Fraud costs UK businesses billions of pounds a year and, while anti-virus software and cyber security measures undoubtedly have their place, one of Barclays’ top fraud experts says the simplest way to avoid becoming a victim of online crime is to implement the human touch.
Damian Brazendale, director of fraud operations and product implementation, client service, has more than 16 years’ experience in the fraud sector and he believes that up to 80% of online fraud could be stopped with the right checks and systems in place.
“Everybody automatically assumes that you need a great deal of sophisticated software and a dedicated cyber crime team,” he said. “Those measures have an important role to play, but to protect against the type of crime we are seeing today, it is the simplest of controls that will prevent the majority of attacks.”
Brazendale says evidence shows that cyber criminals began targeting the corporate world more widely from 2013/14 onwards, utilising malware tools to attack computers and gain access to online banking systems and infrastructure.
Since then, however, the banking world’s significant investment in online security has seen the hackers move on to a more ‘back door’ approach, helped in no small measure by the rise in remote working and the ability to access systems at all times.
“Rather than writing malicious code, the fraudsters are now using legitimate code to send emails that each of us get every day of the week,” continued Brazendale. “An email to say a parcel has been delivered to a neighbour, an invoice from our phone provider – it is so easy to get people to click on the link and, once they do, they have allowed the fraudster access to their computer.
“All the fraudster has to do then is bide their time. They sit and watch your key strokes, they learn about the structure of an organisation, see which bills are being paid to whom, they study the language used and, in time, they will send a fake invoice confident in the knowledge they are very likely to be paid.”
Typically, says Brazendale, they may infiltrate a financial director’s PC, so that when an invoice goes to the accounts department instructing immediate payment to a “new” supplier, it appears to be a legitimate request and will be acted upon.
This, he says, is one of the challenges, as the fraudsters know that by targeting a more senior executive, their email is less likely to be questioned, while in fact it is the accounts team members who need to be most aware of the possibility of scam invoices and changes to bank details.
Other tricks include the spoofing of email addresses or domain names with such tiny variations they are unlikely to be picked up, allowing payments to go through the system unchecked; and the familiar trick of a legitimate supplier apparently advising that their bank details have been updated.
“With the fraudsters tracking payments over a period of time, they will see when demands are due, so they will send what appears to be an email from the supplier stating a change of bank details,” continued Brazendale.
“The customer has already received the goods and knows payment is due, so is unlikely to query the request. The true beneficiary may not chase the payment until at least 30 days, and in the meantime the fraudster has the money in his account with no questions asked. Because the bank has been fulfilling the customer’s instruction, it is very difficult to recover that money.”
To help raise awareness about the lengths fraudsters will go to and the actions that can be taken to stop them, Barclays has an ongoing education programme, including online activities such as podcasts, articles and webinars, use of LinkedIn, Facebook and other social media channels, plus regional seminars and events.
The concluding message from Brazendale, however, is clear: “The good news is that over the past few years awareness is improving and overall, customers are losing less money to fraudsters but no-one is immune. Everyone has the means to protect against fraud by putting the right invoice and ledger processes in place and employing the human touch.
“Take time to independently verify customer details, and don’t just call the number on the invoice, check your records, check previous invoices to see if anything has changed and do not just rely on email instructions – you don’t know where they might have come from.”