Empowering employees to identify business fraud

Fraud attacks targeting businesses are on the rise. This means that companies, regardless of size, must learn how to identify online security threats. But this goal can seem like a moving target. While most firms are able to react to conventional fraud, fraudsters are continually creating more sophisticated attacks. 

U.S. companies are at risk of losing $1.7 trillion to cybercrime over the next five years, according to Accenture’s annual Cost of Cybercrime report. And in 2018, the average cost of cybercrime per company grew 29 percent. That means, on average, U.S. companies now lose $27.3 million annually to cybercrime.

While the current state of fraud may seem bleak, the situation is not hopeless. There are many emerging technologies and best practices that companies can implement to help reduce their risk or limit the effect of an attack. 

These include equipping employees to fight fraud on the front lines.

Some of the most common attacks—phishing, business email compromise (BEC), malware and ransomware—are often avoidable if employees know what to look for. When attacks do occur, it can be the result of an employee accidentally clicking an unsafe link, responding to a fraudulent email and disclosing personal information, or visiting an unsafe website. 

Employees can help tackle business fraud if they know how and where to look for it. It’s also important to remind employees that fraudsters can come from both inside and outside the company. 

These are the common types of business fraud, what they are and how they work:

In a BEC attack, fraudsters send emails pretending to be an employee or external vendor. Their main goal is to collect personal login information or gain access to company data and systems. Often, fraudsters take advantage of employees by:

• Using an urgent email subject requesting immediate fund transfers
• Inviting them to “click to register” for an event
• Registering a domain similar to that of its target organization in order to make employees think it’s legitimate. This is also known as spoofing. 
• Posing as the influential leader of a fake organization 

With access to company data and systems, fraudsters can make unauthorized payments, install malware or ransomware, or package and resell confidential information. This can result in a data breach, a security event in which company data is accessed without authorization.

Malware or ransomware is software designed to damage a computer, server or client or computer network is unknowingly installed by employees, this is malware or ransomware. 

In malware attacks, fraudsters threaten victims into paying a fee to avoid activation of the software. In ransomware attacks, fraudsters hold company systems, data or both hostage until the company pays a fee—often in bitcoin or another cryptocurrency.

Often the result of targeted phishing attacks, an account takeover occurs when a fraudster gains enough personal information to take control of an account.

Account takeovers enable fraudsters to make unauthorized transactions. Many times, the fraudster will change contact and login information, making it difficult for the true owner to access the account.

A cashflow scam occurs when a fraudster seemingly sends funds, which they don’t actually have, to a second account, and then withdraws the funds from the second account. 

Cashflow scams exploit the time it takes for a transaction to clear after the receiving party has access to the funds. The first transaction bounces because of the lack of funds, but the fraudster has already withdrawn the cash from the second account.

Internal fraud incidents—sometimes called “malicious insider attacks”—are committed by an employee within the organization.

Commonly, these attacks authorize funds to be sent to a personal account. The employee may also sell company data to a fraudster or competitor. 

Learning about fraud should involve more than just training. Educational material often provides employees with the facts about security best practices. But providing real-life scenarios can give opportunities to test their understanding. Using simulations and case studies can be good ways to do this. 

Here are four best practices for fighting fraud at your organization:

These days, with connected and cloud systems, all company computers and devices are vulnerable to online security threats. Fraudsters need only one vulnerable employee in order to gain access to the entire system. By educating all employees about online security, not just the payments and IT teams, companies may be able to reduce the risk of fraudsters gaining access to or damaging company data.

Limiting company devices for personal use is another good way to protect against security threats. If you decide to allow employees to use company devices for personal reasons, you can consider limiting usage or installing a strong firewall. It’s also helpful to educate employees about the risks of surfing the internet or checking personal emails.

Test your employees’ awareness and response to potential business fraud by bringing the education outside of the classroom. You can send fake phishing emails and measure how employees react. This approach can help identify where to invest in additional training, and ultimately, can help change behavior.

Once you’ve educated your employees on what to look for, make sure you have an easy way for them to report business fraud when they see it. Having a built-in button for reporting suspicious email—and ensuring helpful resources are easily accessible—can increase the rate at which your employees alert you to attempted attacks. If your security team is aware of these attempts, they can be on high alert for others. 

Your best path forward for helping recognize business fraud is typically to implement solutions for both technology and employee education. If your budget is limited, start with the employees. It’s often the least expensive way to yield strong results.

Ultimately, investing in your employees may give you the most bang for your buck in the fight against fraud. And making some simple changes there could have a major impact on your bottom line.