I recently came across an interesting news bulletin from the Education and Skills Funding Agency (ESFA) about yet another phishing scam. ‘Here we go again’ I thought to myself. Reading it I hardly raised an eyebrow and was about to move on with my life when something struck me.
We’ve almost become immune to this type of electronic fraud. It’s been a long time since I was met with a puzzled look by someone who thought this type of scam referred to fly fishing. People just aren’t shocked by phishing scams anymore. And it’s not just phishing scams that are commonplace: there is a plethora of techniques used by the inventive fraudster, DDoS attacks, malware and ransomware to name but a few.
So, despite being so commonplace and publicised, why are we still falling victim to these scams? Am I wrong in my assumption that everyone is more aware these days? I don’t think so. The media reports the latest scams and countless bodies churn out endless information and alerts to keep us aware and informed. Action Fraud, the NCSC and CIFAS are some such organisations (check out their websites). It can’t be down to a lack of awareness.
The article actually circled around this topic. At the end of the day, it is about awareness and vigilance. If your staff (or you) are not being properly trained on how to spot a suspicious email and how to deal with it, then you will (and it is ‘will’, not ‘if’) fall victim to one of these scams. With so many variants, how up to date are you, your colleagues or employees with the latest techniques fraudsters are using? The ESFA bulletin described a technique whereby the fraudsters intercept a legitimate email trail and send their emails to the victims with the same header, so that the message appears to be a genuine continuation of the conversation and the recipient either trusts it outright or simply pays less attention to the details than they ordinarily would.
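The thread-hijacking technique described above can be caught with a simple check on the mail headers: a reply whose sender domain never appeared earlier in the conversation, or whose Reply-To points somewhere other than the From address, deserves a second look before anyone acts on it. The following is an added illustration, not code from the ESFA bulletin or from our fraud team; the thread, the addresses and the domain names are all constructed for the example.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed sample thread (headers only; not from the ESFA bulletin): two
# legitimate messages, then a "reply" that keeps the subject and In-Reply-To
# chain but comes from a lookalike domain and redirects replies elsewhere.
SAMPLE_THREAD = [
    "From: accounts@supplier-example.com\nTo: finance@school-example.org\n"
    "Subject: Invoice 1042\nMessage-ID: <1@supplier-example.com>\n",
    "From: finance@school-example.org\nTo: accounts@supplier-example.com\n"
    "Subject: RE: Invoice 1042\nMessage-ID: <2@school-example.org>\n"
    "In-Reply-To: <1@supplier-example.com>\n",
    "From: accounts@supplier-examp1e.com\nTo: finance@school-example.org\n"
    "Reply-To: accounts.supplier@webmail-example.net\n"
    "Subject: RE: Invoice 1042\nMessage-ID: <3@supplier-examp1e.com>\n"
    "In-Reply-To: <2@school-example.org>\n",
]

def addr_domain(header_value):
    """Lower-cased domain of a single address header ('' if absent/unparsable)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def flag_suspicious_replies(raw_messages):
    """Walk the thread in order. A reply (one carrying In-Reply-To) is flagged
    when its From domain has not appeared as a sender or recipient earlier in
    the thread, or when Reply-To points at a different domain than From.
    Returns a list of (message_id, reason) tuples."""
    seen_domains = set()
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        from_dom = addr_domain(msg.get("From"))
        mid = msg.get("Message-ID", "")
        if msg.get("In-Reply-To"):
            if from_dom not in seen_domains:
                findings.append((mid, "reply from domain not seen in thread: " + from_dom))
            reply_dom = addr_domain(msg.get("Reply-To"))
            if reply_dom and reply_dom != from_dom:
                findings.append((mid, "Reply-To domain differs from From: " + reply_dom))
        # Every sender and recipient so far counts as a known participant.
        seen_domains.add(from_dom)
        for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])):
            seen_domains.add(addr.rpartition("@")[2].lower())
    return findings

if __name__ == "__main__":
    for mid, reason in flag_suspicious_replies(SAMPLE_THREAD):
        print(mid, reason)
```

Run against the sample thread, only the third message is reported, once for the lookalike domain and once for the redirected Reply-To; the genuine reply from the school is not flagged because its domain was already a recipient in the first message.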
The ESFA, to their credit, have a specific mechanism for educational institutions who have become victims to report fraud or suspicious scams: a simple email address to send incidents to. It wasn’t long ago that Action Fraud was the only organisation you could report fraudulent emails to, but now an increasing number of bodies are taking the matter more seriously. Reporting is highly unlikely to get you your money back, as it’s almost impossible to trace the funds once they’ve left your account and fraudsters avoid leaving an audit trail. Reporting does, however, help with education and the analysis of the latest techniques. If you have fallen victim to any type of electronic scam, I would recommend you report it to your relevant body (if they allow for that) and/or Action Fraud, to inform and alert others.
Sharing your experiences, and the information you’ve received, with friends, family and colleagues is an effective way to help the people around you stay vigilant and safe.
So, aside from reporting, what can you do? I could write a book on this topic, but instead I will highlight three absolutely crucial steps that you should take.
If you’ve followed these steps, but still suffered an attack, you need to do them differently or more often! If you haven’t been a victim yet, that doesn’t mean it won’t happen. The key is to protect yourself as best you can. If you’re too difficult for the fraudsters to crack they’ll hopefully move on to easier targets (a harsh way to view things, but unfortunately that is the reality of the online world).
Talk about it
Make sure that fraud is talked about openly at home and at work, and that new information is actively shared. How about running a training/information-sharing session at work? Sign up to a fraud news alert today and read the bulletins that you receive. Our Fraud team’s Twitter page is set up specifically to send alerts from a variety of sources (@TheFraudbusters).
Consistent tone from the top
Leaders and management need to actively foster a culture of sharing information, training and vigilance. The example set at the top will permeate throughout an organisation and encourage all employees to take the topic seriously. Punishing your employees if they fall victim to fraud is counterproductive: people will avoid alerting the organisation to any breaches, which in turn increases the risks the organisation faces.
Robust banking controls
Ultimately, a scam is after either personal details or your money. At work and at home there are several simple steps and controls you can implement to ensure that erroneous payments are not made. In the office you should have separate people responsible for setting up payments and for authorising them. That second pair of eyes on the details should spot risky items, especially if the reviewer is checking the reports properly rather than approving on trust.
Our certified fraud examiners work with organisations in all sectors to help them identify any areas of weakness and make recommendations for regular and ad hoc training to keep everyone up to date.
If you or your organisation would like an in-depth review of your systems and controls for fraud prevention, or a one-off training workshop for your team, please contact us for a confidential discussion on how we can help your organisation develop a culture of openness and education and mitigate the risk of fraud.