How to help protect your business against impersonation fraud

Date: 10-07-2017

Tagged as: RiskCyber ThreatGameplanFraud

 

Fraud and cyber related fraud is on the rise, and all businesses are vulnerable. John Unsworth, CEO of the London Digital Security Centre and Martyn Rochelle, Senior Manager, Fraud Education and Control at Lloyds Bank, explain why business leaders need to take the threat seriously and how they can reduce their business exposure.

Impersonation fraud is on the rise in the UK and globally. Financial Fraud Action UK claims that "impersonation and deception scams continue to be one of the primary drivers behind business losses to financial fraud".1

In many cases, impersonation fraud takes place where a cyber security attack has occurred. The cyber breach allows fraudsters to conduct reconnaissance, research and harvest valuable information which is used to make their attack very convincing. 46 per cent of businesses identified at least one cyber security attack or breach in the last 12 months according to the Government’s Cyber Security Breaches Survey 2017.2

The two most common types of impersonation fraud attack targeting UK businesses are CEO fraud, where staff receive a payment instruction that purports to be from the CEO or C-suite executive, and invoice fraud, where staff receive new payment information from a fraudster disguised as a supplier.

Putting impersonation fraud on your radar

"Impersonation fraud is relatively straightforward to carry out," says John Unsworth. "It’s also fairly easy for businesses to mitigate the risk – but it needs to be on their radar. Protecting a business is in everyone’s interests. As CEO or MD, you’re responsible for its culture, reputation, expenditure and the bottom line – impersonation fraud is a simple way of undermining that."

Creating a culture of openness

"One of the main reasons impersonation fraud succeeds is due to the culture within a business," says Martyn Rochelle. "Fear of questioning an apparent direct order from the CEO can mean that money is paid without question. Or fear of admitting they may have been duped to click on a fraudulent link in an email can stop employees from reporting potential breaches.

"Money moves fast, so every minute matters – the sooner a fraud or malware breach is notified, the greater chance you have of preventing an attack or getting the money back. Business leaders need to foster a culture of openness, no-blame and awareness."

“One of the main reasons impersonation fraud succeeds is due to the culture within a business.”

Removing the opportunity for fraud

Tackling impersonation fraud requires a two-pronged attack, covering both culture and processes. For example, requiring dual-authorisation for payments, a clear chain of command and setting levels for access and limits for authorisation are all changes CEOs can effect within their organisation in order to help thwart the fraudsters. Regular staff training and testing also encourages ongoing awareness.

Fraudsters are organised and plan, often taking advantage of periods of change or busy times when staff may be stretched. "Time around bank holidays can be prime targets," says Martyn. "The government requirement for banks to ring fence accounts could also provide an opportunity. Many banks are changing customer sort codes and account numbers, so staff need to be aware of the processes to verify any changes suppliers request."

Ensuring processes keep pace with growth

"Creating and reviewing processes may not be exciting, but it is important," says John. "What we see, particularly in fast-growth business is that policies, processes and paperwork don't keep pace with an increase in staffing levels, suppliers, contractors and so on. That can leave businesses vulnerable."

Business disruption, loss of confidence, reputational damage, compromised cash flow and actual financial loss are all potential consequences of fraud. "A lot of businesses aren’t aware they've been hit," says John. "Many fraudsters will take relatively small amounts from a number of businesses so they're less likely to be caught, but we've also seen many businesses losing £20k, £50k and even much more, amounts that have the real potential to wipe out their working capital and maybe have catastrophic business outcomes."

How to reduce your risk

According to John, there are some simple steps businesses can take to reduce their exposure:

  1. Make staff aware of the cyber-security threat – and keep reminding them.
  2. Put controls in place – signatory limits or authorisation protocols, for example.
  3. Take Five – if something doesn’t look or feel right, ensure staff won’t feel pressurised to act.
  4. Verify everything – create processes where staff will check and refer requests to change beneficiaries or make out of the ordinary payments; a phone call to check can make all the difference.
  5. Train and test – undertake a false phishing exercise to test how staff respond.

"Business leaders set the tone for their company,” John remarks. “Our message is clear – take the threat seriously, raise awareness of how this fraud works, build controls into your processes and create a culture that encourages staff to question suspicious activity."

Article contributors: John Unsworth, CEO of London Digital Security Centre and Martyn Rochelle, Senior Manager, Fraud Education and Control at Lloyds Banking Group.

Impersonation fraud - our interactive guide

Below is an interactive guide on how to detect impersonation fraud. Please share it with anyone in your business involved in financial processes or administration to help protect your business from fraud.





Footnotes

  1. https://www.financialfraudaction.org.uk/news/2017/03/30/financial-fraud-data-for-2016-published/
  2. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/609186/Cyber_Security_Breaches_Survey_2017_main_report_PUBLIC.pdf

Useful Links

Back to top

Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.

Lloyds Bank plc Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone: 0207 626 1500.

Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority under Registration Number 119278.

We subscribe to The Lending Code; copies of the Code can be obtained from www.lendingstandardsboard.org.uk

Eligible deposits with us are protected by the Financial Services Compensation Scheme (FSCS). We are covered by the Financial Ombudsman Service (FOS). Please note that due to FSCS and FOS eligibility criteria not all Business customers will be covered.

Lloyds Banking Group includes companies using brands including Lloyds Bank, Halifax and Bank of Scotland and their associated companies. More information on Lloyds Banking Group can be found at www.lloydsbankinggroup.com