Fraud and cybersecurity risks continue to reach high levels across the manufacturing sector, but help is at hand.
According to the 2017/18 Kroll Annual Global Fraud & Risk Report, 86% of manufacturing executives reported that their companies fell victim to at least one instance of fraud over the past 12 months – 2% higher than the global average across all industry sectors.
Typically, a single case of fraud costs a UK business on average £57,000 with some individual cases in excess of £2m. As well as the financial implications, a case of fraud can cause reputational damage, disruption and impact on staff morale.
With advances in technology and changing legislations, educating management teams on how to minimise the risks of cybercrime and protect against fraud is vital to safeguarding manufacturing businesses.
So, how do fraudsters target manufacturing businesses?
Many cyber frauds start with a phishing email, which is specifically targeted to capture secure information or to trick the recipient into downloading malware by disguising it as a genuine email message.
These emails are often made to look like they’ve been sent by your bank and may contain hyperlinks to fake websites or attachments that install malware. Malware describes software which is deliberately designed to deceive a PC or its user.
It can allow a fraudster, for example, to secretly and remotely view information on a PC network or to capture keystrokes and passwords which could then be used to access a firm’s online bank accounts, as well as many other operations.
An instruction purporting to have originated from a senior official (e.g. CEO, Finance Director) requesting an urgent payment to a specified bank account. These instructions commonly replicate language, terms and phrases regularly used by the supposed sender and will often stress urgency and confidentiality to encourage the recipient to act quickly without asking questions.
Redirection of a payment intended for a genuine supplier/contractor. An instruction is received advising of a change of bank account, or a forged invoice which appears to be from a regular supplier/contractor is received requesting payment to a nominated account.
Vishing (Telephone Scam)
A call purporting to originate from a trusted source, often allegedly from the bank’s Fraud Department. The intention is to trick the call recipient into taking action under the misapprehension that it is required to protect the firm’s money.
This could be to download software allowing the attacker to take remote control of the computer, to disclose passwords or card-reader codes so the attacker can set up fraudulent payments, or to move money to accounts described as “safe” or “secure”.
Prevention is better than cure
Some practical steps that you can take to protect your business:
- Have a process in place to ensure that all payment instructions are confirmed, regardless of whether the instruction says it’s ‘urgent’ and/or ‘strictly confidential’. Refer to the sender, or to someone else in authority if the sender is unavailable.
- Do not rely on the email address appearing to be legitimate or the wording being familiar – fraudsters often intercept emails and modify the details contained within. Use other forms of communication to verify the details, e.g. phone or face to face.
- Authenticate any instruction to change details of a supplier/contractor, particularly if the notification is a change of beneficiary bank account number. Call the supplier/contractor on a number independently sourced e.g. supplier’s website.
- Have a process in place to validate that invoice requests are legitimate.
- Authenticate a call by calling the organisation back on an independently sourced number e.g. bank website.
- Never rely on the number appearing on your caller display as confirmation of the source of the call. These numbers are easy to “spoof.”
- Remind all staff that banks will never call to ask for full passwords, PINs or card-reader codes.
- Have dual authorisation set with your online banking provider to set up new payment instructions.
- Only download software from sources you trust. Be highly cautious if asked to download software from a caller that you’ve not authenticated.
- Raise awareness of these fraud attack methods with all staff and remind them of key messages on a regular basis.
- Implement a clear and documented procedure for payments e.g. dual authorisation.
- Review your internal controls and procedures to ensure you minimise the risk of fraud e.g. ring-fence employee access to data, review internet usage and consider restriction of some websites.
- Use a good quality anti-virus software suite, updating it regularly to ensure you are using the latest version.
- Don’t rely on a phone’s caller display to identify a caller, as fraudsters can make the phone’s incoming display show a genuine number.
- Never divulge online banking passwords or online banking secure codes to anyone on the telephone, or via email, even if you think it’s the Bank contacting you.
- Backup regularly, to a source that is independent of your network. This will enable machines and systems to be restored in the event of infection, without a significant impact.
- Regularly test your recovery process and, if you are targeted, retain the original cyber extortion emails. Maintain a timeline of the attack, recording the times, type and content of all contact, and report it to Action Fraud.
- Have a documented process for employees to follow which ensures that email requests to set up or amend payment details are verified as genuine. They should use known contact details other than email to make these checks, and apply the same caution to all payment-related emails from both external and internal sources.
- If you do identify that a fraudulent payment has been made, let your bank know immediately and then report it to Action Fraud.
Where to go to for more information:
- lloydsbank.com/fraud or www.bankofscotland.co.uk/fraud
Go deeper – learn more about the different types of fraud and how to protect your business by downloading the latest Lloyds Bank Fraud Risk brochure here.