Fraudsters are becoming more sophisticated and dangerous. Within minutes, with the right information, they can cripple or even destroy a business. Like the vast majority of businesses across the UK, at Volcanic we've seen an increase in the number of 'grifter'-style fraud or security attack attempts on our own business - essentially an old-fashioned con, often carried out by telephone. We’ve implemented a comprehensive staff training programme to recognise fraud and prevent it from occurring.
Here are some top tips that we use to ensure our own team doesn’t fall prey to fraud:
1. Phishing scams
Beware of suspicious emails and phone calls and ensure all your staff are trained to spot fraud or malicious data theft attempts. A common case is a call or email from a bank - most people are aware of these but you still need to check.
Never give any details about anything to anyone - our rule is that if we don’t know the person personally or have a way to identify them by ringing a number we obtain, we don’t tell them anything.
2. Invoice fraud
We’ve seen a massive increase in the number of invoice fraud attempts. These invoices appear legitimate in every way: they come from known suppliers, look genuine and will even be for the right amount. But how do you know they are genuine?
I’ll give you an example. We attend tradeshows and the show organiser tells everyone that we will be attending. We then receive a phone call about electricity for the stand from the legitimate supplier. We confirm we want it, they send us an email with an invoice attached and online payment terms, and we pay. Well, guess what - there's no way to tell if that’s a fraud.
3. In between fraud
This is incredibly difficult to spot because the victim is unaware that the person they are talking to is a fraudster, who takes many months to nurture a relationship before striking.
I heard of an instance where a landlord and tenant both received emails informing each other of changes of circumstances and the fraudster sat in the middle exchanging emails (this went on for months where they built up trust). When the hacker was ready, they told the tenant that the bank account details had changed and then told the landlord about issues at the bank. They were then able to steal money for three months before the fraud was uncovered - but the money was gone and the tenant was liable.
- Consider how you would stop this fraud occurring.
- How do you know who you are talking to, even on the phone?
4. Overpayment scheme
A company sends a payment significantly higher than the owed amount and then asks for the funds to be returned. The sender's bank is usually located overseas, in Eastern Europe for example, and the initial payment is found to be fraudulent, often after the financial transfer has occurred due to time delays.
5. Merchandise that never arrives
This fraud occurs when a payment is sent but the goods and services ordered are never received; in other words, theft. This can happen on many different sites such as eBay or Amazon. Even if the seller appears legitimate, fraudsters can steal the identities of legitimate accounts.
Never pay directly into a bank account for goods. Instead use a credit card to protect yourself.
Recommended good practice
- Implement two-way matching: Raise a purchase order stating the amount and supplier, and subsequently only pay invoices that match the purchase order details - any discrepancies will require investigation.
- Train teams to improve their awareness of phishing tactics and fraud methods. This will help ensure employees are aware of what to look out for, and allow action to be taken early on in the process.
- Always obtain invoice approval from the relevant purchasing department.
- Monitor variances to budget - although a reactive check, it defends against malicious activity worsening over time.
- Ensure two people are involved in the payment approval process.
- For large, one-off payments, verify the bank account with your supplier.
- Provide remittances - this gives your supplier the opportunity to match payments to invoices and inform you of any discrepancy.
- Be wary of urgent payment requests from senior figures, and pay very close attention to email addresses in such instances - phishing often involves an element of pressure, both in terms of timing and position of power.
- Don't respond to requests to re-enter login details in a system other than the one they are used for.
- Limit publication of sensitive information on social media and in other content.
- Obtain at least two modes of confirmation for changes in billing details (verbal, letter or email), seeking verification from more than one contact.
- Verify credentials of new contacts, especially where payments are concerned.