Businesses – it’s time to step-up the fight against the fraud pandemic

Although it feels like the world has pushed the pause button, sadly fraudsters and cyber-criminals have not.

Fraud may or may not be increasing - it is hard to tell - but it is clearly mutating as fraudsters are now taking advantage of the opportunities created by the current anxiety over Covid-19 and the new working conditions for most of the population.

What we are seeing: what frauds, scams and cyber threats are prevalent

Overall we have seen a rise in impersonation frauds, with fraudsters harvesting personal data, security credentials and infecting devices with malware.

We are also seeing fraudsters turn their attention to defrauding businesses. Many firms have now made the mass transition to home-working, and this might have led to a relaxation of anti-fraud controls - which fraudsters can and will take advantage of.

We are seeing a rise in what is known as Business Email Compromise (BEC). These are emails that appear to come from within the business, say from the CEO or finance Director, requesting urgent payment to be made and often claiming the company is at some sort of risk. The email header will be spoofed so it appears to come from within the company, and fraudsters will usually have done their homework by researching the name and position of senior people within the business.

The average loss from this type of fraud is £32,000, but some companies have been taken for millions.

We also know that fraudsters are masquerading as bona fide suppliers asking for bank details to be changed, or asking for payment of a recent purchase to a specific account. The fraudsters research the company and often the emails appear professional and legitimate.

If you don’t think it can happen to you, then think again. UK Finance reported that firms lost £82m last year to these type of scams.

We have also seen criminals impersonate HMRC offering bogus tax refunds and access to government grants and loans. Most are attempts to elicit a fee or obtain banking details of the company.

The latest scam we have seen is the HMRC Job Retention Scheme Phishing Email.  Business owners have recently been targeted by emails purporting to be from the Chief Executive of HMRC. Under the heading ‘HM Revenue & Customs’, the email asks for the bank account details of the recipient to assist them in making a claim through the Coronavirus Job Retention Scheme.

We have also seen the continuation of Tech Support scams. These are phone calls or emails purporting to come from an employee’s technical support function or from technology companies such as Microsoft or BT. These usually claim to be in relation to slow Wi-Fi or problems relating to malware that may have been downloaded. The ‘tech/IT support’ worker will ask permission to take over the computer through a software download, or ask for passwords. Individuals working on their own computers at home may be shamed by claims that malware has been downloaded after visiting a pornographic or gambling site, meaning the criminal is able to gain access to confidential information or bank accounts, or will charge a ransom to give back control of the computer.

This type of scam is likely to be more effective at the moment given that so many people are working remotely for long periods and may be having connectivity issues.

We have also seen a rise in ransomware attacks where cyber criminals seek to freeze out a whole company from its IT services – which we are now more reliant on. They ask for ransom, usually in bitcoin, in order to release systems from capture. I strongly recommend contacting the NCSC if you such an attack happens to your business.

Advice to businesses at this time

Heightened risk and relevant communication to staff about what frauds are circulating is crucial.

Cifas has created a webpage which includes a daily update of the intelligence we are receiving about new and emerging Covid-19 fraud. This is a public page on the Cifas website.

In all circumstances the advice is to STOP, CHALLENGE and PROTECT

• STOP: If you receive a request to make an urgent payment, change bank details of a supplier, or have a request to let your IT department or broadband provider access your computer. Take a moment to consider whether its genuine;
• CHALLENGE: Ask yourself, could it be a fake? Check with the supplier directly by phone on a number not on the email or communication you have received;
• PROTECT: If you believe you could have been defrauded then contact your bank immediately and report the incident to Action Fraud.

Remember fraudsters are practiced conmen. Don’t assume that everyone is always on their guard and could not fall for a scam. If you do find yourself a victim of a fraud, don’t hide it, report it to your bank and Action Fraud.