Businesses are attractive targets for fraudsters at the best of times, but they’re even more at risk during an economic downturn.
There are already signs that 2023 will be a damaging period in this respect in the UK. In November 2022, Cifas, a not-for-profit provider of fraud prevention services, reported that the number of cases of fraud committed by employees against their firms had risen by 25% year on year. It suggested that the ongoing cost-of-living crisis was a factor pushing more “staff members into committing dishonest conduct”.
As trading conditions toughen, businesses tend to become more vulnerable to fraud, both internal and external. With their budgets shrinking, they may have less money to spend on keeping their security processes up to date, for instance, while job cuts may leave them understaffed in key areas.
“Business owners who are under financial pressure may also become more susceptible to fraudsters promising monetary gain,” notes Tina McKenzie, chair of UK policy and advocacy at the Federation of Small Businesses.
Know your enemy
To protect themselves properly, employers must first understand all the most prevalent forms of fraud so that they can train their staff to spot them, McKenzie advises. One of the most common is invoice fraud, where a criminal posing as a genuine supplier contacts a company and asks it to change the details of the bank account it uses to pay them.
In a similar vein are impersonation scams, where a fraudster contacts a firm pretending to be a trusted organisation such as a bank or HMRC – or even a senior figure inside the organisation – and convinces it to transfer money into another account.
There are several types of cyber fraud too, of course. They range from technologically sophisticated forms such as ransomware and distributed denial-of-service attacks to an enduringly popular set of methods that rely more on social engineering to deceive their victims: phishing.
Luke Beeson is group CISO at Aviva and chair of the Chartered Institute of Information Security, a standards body that monitors online fraud threats. He reports that phishing remains the most common class of fraud committed against businesses, which puts the onus on employees to serve as the first line of defence against it.
“The risk of a successful phishing attack will be much lower if they understand why it’s a threat, why they specifically might be targeted, what a phishing attempt looks like and what to do if they spot a suspicious email or link,” he says.
They will therefore require comprehensive awareness training, says Beeson, but he adds: “The message won’t sink in if you use too much cybersecurity jargon.”
How to fend off the fraudsters
Many of the fundamental safeguards should already be familiar to all employees. For instance, no one should ever let themselves be convinced by an unsolicited caller to share sensitive data, download software or allow remote access to their computer.
“A good general rule to follow is: don’t be rushed into doing anything,” McKenzie says. “Fraudsters will often try inducing a sense of urgency, as people in a panic are more likely to act out of character and share information they would usually know to keep private.”
Using strong passwords and changing them regularly is key, she adds, as is setting up two-factor authentication for log-ins into important sites.
Any business that fails to maintain such basic defences is putting itself at unnecessary risk. Yet companies must balance preventing fraud with maintaining a smooth customer experience, which isn’t always straightforward, notes Caitlin Sinclair, head of payment solutions at the London Stock Exchange Group.
Online shoppers have become so used to interacting seamlessly with etailers such as Amazon that any firm adding cumbersome security features to its website is likely to deter customers just as much as criminals, she warns.
“Consumers and SME users are increasingly basing their buying decisions on the process they have to navigate to make their purchases,” Sinclair says. “Businesses must therefore prioritise the design of their onboarding and verification processes to remain relevant.”
Updating fraud prevention for 2023
Sinclair adds that the security measures that firms adopt should vary according to their clientele. For instance, if you’re a company that caters mainly to “digitally native” consumers who are happy to interact with you via a smartphone app, then adding an ID verification process that uses biometrics and open banking should do the job. If your target market is less comfortable using such tech (and perhaps includes extremely wealthy people), then a different approach that offers easy access to human support is likely to work better.
It’s also important to remember that, while most cases of fraud against businesses are committed by outsiders, the threat of an inside job is very real – as the 2022 report from Cifas indicated. In cases of invoice fraud, for instance, it’s not uncommon for a senior employee in a trusted position to collude with the criminals. For this reason, firms must look carefully at their auditing processes and may want to consider digitising elements of procurement, including contracting, buying and invoicing.
If business fraud does indeed increase sharply this year, it will happen as trading conditions deteriorate for many companies. They must therefore act promptly to ensure that they are as well prepared as they can be for the coming challenges, McKenzie warns.
“A pinch of prevention is worth a pound of cure, especially when it’s all too easy for fraud losses to run into many thousands of pounds,” she says. “The hassle and heartache of falling victim to scams is the last thing that small firms need at the moment.”