Fraud, phishing scams, and cyber-attacks are sadly a very real fact of business ownership, though it’s all too easy to think it’s the sort of thing that happens to other people. In truth, it can happen to anyone, with businesses falling victim to scams and attacks all over the world, every single day.
Fraud can happen to anybody, and can be fatal for a business no matter how large or well-established, though particularly so for smaller businesses.
Why are small businesses more at risk from scammers?
Micro, small, and medium-sized enterprises often don’t have resources readily available to fortify the business.
Their physical size in terms of staffing power is part of the problem; fewer people means that secondary checks are less feasible. Any process with a reduced amount of ‘contact’ points means fewer opportunities to spot problems and deal with them.
Smaller business operations also tend to have smaller cash reserves, so simply can’t afford the more sophisticated end of the security market. A business with less cash is also more likely to feel the impact of any disruption to cash flow.
Plus, smaller businesses pose much less threat to scammers. Sadly, their lack of resource indicates less likelihood of the business being in a position to cause a fuss.
The financial cost of scams for UK business
UK Finance found that bank fraud alone is now costing the UK economy more than £1 billion a year, with authorised push payments (38%) being the main culprit.
Almost a third reported security breaches as a result of cyber-attacks
BDO LLP’s research also found that while a third of UK fraud came from external sources, the majority came from collusion between internal and external individuals (38%).
Even more alarmingly, almost a third (29%) was committed against businesses by their own staff.
A loss or breach of data might even result in fines under GDPR. The UK’s data protection authority, the Information Commissioner’s Office (ICO), has the power to issue fines of up to 4% of your annual worldwide turnover.
What are the most common types of frauds and scams in small businesses?
Unfortunately, the multiple ways that fraudsters can target a business mean that any defence must consider multiple entry points.
Fraudsters can use payment cards to make online purchases, only for the payment to be queried by the genuine cardholder once the goods have been sent out to the scammer. Cyber-crime during the payment handling process can target unprotected ecommerce sites, whilst phishing campaigns can decimate a business.
Spotting the warning signs of business fraud is increasingly difficult, as thieves become ever more sophisticated. Red flags might include sudden changes of address, unsolicited opportunities, or even changes in staff circumstances.
Cyber-attacks and phishing scams
Most businesses find themselves responsible for sensitive data, such as customer information or employee details, at some point. Whilst this information can be useful for you in the running of your business, it can be extremely valuable to fraudsters who can exploit it for their own benefit.
Data can become vulnerable from something as simple as sending an email to the wrong person, but it can also be far more sophisticated, and much less innocent.
For example, a cyber-attacker might steal customer payment information from a database, or a phishing scam email might encourage an employee to enter card details to renew an ‘expired subscription’.
Some businesses also store commercially sensitive data, such as the details of ongoing research and development, or ‘the secret recipe’ that made you a success. If it’s financially valuable to your business, it can be just as valuable to someone else.
What is invoice fraud?
Invoice fraud can manifest in several ways, and an attack can come from within the business or an external source. For example, an employee could create a fake supplier and enter counterfeit invoices, or simply change the payment info for a genuine supplier.
Similarly, fraudsters might contact the business claiming to be one of your suppliers letting you know about a change of bank details.
How do ransomware attacks work?
One of the most common tactics that hackers are using is ransomware. This is when a criminal gets access to a system and encrypts important data. Literally holding your data to ransom, they will then offer to decrypt it if you pay them a fee.
Some companies pay because the alternative is losing data that a company needs to function, or the risk of reputational damage. The problem is that you’ve got absolutely no guarantee that you’ll get your data back if you pay up.
As the name suggests, payroll fraud involves manipulating the payroll system and processes in order to funnel money out of the business unlawfully. Some common ways this category of fraudulent activity can manifest include:
Fake timesheets (so that the person can be paid more than they earned)
Issuing fake bonuses
Paying fake employees
This type of fraud might come from within, but it can also be committed by external individuals – those who can hack your payroll system to steal money under the guise of employee payments.
This covers all types of fraud committed within a business by any of its members of staff. This includes things like payroll fraud and invoicing fraud – both summarised above – but comprises any form of theft or fraudulent activity that an employee carries out.
Fake HMRC correspondence
As if the threat of a scary-sounding letter from HMRC wasn’t enough, there’s also the risk of it actually being a scam. This usually takes the form of a phishing-style attack asking you to click links or enter sensitive information.
This type of fraud describes the deliberate theft or misuse of business assets, such as:
Theft of company equipment
Stealing physical cash
Stealing money via digital transfer
Sharing trade secrets or commercially sensitive information with fraudsters or competitors
If you offer your employees any kind of insurance benefit, this sadly leaves you vulnerable to potential insurance fraud. This is where a member of staff falsifies claims or incidents as a means by which to steal from your business in plain sight.
Social media ransom and ruin
It’s worth mentioning social media attacks separately because many of us will be much more casual in our approach to social media accounts than other aspects of the business. After all, what’s the worst that could happen?
The risk of reputational damage is likely to be far worse than a comment which is a bit off-brand, particularly if your business is responsible for sensitive client data.
Over half of the SMEs who had suffered hacking of their social media accounts admitted it had caused ‘significant’ damage to their business, and nearly two-thirds said the hackers had demanded a cash ransom for returning account control back to the business.
What is the fine for not complying with data protection?
GDPR rules regulate the way businesses handle and protect the personal information of their customers. Businesses who suffer a data breach as a result of any negligence in their security processes could find themselves with a pretty nasty fine – up to 4% of your annual worldwide turnover.
It’s a massive financial hit, not to mention the reputational damage. Customers are likely to be wary, and it could also put off potential investors or money lenders too.
What can small businesses do to protect themselves from fraud?
Introducing additional measures or due diligence might seem onerous, but there are lots of opportunities for reducing risk in your business.
Secure data and back it up properly
Storing data securely, whether physical or digital, is essential. Not only are there legal requirements for this, but doing so can protect your business, and even help you remain operational in the event of any disruption. Office flooded? Just as well all your data is safely backed up.
Encrypt as much data as possible, be ruthless about keeping passwords safe, and only ever use reputable, trustworthy software, apps, and digital services.
Bring in the professionals for business fraud protection
As tempting as it might be to shriek Ghostbusters when asked who you’re gonna call, they’re unlikely to be the best bet. Instead, calling in the relevant experts to take care of cyber security, or qualified accountants to keep an eye on financial issues, is likely to stand you in good stead!
Take Five to Stop Fraud
Take Five to Stop Fraud is a national campaign designed to stop individuals becoming victims of fraud, but the concept can be applied to businesses too. The idea is to stop, think and assess before acting if you are suspicious or if something doesn’t feel quite right.
Withhold information, refuse to answer questions, and halt contact if you feel alarmed, then assess the situation before moving forward. If it seems too good to be true, listen to your gut.
Train staff to spot scams and counterfeits
As a business owner, you can’t have eyes and ears everywhere, as much as you might like to. This means you can’t always do everything yourself, so train staff to identify and manage fraud for themselves. This applies to everything from counterfeit bank notes, all the way up to things like processes and security infrastructure.
Do a background check on people in your business before working with them
In the same way you might run background checks or request references for potential new employees, you can also research prospective suppliers. Make sure they’re legitimate before sharing any information or money with them.
For example, check the company registration or VAT number is legit, and that registered addresses match up.
Don’t let one person be responsible for all financial tasks
Distribute money-related tasks across multiple members of staff so that they’re not all left with one person. If your workforce isn’t that big, you could enlist the expertise of an accountant, or even just sign off everything yourself.
Restrict access to sensitive data and information
Protect your sensitive data and information by restricting access only to those who need it. Leaving it open to be accessed by anybody is a dangerous way to run your business. Giving access only when relevant can help you to limit risk, and will eliminate individuals from your enquiries if fraud-based problems do arise.
Carry out regular audits and inspections
Regularly audit things like stock, inventory, and equipment to ensure that all of your business’s assets are present and correct. Doing this on a regular basis means you can spot any problems early and nip them in the bud before they get any more serious. You can introduce similar checks for your data handling processes and your bookkeeping.
Implement a double signature policy on contracts and documents
Double down on security by requiring a double signature on relevant contracts and documents. This means asking more than one employee or director to sign important paperwork, as opposed to leaving it all in the hands of one individual.
If you feel like there’s something not quite adding up with your finances, get your accountant to cast an expert eye over it to identify any problems or specific activity.