It is good to talk: criminals rely on the lack of communication between commercial organisations to win
When we talk to our forum members about fraud, we always ask: have you had an attack recently? If so, was it successful, or were your internal processes strong enough that the fraudsters went away empty-handed?
It is very understandable that many businesses do not want to admit to being attacked, or to publicise it if the fraudster was successful. Businesses are aware that making these events public, even if only internally, could affect staff morale and alienate customers. Even small frauds can add up to significant sums, and major fraud losses can ruin businesses.
Criminals exploit human frailties to facilitate crime, however, so when these attacks do take place (hopefully rarely) you should always hold a debrief. Look into the detail of what happened, who was involved, what actions were taken, and whether your fraud prevention procedures and alerts worked. Then see if there are things that need changing. As your business evolves and the markets you trade in change, your fraud prevention processes need to be updated. Please always see this as positive: it is the security of your business that matters.
During this debrief, consider whether the improvements are people-related, so that training is needed, or whether the fraudster has become more sophisticated and that is the driver for better defences. Do not undertake these investigations without involving all the appropriate team members, and remember that there are professionals available too.
Cybersecurity: I find this word provokes one of two reactions. Either eyes roll and glaze over ('oh here we go again, another chat about IT security') or there is a look of fear and dread in anticipation of a load of technobabble. I try to avoid both reactions by taking away the terminology, and I always focus on the biggest risk, which is not the technology but, invariably, the human.
At a recent cybersecurity audit, it was agreed that staff would benefit from attending a short cyber-awareness session. During these sessions, held across different departments, it became apparent that there was a lot of 'shadow IT'. What is shadow IT? It is when departments or individual members of staff make use of software, cloud services or IT infrastructure without the knowledge of the organisation's IT department. It became apparent that the use of personal cloud storage and personal e-mail was widespread. From a data-protection perspective this rang alarm bells: it meant sensitive data was leaking outside the control of the organisation, and the passwords most people were using were weak.
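Shadow IT of the kind described above usually shows up first in the web-proxy logs, because personal cloud storage and webmail have to be reached through the corporate gateway. The script below is an added illustration, not code from the article or from the audit it describes: it parses a constructed log format, matches destinations against a constructed list of personal cloud and webmail domains, and flags large uploads to them so the data-protection review can start with the riskiest accounts. The log format, the domain lists, the upload threshold and the sample log lines are all assumptions for the example; swap in your proxy's real format and a maintained URL-category feed.

```python
"""Flag likely shadow-IT traffic in web-proxy logs (added example)."""
import re
from collections import defaultdict

# Constructed: destinations that indicate personal cloud storage or personal
# webmail. A real deployment would use a maintained category feed instead.
PERSONAL_CLOUD = {"dropbox.com", "drive.google.com", "onedrive.live.com", "wetransfer.com"}
PERSONAL_MAIL = {"mail.google.com", "outlook.live.com", "mail.yahoo.com"}
UPLOAD_METHODS = {"POST", "PUT"}

# Constructed log format: "<timestamp> <domain\\user> <method> <host> <bytes_sent>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<bytes>\d+)$"
)

# Constructed sample lines, including one that does not parse.
SAMPLE_LOG = """\
2020-02-03T09:12:01Z finance\\jsmith POST drive.google.com 48211002
2020-02-03T09:13:44Z finance\\jsmith GET www.bbc.co.uk 1820
2020-02-03T10:02:09Z sales\\akhan GET mail.yahoo.com 9120
2020-02-03T10:05:31Z sales\\akhan POST mail.yahoo.com 2208441
2020-02-03T11:40:12Z hr\\lpatel POST wetransfer.com 915002233
2020-02-03T12:01:00Z it\\svc-backup PUT backup.corp.example 120000000
bad line that does not parse
"""


def classify(host):
    """Return 'cloud', 'mail' or None. The host and each parent domain are
    checked, so www.dropbox.com is treated the same as dropbox.com."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in PERSONAL_CLOUD:
            return "cloud"
        if candidate in PERSONAL_MAIL:
            return "mail"
    return None


def parse(log_text):
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            yield rec


def find_shadow_it(log_text, upload_threshold=1_000_000):
    """Group hits on personal services per user. An upload above the threshold
    (bytes sent in one request; the cutoff is an assumption) is marked as a
    possible data leak so it is reviewed first."""
    findings = defaultdict(list)
    for rec in parse(log_text):
        category = classify(rec["host"])
        if category is None:
            continue
        leak_risk = rec["method"] in UPLOAD_METHODS and rec["bytes"] >= upload_threshold
        findings[rec["user"]].append(
            {"host": rec["host"], "category": category,
             "bytes": rec["bytes"], "leak_risk": leak_risk}
        )
    return dict(findings)


def summarise(findings):
    """One line per user, sorted, for the audit report."""
    lines = []
    for user in sorted(findings):
        hits = findings[user]
        risky = sum(1 for h in hits if h["leak_risk"])
        lines.append(f"{user}: {len(hits)} personal-service hits, {risky} large uploads")
    return lines


if __name__ == "__main__":
    for line in summarise(find_shadow_it(SAMPLE_LOG)):
        print(line)
```

The suffix match in `classify` matters: blocking or reporting on exact hostnames misses regional and CDN variants, while matching the registered domain catches them. The per-request byte count is a coarse signal, so treat the output as a review queue for the IT and data-protection teams rather than as proof of misuse.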
The cybersecurity audit included some technical testing, and the results were rather startling. Around 2,000 passwords for accounts on the local network were cracked within just a few hours. The most common passwords in use were:
The typical password length was eight characters. Short passwords can easily be cracked by brute force using tools that are openly available to criminals and hackers, and common words with a digit or two appended fall even faster to wordlist attacks.
This resulted in some immediate actions: policies on passwords were improved and enforced and, where possible, multi-factor authentication was switched on. Following open communication with staff through the training and awareness exercises, the organisation's IT department has regained control and dealt with the shadow IT issues, which has reduced their cybersecurity risk and improved their monitoring for GDPR compliance.
In conclusion, the simplest measure you can take to improve cybersecurity at work is to keep an open dialogue with your staff, train them regularly and empower them to raise issues or concerns with your IT team.
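To make concrete why 2,000 short passwords fall in hours and what the resulting policy has to check, here is an added example that is not code from the article or from the audit's tooling. It runs a small dictionary attack with common mangling rules against constructed account hashes, estimates worst-case brute-force time for a given length and character set, and applies a minimum-length plus dictionary-word policy check. The hash function (SHA-256), the word list, the sample accounts and the guess rate are all assumptions for the example; a real local-network audit targets the actual credential store (for instance Windows NTLM hashes) with a dedicated cracker.

```python
"""Dictionary attack, brute-force estimate and password policy check (added example)."""
import hashlib

# Constructed: a tiny base word list. Real wordlists run to millions of entries.
BASE_WORDS = ["password", "welcome", "summer", "company", "letmein"]


def sha256_hex(password):
    # SHA-256 is used only so the example runs offline with the standard library.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def candidates(base_words):
    """Base words plus the mangling rules crackers apply automatically:
    capitalise, append a digit, a year or a symbol, and simple leet-speak."""
    for w in base_words:
        yield w
        yield w.capitalize()
        for suffix in ("1", "123", "2020", "!"):
            yield w + suffix
            yield w.capitalize() + suffix
        yield w.replace("a", "@").replace("o", "0")


def dictionary_attack(hash_by_account, base_words=BASE_WORDS):
    """Return {account: recovered_password} for every hash a candidate matches.
    Each candidate is hashed once and compared against all accounts, which is
    why thousands of accounts crack in roughly the time it takes to crack one."""
    lookup = {}
    for cand in candidates(base_words):
        lookup.setdefault(sha256_hex(cand), cand)
    return {acct: lookup[h] for acct, h in hash_by_account.items() if h in lookup}


def brute_force_seconds(length, charset_size, guesses_per_second):
    """Worst-case seconds to try every string of the given length.
    guesses_per_second is an assumption you supply for your own hardware."""
    return charset_size ** length / guesses_per_second


def check_policy(password, min_length=14, base_words=BASE_WORDS):
    """Reject the two failure modes the audit found: short passwords and
    dictionary words with predictable decoration. Returns (ok, reason)."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    lowered = password.lower()
    for w in base_words:
        if w in lowered:
            return False, f"contains dictionary word {w!r}"
    return True, "ok"


# Constructed sample accounts; an audit would load these from the credential store.
SAMPLE_HASHES = {
    "jsmith": sha256_hex("Password1"),
    "akhan": sha256_hex("welcome123"),
    "lpatel": sha256_hex("Summer2020"),
    "svc-backup": sha256_hex("quartz-lantern-orbit-wick"),
}


if __name__ == "__main__":
    for acct, pw in dictionary_attack(SAMPLE_HASHES).items():
        print(f"cracked {acct}: {pw}")
    # Assumed guess rate of 1e9/s: every 8-character lowercase password in minutes,
    # every 14-character mixed password in far longer than a human lifetime.
    print(f"8 lowercase chars: {brute_force_seconds(8, 26, 1e9):.0f} s")
    print(f"14 printable chars: {brute_force_seconds(14, 95, 1e9):.3g} s")
    for pw in ("Password1", "companypassword2020!", "quartz-lantern-orbit-wick"):
        print(pw, check_policy(pw))
```

Two things carry over to the real policy. First, length beats complexity: the brute-force estimate grows exponentially with length, so raising the minimum from eight to fourteen characters does more than forcing a symbol. Second, a length rule alone still admits `companypassword2020!`, so the check also has to reject dictionary words and, in production, a list of known-breached passwords. Multi-factor authentication is the backstop for the passwords that slip through both.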
Sharing experiences and intelligence is the best ammunition you have in your armoury to combat the fraudster. I am a believer that somebody else will have had an experience like yours. We, via our forums, give you the opportunity to understand what fellow members did in response and whether it worked. Similarly, sharing intelligence can safeguard both you and fellow forum members. Fraudsters are very astute and go after multiple targets, so if you get word that they are working in your industry then forewarned is forearmed. The Fraud Prevention Forum, with our partners Graydon, Cifas & LittleGratti, provides the vehicle for intelligence sharing.
Written by Laurie Beagle (Forums International) & Darren Hodder (LittleGratti)
Originally published in CCR Magazine, Feb 2020
Register free for the next online FPN meeting
- 10.00. Welcome, introductions
- 10.10. Fraud – The latest picture – Alan Norton, Head of Intelligence, Graydon UK
- 11.00. Information & Intelligence Sharing – Laurie Beagle, MD, Forums International Ltd
- 11.20. Break
- 11.35. Payment Risk update – Kevin Smith, Managing Director, Kevin Smith Consulting Ltd
- 12.30. Covid-19 – Fraud Scams – Lee D’arcy, Commercial Director, Cifas
- 13.00. Wrap up & Close