While it might seem everything has changed, much still stays the same. That includes the things we’d rather see go away, like the fact that there are people out there who will always try to cut corners and do the dishonest thing to get ahead, including through cyber attacks and fraud.
The bad news is that this type of behaviour has increased during this pandemic. The good news is that putting yourself in a strong position to defend yourself only takes a few quick, easy steps:
Understand the risk
The first and most effective line of defense against online security threats is understanding the risk.
With many more people working from home now, the opportunity to exploit weaknesses in technology systems has risen – and so have cyber attacks. From Lion Nathan to Toll and Honda, businesses across the world have found themselves being taken offline and rendered unable to do business by sudden attacks.
So much so that the Australian government is talking about introducing new cyber protection standards for all businesses.
Fraud a longtime foe
Even before the pandemic, fraud of various kinds was a threat for small businesses. In fact, it was recently revealed by the ACCC that over the past decade, financial scams have cost Australians $2.5 billion in losses.
Recent research shows that business email compromise scams caused Australian businesses the most loss of any type of scam in the past decade. In 2019 alone, business email compromise scams cost $130 million, up 120 per cent over the previous year. Small and micro businesses reported more scams than medium and large-sized businesses.
Losses averaged $11,000, with businesses reporting scammers impersonating senior managers, staff and suppliers while demanding payment of fake invoices.
As small businesses look towards post-pandemic recovery, turning awareness of these risks into defensive measures is important.
Taking necessary steps to protect your business from these malicious attacks may seem like the last thing on your mind right now, but there’s good reason to move it up your priority list. An attack that leaves you out of pocket – or forced to temporarily suspend operations – could be even more damaging in these uncertain economic times.
Bring staff up to speed that risk is their responsibility too
If they’re educated on the most common tricks scammers use to take advantage of small businesses, you’ll go a long way in making sure your company doesn’t become a victim. So, building a culture of cyber awareness and responsibility is key.
How does a business email compromise scam – otherwise known as invoice fraud – work, exactly? And how can you defend your business? Fortunately, knowing the answer to the first question helps with the second.
- A scammer hacks a staff member’s email then sends out invoices to customers. That email includes a real invoice but with payment details adjusted so that the cash paid goes to the criminal, not the real supplier. You or your customers could be on the receiving end of one of these.
- A scammer impersonates a staff member’s email address then sends out invoices to customers. The email includes a fake invoice and payment details that see any cash paid go to the criminal. Again, you or your customers could be on the receiving end of one of these.
The Australian Cyber Security Centre (ACSC) advises companies to encourage staff to keep an eye out for the following warning signs to avoid being on the receiving end of a business email compromise scam:
- An unexpected email. Did the email come from a supplier you haven’t used in a while, or did the amount seem unusual?
- An unlikely sender. Did the email come from someone in your supplier’s business that you wouldn’t normally expect to send a payment request, like a CEO?
- A rounded amount. Scammers will often send fake invoices with rounded amounts, so suppliers with a high percentage of rounded-amount invoices should be closely checked.
- New payment details. Are they asking for you to send the payment to a new bank account?
If you or your staff notice any of these red flags, it’s time to double check if the request is legitimate. Make a phone call to the company that sent the invoice to confirm. Don’t reply via email, as it’s highly likely the account is still compromised and being monitored.
As a business you can also protect yourself by setting up dual authorisations for payments, so two people must always confirm when money is going to leave your business.
To avoid being one of those businesses that is hacked and becomes an unwanted sender of fraudulent invoices, you’ll need to reduce the chances of your staff’s email accounts being compromised by cyber criminals:
- Encourage staff to choose strong passwords and never share their credentials. The Australian Signals Directorate has a handy guide on how to choose a strong password.
- Let staff know that they should never click on suspicious looking links or attachments in emails.
Get tech on your team
Just as cyber criminals use technology to their advantage, getting tech on your side is a key line of defense for your business too.
Many of the ways you can further protect your business are already available within your existing systems and just need to be enabled:
- Ensure your software and operating systems are up to date. Turn on automatic updates.
- Back up your business data regularly.
- Enable multi-factor authentication wherever possible.
- Ensure staff are aware they must allow software and operating system updates to occur.
Other tech that can support a strong cyber posture includes fraud detection software, with its features like email filtering, firewalls and regular server/end-user device patching.
Automating accounts payable with cloud accounting software will also ensure you and your staff have far less chance to let any invoice fraud slip through the cracks.
Automated invoice processing allows for invoices to be automatically scanned when received. Relevant information is extracted digitally and invoices are matched to known suppliers in your system, before being routed for approval. The role of your finance staff is to check for any exceptions to the rule and ensure they are legitimate.
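The ACSC warning signs, the dual authorisation rule and the matching of invoices to known suppliers described above can be combined into a single screening step. The following is an added example, not code from this article or from any accounting product; the supplier record, the 180-day dormancy window, the "multiple of 100" test for a rounded amount and every name in it are assumptions, and all data is constructed.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Constructed supplier master record: what the business already knows to be true.
SUPPLIERS = {
    "Acme Paper": {
        "bank_account": "062-000 12345678",
        "senders": {"accounts@acmepaper.example"},
        "last_invoice": date(2020, 6, 1),
        "typical_max": Decimal("2500"),
    },
}

@dataclass
class Invoice:
    supplier: str
    sender: str
    amount: Decimal
    bank_account: str
    received: date

def screen_invoice(inv, suppliers=SUPPLIERS, dormant_days=180):
    """Return the warning signs an invoice raises (empty list = none)."""
    rec = suppliers.get(inv.supplier)
    if rec is None:
        return ["unknown supplier"]
    flags = []
    if (inv.received - rec["last_invoice"]).days > dormant_days:
        flags.append("unexpected: supplier not used in a while")
    if inv.amount > rec["typical_max"]:
        flags.append("unexpected: unusual amount")
    if inv.sender.lower() not in rec["senders"]:
        flags.append("unlikely sender")
    if inv.amount % 100 == 0:
        flags.append("rounded amount")
    if inv.bank_account != rec["bank_account"]:
        flags.append("new payment details")
    return flags

def can_release(inv, approvers, phone_verified=False):
    """Dual authorisation: two different people, and any flag cleared by phone."""
    if screen_invoice(inv) and not phone_verified:
        return False
    return len(set(approvers)) >= 2

# Constructed samples: a genuine invoice, one sent from the supplier's hacked mailbox, one impersonated.
GENUINE = Invoice("Acme Paper", "accounts@acmepaper.example", Decimal("1843.27"), "062-000 12345678", date(2020, 7, 1))
HACKED = Invoice("Acme Paper", "accounts@acmepaper.example", Decimal("1843.27"), "083-004 99887766", date(2020, 7, 1))
FAKE = Invoice("Acme Paper", "ceo@acmepaper.example", Decimal("5000.00"), "083-004 99887766", date(2020, 7, 2))
```

The invoice sent from the hacked mailbox passes the sender check, so the comparison against the bank details already on file is the only control that catches it.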
Manual invoicing weighs accounting and finance departments down not only with unreliable security but also with slow processes, poor oversight and subpar reporting. An effective solution can eliminate almost all the manual processing that’s normally required – reducing the chance for mistakes and speeding up the process.
Beyond the security benefits it enables, automated invoicing is one important way that you can speed up your capital cycle and optimise your working capital at a time when cash flow is more critical than ever. Not to mention that invoice automation will also free up time in your business to get more done and provide better customer service – two things that are crucial as we enter the recovery phase.
Cyber-attacks and fraud are on the rise, but there’s no need to panic. By taking some time to understand the risks, informing your team and getting tech on your side, you’ll be strides ahead.