Experts and small firms share some advice on how to avoid scams.
Limit the scope of responsibility
Lisa Forde, director, Dotty About Paper
When setting up my second firm, Tree of Hearts, we were contacted by an alleged grant company who offered to fund 50pc of our business if we put in the remainder ourselves and worked with a digital marketing agency to which they introduced us. We had to pay in advance and would receive our grant at a later date, but when I tried to contact the agency, I could not get through. I had been the victim of fraud.
It’s crucial to train staff to prevent such attacks from happening, so inform employees of potential dangers and how to avoid them. Hold awareness training days tailored to your market that go through the warning signs of fraud schemes, such as unusual financial transactions or suspicious behavior. You can then show them the procedures that you have in place to handle any scams, including where to report the information.
It’s also a good idea to create layers of protection for your business by breaking up duties between employees and providing limited access to sensitive data. Only give staff members the specific details that they need – this will limit the scope of responsibility and give you additional safety.
Set up a two-signatory policy
Edward Whittingham, managing director, Business Fraud
Identity theft is a huge risk area for small and medium-sized enterprises (SMEs), due to their personal information often being readily available on the internet via sources such as Companies House, online electoral rolls and even through social media websites like LinkedIn.
To prevent identity theft, SMEs need to think about how they currently share data, from determining what information needs to be shared and where, to ensuring that they keep login credentials secure and difficult to guess.
They should also keep an eye on online banking, because SMEs tend to have only one signatory to deal with it. This can potentially lead to fraudulent transactions or even simple, avoidable mistakes. Setting up a two-signatory policy ensures that all payments are sense-checked and helps to avoid fraudulent banking transactions, as well as ensuring that the individual responsible for banking is accountable.
Focus on email security
Tim Sadler, co-founder, Tessian
Relatively simple email phishing and whaling scams are far more likely to be the cause of fraud than anything more sophisticated.
Phishing scams are attempts to trick staff into giving out personal information – such as bank account numbers, passwords and credit card numbers – while whaling emails are designed to masquerade as a critical business email from a legitimate authority. It only takes a momentary lapse in concentration not to see the warning signs, so mitigate the chances that simple mistakes can escalate.
The best place to start is to educate your team to help them to understand when they could fall victim to fraudulent activity. Go through the simple checks, such as looking at who an email is from and not just the alias. Reiterate that organisations will rarely ask you to update or re-enter personal or bank details out of the blue. When in doubt, phone the organisation using the number on their website.
Finally, email autocomplete functions enable employees to mindlessly forward on or reply to fraudulent emails, so install double-check warnings that ask users whether they really want to send a suspicious-looking email.
Get an SSL certificate
Lili Piskunova, office director, Studio Mark Ruthven
In 2016, I received an email from a company that we work with asking when we intended to make a payment, which is not irregular. Shortly before we made it, we received another email from them saying that they had changed their bank details and asked for email confirmation when the payment was made.
We transferred the payment to the new bank account and fortunately, the studio owner made a call to the owner of the other business and mentioned that we had made the payment to their new account. That’s when it transpired that we had been victims of fraud.
We immediately called our bank, but it took more than two hours to speak to the right person. They froze the fraudster’s account immediately and we got our money back.
We increased our security regarding email addresses, not only to protect ourselves, but our clients and suppliers as well. We changed all of our passwords and put two-step verification on our email accounts, as well as purchasing an SSL certificate for our website, which enables secure information exchange between browsers and web servers.