In the digital age any business is at greater risk of a cyber-attack. Cyber criminals don’t discriminate, and all businesses from FTSE 100 companies to sole traders are at risk of having confidential data stolen, being scammed or, even worse, being forced to stop operating, as in the recent attack on Jaguar Land Rover.
These attacks can be subtle, making them hard to spot.
Lurking in your email inbox
Fran Puddick spoke with PIB's cyber expert, Jason Ozin, on the latest trends and how to protect your health and wellbeing business from potential attacks.
According to Ozin, there is a new type of scam that fraudsters are using, called Business Email Compromise (BEC). Ozin describes BEC as, “Attackers infiltrating your email account, being able to see your emails and silently watch for a period, looking at invoices coming into the business and being paid out.
The cyber criminals then replace a genuine invoice with what looks like a genuine invoice but has different bank account details. Either you or your client can pay an invoice that is paid into the criminal’s bank account. This can end with everyone blaming everyone else!”
Unlike phishing, the attacker doesn’t ask you for information. By infiltrating your email account and its threads, they can delete existing emails and send near-identical ones with their own account details in place of the genuine ones.
How BEC works
In BEC, scammers will ask for money in two ways. According to Ozin, victims of such scams will, “receive a pretty believable invoice and then a follow-up email that appears to be from a colleague headed: ‘Urgent-please pay today.’ This sort of social pressure bypasses sensible checks. If your accounts team, or in smaller businesses, just you, aren’t protected by robust processes to validate payment details, then money moves, and can then easily, on occasion, end up in the hands of the fraudsters!”
What should you do to protect your practice?
So, what should you do in these instances? Ozin suggests that the first actionable step is to make a call to your supplier before you pay anything. “If an invoice comes from a new supplier, or even an existing supplier with ‘updated’ details… pause, take a breath.
“Call the supplier using a known number from your own records (definitely not from the email you’ve just had) and tell them you are doing a security check before paying their invoice. Ask them to state their account details (sort code and account number) verbally. No call-back, no payment.” Taking this step removes the urgency that typically catches people off guard: instead of reacting to the email, you follow a process that gives you the facts you need to make a sound decision.
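The call-back process described above is straightforward to turn into a payment gate for an accounts team. The following is an added example written for this article, not code from PIB or from Ozin: it keeps a supplier master record (name, the phone number from your own records, and verified bank details), holds any invoice from a new supplier or with bank details that differ from the record, flags urgency wording in the covering email as a warning, and only accepts new details once they were stated on a call placed to the number on file. The supplier names, phone numbers, sort codes and account numbers are constructed sample data.

```python
"""Payment gate for incoming invoices: verify bank details against a supplier
master record and release payment only after a call-back to a known number.
Added example for the article above; all supplier data below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SupplierRecord:
    name: str
    phone_on_file: str       # taken from our own records, never from an incoming email
    sort_code: str
    account_number: str


@dataclass
class Invoice:
    supplier: str
    sort_code: str
    account_number: str
    amount_gbp: float
    email_body: str          # text of the covering email, used only for urgency cues


@dataclass
class Assessment:
    decision: str                        # "PAY" or "HOLD"
    blocking: List[str] = field(default_factory=list)   # reasons a call-back is required
    warnings: List[str] = field(default_factory=list)   # signals worth noting, not blocking


# Wording typical of the "please pay today" follow-up email described in the article.
URGENCY_CUES = ("urgent", "pay today", "immediately", "asap")


def _digits(value: str) -> str:
    """Keep only digits so '12-34-56' and '123456' compare equal."""
    return "".join(ch for ch in value if ch.isdigit())


def _key(name: str) -> str:
    """Normalise a supplier name for lookup (case and spacing insensitive)."""
    return " ".join(name.lower().split())


def assess_invoice(inv: Invoice, master: Dict[str, SupplierRecord]) -> Assessment:
    """Decide whether an invoice may be paid without further checks.

    PAY only when the supplier is on file and the bank details match the
    verified record. A new supplier or 'updated' details always produce HOLD.
    """
    result = Assessment(decision="PAY")
    rec = master.get(_key(inv.supplier))
    if rec is None:
        result.blocking.append("new supplier: no verified record on file")
    elif (_digits(rec.sort_code) != _digits(inv.sort_code)
          or _digits(rec.account_number) != _digits(inv.account_number)):
        result.blocking.append("bank details differ from the verified record")
    if any(cue in inv.email_body.lower() for cue in URGENCY_CUES):
        # Social pressure is a signal to slow down, not proof of fraud on its own.
        result.warnings.append("urgency language in the covering email")
    if result.blocking:
        result.decision = "HOLD"
    return result


def confirm_by_callback(master: Dict[str, SupplierRecord], supplier: str,
                        number_dialled: str, stated_sort_code: str,
                        stated_account: str) -> bool:
    """Accept new bank details only if they were stated by the supplier on a call
    we placed to the number on file. A number taken from the email is refused,
    as is any supplier with no record (their number must be sourced independently)."""
    rec = master.get(_key(supplier))
    if rec is None or _digits(number_dialled) != _digits(rec.phone_on_file):
        return False                     # no verified call-back, no payment
    rec.sort_code = stated_sort_code
    rec.account_number = stated_account
    return True


def build_sample_master() -> Dict[str, SupplierRecord]:
    """Constructed master record for one existing supplier."""
    rec = SupplierRecord("Acme Physio Supplies", "01234 567890", "12-34-56", "12345678")
    return {_key(rec.name): rec}


# Constructed invoices: a genuine one, one with 'updated' details plus urgency
# pressure, and one from a supplier nobody has dealt with before.
SAMPLE_INVOICES = [
    Invoice("Acme Physio Supplies", "12-34-56", "12345678", 480.00,
            "Please find attached our invoice for September."),
    Invoice("Acme Physio Supplies", "12-34-56", "87654321", 480.00,
            "URGENT - please pay today, our bank details have changed."),
    Invoice("Wellness Consumables Ltd", "98-76-54", "11223344", 1250.00,
            "Invoice attached for your recent order."),
]


if __name__ == "__main__":
    master = build_sample_master()
    for inv in SAMPLE_INVOICES:
        a = assess_invoice(inv, master)
        print(f"{inv.supplier}: {a.decision} {a.blocking} {a.warnings}")
```

The master record is the only source of truth for where money goes; the email is treated purely as a request. Changing a record requires `confirm_by_callback` to succeed, and that function refuses any number that is not already on file, which is exactly the "known number from your own records" rule in the quote above.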
If something does go wrong, what should you do? Ozin advises the best thing to do is remain calm.
“Don’t panic. Disable the compromised account, rotate credentials, and revoke sessions. Preserve evidence (don’t wipe laptops!). Call your bank immediately if any money gets moved; the sooner the better.”
Final Takeaways
Ozin’s final takeaways for small and medium-sized businesses are to be proactive rather than reactive when it comes to cyber security. It is worth investing the time and effort in establishing policies for everyone to follow, regardless of how big or small your team is.
“Make the easy things mandatory: always use verified call-backs and Multi-Factor Authentication. These sorts of things can help prevent a financial loss occurring. Also, there are some brilliant, trusted resources out there for businesses.”
The National Cyber Security Centre has a great website that you can take a look at: https://www.ncsc.gov.uk/section/respond-recover/sole-small
“It even features a checklist tool, so you can work through how to protect your business, step by step. Also, you can get yourself Cyber Essentials certified. Doing so will guide you on security basics and provide some reassurance for your customers.”