Are we getting too comfortable with giving out our data these days? With the emergence of Chat GPT, everyone seems more than happy to share even more than they were before! People are giving more, because Ai is becoming ever more articulate and bespoke in terms of its response. We are all aware of cyber threats and internet fraudsters, but how many of us think along the lines of “this will never happen to me” or “I would know for sure if I received a dodgy link”?
Some real-life examples now have me thinking even harder about how serious the risk is, and how a single action from someone in an Accounts team could ultimately cost a business thousands of pounds.
Take a moment to consider your company assets. Do you have expensive laptops and mobile phones in your offices? Do you have valuable machinery in your warehouses? At night when you go home, do you leave your buildings unlocked for anyone to walk in and help themselves to these assets? Do you allow all of your staff access to every piece of equipment and machinery? I am sure you have procedures in place to secure your building, your stock and your other physical assets.
The same must be said for data
Here at Microbyte, we are constantly working internally and with our clients to ensure that data is as secure as possible. What I would like you to think about is what happens beyond that? What happens when a fraudster or spam emails bypass the security measures and allows someone to ‘walk’ into your business potentially accessing emails and bank accounts?
Before the days of internet banking, all we really had to worry about was someone getting hold of our chequebooks and writing a fraudulent cheque. It seems hard to believe that many years ago when I worked for a High Street bank, there would be one person responsible each day for checking all presented cheques over £1000 in value. Signatures would be checked and any unusual amounts or payees would be clarified with the account holder. At this point, the cheque could still be ‘stopped’ and the funds be reversed.
Today, with the advances in internet banking, we can send thousands of pounds at the click of a button, from our PCs, our phones and even our smartwatches. There is no recalling these payments, no stopping them and no reversing the transaction. It is so easy to do that perhaps we are less vigilant. Are we really thinking about the value of this payment and the potential loss to our company if something goes wrong?
If you have access to company bank accounts or sensitive information, you are holding the entire company cash assets in your hands. So, if you receive an accounting request you must be equally mindful of acting on this, even if you deal with the sender regularly. The person who is apparently sending the request may be a victim of hacking in their own right.
Imagine if you were paying someone a large amount of cash. Let’s say you have the arrangement to pay the owner of a business £25,000 for payment of their previous months’ invoices. You arrive at the business with your bag of cash and an unknown staff member greets you and says they have been asked to take the cash on the owner’s behalf.
Would you hand it over? I imagine not! So take a moment to think about what you would do if you received an email asking you to send a payment to a different bank account from the one you normally send to.
Fraudsters are regularly attempting to access mailboxes. Are you aware that just by clicking on a link, you are one step closer to enabling a hacker to gain access to your mailbox? They will then wait for the right moment to intercept a relevant email thread. There have been reports stating that emails from fraudsters advising of new bank details have been sent from genuine mailboxes. Recipients have acted on this and subsequently sent money to incorrect bank accounts.
Within our Accounts department, we have procedures in place to significantly reduce the risk of this happening. We would never act on an email from anyone (even if it looked to have been sent from the business owner’s email address) asking us to send money to any other bank account other than the one specified on their invoices. Requests of this nature would always be followed up by a phone call to the business owner and unless we could positively identify him or her, we would not act on the request.
Do you have similar procedures in place?
I am sure you all will have at some point, received an email from a bank asking you to follow a link to reset/enter your password. Never ever do this. The emails are rarely (if ever) genuine. Media reports tell of hackers obtaining access to bank accounts in this way. Funds are moved quickly before anyone realises.
Please ensure that staff with access to bank accounts are fully aware of all such risks. Perhaps implement a procedure where you have dual access or limited access for certain staff members. Fraudsters are becoming more and more competent and are catching all IT users unaware. They are targeting us in so many ways and it takes just minutes for our bank accounts to be compromised once they have access.
Be wary also of internal spam – these are emails which seem to have come from a colleague containing payment requests. Do not act on these emails unless you are 100% sure this is genuine. You would be surprised at how genuine these emails can look – I have had several. Why not consider a procedure involving a payment requisition form which should be signed by an authorised member of your business?
Finally, please do stay aware of any data you provide whether willingly or accidentally, as you never know where it might end up.