Empowering Employees to Identify Business Fraud
How increasing employee awareness of business fraud can help protect your bottom line
Fraud attacks targeting businesses are on the rise. This means that companies, regardless of size, must learn how to identify online security threats. But this goal can seem like a moving target. While most firms are able to react to conventional fraud, fraudsters are continually creating more sophisticated attacks.
U.S. companies are at risk of losing $1.7 trillion to cybercrime over the next five years, according to Accenture’s annual Cost of Cybercrime report. And in 2018, the average cost of cybercrime per company grew 29 percent. That means, on average, U.S. companies now lose $27.3 million annually to cybercrime.
While the current state of fraud may seem bleak, the situation is not hopeless. There are many emerging technologies and best practices that companies can implement to help reduce their risk or limit the effect of an attack.
These include equipping employees to fight fraud on the front lines.
Common Types of Business Fraud, What They Are and How They Work
Some of the most common attacks—phishing, business email compromise (BEC), malware and ransomware—are often avoidable if employees know what to look for. When attacks do occur, it can be the result of an employee accidentally clicking an unsafe link, responding to a fraudulent email and disclosing personal information, or visiting an unsafe website.
Employees can help tackle business fraud if they know how and where to look for it. It’s also important to remind employees that fraudsters can come from both inside and outside the company.
These are the common types of business fraud, what they are and how they work:
Phishing and Business Email Compromise (BEC)
In a BEC attack, fraudsters send emails pretending to be an employee or external vendor. Their main goal is to collect personal login information or gain access to company data and systems. Often, fraudsters take advantage of employees by:
- Using an urgent email subject requesting immediate fund transfers
- Inviting them to “click to register” for an event
- Registering a domain similar to that of its target organization in order to make employees think it’s legitimate. This is also known as spoofing.
- Posing as the influential leader of a fake organization
With access to company data and systems, fraudsters can make unauthorized payments, install malware or ransomware, or package and resell confidential information. This can result in a data breach, a security event in which company data is accessed without authorization.
Malware and Ransomware
Malware or ransomware is software designed to damage a computer, server or client or computer network is unknowingly installed by employees, this is malware or ransomware.
In malware attacks, fraudsters threaten victims into paying a fee to avoid activation of the software. In ransomware attacks, fraudsters hold company systems, data or both hostage until the company pays a fee—often in bitcoin or another cryptocurrency.
Often the result of targeted phishing attacks, an account takeover occurs when a fraudster gains enough personal information to take control of an account.
Account takeovers enable fraudsters to make unauthorized transactions. Many times, the fraudster will change contact and login information, making it difficult for the true owner to access the account.
A cashflow scam occurs when a fraudster seemingly sends funds, which they don’t actually have, to a second account, and then withdraws the funds from the second account.
Cashflow scams exploit the time it takes for a transaction to clear after the receiving party has access to the funds. The first transaction bounces because of the lack of funds, but the fraudster has already withdrawn the cash from the second account.
Internal Fraud Incidents
Internal fraud incidents—sometimes called “malicious insider attacks”—are committed by an employee within the organization.
Commonly, these attacks authorize funds to be sent to a personal account. The employee may also sell company data to a fraudster or competitor.
Best Practices for Business Leaders to Spot and Fight Fraud
Learning about fraud should involve more than just training. Educational material often provides employees with the facts about security best practices. But providing real-life scenarios can give opportunities to test their understanding. Using simulations and case studies can be good ways to do this.
Here are four best practices for fighting fraud at your organization:
Educate All Your Employees
These days, with connected and cloud systems, all company computers and devices are vulnerable to online security threats. Fraudsters need only one vulnerable employee in order to gain access to the entire system. By educating all employees about online security, not just the payments and IT teams, companies may be able to reduce the risk of fraudsters gaining access to or damaging company data.
Limit the Use of Company Devices for Personal Use
Limiting company devices for personal use is another good way to protect against security threats. If you decide to allow employees to use company devices for personal reasons, you can consider limiting usage or installing a strong firewall. It’s also helpful to educate employees about the risks of surfing the internet or checking personal emails.
Test the Human Factor
Test your employees’ awareness and response to potential business fraud by bringing the education outside of the classroom. You can send fake phishing emails and measure how employees react. This approach can help identify where to invest in additional training, and ultimately, can help change behavior.
Make Reporting Easy
Once you’ve educated your employees on what to look for, make sure you have an easy way for them to report business fraud when they see it. Having a built-in button for reporting suspicious email—and ensuring helpful resources are easily accessible—can increase the rate at which your employees alert you to attempted attacks. If your security team is aware of these attempts, they can be on high alert for others.
Balancing Your Priorities to Identify Business Fraud
Your best path forward for helping recognize business fraud is typically to implement solutions for both technology and employee education. If your budget is limited, start with the employees. It’s often the least expensive way to yield strong results.
Ultimately, investing in your employees may give you the most bang for your buck in the fight against fraud. And making some simple changes there could have a major impact on your bottom line.
Government and private relief efforts vary by location and may have changed since this article was published. Consult a financial adviser or the relevant government agencies and private lenders for the most current information.
These materials are for informational purposes only. These materials do not represent any opinion, guidance or recommendation, whether formal or informal, of Capital One, National Association, or any of its officers, directors, employees, advisors, attorneys, consultants, affiliates or subsidiaries (collectively, “Capital One”). Without limiting the generality of the foregoing, these materials do not represent legal advice or guidance by or from Capital One. In no event may the recipient of these materials rely on these materials for any purpose whatsoever. Nothing contained in these materials shall give rise to, or be construed to give rise to, any obligations or liability whatsoever on the part of Capital One. Nothing contained in these materials shall alter or modify, or be deemed to alter or modify, applicable law (including, but not limited to, the limitations under applicable law of Capital One’s obligations and/or liability in applicable matters). The recipient of these materials should consult the recipient’s own counsel to understand the recipient’s obligations and liability in applicable matters.
Capital One does not provide, endorse, or guarantee any third-party product, service, information or recommendation listed above. The third parties listed are solely responsible for their products and services, and all trademarks listed are the property of their respective owners.