The links in this bulletin lead away from the Opus Gold site. Opus Gold is not responsible for the accuracy of the information on any linked site.
Welcome to the latest edition of our Financial Crime Awareness Bulletin. This bulletin considers recent developments and trends in the Financial Crime sector and is designed to bring them to your attention. It is intended to draw your attention to key topics affecting the industry, highlight important issues and changes to legislation and re-emphasize the need to remain vigilant to the potential for you to be used as a conduit for financial crime.
Social Engineering Fraud
The threat of fraud and cyber-crime can seem difficult to combat, as the techniques used by fraudsters can be extremely complex. However, it is important to remember that most fraud and cyber-crime attacks depend heavily on human interaction. Fraudsters have long identified that the easiest way to breach an organisation's defences is to target its people, not its systems.
Social engineering refers to the psychological manipulation of people so that they perform actions or divulge confidential information. Fraudsters are usually looking for the victim to give up sensitive information such as login details, or to trick the victim into carrying out a fraudulent payment themselves.
Fraudsters in social engineering cases often have detailed knowledge of the company to enable them to build trust with their victim. They may be aware of regular payments that are due, or of the structure of teams within your company, enabling them to impersonate internal employees, regular suppliers, clients of your business and even bank employees.
In this bulletin we will cover five different types of social engineering fraud:
- Invoice Fraud and Email Scams
- Business email compromise Fraud
- Phishing
- Vishing
- Smishing
Invoice Fraud and Email Scam Case Study
A firm received a letter purporting to be from one of their customers explaining that their bank details had changed and that any future invoices should be paid to the specified beneficiary account. When the firm received a genuine invoice from their customer, they paid it to the fraudulent details. It only became apparent that it was fraud when the genuine customer called to ask why they had not received the funds. The genuine email had been intercepted, the bank details changed, and the email sent on.
Protecting your business against invoice fraud and email scams
- Make your employees, especially those who make payments, aware of this threat.
- Ensure any new or amended bank account details on an invoice or payment instruction (including templates and manual payments) are independently verified using details held on file, not those on the instruction, and read back the account details in full.
- Instruct employees with responsibility for paying invoices to check invoices for irregularities and escalate suspicions using a known contact.
- Consider setting up single points of contact with the companies / customers you pay regularly.
- Regularly conduct audits on your accounts.
- Remember, electronic payments in the UK are made based on sort code and account number only, and any account name given is not routinely checked. It is the responsibility of the remitter to ensure the account details being used are correct by conducting independent verification.
- We strongly recommend, as a minimum, dual approval for making payments and for administration changes, and the use of two separate machines for setting up and approving a transaction.
- Enable email filters to highlight and/or block external emails automatically. You can set up rules within your email application to identify and/or filter out emails from external domains. Alternatively, you can speak to your email provider to find out how you can do this.
Business Email Compromise Fraud
Business email compromise fraud is increasingly popular with cyber criminals as a way to steal money and information and to spread malware. It involves tricking the recipient of an email into transferring money into an account controlled by the criminals; a second objective is to get the recipient to click a malicious link aimed at stealing information or spreading malware.
Protecting your Business against Business Email Compromise Fraud
- Make your staff, particularly those who make and/or process payments, aware of this threat.
- Be cautious about the amount of information you reveal about yourself, your company and key officials via social media platforms and your company website, and regularly review your privacy settings. Fraudsters gather personal information about an employee, including out-of-office details, which enables them to assume that person's identity and make the email and payment instructions look genuine.
- Be on your guard for payment requests that are unexpected or irregular.
- Always check with the person you believe sent the email that it really came from them. If in any doubt, do not make the payment, however urgent it may seem. Ensure details of any new or amended payment instructions are independently verified using details held on file, not those on the instruction.
- We strongly recommend, as a minimum, dual approval for making payments and for administration changes, and the use of two separate machines for setting up and approving a transaction.
- Enable email filters to highlight and/or block external emails automatically. You can set up rules within your email application to identify and/or filter out emails from external domains. Alternatively, you can reach out to your email provider to find out how you can do this.
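The external-mail rule recommended in the invoice-fraud and business-email-compromise lists above can be expressed as a small filter. The following is an added example, not code from the bulletin or from Opus Gold: it parses a message with Python's standard `email` module, tags the subject of anything not sent from one of the organisation's own domains, and additionally flags a `Reply-To` header that points to a different domain from the sender, since that is where a reply (and any payment details sent back) would go. The domain list `ORG_DOMAINS` and both sample messages are constructed for the example.

```python
"""Tag external email and flag Reply-To mismatches (added example, not the bulletin's)."""
from email import message_from_string
from email.utils import parseaddr

# Assumption (constructed): the domains that belong to the organisation itself.
ORG_DOMAINS = {"example-firm.co.uk", "example-firm.com"}
EXTERNAL_TAG = "[EXTERNAL]"

# Constructed sample messages, not real mail.
INTERNAL_MAIL = """\
From: Accounts <accounts@example-firm.co.uk>
To: staff@example-firm.co.uk
Subject: Q3 supplier statement

Attached as usual.
"""

SUSPECT_MAIL = """\
From: Supplier Billing <billing@supplier-example.com>
Reply-To: billing@supplier-examp1e.net
To: accounts@example-firm.co.uk
Subject: Updated bank details for invoice 1042

Please use our new account for all future payments.
"""


def address_domain(header_value):
    """Lower-cased domain of the first address in a header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def classify(raw_message):
    """Decide whether a message is external and whether Reply-To diverges from From."""
    msg = message_from_string(raw_message)
    from_domain = address_domain(msg.get("From"))
    reply_domain = address_domain(msg.get("Reply-To"))
    return {
        "from_domain": from_domain,
        # Anything not sent from one of our own domains is external.
        "external": from_domain not in ORG_DOMAINS,
        # A Reply-To on another domain sends replies somewhere other than
        # the apparent sender, which is worth a warning to the reader.
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
    }


def tagged_subject(raw_message):
    """Return the Subject a mail rule would produce: external mail gets the prefix."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    if classify(raw_message)["external"] and not subject.startswith(EXTERNAL_TAG):
        return f"{EXTERNAL_TAG} {subject}"
    return subject


if __name__ == "__main__":
    for raw in (INTERNAL_MAIL, SUSPECT_MAIL):
        print(tagged_subject(raw), classify(raw))
```

In a mail client or gateway the same two checks are normally configured as rules rather than scripted, but the logic is identical: compare the sender's domain against a fixed list of your own domains, and never trust the display name on its own.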
Phishing
Phishing involves a fraudster, posing as a known organisation or sender, sending emails that aim to trick people into divulging sensitive information or transferring money into other accounts. The emails typically contain a link to a fake or compromised website, which will request that you enter financial or confidential information. Alternatively, the email may be designed to contain and deliver malware via an attachment or a link. If the link is clicked or the attachment is opened, the criminal will be able to gain access to your system.
Vishing
Vishing, or telephone scamming, involves a fraudster phoning a company in order to convince a member of staff to reveal sensitive company information or make a payment to cyber criminals.
Vishing Case Study
The accounts department at XYZ Ltd received a call from a representative of ‘the Barclays Fraud and Security team’ who explained to the accounts executive that their PC was infected with malware.
The accounts executive allowed the caller to remotely control the PC, and the screen went black. As the fraudster had visibility of the user's PC, he quoted genuine payments that had recently been made in order to gain the employee's confidence. The fraudster then advised that some of the legitimate payments had been held due to the virus alert and needed to be 're-released'. The fraudster then input five fraudulent payments (hidden from the view of the accounts executive) and asked the accounts executive to release the 'genuine' payments by entering his PIN details. By doing this, the employee had in fact released the payments to accounts controlled by fraudsters.
Smishing
Smishing is a type of phishing via text message where a fraudster targets a victim via a text purporting to be from their bank, in order to convince them to reveal sensitive information, transfer money into other accounts or install malware. As with vishing, details can be spoofed, so it can seem as if the texts are coming from a legitimate source and they can even be inserted into genuine text communications with the bank.
Protecting your Business against Phishing, Vishing and Smishing
- Do not assume a caller is genuine because they know information about you / your company or the telephone number looks familiar – fraudsters are skilled in collecting enough information and use technology to be convincing.
- If you are suspicious, terminate the call and call back using your usual contact number, and not the number provided by the caller.
- Never enter any personal or security information on a site accessed through a link in an email.
- Never click on links or open attachments in unexpected emails or from unknown sources. If you roll your mouse pointer over a link and the address shown differs from what is displayed in the email, or is different from the usual website that you use, do not follow the link. If you are unsure, contact the sender directly by a method other than email.
- We strongly recommend, as a minimum, dual approval for making payments and for administration changes, and the use of two separate machines for setting up and approving a transaction.
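The hover check above (does the link text match where the link really goes, and is the destination a site you normally use?) can be automated over an email's HTML body. The following is an added example, not code from the bulletin or from Opus Gold: it uses only the Python standard library to collect every anchor, compares a URL-looking display text with the real target host, and checks the target against a list of known sites. `KNOWN_HOSTS` and the sample HTML are constructed for the example; the second link in the sample is the lookalike case the bulletin describes.

```python
"""Compare a link's visible text with where it actually points (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (constructed): hosts the firm normally uses, e.g. its bank's portal.
KNOWN_HOSTS = {"www.examplebank.co.uk", "portal.supplier-example.com"}

# Constructed HTML body of an email; the second link is the lookalike case.
SAMPLE_EMAIL_HTML = """
<p>Your statement is ready. Log in at
<a href="https://www.examplebank.co.uk/login">www.examplebank.co.uk</a>.</p>
<p>Confirm your details here:
<a href="http://www.examplebank.co.uk.verify-example.net/login">www.examplebank.co.uk</a></p>
<p>Or <a href="https://portal.supplier-example.com/invoices">view your invoices</a>.</p>
"""


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL; bare text such as 'www.example.com/path' is accepted too."""
    value = url_or_text.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def looks_like_url(text):
    """Visible text that reads as an address, e.g. 'www.examplebank.co.uk'."""
    return bool(text) and " " not in text and "." in text.strip(".")


def check_links(html):
    """Return one finding per link, flagging the two cases the bulletin warns about."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.anchors:
        target = host_of(href)
        reasons = []
        # Case 1: the text shows one address but the link goes to another host.
        if looks_like_url(text) and host_of(text) != target:
            reasons.append("visible address differs from link target")
        # Case 2: the target is not a site we normally use.
        if target not in KNOWN_HOSTS:
            reasons.append("target host is not one we normally use")
        findings.append({"href": href, "text": text, "host": target,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL_HTML):
        print(finding)
```

Note that the lookalike host begins with the bank's real name; the check works because it compares whole hostnames rather than looking for the expected name anywhere in the address.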
Is Your Email Account Secure?
It is essential that you use a strong and separate password for your main email account; without this, you risk giving cybercriminals a wealth of information that could be used against you.
Research from UK General Insurance in partnership with Cyber Aware (https://www.cyberaware.gov.uk) reveals that people are storing sensitive information within their email accounts: 51% of people store e-receipts, which reveal purchase history and potentially card details. Storing this kind of information can be like 'gold dust' to criminals, who can use it to commit cybercrime, including making phishing emails more convincing by including personal information, or impersonating you or your friends and family.
Cyber Aware has released the following tips as part of its #OneReset awareness campaign:
- Use a strong, separate password for your email.
- A good way to create a strong and memorable password is to use three random words. Numbers and symbols can be used to make it stronger.
- Use words which are memorable to you, but not easy for other people to guess. Don't use words such as your child's name or favourite sports team, which are easy for people to guess by looking at your social media accounts, or simple substitutions like 'Pa55word!'.
- When available, you should use two-factor authentication (2FA) on your email account. It adds an extra layer of security, as it means your account can only be accessed on a device that you have already registered.
- Don’t use public Wi-Fi to transfer sensitive information such as card details.
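The two password points above (three random words are strong; 'Pa55word!'-style substitutions are not) can be shown concretely. The following is an added example, not code from the bulletin or from the Cyber Aware campaign: it generates a three-word passphrase with a cryptographically secure random choice, computes how many bits of guessing resistance the scheme gives for a word list of a given size, and checks a candidate password by undoing common character swaps before comparing it against a deny list. The word list, the deny list and the substitution table are constructed for the example and are far smaller than anything used in practice.

```python
"""Three-random-words passphrases and a substitution-aware deny-list check (added example)."""
import math
import re
import secrets

# Constructed word list for illustration; a real list has thousands of entries.
WORDLIST = ["harbour", "velvet", "kettle", "orbit", "lantern", "marble", "thistle", "anvil",
            "canyon", "pepper", "walrus", "cobalt", "fiddle", "meadow", "saddle", "tulip"]

# Constructed deny list: common passwords plus words guessable from a public
# profile (a team, a season). A real deployment would load a much larger list.
DENY_LIST = {"password", "letmein", "qwerty", "chelsea", "arsenal", "summer", "dragon"}

# Common character-for-letter swaps, undone before checking the deny list.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})


def three_random_words(sep=" "):
    """Pick three words with a CSPRNG, as the campaign recommends."""
    return sep.join(secrets.choice(WORDLIST) for _ in range(3))


def entropy_bits(n_words, wordlist_size):
    """Guessing entropy of n words drawn uniformly from a list of the given size."""
    return n_words * math.log2(wordlist_size)


def normalise(candidate):
    """Lower-case, undo the swaps above and drop anything left that is not a letter."""
    swapped = candidate.lower().translate(SUBSTITUTIONS)
    return re.sub(r"[^a-z]", "", swapped)


def is_guessable(candidate):
    """True if the normalised candidate contains a deny-listed word."""
    normalised = normalise(candidate)
    return any(word in normalised for word in DENY_LIST)


if __name__ == "__main__":
    print("suggested:", three_random_words())
    print("bits from this 16-word list:", entropy_bits(3, len(WORDLIST)))
    print("bits from a 7776-word list:", round(entropy_bits(3, 7776), 1))
    for pw in ("Pa55word!", "Ch3lsea2019", "harbour velvet kettle"):
        print(pw, "->", normalise(pw), "guessable" if is_guessable(pw) else "ok")
```

The entropy figures make the campaign's point in numbers: three words from a 16-word list give only 12 bits, while the same three words from a few-thousand-word list give close to 39, which is why the words must be random and the list must be large. The normalisation step is what catches 'Pa55word!': after swapping 5 for s and dropping the punctuation it is simply 'password'.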
Please ensure that you pass on these tips to your employees, friends, family and clients, so that they are aware and do not become a victim of cybercrime.
If you would like to know more about the further financial planning services we can offer, please email or call us to discuss:
London 020 7871 5387
Brighton 01273 457100
Horsham 01403 333666