More than four out of five manufacturing executives fell victim to at least one instance of fraud over the past twelve months, according to a new report.
A single case of fraud costs a UK business £57,000 on average, with some individual cases exceeding £2m.
As well as the financial implications, a case of fraud can cause reputational damage, disruption and impact on staff morale, the 2017/18 Kroll Annual Global Fraud & Risk Report has shown.
With advances in technology and changing legislation, educating management teams on how to minimise the risks of cybercrime and protect against fraud is vital to safeguarding manufacturing businesses.
How do fraudsters target manufacturing businesses?
Phishing
Many cyber frauds start with a phishing email: a message disguised as genuine correspondence, often specifically targeted at the recipient, which is designed to capture confidential information such as login credentials or to trick the recipient into downloading malware.
These emails are often made to look as though they have been sent by your bank, and may contain hyperlinks to fake websites or attachments that install malware.
Malware is software deliberately designed to compromise a computer or its user.
It can, for example, allow a fraudster to secretly and remotely view information on the firm's network, or to capture keystrokes and passwords which can then be used to access the firm's online bank accounts, among many other things.
CEO Fraud
An instruction purporting to come from a senior official (e.g. the CEO or Finance Director) requesting an urgent payment to a specified bank account.
These instructions commonly replicate the language, terms and phrases regularly used by the supposed sender, and will often stress urgency and confidentiality to encourage the recipient to act quickly without asking questions.
Invoice Fraud
Redirection of a payment intended for a genuine supplier/contractor. Either an instruction is received advising of a change of bank account, or a forged invoice is received which appears to come from a regular supplier/contractor and requests payment to an account the fraudster controls.
Vishing (Telephone Scam)
A call purporting to come from a trusted source, often the bank's fraud department. The intention is to trick the recipient into taking action in the mistaken belief that it is needed to protect the firm's money.
This could mean downloading software that allows the attacker to take remote control of the computer, disclosing passwords or card-reader codes so that the attacker can set up fraudulent payments, or moving money to accounts described as "safe" or "secure".
Prevention is better than cure… Some practical steps that you can take to protect your business:
CEO Fraud
- Have a process in place to ensure that all payment instructions are confirmed, regardless of whether the instruction says it is 'urgent' and/or 'strictly confidential'. Confirm with the sender directly, or with someone else in authority if the sender is unavailable.
- Do not rely on the email address appearing legitimate or the wording being familiar: fraudsters often compromise or intercept email accounts and modify the details within genuine threads. Verify the details through another channel, e.g. by phone or face to face, using contact details you already hold rather than any given in the email.
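The sender checks above lend themselves to automated first-line triage before a human makes the verification call. The following script is an added example and is not part of the original article or of any product it refers to; the company domain, the executive list and the four sample messages are all constructed for illustration. It flags the indicators described under Phishing and CEO Fraud (an executive's display name on an address that is not theirs, a lookalike of your own domain in From or Reply-To, a Reply-To that diverges from From, and urgency or secrecy wording), and also the bank-detail change language typical of invoice fraud. None of these checks replaces the out-of-band verification the list calls for; an empty result means nothing obvious was found, not that the message is genuine.

```python
# Added example (not from the article): heuristic triage of inbound emails for
# the CEO-fraud and invoice-fraud patterns described above.  Domain, executive
# list and sample messages are constructed for illustration.
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-manufacturing.co.uk"  # assumed: your own domain
# Assumed: staff who may request payments, and the only address each may use.
EXECUTIVES = {"jane smith": "jane.smith@example-manufacturing.co.uk"}
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|today|confidential|"
                     r"do not (discuss|tell|mention))\b", re.I)
NEW_DETAILS = re.compile(r"\b(new|changed|updated)\s+(bank|account|payment)\b", re.I)


def osa_distance(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute/adjacent transposition cost 1);
    a distance of 1-2 from our own domain is how typosquats show up."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def _plain_text(msg) -> str:
    """Concatenate the text/plain parts (or the single body) of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def fraud_indicators(raw_email: str) -> list:
    """Indicators found in one RFC 822 message; [] means nothing obvious, not genuine."""
    msg = message_from_string(raw_email)
    name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].lower().rpartition("@")[2]
    flags = []
    # 1. A known executive's display name on an address that is not theirs.
    key = " ".join(name.lower().split())
    if key in EXECUTIVES and from_addr != EXECUTIVES[key]:
        flags.append("display-name spoof")
    # 2. From or Reply-To domain is a near miss of our own domain.
    for domain in dict.fromkeys([from_domain, reply_domain]):
        if domain and domain != COMPANY_DOMAIN and osa_distance(domain, COMPANY_DOMAIN) <= 2:
            flags.append("lookalike domain: " + domain)
    # 3. Replies would go somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        flags.append("reply-to mismatch")
    # 4. Pressure language and bank-detail changes in subject or body.
    text = msg.get("Subject", "") + "\n" + _plain_text(msg)
    if URGENCY.search(text):
        flags.append("urgency/secrecy language")
    if NEW_DETAILS.search(text):
        flags.append("bank detail change")
    return flags


# Constructed sample messages (ASCII only, not real correspondence).
SAMPLES = {
    "ceo_lookalike": """\
From: Jane Smith <jane.smith@example-manufacturing.co.uk>
Reply-To: jane.smith@example-manufacturlng.co.uk
Subject: Urgent and confidential

Are you at your desk? I need a supplier payment made today. Do not discuss this with anyone.
""",
    "ceo_displayname": """\
From: Jane Smith <jane.smith.ceo@freemail.example>
Subject: Quick favour

I am stuck in meetings all day. Can you arrange a payment for me today? Keep this between us.
""",
    "invoice_redirect": """\
From: Accounts <accounts@acme-castings.example>
Subject: Updated bank details for future invoices

Please note our new bank account details and use them for all payments from now on.
""",
    "genuine": """\
From: Jane Smith <jane.smith@example-manufacturing.co.uk>
Subject: Board pack draft

Attached is the draft board pack for next week. No action needed yet.
""",
}


def triage_samples() -> dict:
    """Run every sample through the checks: name -> list of indicators."""
    return {name: fraud_indicators(raw) for name, raw in SAMPLES.items()}
```

The lookalike check deliberately inspects the Reply-To domain as well as From, because the first sample shows the common pattern where the visible From is the executive's real address (trivially forged, since nothing here validates SPF or DKIM) and only the reply path leads to the fraudster's typosquatted domain. The edit-distance threshold of 2 and the keyword lists are tuning assumptions; in production they would be fed by your own domain list and reviewed for false positives before anything is auto-quarantined.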
Invoice Fraud
- Authenticate any instruction to change a supplier's/contractor's details, particularly if the notification is a change of beneficiary bank account. Call the supplier/contractor on a number sourced independently of the instruction, e.g. from the supplier's website or your existing records, never one quoted in the request itself.
- Have a process in place to validate that invoices are legitimate before they are paid, e.g. matching each invoice to a purchase order and to goods or services actually received.
Vishing
- Authenticate a call by calling the organisation back on an independently sourced number e.g. bank website.
- Never rely on the number appearing on your caller display as confirmation of the source of the call. These numbers are easy to “spoof.”
- Remind all staff that banks will never call to ask for full passwords, PINs or card-reader codes.
- Have dual authorisation set up with your online banking provider for creating new payment instructions, so that no single person can both set up and release a payment.
- Only download software from sources you trust. Be highly cautious if asked to download software from a caller that you’ve not authenticated.
General Advice
- Raise awareness of these fraud attack methods with all staff and remind them of key messages on a regular basis.
- Implement a clear and documented procedure for payments e.g. dual authorisation.
- Review your internal controls and procedures to ensure you minimise the risk of fraud e.g. ring-fence employee access to data, review internet usage and consider restriction of some websites.
- Use a good quality anti-virus suite and keep it updated, so that you are always running the latest version and detection signatures.
- Don’t rely on a phone’s caller display to identify a caller, as fraudsters can make the phone’s incoming display show a genuine number.