
Social engineering

Fraudsters use social engineering techniques, known as phishing, vishing and smishing, to manipulate victims into handing over confidential information or taking other actions that compromise their security. Other forms of social engineering, such as CEO impersonation and invoice scams, specifically target businesses.

Phishing

Phishing is the fraudulent use of emails to manipulate targets into revealing passwords and sensitive information or transferring money to accounts the fraudster controls. Phishing messages often contain links to fake websites that request password and account details, or attachments and links that install malware on your devices.

Business email compromise (BEC) is a more sophisticated type of phishing in which criminals take over a genuine email account and use it to pose as a trusted individual. Because the messages come from a real address, and may even continue an existing conversation, they are far harder to spot than a typical phishing email, and are used to trick you into sending money or divulging confidential information.

How to stay safe

  • Stay vigilant: Be alert to the style, tone and grammar of emails you receive, especially if they don’t use your name, even if they follow an existing email chain
  • Personal information: Never enter any personal or security information in a site accessed through an unverified email link
  • Unverified senders: Never click on links or open attachments in emails from unverified senders 
  • Remember: We will never contact you and ask for your PIN, passwords, payment authorisation codes or full account details. Nor will we ask you to make a payment or request access to your systems or PC 
  • Employee training: Make all staff aware of the risks of phishing emails, especially payment scams, and inform them of how to respond if they are targeted
  • Wider implications: Remember that a successful phishing email can lead to further harm, including data breaches or malware infection.

Vishing and smishing

Vishing is the fraudulent use of phone calls or voice messages to impersonate trusted organisations to obtain sensitive information. Smishing is the fraudulent use of SMS text messages to get targets to click malicious links or hand over private information. Bank impersonation is a type of vishing and/or smishing, and both forms of fraud are growing threats.

How to stay safe

  • Always be alert: Never assume a caller is legitimate because they know information about you, your company, or your colleagues
  • Don’t rely on caller ID: Caller ID can be faked, so don’t rely on this as an indicator of legitimacy
  • Stop and think: If a call or text creates a sense of urgency, stop and think: is it legitimate? Do you really need to rush?
  • Don't click links: Links in suspected smishing text messages may lead to fake websites or install malware on your device
  • Contact someone trusted: If you get a suspicious call, end the conversation immediately and call a trusted contact at the organisation in question. Use a different phone as the fraudster can keep the original line open. Do not use a number provided by the caller.
  • Remember: We will never call you and ask for your PIN, passwords, payment authorisation codes or full account details. Nor will we ask you to make a payment or request access to your systems or PC.

CEO impersonation

In CEO fraud, criminals pose as the CEO, or as other members of staff such as system administrators or financial controllers, to persuade employees to make urgent payments or transfer funds. The requests are usually made by email but can come by phone, and are often timed for when the real member of staff is out of the office. Criminals may also ask for financial information, such as reports, trade debtor lists or customer contact details, which they can use to chase payments in your name.

It’s important to remember that even an apparently genuine email address may have been hacked, and that fraudsters may apply pressure by implying urgency as a means of persuading you to bypass controls around payments. Reference to the payment being ‘special’ or ‘secret’ should also ring alarm bells.

How to stay safe  

  • Independent verification: Independently verify any payment request that involves a new beneficiary, amended bank details or enquiries about your payment processes, using contact details that you already know and trust. This applies even to requests that appear to come from internal email addresses or senior management. Do not use contact details included within the request
  • Employee training: Ensure all payments staff are trained, vigilant and empowered to challenge such requests
  • Restrict information: Be alert to how much information is revealed about your company and key officials through your website, social media and out-of-office automated replies.

Invoice scams

Also known as mandate fraud: a fraudster poses as one of your suppliers, tells you their payment details have changed and provides new account details, often asking for an urgent payment. The fraud may only come to light when the genuine supplier chases the payment they never received.

How to stay safe  

  • Be cautious: Treat any request to change payment details with extreme caution. Remember that even an apparently genuine email address may have been hacked
  • Verbal checks: Check the request verbally, using a trusted contact for the supplier held on file. Do not use a number included within the request as this can result in you speaking to the fraudster
  • Points of contact: Consider setting up single points of contact with suppliers you pay regularly
  • Staff training: Ensure staff who process invoices are trained about risks and know how to respond 
  • Invoice details: Compare invoice details against previous, genuine invoices. Apply the same principles to requests from within your own organisation
  • Be aware of public platforms: Fraudsters may use knowledge about your supply chain, including information gleaned from your website or social media. Consider removing details such as supplier testimonials from public platforms.

Network attacks

A network attack is an attempt by cyber criminals to gain unauthorised access to a company's network by exploiting security vulnerabilities. These attacks vary in type, but all exploit some weakness in how the network is set up or protected. Where network traffic is not encrypted, a third party on the same network, or anywhere along the path, can intercept communications and read sensitive information.

How to stay safe  

  • Policy: Implement a cyber security policy – if you don’t know where to start, seek professional advice
  • VPN: Use a Virtual Private Network (VPN) which will enable more privacy and security when remotely accessing your company’s systems and help protect sensitive data
  • Avoid public Wi-Fi: If you don’t have a VPN avoid public Wi-Fi sources, only use trusted secure connections
  • Website security: Ensure websites you enter information into use 'HTTPS://'. But be aware: HTTPS only means the connection is encrypted. Criminals can obtain certificates for their own fraudulent sites, so a padlock alone does not prove a site is genuine
  • Web addresses: Check all web addresses for subtle spelling mistakes and other irregularities that could indicate a malicious site
  • IP addresses: Configure your routers and firewalls to drop traffic from invalid or unroutable source addresses, which is commonly used in attacks
  • Use intrusion-detection systems: To monitor threats to your network and automatically notify your security team
  • DDoS: Invest in DDoS (distributed denial-of-service) mitigation appliances or services which block illegitimate traffic to your website
  • Increased bandwidth: Purchase increased bandwidth to handle spikes in demand caused by DDoS attacks, or purchase on demand services like burstable circuits that provide more bandwidth when you need it
  • Check: Check with your official authority on cyber security for the latest threats, for instance the National Cyber Security Centre in the UK at www.ncsc.gov.uk or the Agence Monégasque de Sécurité Numérique in Monaco at amsn.gouv.mc. 
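Checking a web address for "subtle spelling mistakes and other irregularities", as advised above and in the smishing section, is tedious to do by eye across many messages. The following Python is an added example, not part of this page or the bank's own tooling: it compares the host of each URL against a short list of domains the organisation trusts and flags the common tricks, namely non-ASCII look-alike characters, a trusted name embedded as a subdomain of another domain, digit-for-letter substitutions such as examp1e-bank.c0m, and hosts within two edits of a trusted domain. The trusted list, the sample URLs and the simplified public-suffix handling are all assumptions made for the example.

```python
"""Lookalike-domain checks for URLs in emails and text messages (added example).

For each URL, compares the host against a small list of domains the organisation
trusts and flags: non-ASCII / internationalised hosts that can imitate Latin
letters, a trusted name embedded as a subdomain of some other domain, hosts that
match a trusted domain once look-alike characters (0/o, 1/l, rn/m) are folded,
and hosts within two edits of a trusted domain. The trusted list and sample URLs
are constructed for this example.
"""
import unicodedata
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("example-bank.com", "example-bank.co.uk")  # constructed for this example

# Characters commonly swapped for the letters they resemble; folded before comparing.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

# Constructed sample links: two genuine, four imitations.
SAMPLE_URLS = (
    "https://online.example-bank.com/login",
    "https://www.example-bank.co.uk/",
    "https://example-bank.com.secure-login.example.net/verify",
    "http://examp1e-bank.c0m/login",
    "https://exampel-bank.com/",
    "https://ex\u0430mple-bank.com/login",  # Cyrillic 'а' (U+0430) in place of Latin 'a'
)


def registrable_domain(host):
    """Rough stand-in for a public-suffix lookup: last two labels, or three for co.uk-style suffixes."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "com", "org", "gov", "ac"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def skeleton(name):
    """Fold look-alike characters so 'examp1e-bank.c0m' compares equal to 'example-bank.com'."""
    folded = unicodedata.normalize("NFKC", name).lower().translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-typo and transposition squats."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def check_url(url):
    """Return a list of findings for one URL; an empty list means the host is a trusted domain."""
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ["URL has no host"]
    findings = []
    # Non-ASCII or punycode (xn--) labels: show the Unicode form so the reader can see the substitution.
    try:
        unicode_host = host.encode("ascii").decode("idna")
    except UnicodeError:
        unicode_host = host
    if unicode_host != host or any(ord(c) > 127 for c in host):
        findings.append(f"internationalised host {unicode_host!r}; possible homograph")
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return findings
    for trusted in TRUSTED_DOMAINS:
        if trusted in host:
            findings.append(f"trusted name {trusted} appears inside untrusted domain {domain}")
        elif skeleton(domain) == skeleton(trusted):
            findings.append(f"{domain} imitates {trusted} using look-alike characters")
        elif edit_distance(domain, trusted) <= 2:
            findings.append(f"{domain} is within {edit_distance(domain, trusted)} edits of {trusted}")
    return findings


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample, "->", check_url(sample) or ["trusted domain"])
```

The two genuine links produce no findings; each imitation is caught by at least one rule. In a real deployment replace registrable_domain with a proper public-suffix list lookup and extend the confusable table with a full Unicode confusables mapping, since the short table here only covers the most common digit substitutions.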

Investment scams

Fraudsters can pose as sales people or bank employees, offering investment opportunities such as shares, gold, bonds or digital currency with the promise of great returns. They often use hard-selling tactics to persuade you and suggest that the offer is time-limited. Scammers may praise your understanding of risk and say you’ve been selected for an ‘exclusive’ chance. The shares they’re pushing may be listed on an illiquid market so can’t be sold, or may be a small unquoted company that, the fraudster claims, is planning to list. In other cases, the company may not exist or the share certificates are fake.

How to stay safe  

  • Remember: Any so-called ‘investment opportunity’ you receive out of the blue is likely to be very risky or a scam 
  • Consult: Speak to a trusted friend or family member before investing, and consider consulting a qualified financial adviser 
  • Check: If you're considering an investment, do plenty of research, including checking your local financial regulator's register of authorised firms and its warnings about suspicious firms, before you invest:
