Why do fraudsters target SMEs?
by David O'Brien Nov 13 2017
As a small business owner, you may not have it at the top of your list of priorities, but you shouldn't underestimate how vulnerable SMEs are to a potential online fraud attack.
SME owners are easy targets and you only have to read on to see why.
Who are online fraudsters looking to target?
- Someone who does lots of financial transactions so a request for payment will not seem unusual
- Someone who is busy and won’t be concentrating on the details
- Someone who is not expert enough to keep up to date with cyber security measures
- Someone who will at times have large amounts of money in an online account
In “vishing” scams, the fraudsters piece together a profile of a company and individual employees to establish credibility. By taking information from your website and then adding information gathered on calls, they create a convincing script.
For example, if they phone and find out that “Jenny in Accounts is on holiday until next week”, they can phone the next day and say “I usually speak to Jenny but I know she is on holiday until Monday, she said someone would be able to help me with this payment”. At this time of year, holiday dates can also be gathered from Facebook and Twitter accounts.
Don’t think the fraudsters won’t go to all that trouble!
There are companies set up in other countries whose business is fraud. They recruit graduates, have big offices, business plans, targets, bonuses. The main difference between them and your business is how they make their profits.
The fraudsters go to great lengths to create authenticity: there may be call centre noise in the background and they may record your bank’s recorded telephone message and play it to you when you call them back. Then they look to create a sense of urgency, maybe by saying they have detected a suspicious transaction and “We have put your account on hold until the matter is sorted, so you won’t be able to have any payments leave your account”.
If this is at the end of the month when wages and invoices are due, the business owner or Finance Manager may be desperate to sort the problem out and this reduces rational thinking.
The most common passwords can be hacked in seconds. The most common one (123456) will be hacked in 0.4 seconds. Changing to !!123456!! means it would take a year to hack.
How to protect your business from fraudsters:
- Make your staff aware of the dangers and make sure they are alert at all times. Tell them the 25 most common passwords and see whose face goes red.
- Review your processes. Or write some processes if you haven’t got round to it yet.
- Do an audit of where you are vulnerable. The government’s Cyber Essentials website is a good place to start.
- Make sure you back up your data and make sure your backup is actually working and the data can be restored – before you need it!
- Make sure you have paid anti-virus software and that it is up to date.
- Make sure you are on the latest patch of your software. For example, whatbrowser.org will tell you if you are on the latest version of your web browser. A big factor in the recent NHS ransomware attack was the large number of NHS PCs still using Windows XP, which hasn’t been a supported version since 2014.
- Be careful of what personal information you release. In addition to Facebook and Twitter posts telling the world that the MD is in the Bahamas for the next fortnight, an Out Of Office email may announce that the FD will be on annual leave until 29th August – a gift for fraudsters.
- Trust your instincts. If something sounds suspicious, put the phone down and phone a number that you know already (not a special one provided by the fraudster) to check authenticity. Any bank will be happy to provide confirmation.
- Finally, if you are a victim, report any fraud immediately to the police and your bank. You may be embarrassed to have been fooled, but you can help prevent anyone else getting caught by the same scam.
Some email scams use requests which look like they are internal emails, maybe the MD or FD asking you to make a payment because they don’t have time. Think: does this seem out of the ordinary or out of character? One recent fraud was detected because the email purporting to be from the MD was too polite!
If the idea of taking control of your cyber security seems too difficult, technical or time-consuming, there are plenty of local IT specialist companies across the country who will be happy to partner with you and put your IT house in order. The time to act is now – before you have a problem. It might even be the start of a great local partnership.