Technology has transformed the way we live and work, but it can be a double-edged sword. While it continues to offer businesses enormous opportunities for efficiency and innovation, it also offers increasing opportunities for fraudsters to exploit it.
Here’s one example. When a motel owner was contacted by an overseas IT company seeking long-term accommodation for several staff while working on a project in New Zealand, they were over the moon. The booking was during their low season and the company even offered to pay in advance. After several emails confirming requirements, the IT company sent their credit card details for payment, advising that if the project went well there was the potential for significant further business.
Shortly afterwards, the IT company contacted the motelier to say the initial phase of the project had been reduced by a month (although they fully expected to be back later in the year), and asking the motelier to send a refund for one month’s accommodation by money order to an overseas bank. Eager to keep their new customer happy, the motelier obliged – and that was the last he ever heard from them.
Soon after, the police contacted the motel owner to tell them that the ‘IT company’ was a fraudster and the credit card used to pay for the accommodation had been stolen. The accommodation payment was reversed, and the motelier had effectively sent the fraudster a money order for several thousand dollars of their own money.
These days, no organisation can be complacent. Not even charities are safe. The New Zealand Herald recently reported on two New Zealand charities which were exposed to attacks. Fraudsters peppered the charities with thousands of attempts to submit fake donations from stolen credit cards, to test which cards could be used for subsequent online fraud. The result for the charities was a big headache - and many staff hours spent refunding the fraudulent payments and cleaning up the mess.
Balancing risk and reward
Fraudsters are manipulative and increasingly inventive. And as businesses become ever more dependent on technology, the already significant risk of electronic fraud is growing.
As with anything in business, there’s always a trade-off between risk and reward. The rewards of new technology can be very high, but the risks are often not well understood.
For example, the move towards cloud computing gives businesses much easier access to data and applications, with significantly reduced overheads. But it also requires you to put your enterprise data under the control of a third party to some extent – and that’s something that shouldn’t be undertaken without carrying out appropriate due diligence on the provider. If the provider is ‘hacked’ or goes out of business, you could lose access to your data, and the impact on your business could be catastrophic. Yet cloud computing, or outsourcing of IT functions, is often done with little or no analysis of the risks.
Of course, the potential for cyberfraud doesn’t just come from outside. You need to manage your internal risks as well. The potential for employee fraud has always existed within businesses and organisations, but technology has provided the potential to make it easier and more damaging.
For example, an employee who gains unauthorised access to your company’s payroll and financial systems can easily inflate their own timesheets, create a non-existent employee and pocket their ‘salary’, or change a vendor record to redirect an electronic payment to their own bank account.
Managing the risks
The good news is that while the risks of electronic fraud are real, they can be managed. Cybercrime is based on finding and exploiting weaknesses in your systems, so the key is to identify and remove those weaknesses.
While not all businesses will have the resources to implement a full Risk Management Strategy, they should at least consider developing a Technology Strategy to help identify risk areas in their technology systems and ensure their business is protected. There are some relatively simple things you can put in place to help identify and mitigate your IT risks - the list below is a good starting point.
Managing External Risks
▶ Install anti-virus software and keep it up to date – it’s one of the simplest and most effective measures you can take.
▶ Protect your passwords – make sure you and your staff change your passwords regularly.
▶ Educate your staff – keep your staff up to date on the risks and how to avoid them – for example, never opening an attachment or clicking a link in an email from someone you don’t know (it could download ‘malware’ onto your system which could give fraudsters access to bank account details or other sensitive information).
The Ministry of Consumer Affairs Scamwatch website (scamwatch.govt.nz/scams) has information on different types of scams and how to avoid them.
▶ Protect the entry points to your system – for example, do third parties like IT service providers have access to your systems? Understand the potential threat and put measures in place to manage it if necessary.
▶ Protect mobile devices too – mobile phones, iPads etc. are an increasingly important part of your technology setup, but they often don’t have the same level of protection. Using PINs, passwords, fingerprints etc. can help ensure fraudsters don’t get easy access to your system via mobile devices.
▶ Vet your suppliers – e.g. if you are using cloud computing, understand the security and contingency measures your provider has in place.
▶ Remember the golden rule - fraudsters understand very well that everyone loves getting something for nothing. But if it looks too good to be true, it almost certainly is.
Managing Internal Risks
▶ Give your staff only the access they need – for example, don’t give your salespeople access to your financial systems. Make sure system access is restricted to areas that are relevant to each staff member’s job role.
▶ Ensure you have reviews and checks in place to identify any potentially fraudulent or suspicious activity as early as possible – for example, in a small business the owner may review payroll or other major payments prior to processing.
▶ Don’t share logins and passwords – make sure for example that employees who need access to your online banking system are set up with separate access details. Educate and reinforce to your staff the need for security – e.g. leaving your password on a post-it note attached to your screen when you go on holiday is an invitation to fraud.
▶ Ensure segregation of duties – while this isn’t always possible in smaller businesses, ensuring more than one person is required to complete specific tasks is a key principle of internal control.
It’s also important to get good advice. BDO can help you understand where your business is currently exposed, and put measures in place to address your technology risks. If you’d like to find out more, contact us today.