At its Exeter Broker Insight Event, NatWest highlighted some processes and controls that businesses can use to enhance the security of firms and their clients.
The lender explained that the methods behind current scams are much the same as they have always been when individuals are duped, and their goodwill undermined.
The difference is that today the technology allows criminals to reach more people and immediately distribute large sums of money around the world.
“If money is taken from an account as the result of a successful scam and we can’t stop it very quickly, that money can move around the world in six minutes,” said NatWest security business partner Sophie Urquhart.
To reduce their vulnerability and protect their assets, including data, information and money, from being targeted, Urquhart offered some basic actions firms can take.
“It’s about understanding your organisation from a criminal’s perspective,” she said.
“Create scenarios to test you have processes and controls to protect the things that might be of interest to them. Make sure everybody in the organisation is aware of why they are expected to do things the right way.”
Building up a picture
In one example, Urquhart highlighted that the online world, including social media, is a significant source of material for prospective fraudsters to build up a picture of the business, its key people (from both a personal and a professional perspective), its business cycles and its operations.
“It’s really important to think about what the firm and its employees share in the public domain,” she said.
“Engage colleagues to think about what information has been made available, where it is and whether it needs to be so accessible. Piece by piece, how could it be used to construct a credible scenario about individuals and the firm’s internal structure and communication channels that could be exploited by an attacker?
“Might you be able to reduce the information employees, and the firm, share?”
Urquhart continued: “I’m not saying that an online presence is a bad thing, but you do need to be aware of how information can be misused and the means by which this can happen.
“If a cold caller seeks to obtain more information than they already have, or gives instructions you weren’t expecting, some scepticism on their rationale and authenticity goes a long way to protecting your firm’s interests.”
Brokers should be vigilant when they are sent details of new supplier or client accounts into which any future monies should be paid.
“Don’t allow just one employee to change account details on the basis of a call or email because that’s how funds can be diverted from the intended recipient, and quickly lost,” she added.
Importantly, Urquhart emphasised that if it is suspected that monies have been incorrectly paid away, the sooner the lending bank is informed, the sooner it can initiate a response to try to stop or recover funds.
Essentially, and to ensure that requests are genuine, people should refer to original records of contact names and telephone numbers, speak to account owners and follow strong process controls, including, but not relying on, dual authorisations. This should be done before details are changed.
Executive impersonation scams
There is a resurgence in executive impersonation scams, Urquhart explained. In this situation, employees are asked to make payments that senior leaders have supposedly authorised while absent.
The success of these scams can depend on company culture; if it is open and collaborative, employees are more likely to question anomalous behaviours, and so they become the first point of protection for the firm.
“If you’ve got the processes that say we must have two people sign it, that’s the control, and what people should be expected to do – or use an agreed alternative – but process is key,” she said.
Employees need to be aware of how they can prevent malware from being introduced to the firm by clicking on links in emails or texts. These messages might be identified by their incorrect web addresses or other incorrect information.
They often convey a sense of urgency, not giving people time to think about risk, and are worded convincingly to obtain information that people wouldn’t normally expect to share, such as personal details, PINs and passwords.
In conjunction with staff vigilance, it is critically important to have up-to-date anti-virus software, Urquhart said, stressing that IT teams should apply appropriate patches as they are made available.
‘Always trust your instinct’
Urquhart concluded by reminding brokers that there are many cyber scams but that, in relation to lending, if they receive an unexpected communication or unusual instruction, they should “always trust your instinct. So many times, when a scam is successful, people reflect on the moment they knew something wasn’t right. Don’t let that be you or your firm,” she said.
Help and support can be found through the following:
- Take Five: takefive-stopfraud.org.uk
- National Cyber Security Centre: ncsc.gov.uk
- Action Fraud: actionfraud.police.uk
- Financial Fraud Action UK: financialfraudaction.org.uk
- Become a Friend Against Scams: friendsagainstscams.org.uk