Cyber crime and online fraud are a growing epidemic worldwide, with fraudsters using the power of the internet and various cunning methods to try to get their hands on funds from online bank accounts. Recruitment agencies make numerous online banking transactions on a daily basis, especially if they have active contractors, simply due to the nature of the business. With banks trying to make their online systems as user-friendly and simple to use as possible, there is always the problem that fraudsters will try to exploit any weaknesses in the processes followed.
Below is a list of the common frauds that banks are seeing, where criminals try to extract funds and information from companies in order to defraud them:
- Bogus Boss Fraud
Bogus boss fraud is where a fraudster sends an email to a member of the accounts team requesting an urgent payment as if they were the director of the company. These requests often use friendly language, as the fraudster will use information about the directors to disguise themselves. The fraudster may also use a similar email address (using dots and dashes in the domain name or person's name, “.com” instead of “.co.uk”, using i’s which look like l’s) to make it look like a genuine request.
- Invoice Redirection
Invoice redirection is where either an emailed invoice is intercepted during transmission and the bank details on it are changed before it is routed onwards, or a request is sent to the client asking for a change in company bank details. This means that the client may pay to the fraudster's bank details, leaving your invoice unpaid.
- Telephone Fraud / Vishing
Telephone fraud or “Vishing” is where a fraudster impersonates the bank over the telephone to try to get a payment made or to obtain details of your usernames, passwords and PINs. Often, the fraudster will build up trust by going through security processes to extract login information and inform you that there is a problem with your account or a transfer that has been made. Some fraudsters may even ask you to make test payments or reverse transactions to a bank account (which is really their account) to ensure that the system is working correctly. Fraudsters are even using text messages to contact potential victims in the hope that you will disclose banking details or make a payment.
- Financial Malware & Phishing
Financial malware is a type of software which is downloaded from a link or an attachment in a phishing email. These phishing emails will often look genuine and appear to come from reputable organisations such as Companies House, HMRC or even the bank itself. Once the link or attachment is opened, it installs the malware. This malware will sit on your PC (often undetected) until you go onto your banking system. It will then either record the keystrokes on your PC to get your login details, or show you a different screen while it enters payments in the background for you to authorise without your knowledge – until it is too late.
The best ways for you to protect your recruitment agency from being a potential victim of these kinds of fraud are:
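The lookalike sender addresses described under Bogus Boss Fraud above (dots and dashes, “.com” instead of “.co.uk”, i’s for l’s) can be flagged automatically before a payment request reaches the accounts team. The following Python sketch is an added example, not part of the original article or any TBOS system; the director address, the suffix list and the function names are assumptions made for illustration.

```python
import re
from email.utils import parseaddr

# Constructed sample value: addresses of the people who can genuinely request payments.
DIRECTORS = {"jane.smith@example-agency.co.uk"}

# Suffixes handled in this sketch, longest first; a production check would use the Public Suffix List.
SUFFIXES = (".co.uk", ".org.uk", ".com", ".net", ".org", ".uk")

# Fold characters that look alike: "l" and "1" become "i" (a capital "I" is lowercased first).
CONFUSABLES = str.maketrans({"l": "i", "1": "i"})


def fold(text):
    """Remove dots and dashes, then fold look-alike characters."""
    return re.sub(r"[.\-]", "", text).translate(CONFUSABLES)


def address_key(address):
    """Reduce an address to a comparison key that ignores the tricks listed above."""
    local, _, domain = address.lower().partition("@")
    for suffix in SUFFIXES:
        if domain.endswith(suffix):
            domain = domain[: -len(suffix)]
            break
    return fold(local), fold(domain)


def classify_sender(from_header):
    """Return 'genuine', 'lookalike' or 'other' for a From header value."""
    address = parseaddr(from_header)[1].lower()
    if address in DIRECTORS:
        return "genuine"
    if address_key(address) in {address_key(d) for d in DIRECTORS}:
        return "lookalike"
    return "other"


if __name__ == "__main__":
    # Constructed sample From headers.
    for header in ("Jane Smith <jane.smith@example-agency.com>",
                   "jane-smith@exampIe-agency.co.uk",
                   "accounts@supplier.example"):
        print(header, "->", classify_sender(header))
```

A “genuine” result only means the address text matches a known director; it does not prove the message came from that mailbox, so unusual payment requests still need to be verified as described in the list below.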
- Make all of your staff aware of the types of frauds that could occur
- Ensure your staff are aware that the bank will never ask for PINs, passwords or authorisation codes over the telephone
- Ensure your staff are aware that the bank or the police will never ask for a payment to be made to a test/safe account
- If in doubt, hang up the phone and call the bank back directly from an independently found number and, where possible, from a different phone line
- Have a dual authorisation system in place (i.e. one person enters payments, another authorises them)
- Verify any unusual requests or change of bank details with the person making the request
- Never open email attachments or click on links that come from unknown sources/email addresses
As TBOS manages the online banking for our clients on a day-to-day basis, it is important that we have security checks in place before any payments are made. TBOS works with our agencies to ensure that the company bank account has dual authorisation, with a user (often an account administrator) who can enter payments but not authorise them and a user (often a manager) who can authorise payments but not enter them. TBOS runs quarterly security audits internally to review current processes, identify potential risks to the system and come up with methods to reduce fraud within TBOS and our agencies. TBOS also runs regular fraud awareness training seminars for all staff, in conjunction with our banking partners, to ensure our staff are aware of the ways that criminals may try to extract funds.
If you have been the victim of an online fraud then please ensure you speak to your bank and contact Action Fraud on 0300 123 2040 / www.actionfraud.police.uk.
For more information on how TBOS can help provide back office services for your recruitment agencies, please contact our office.