The recent “Wannacry” cyber attack which disrupted organisations around the globe, including our own National Health Service, brings into focus the increasing risk of cyber attacks and cyber fraud facing businesses today. Businesses need to be alert to these risks and take steps to protect their own IT infrastructures.

Increasingly our clients operate online banking and bank payment facilities, and we have seen increasing instances over the past 12–18 months where cyber attacks are specifically targeted in this area, where there are weaknesses with general online security or computer systems, as well as online banking systems.

Some of the common areas where businesses should be “on guard” include the following:

• “Phishing” Emails – A number of businesses have suffered a fraud due to failure by employees to recognise an email/ notification which is in fact just a phishing email. Fraudsters will masquerade as the business’s bank and send emails asking for verification of certain account details. Unaware or uninitiated employees may well respond to such emails, thus putting the businesses’ whole internet banking facility at risk.
• Fake Emails – Here hackers enter into a business’s email system through malicious software, and, masquerading as the managing director or another responsible employee, issue instructions to the accounting staff to make payment to accounts which belong to the fraudster. This has been one of the frauds that is most commonly witnessed by our clients. As matter of prudence, we would suggest that the company instructs all personnel that on no account should any electronic payment be made only on the instructions from an email, or at least not unless verbally verified by discussion with the assumed sender of the email.
• Telephone Fraudsters – There have also been cases whereby employees have been “duped”, perhaps over a period of time, by a telephone caller. Here the caller, again masquerading as a bank representative, uses the phone conversations to build up a relationship, and over a period of time obtains details and information about the business’s bank account. Again, as a matter of prudence, we would suggest that all staff are educated as to the possibility for this type of fraud, and to ensure that only verified callers from the company’s bank are engaged in conversation, and only with authorised personnel at the company’s premises.
• Supplier Emails – As with fake emails we have also seen instances where hackers have masqueraded as a supplier, imitating the supplier’s details to send an email to instruct that future purchase payments should be made to a new bank account, of which they supply details. Thereby diverting payments to a false account which is subsequently drained. Again, we suggest a manual procedure, whereby supplier details (and in particular bank details) are never altered unless also verbally confirmed directly with the supplier.
• Updated Anti-Virus Software – Many banks operate their own form of anti-virus software in respect of which updates are periodically issued. It is vital that the business should activate these and always upload any updates to the anti-fraud software received from the bank. If nothing else, this will give not only a measure of protection, but will also provide more onus on the businesses’ bank should there be a fraud, and should the anti-fraud software not operate as it should.
• Authorisations – As with physical cheque authorisations, it is important that with any online system there should be two separate levels of authority before any form of payment can be made. This acts not only as a safeguard against employee error, but also against collusion between an employee and outside parties.

The above are just a sample of the more common problems that we have seen in recent times, but do give a flavour for some of the issues that you, as business owners, have to be alert to. We would recommend that, as a minimum, you compare the above points to your own procedures to ensure that these are sufficiently robust to protect the business’s online bank systems.

By David Johnson