
Protect Your Business: Lessons from a £20,000 Scam Attempt

Back in 2017, a case involving one of our clients highlighted the dangers of online payment scams, a threat that remains as relevant today as ever. An employee received what appeared to be a legitimate email from their company director requesting a £20,000 transfer. By sheer luck, a technical issue with the bank's website led to a phone conversation between the employee and the director, which revealed the truth: the email was fraudulent.

The scam was part of a targeted phishing attack. The attackers had compromised the director's email account and changed its settings so that incoming messages were deleted automatically, hiding any replies or bank notifications that might have exposed the fraud. They had obtained the director's login credentials through a fake Dropbox file-share link, and used the genuine account to send convincing payment instructions. To spread the compromise further, they also sent the same phishing link to 400 contacts in the director's address book.
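The auto-delete trick above is how most business email compromise stays hidden long enough to get paid: a mailbox rule quietly deletes, hides or forwards mail so the account owner never sees the replies. Below is an added example (not code from the original post or the client's environment) that audits an exported list of inbox rules for exactly those patterns. The rule export is constructed for this example; its field names loosely follow what an Exchange Online inbox-rule export contains, but you would map your own platform's fields onto the dataclass.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Words a fraudster keys rules on so that bank alerts and replies vanish.
FINANCE_KEYWORDS = {"invoice", "payment", "transfer", "bank", "urgent", "dropbox"}
# Folders users rarely open; mail moved here is effectively hidden.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive", "notes"}


@dataclass
class InboxRule:
    """One exported mailbox rule (field names are an assumption for this example)."""
    name: str
    enabled: bool = True
    delete_message: bool = False
    mark_as_read: bool = False
    move_to_folder: Optional[str] = None
    forward_to: List[str] = field(default_factory=list)
    subject_contains: List[str] = field(default_factory=list)


def rule_findings(rule: InboxRule, internal_domain: str) -> List[str]:
    """Return the reasons a rule looks like attacker persistence (empty if clean)."""
    findings: List[str] = []
    if not rule.enabled:
        return findings
    # Incoming mail deleted outright: the victim never sees replies or bank alerts.
    if rule.delete_message:
        findings.append("deletes incoming mail")
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDDEN_FOLDERS:
        findings.append(f"moves mail to rarely-viewed folder '{rule.move_to_folder}'")
    if rule.mark_as_read and (rule.delete_message or rule.move_to_folder):
        findings.append("marks as read before hiding")
    # Forwarding outside the company gives the attacker a copy of every reply.
    external = [a for a in rule.forward_to
                if not a.lower().endswith("@" + internal_domain.lower())]
    if external:
        findings.append(f"forwards to external address(es) {', '.join(external)}")
    keywords = {w.lower() for w in rule.subject_contains} & FINANCE_KEYWORDS
    if keywords and (rule.delete_message or rule.move_to_folder or rule.forward_to):
        findings.append(f"keyed on finance keywords {sorted(keywords)}")
    # Blank or punctuation-only rule names are a classic tell of a rule created in a hurry.
    if len(rule.name.strip(" .,-_")) == 0:
        findings.append("blank/punctuation-only rule name")
    return findings


def audit_rules(rules: List[InboxRule], internal_domain: str) -> List[Tuple[InboxRule, List[str]]]:
    """Keep only rules with at least one finding, preserving export order."""
    return [(r, f) for r in rules if (f := rule_findings(r, internal_domain))]


# Constructed sample export: one mailbox, five rules, three of them malicious.
SAMPLE_RULES = [
    InboxRule(name=".", delete_message=True, mark_as_read=True,
              subject_contains=["invoice", "payment", "transfer"]),
    InboxRule(name="Hide replies", move_to_folder="RSS Feeds", mark_as_read=True),
    InboxRule(name="Copy to personal", forward_to=["director.personal@mail-example.net"]),
    InboxRule(name="Newsletters", move_to_folder="Newsletters"),
    InboxRule(name="Old delete rule", enabled=False, delete_message=True),
]

if __name__ == "__main__":
    for rule, findings in audit_rules(SAMPLE_RULES, "yourcompany.com"):
        print(f"[SUSPICIOUS] rule {rule.name!r}: " + "; ".join(findings))
```

Run this against a periodic export of every mailbox's rules, not just after an incident; a newly created rule that deletes or forwards mail is worth an alert on its own, because legitimate users almost never need one.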

This incident illustrates the very real financial and reputational risks businesses face from online scams. In 2024, the techniques used by cybercriminals have only become more advanced, so it’s critical to stay one step ahead. Here’s how to protect your business:


Protecting Your Business: Essential Steps

  1. Enable Two-Factor Authentication (2FA): Always use 2FA for critical systems, including email, financial platforms, and cloud storage accounts. It provides an additional layer of protection even if login credentials are compromised. Where available, prefer phishing-resistant methods such as FIDO2 security keys or passkeys: one-time codes sent by SMS or generated by an app can still be captured by a fake login page and replayed in real time.
  2. Directly Verify Payment Requests: Confirm any unexpected or high-value payment requests by contacting the requester through a trusted method, such as a direct phone call. Avoid relying on contact details provided in the email.
  3. Implement Secure Payment Procedures: Establish a clear, well-documented process for all financial transactions, for example dual authorisation above a set amount and no changes to payee bank details on the strength of an email alone. Flag and investigate any requests that deviate from the established process.
  4. Employee Training: Regularly train employees on identifying phishing emails and suspicious requests. Simulated phishing campaigns can help staff stay alert.

Spotting and Preventing Scams

  1. Scrutinize Unusual Requests: Be wary of urgent or unexpected demands for payments or gift cards, even if they appear to come from senior staff.
  2. Use Strong, Unique Passwords: Encourage the use of password managers to generate and store secure, unique passwords for each account.
  3. Monitor Email Activity: Implement tools that monitor for unusual login locations or behaviours in email accounts, including newly created mailbox rules and forwarding settings like the auto-delete rule used in the case above, and alert administrators to suspicious activity.
  4. Beware of Fake Login Pages: Always verify the URL of login pages before entering credentials. Bookmark important sites to avoid phishing traps.
  5. Check the Sender Address Carefully: Look for lookalike domains with slight misspellings (e.g., “@yourcompnany.com” instead of “@yourcompany.com”) and for a Reply-To address that differs from the sender. Bear in mind that a message sent from a genuinely compromised account, as in the case above, passes this check, so it never replaces the call-back in step 2 above.
  6. Back Up Data Regularly: Ensure critical business data is backed up securely to mitigate potential ransomware attacks that may accompany phishing schemes.
  7. Review Permissions: Regularly audit who has access to sensitive accounts and systems. Use the principle of least privilege to minimize risks.
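As an added example (not code from the original post), the checks below put the sender-address advice into a form that can run over an incoming message's headers: a lookalike-domain test based on edit distance, internationalised-domain (punycode) labels and domain-in-domain tricks, an executive's display name on an external address, and a Reply-To that points somewhere other than the From domain. The headers, the trusted domain and the director's name are all constructed for illustration. The first sample deliberately reproduces the case above, a message from the director's real account, to show that header checks alone report nothing for it.

```python
from email.utils import parseaddr
from typing import Dict, List, Set


def levenshtein(a: str, b: str) -> int:
    """Edit distance: each substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # deletion
                           cur[j - 1] + 1,               # insertion
                           prev[j - 1] + (ca != cb)))    # substitution
        prev = cur
    return prev[-1]


def domain_of(address_header: str) -> str:
    """Lower-cased domain part of an address header such as 'Name <user@host>'."""
    return parseaddr(address_header)[1].rpartition("@")[2].lower()


def is_lookalike(domain: str, trusted: str) -> bool:
    """True if 'domain' is not ours but is built to be mistaken for ours."""
    if domain == trusted or domain.endswith("." + trusted):
        return False                                  # our domain or a genuine subdomain
    if any(label.startswith("xn--") for label in domain.split(".")) \
            or any(ord(c) > 127 for c in domain):
        return True                                   # IDN/homoglyph spelling
    if trusted in domain:
        return True                                   # yourcompany.com.attacker-example.net
    return levenshtein(domain, trusted) <= 2          # yourcompnany.com, yourcompany.co


def assess_message(headers: Dict[str, str], trusted_domain: str,
                   executives: Set[str]) -> List[str]:
    """Return human-readable warnings for one message; empty means nothing found."""
    findings: List[str] = []
    display, from_addr = parseaddr(headers.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    external = from_domain != trusted_domain and not from_domain.endswith("." + trusted_domain)
    if external:
        if is_lookalike(from_domain, trusted_domain):
            findings.append(f"From domain '{from_domain}' imitates '{trusted_domain}'")
        if display.strip().lower() in executives:
            findings.append(f"display name '{display}' is an executive but the sender is external")
    reply_to = headers.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain '{domain_of(reply_to)}' differs from From '{from_domain}'")
    return findings


# Constructed sample data: company domain, director name and three message headers.
TRUSTED = "yourcompany.com"
EXECUTIVES = {"jane doe"}
SAMPLES = {
    # The case above: the real account was compromised, so the headers are genuine.
    "compromised_account": {"From": "Jane Doe <jane.doe@yourcompany.com>",
                            "Subject": "Urgent: £20,000 transfer today"},
    "lookalike_domain": {"From": "Jane Doe <jane.doe@yourcompnany.com>"},
    "freemail_reply_to": {"From": "Jane Doe <jane.doe.ceo@mail-example.net>",
                          "Reply-To": "accounts@pay-example.org"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        result = assess_message(hdrs, TRUSTED, EXECUTIVES)
        print(f"{label}: {'; '.join(result) if result else 'no header warnings'}")
```

The empty result for the first sample is the point of the caveat in step 5: lookalike and Reply-To checks catch the cheap version of this fraud, but a request sent from a director's real mailbox only fails the out-of-band verification in step 2.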

The latest methods...

Cybercriminals are increasingly leveraging AI and social engineering to make scams more convincing. Voice deepfakes, for example, can mimic the tone and speech of senior staff to trick employees. Consider these additional tips:

  • Secure Voice Verification: Use code words or secondary verification steps for financial transactions initiated over the phone.
  • AI-Based Threat Detection: Invest in tools that use AI to identify unusual behavior or phishing attempts in real-time.
  • Zero-Trust Framework: Adopt a zero-trust approach to cybersecurity, requiring verification for every access attempt, regardless of whether it’s internal or external.

If something doesn’t feel right, trust your instincts and reach out for professional advice. Your security is our priority. Let’s stay ahead of the scammers together.