Phishing scams – how are businesses tackling cyber fraud?

Summary

• Cybercrime is a growing threat to UK businesses as it has the potential to derail company operations and drain businesses of money due to ransom demands, penalties, and high customer turnover rates as a result of security breaches.
• Four in ten businesses (39%) report having cyber security breaches or attacks in 2021. Like previous years, this is higher among medium businesses (65%), large businesses (64%) and high-income charities (51%).
• The coronavirus pandemic created an optimum environment for fraudsters as employees worked from home and businesses embraced whole new digital infrastructures. This not only stretched resources but forced businesses to juggle priorities.
• According to Action Fraud, the national reporting centre for fraud and cybercrime, Covid-19 related fraud reports increased by 400% at the onset of the coronavirus pandemic in March 2020., including 200 reports of coronavirus-themed phishing emails.
• The recommendations put forward by the National Cyber Security Centre (NCSC) include taking a 4-layer approach to deter scammers, identify and report possible scams, protect your organisation and respond to incidents.

How prepared is your business?

Although phishing scams are prevalent in the corporate world, the repercussions of a phishing attempt are often underestimated by business owners.

Just three in ten businesses (31%) have a business continuity plan that covers cyber security and just a quarter of businesses (23%) have cyber security policies that cover home working.

As a business owner, it’s your duty to store customer data under lock and key (or appoint a data protection officer to oversee this) and take the necessary steps required to keep this information away from the prying hands of fraudsters. If you hold client money, a successful phishing scam could have a long-term detrimental impact on your business and tarnish your reputation.

How fraudsters catch their prey…

To protect your business against phishing attempts, you must educate staff on the different types of phishing scams that are common in the business world. This is vital as fraudsters know all too well that IT security has been ramped up, therefore the route through is manipulating or engineering your people so that they drop their guard to click on a link, open an attachment or worse, share access data.

Email phishing – A general non-personalised phishing email may arrive addressed from what appears to be a reputable organisation, such as a government body, entertainment provider or broadband supplier, requesting information or action from the recipient, such as opening an attachment or clicking on a link. The aim of such emails is either to extract personal information from the recipient or to install malware on their device allowing the cybercriminal access to the victim’s IT system.

Spear phishing is a type of email phishing whereby a personalised email is used to target a specific rank of employees at an organisation. Whaling is similar to spear phishing, although, emails are targeted at high-ranking individuals.

Phishing website – This is when a user is directed to a compromised web page, such as a website imitating a legitimate platform. Once they click on the page, the user may be locked out or a virus enters their system.
New data from Action Fraud, the national reporting centre for fraud and cybercrime, found that 20,144 people fell victim to scams where they were persuaded to grant criminals remote access to their devices. Victims reported losing a total of £57,790,384 – an average loss of £2,868 per victim.

How to recognise a phishing scam…

There are a number of red flags to watch out for within phishing emails including:

• Urgent or threatening language
• Poor use of English or grammatical errors
• An offer which is too good to be true
• Unexpected emails from sources that you have not previously interacted with
• Information mismatches
• Requests for sensitive information
• Unprofessional design
• Suspicious attachments

How to protect your business…

Human error has been identified as the biggest contributing factor to cybercrime; therefore, it is imperative that employees are given regularly updated training and information to help spot scams.

In addition, there are a number of actions that businesses can take to protect against cyber-attacks, such as:

1. Ensure cybersecurity is installed, up to date and fit for purpose.
2. Ensure access to remote desktop services is restricted to only those areas you want your employees to be able to access remotely, and that your employees are careful about logging on using public Wi-Fi access, which carries security risks. It is better to not use public Wi-Fi where possible.
3. Set password requirements and ensure passwords are changed regularly.
4. Educate employees on the dangers of clicking on links in emails.
5. Keep up to date with emerging cybersecurity threats.
6. Have a reaction plan to know what you would do and who would be in control of reacting to a cyber-related fraudulent event.
7. Ensure your IT system is backed up, and that backups are both encrypted and stored off-site. This will ensure minimal disruption to your business in the event of a cyber-attack.
8. It is also wise to ensure your business is insured against the losses that can be incurred as a result of a cyber-attack.

Conclusion

If your business falls victim to a phishing scam, you must follow these steps:

• Contact your bank to report an unauthorised fraudulent transaction, or report a scam
• Report to Action Fraud which is the UK’s central hub of fraud and cybercrime intelligence
• Report to your insurer to inform them of the crime which could result in a future claim
• Report to your professional body/association if there is a requirement to do so, such as the ICO (Information Commissioner’s Office), Prudential Regulation Authority (PRA), Financial Conduct Authority (FCA) or Care Quality Commission (CQC)
• Reach out for support if you require further help or wish to speak to other victims about your experience

If confidential data falls into the wrong hands and the breach is likely to result in a high risk to the rights and freedoms of individuals, you must inform the victims, such as employees, suppliers, or customers, directly without delay. Not only can this retain trust, but it can also provide you with an ideal opportunity to provide reassurances before the breach is made public.

Keith Tully is a partner at Real Business Rescue, part of Begbies Traynor Group. Real Business Rescue is dedicated to providing company restructuring and insolvency advice to company directors in financial distress, including those that have fallen victim to phishing scams and cyber fraud.

Should you suspect that you are a victim of fraud or other wrongdoing, please do not hesitate to get in touch at hello@tenetlaw.co.uk