SJP Law Solicitors in Hull and East Yorkshire

Protecting your business against workplace vulnerabilities and scams


Today's digitised business environment has undoubtedly presented huge opportunities for businesses. However, it is now easier than ever for criminals to exploit vulnerabilities which waste huge amounts of your time, damage your business's reputation and reduce your bottom line.

And these scams are not solely aimed at large, multi-national organisations or tech companies. In fact, the family-owned businesses and SMEs we look after are often seen as easier targets.

In the second of our series of articles, our E-Law and Cyber Services team highlights some of the more common issues we come across and offers some practical tips on what you can do about them. We also set out some suggestions of things to do if you are the victim of a scam.

The “Bogus Supplier” or “Bogus Boss” Scam

This is the most common successfully executed scam we have seen in recent months.

The scammer poses as one of your suppliers or senior staff members (usually in an email) to manipulate your employees into making payments to the scammer's bank account.

The fraudulent email will often convey a sense of urgency. It may also contain personal information about the supposed sender to make it more convincing - for example where that person is, perhaps on holiday or at a conference - which has been obtained from a source such as social media.

Similar emails have been sent notifying the recipient of a change of bank details - e.g. from the supplier's usual account to that of the scammer.

'Phishing' Scams

These involve the sending of fraudulent emails (again often purporting to be from a reputable source) to manipulate individuals into disclosing information to the scammer, or into opening an infected file which puts malicious software onto your IT system.

The days of these emails telling you that you have won the Azerbaijani lottery are long gone! Now the scammer may send a very convincing-looking email apparently from your bank or a professional body (HMRC, Companies House, etc.) requesting that you click a link, download a file, fill in some details, etc.

Ransomware & Spyware

These are types of malicious software commonly used by scammers. They are often introduced using the phishing scam mentioned above.

'Ransomware' has been in the news a lot recently - this denies you access to your files or IT system until a ransom is paid.

'Spyware' allows cyber criminals to obtain private information without your knowledge. The hidden software records your keystrokes or login details without you knowing and sends this to the scammers.

What should you do about this?

The scams mentioned above do not require the scammer to have any advanced or sophisticated technology - they simply exploit procedural weaknesses or information already in the public domain (often voluntarily put there by the potential victims themselves).

It is impossible to be 100% safe. But there are a number of practical measures that your business can take today to minimise its risk. And if you turn out to be a difficult target, chances are the scammers will look elsewhere.

Check/improve your current systems & procedures

Put in place systems to mitigate the likelihood of a scam being successful, such as:

  1. A procedure for verifying changes in payment instructions from vendors/suppliers - e.g. independently over the phone or via an established email address;
  2. Training finance team staff to be cautious of urgent or secretive requests;
  3. Limiting the number of employees within your business who have the authority to approve and/or conduct wire transfers;
  4. Requiring dual approval for certain wire transfer requests, e.g. those involving:
    • transfers above a specified value;
    • new trading partners, or new bank and/or account numbers for current trading partners; and/or
    • wire transfers to countries outside of your normal trading patterns; and
  5. Using an alternative (non-email) method of authentication to verify wire transfer requests that appear to come from executives.
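The controls in the list above, as an added example that is not part of the original article: a small Python check that flags which wire transfer requests need independent verification or dual approval before release. The value threshold, the list of normal trading countries, the vendor record and the requests are all assumed sample values.

```python
# Added example (not from the SJP Law article): applies the article's
# dual-approval and verification triggers to wire transfer requests.
# Threshold, country list, vendor record and requests are constructed samples.
from dataclasses import dataclass

DUAL_APPROVAL_THRESHOLD = 10_000.00      # assumed policy value
NORMAL_COUNTRIES = {"GB", "IE"}          # assumed normal trading pattern

@dataclass(frozen=True)
class Vendor:
    sort_code: str
    account: str
    country: str

@dataclass(frozen=True)
class TransferRequest:
    vendor: str
    sort_code: str
    account: str
    country: str
    amount: float
    channel: str            # how the request arrived: "email", "phone", "portal"
    from_executive: bool = False

# Constructed vendor master record, keyed by supplier name.
VENDORS = {
    "Acme Widgets Ltd": Vendor("40-00-00", "12345678", "GB"),
}

def review_request(req: TransferRequest, vendors=VENDORS) -> list[str]:
    """Return the controls a request triggers; an empty list means it is routine."""
    controls = []
    known = vendors.get(req.vendor)
    if known is None:
        controls.append("new trading partner: dual approval")
    elif (req.sort_code, req.account) != (known.sort_code, known.account):
        # A changed account is the 'bogus supplier' signature: confirm it on a
        # phone number already on file, never one quoted in the request itself.
        controls.append("changed bank details: independent verification + dual approval")
    if req.amount > DUAL_APPROVAL_THRESHOLD:
        controls.append("above value threshold: dual approval")
    if req.country not in NORMAL_COUNTRIES:
        controls.append("outside normal trading countries: dual approval")
    if req.from_executive and req.channel == "email":
        controls.append("executive request by email: confirm via non-email channel")
    return controls
```

A request that triggers no controls can follow the normal payment run; anything else is held until the listed checks are completed by someone other than the requester.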

You might also want to have an external cyber security expert test the robustness of your existing IT system and suggest improvements.

For businesses with valuable data, consider whether a secure daily backup should be created and taken off-site. This could limit the damage of a serious breach to the loss of one day's data.

Minimise your online presence

Be aware that information that you or your staff publish online or on social media (e.g. regarding your recent house move, imminent holiday or newly purchased car) can help a scammer to create a more convincing phishing email.

Set social media pages to privacy mode to restrict the number of people who can view your profile. Consider periodically reviewing the social media presence of your staff.

If you are a company director, is your residential address published on Companies House? If so, change it to your company's registered address. It is a simple process to make this change online - if you send us your company's webfiling code we will do this for you.

Implement a strong password policy

As tempting as it may be to use one simple password for numerous online accounts, doing so is risky.

Making your passwords more complex and implementing a policy whereby your employees adopt the same practice will reduce the risk of future problems.

The National Cyber Security Centre has recently published guidance on this which can be viewed here.

What to do if you are the victim of a scam

Clearly what you should do in response depends on the specific circumstances.

But the first thing is to act very quickly. Scams are often perpetrated on a Friday afternoon so that the victim does not find out, or cannot do much about it, until the following Monday, by which time the money is long gone. The faster the victim acts the better. It may be that your bank can stop the movement of the funds or, if they have only moved on once, still trace them. After that it becomes increasingly difficult to trace them.

You might want to:

  1. Inform your bank of the fraud;
  2. Contact your insurers or your insurance broker - do you have any cover? Is there anything the insurer requires you to do?
  3. Contact Action Fraud/the Police in the UK to report the crime;
  4. Consider whether you (or any agent you use) can contact the police in any relevant foreign jurisdiction;
  5. Run a full scan of your IT systems to make sure you have no (other) security breach. Has your supplier/agent/senior employee done the same? It may be that their system has been hacked;
  6. Keep all emails and documents relating to the fraud safe so they cannot be deleted;
  7. Consider using a private agency to trace and try to recover the funds;
  8. Put in place systems to mitigate the likelihood of another scam being successful (see the suggestions above);
  9. Update your terms and conditions of sale so that customers who are due to pay you must not make payments to any newly advised account details unless they have followed a designated procedure. Failure to follow this procedure will be deemed to constitute an invalid payment and that customer will still be liable to pay the full invoice value to you; and
  10. Have terms and conditions of purchase which say that any transmission of funds to an account whose details have been provided by the recipient will be deemed a full and valid payment regardless of whether the funds are received by the recipient.

If you would like further details or information on any of the points raised in this article, please contact us on 01482 324591 or email: info@sjplaw.co.uk

Philip Lewis-Ogden