people from personal attacks.
Make this a regular and ongoing part of training.
In our business, our IT contractor drives this training process and reports on compliance and the effectiveness of the training. They also undertake a periodic review of our firm’s IT security.
7. Need more info?
A little care and effort can make all the difference. There are very sophisticated, clever and organised criminals out there looking at you and me right now. We are all at risk and need to take steps to protect ourselves.
Check these sites:
<Australian Signals Directorate>
(Federal Government resource centre for business owners to understand and manage cyber security)
<Fraud & Corruption Training>
(Commonwealth Fraud Prevention Centre)
<Anatomy of a Scam>
(Crimestoppers and BankVic Podcast series)
Chris Alp