So, we’ve already done an article on fake emails and how to best protect yourself from them, but what about other types of online fraud? According to www.scamwatch.gov.au, Australians lost $340 million to fraud in 2017, and this amount seems to rise year-on-year. This article discusses the most common ways that businesses are affected by online fraud, and what you can do to prevent your business from suffering the same fate!
It may feel like we’re stating the obvious here, but bear with us, as compromised passwords are one of the most common causes of fraud against businesses. You will probably have heard some of these already, but here are the dos and don’ts of password security.
Here are the don’ts:
- Don’t use the same password for multiple logins. If you do this and one password is compromised, it means that all of the logins using that password are also compromised. Isolate the damage to just one login by keeping different passwords.
- Don’t write down your usernames and passwords together in the same location. Even if you don’t write down what the username and password are for, anyone with access to your office has just gained your credentials for something.
- Don’t use password manager applications. You are giving away your passwords to a third-party organisation.
And here are the dos:
- Use strong passwords. The longer and more complicated the password is, the more difficult it will be for anyone to guess or hack your password. Using a combination of uppercase and lowercase letters, numbers and symbols is the way to go.
- As best practice, some organisations have IT policies in place to change all of their passwords every six months. This limits how long a password remains useful to anyone who may have had access to it. This is especially important for larger organisations with many people accessing sensitive information, and for organisations with a high turnover of staff who have access to passwords.
- If you have an IT person on staff, make it part of their role to change passwords and remove saved credentials from computers whenever an employee leaves the business. Sabotage and leaked information are incredibly damaging to a business’s reputation.
- Ensure your account recovery information is up to date for all your online accounts. If you forget a password and need to change it, the last thing you want is to discover that the account is linked to an old phone number or out-of-use email address.
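The password dos and don’ts above can be turned into a simple check that an IT person can run over a list of logins. The following is an added example, not code from the original article; the minimum length of 12 characters and the sample credentials are assumptions made for the illustration (the sample is constructed data, not real accounts).

```python
# Added example (not from the original article): apply the password "dos and
# don'ts" to a set of logins and report which ones break the rules.
import string
from collections import defaultdict
from typing import Dict, List

MIN_LENGTH = 12  # assumed policy minimum; adjust to your own IT policy

# Constructed sample credentials for the demonstration (not real accounts).
SAMPLE_CREDENTIALS: Dict[str, str] = {
    "email": "Summer2019",
    "bank": "Summer2019",              # same password reused for a second login
    "crm": "Tr0ub4dor&3xample!",
}


def password_issues(password: str) -> List[str]:
    """Return the policy problems with a password; an empty list means it passes."""
    issues = []
    # "The longer and more complicated the password is, the harder it is to guess."
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        issues.append("missing " + ", ".join(missing))
    return issues


def reused_passwords(credentials: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password shared by more than one login to the logins that use it."""
    by_password = defaultdict(list)
    for login, pw in credentials.items():
        by_password[pw].append(login)
    # "Don't use the same password for multiple logins": one compromise spreads to all.
    return {pw: logins for pw, logins in by_password.items() if len(logins) > 1}


def audit(credentials: Dict[str, str]) -> Dict[str, List[str]]:
    """Combine the strength and reuse checks into one report keyed by login."""
    report = {login: password_issues(pw) for login, pw in credentials.items()}
    for logins in reused_passwords(credentials).values():
        for login in logins:
            report[login].append("reused across " + ", ".join(sorted(logins)))
    return report


if __name__ == "__main__":
    for login, problems in audit(SAMPLE_CREDENTIALS).items():
        print(f"{login}: {'; '.join(problems) if problems else 'OK'}")
```

Running the script prints one line per login; in the sample, `email` and `bank` are flagged both for weakness and for sharing a password, while `crm` passes.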
Invoice Fraud & Billing Scams
Now, we have already dedicated a full article to email scams (you can check out the article here: www.aboutnetworks.com.au/2018/09/06/the-journey-begins/), but lately a new trend has emerged that is different to the phishing or malware emails of yesteryear: invoice fraud, and many businesses are falling victim to it. Emails containing invoices claiming to be from suppliers are sent to unsuspecting businesses, and many businesses pay the invoices to scammers believing them to be legitimate. In 2018 a Perth car dealership paid an invoice for $65,000 believing it was from a legitimate supplier, and only realised a week later that they had fallen victim to a scam. You can read more about this story here: https://www.smartcompany.com.au/finance/fraud/perth-car-dealership-loses-65000-invoice-scam-despite-best-security-practices/.
Additionally, the ACCC (Australian Competition and Consumer Commission) is also warning of ‘billing scams’ affecting businesses, where a bill is emailed to a business for a product or service that it did not sign up for; for example, a magazine subscription. Sometimes the scammer will even call the business demanding payment. This type of scam often targets small businesses. The ACCC has taken action against companies found to have engaged in this behaviour, and in 2013 a company called Adepto Publications Pty Ltd was fined $750,000 for its predatory behaviour. If your business has been affected by a billing scam, you can report the scammer to the ACCC; for more information see their website: https://www.accc.gov.au/update/the-rise-of-the-billing-scam.
To avoid being affected by invoice fraud and billing scams, always ensure that the following steps are taken prior to any payments being made:
- Ensure that your accounts department checks and confirms that the invoice details are correct and legitimate before making payment. If any details are different to those on file for the organisation (particularly contact and banking details), require the accounts department to confirm with the company prior to making any new payments.
- Limit access to company financial information, and the ability to make payments and perform refunds on behalf of the company, to your accounts department only.
- Require all staff to submit purchase orders for any purchases made.
- Limit company credit card use to an as-needed basis. Keep all company cards in a locked drawer accessible by the accounts department only.
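The first and third steps above (compare invoice details against what is on file, and require a purchase order) can be enforced before a payment is released. The following is an added example, not code from the original article or from any accounting product; the vendor record, the invoices and the purchase order numbers are constructed sample data, and the set of fields watched for changes is an assumption chosen to match the kind of details invoice scams alter.

```python
# Added example (not from the original article): hold any invoice whose supplier
# contact or banking details differ from the vendor master file, or which has no
# matching purchase order, so the accounts team confirms with the supplier first.
from dataclasses import dataclass
from typing import Dict, List, Set

# Fields whose change must be confirmed out-of-band (using the phone number on
# file, not the one printed on the new invoice) before payment. Assumed list.
WATCHED_FIELDS = ("bsb", "account_number", "account_name", "email", "phone")


@dataclass
class Vendor:
    name: str
    bsb: str
    account_number: str
    account_name: str
    email: str
    phone: str


@dataclass
class Invoice:
    vendor_name: str
    amount: float
    bsb: str
    account_number: str
    account_name: str
    email: str
    phone: str
    purchase_order: str = ""


# Constructed sample vendor master file (not real data).
VENDOR_FILE: Dict[str, Vendor] = {
    "Acme Parts": Vendor("Acme Parts", "062-000", "12345678", "Acme Parts Pty Ltd",
                         "accounts@acmeparts.example", "08 9000 0000"),
}

# Constructed sample of purchase orders raised by staff (not real data).
OPEN_PURCHASE_ORDERS: Set[str] = {"PO-1001"}


def _norm(value: str) -> str:
    """Normalise whitespace and case so trivial formatting differences don't raise false holds."""
    return " ".join(value.split()).lower()


def check_invoice(invoice: Invoice, vendors: Dict[str, Vendor], purchase_orders: Set[str]) -> List[str]:
    """Return the reasons the invoice must be held; an empty list means it may proceed to payment."""
    holds: List[str] = []
    vendor = vendors.get(invoice.vendor_name)
    if vendor is None:
        return ["unknown supplier: no record on file"]
    for field_name in WATCHED_FIELDS:
        on_file = getattr(vendor, field_name)
        on_invoice = getattr(invoice, field_name)
        if _norm(on_file) != _norm(on_invoice):
            holds.append(f"{field_name} changed: on file {on_file!r}, on invoice {on_invoice!r}")
    if not invoice.purchase_order or invoice.purchase_order not in purchase_orders:
        holds.append("no matching purchase order")
    return holds


if __name__ == "__main__":
    # A genuine invoice: matches the record on file and quotes an open PO.
    genuine = Invoice("Acme Parts", 1200.00, "062-000", "12345678", "Acme Parts Pty Ltd",
                      "accounts@acmeparts.example", "08 9000 0000", "PO-1001")
    # A suspicious invoice: same supplier name, but new banking details and no PO.
    suspicious = Invoice("Acme Parts", 65000.00, "033-999", "87654321", "Acme Parts Pty Ltd",
                         "accounts@acmeparts.example", "08 9000 0000")
    for label, inv in (("genuine", genuine), ("suspicious", suspicious)):
        holds = check_invoice(inv, VENDOR_FILE, OPEN_PURCHASE_ORDERS)
        print(f"{label}: {'PAY' if not holds else 'HOLD - ' + '; '.join(holds)}")
```

The check deliberately refuses to pay rather than warn: a changed BSB or account number is exactly what the Perth dealership case turned on, and the confirmation call must go to the contact details already on file.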
Another area of concern for many businesses is the use of unsecured Wi-Fi networks. If employees are using personal devices for work, then your business’s security is only as good as each employee’s personal device security. Additionally, if your employees are accessing company information online, then the security of the information being accessed is potentially compromised whenever employees are using open or free Wi-Fi. There are changes that businesses can make to combat this, and they include:
- Control access to your business’ files. Restrict file access to only those employees that need to use the files for their work and disallow access to all others.
- Restrict online access to files outside of the workplace. This will not be possible for every business due to individual requirements but is an excellent security measure for businesses that do not require employees to have remote access to company files while off-premises. If your company does require online access to files off-premises, implement a VPN (Virtual Private Network). A VPN uses encryption to protect data being transferred across the internet, and is used by many businesses. You can learn more about using a VPN for your business here: https://www.itproportal.com/features/vpn-or-virtual-private-networks-what-businesses-need-to-know/.
- Restrict access to company files to company devices only. Restrict use of personal devices at work to break times only (in the break area rather than at work desks, if possible). Disallow personal devices from being connected to company computers and devices (cable, Bluetooth and Wi-Fi connections).
There are many other areas of IT and online security that can make a business vulnerable if they’re not properly attended to. If you are unsure, it is best to review any areas of concern. If your situation is an unknown altogether, or if you have several grey areas that could lead to compromised security, it may be better to perform a full IT security overhaul and review and update all of your current and past security practices. If you’ve got any concerns about your business’s online security, give us a call today; we’ll be happy to discuss any concerns you may have about password security, best practice or any other areas of IT security.