Being part of Manchester Digital, we get access to exclusive events talking about the serious changes in digital and current trends. We recently attended an event talking about online fraud and cybercrime, and honestly, this is a much more serious threat than most businesses even realise.
At the event we heard from DC David Stott from Cheshire Police force and Raoul Charlett, a Complex Fraud and Corruption Investigator, talking about cybercrime and fraud proofing your ecommerce business. Also speaking was Gareth Williams from MetaPack, who covered various tips and advice about how businesses can protect themselves online.
Traditional Business Fraud
Some of the more common business-related frauds are long-term frauds within organisations, invoice diversions and even internal fraud related to BACS, accounting and false invoices being processed. These clearly have serious consequences for businesses beyond the obvious monetary costs, from data loss and disruption within your business to the branding and PR nightmare if this information gets released, and more.
What is more worrying is the lack of capability for a lot of digital fraud to be investigated. As you know, the UK has borders and so do the capabilities of the law enforcement organisations who can pursue such fraud. Typically speaking, a lot of digital fraud is instigated overseas, which means that bringing criminals to justice requires a lot of work and often never actually happens. This is a huge issue for businesses, particularly those running ecommerce websites, as you can lose a lot of money in the process with little chance of getting this back.
Data Commissioners Office
One point reiterated at the event was that all organisations storing personal information that is used for specific purposes must register with the Information Commissioner's Office. If you aren’t sure if you need to register, then it is recommended to complete the self-assessment on the website, and if you do need to register this is only a nominal fee of £35 per year.
With data breaches on the rise, it is essential that businesses treat data security seriously, as failing to do this when you are required to do so is a criminal offence. Over recent years we have seen literally billions of customer details stolen from only a small handful of companies storing personal information for their customers.
Digital Fraud and Cybercrime
Moving on to some of the more modern frauds that happen, it is often the ones you may not even have thought about that are a serious problem for businesses. We are increasingly speaking with clients and other businesses about how to mitigate the risk for their businesses related to cybercrime and we are able to provide key recommendations on this topic.
Intellectual Property Theft
How secure is your intellectual property within your business? As a digital organisation, your intellectual property isn’t likely to be in the form of manufacturing processes, secret recipes, physical designs or some of the other traditional areas that you would generally relate to intellectual property theft.
When looking at digital businesses, how secure is your data, your databases, your software code and other sensitive information about your business, your customers, products and services? In our experience, for many small to medium sized businesses, there is often quite a significant opportunity for fraudulent activities and cybercrime to take place due to lack of procedures, understanding and internal training.
This is way beyond our level of expertise at Contrado Digital, although we like to keep our ears open to the news related to hardware security. Specifically, there is open source and freely available software called Reaver, which is designed to hack into WiFi routers by attacking WPS with a brute force style attack to recover WPA and WPA2 passwords.
To put this into perspective, once someone accesses your internal network, they often have access to a wide range of other data within your business if your data isn’t locked down and secured well. This is beyond simply having a more secure password on your router; this comes down to how you and your staff access the files, data and systems within your organisation. You should not only have the internal security of only allowing access to data from an internal IP address, but also only allow access to data for staff who have the authority to view this data, regardless of whether they are within the internal office IP or not.
There are a lot of technical ways and some common sense methods which you can use to protect your business from cybercrime and online fraud. Have a think about some of these questions to see how they relate to your own business:
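The difference between trusting the office network alone and also checking each member of staff's authority can be shown in a few lines. This is an added example, not code from the original post; the network range, user names, roles and data set names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed values for illustration; substitute your own network and roles.
OFFICE_NET = ipaddress.ip_network("192.168.10.0/24")
# Data sets each role may read. Anything not listed is refused (deny by default).
ROLE_ACCESS = {
    "accounts": {"invoices", "bacs_payments"},
    "sales": {"customer_contacts"},
}

@dataclass
class Request:
    source_ip: str
    user: Optional[str]   # None means nobody has logged in
    role: Optional[str]
    resource: str

def on_office_network(req: Request) -> bool:
    return ipaddress.ip_address(req.source_ip) in OFFICE_NET

def ip_only_policy(req: Request) -> bool:
    """Weak: any device on the office network can read everything."""
    return on_office_network(req)

def layered_policy(req: Request) -> bool:
    """Office network AND a logged-in user whose role covers the data set."""
    if not on_office_network(req) or req.user is None:
        return False
    return req.resource in ROLE_ACCESS.get(req.role, set())

# Constructed sample requests.
SAMPLES = {
    "unknown device on office WiFi": Request("192.168.10.77", None, None, "bacs_payments"),
    "sales staff, accounts data": Request("192.168.10.20", "sam", "sales", "bacs_payments"),
    "accounts staff, accounts data": Request("192.168.10.21", "alex", "accounts", "bacs_payments"),
    "accounts login from outside": Request("203.0.113.9", "alex", "accounts", "bacs_payments"),
}

def compare() -> dict:
    """Return {label: (ip_only_decision, layered_decision)} for each sample."""
    return {k: (ip_only_policy(r), layered_policy(r)) for k, r in SAMPLES.items()}

if __name__ == "__main__":
    for label, (weak, strong) in compare().items():
        print(f"{label:32} ip-only={weak!s:5} layered={strong}")
```

The first two samples are the ones that matter: the IP-only rule lets both through, while the layered rule refuses a device that has merely joined the network and a member of staff reaching outside their role.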
- What is your fraud policy?
- How are individual members of staff managed in terms of the data they can access?
- Do your staff understand how Trojans, malware and phishing scams work, specifically related to clicking links and opening emails from unknown sources?
- How do you mitigate risks from updating your accounts, specifically related to invoice fraud?
- How do you investigate new customers to check that they are genuine? A note on this topic is that you can be legally responsible and open to jail time if you have not performed detailed enough checks and your customer ends up being identified as part of a criminal organisation. This could have serious implications for your business.
- How do you thoroughly vet new and existing members of staff? This sounds obvious, but have you spoken to their references?
A note on background checks related to companies is rather interesting, as the data that you will often be researching on freely available company check websites and Companies House is only as accurate as the data that is entered by the company. This is really important to understand because these services do not state that the data is accurate; the information you see on them is what the company has said is accurate. This can be significantly different, particularly when online fraud and cybercrime are taken into account. Do you honestly believe a company that is not legitimate would submit legitimate data? The same applies when another company is created with a very similar name to your business, which could confuse people trading with you, or confuse you when viewing another company.
One interesting service that was recommended was WebFiling Protected Online Fraud (PROOF), which helps companies, i.e. yourself, safeguard your information and protect against corporate identity theft and fraudulent filings.
Another check point discussed was The Gazette which allows you to check company information from an official source. When checking details of a company you are either working with currently or about to work with, it is essential to check through as many sources as possible to get a good understanding of who you are working with.
Hackers for Hire
Thinking hacking and cybercrime isn’t that much of a threat? Think again. There are services popping up such as HackersList which allow you to actually rent hackers for a specific project and pay for their services. And this is just the public face of what is happening. Within the underground there is an awful lot more happening than most people are simply aware of.
Hacking is always seen as this big bad term, yet often hacking isn’t that difficult. Hacking can be extremely simple, particularly when companies employ sloppy web developers and leave their customer details wide open for anyone to access. This isn’t difficult for anyone with half a brain cell and a small bit of technical knowledge to access. This isn’t cyber criminals working away; this can be simply equated to finding a hidden link on a page that happens to be the same colour as the background. The technicalities behind this aren’t much more complex than that.
London Met Fraud Advice
The London Metropolitan Police are very much leading the way when it comes to cybercrime and security prevention in an official sense and have a very valuable website on the topic to help individuals and companies protect themselves. If you aren’t too familiar with some of the basics of protecting yourself and your business, I’d suggest you spend a bit of time researching this and understand what you can do within your own business.
MetaPack is a service designed to track ecommerce deliveries from end to end while looking to reduce fraud at every step of the process by using smart technology. Interestingly, 80 of the top 100 online UK retailers use MetaPack which managed around 50% of the online orders in 2014 (excluding Amazon).
Another interesting fact is that between 1-3% of sales are classified as Goods Lost in Transit (GLIT), which is actually an extremely high amount when you think about the scale of online orders within the UK, some of the highest per capita in the world. Some of the common problems related to this simply come down to different departments within larger organisations not talking to each other, whether this is people or systems. Think sales, website and warehouse all using different spreadsheets, databases and platforms with no centralised system.
A prime example of this is items with a higher value, which are often simply not worth the ecommerce retailer collecting from the customer. Imagine, as a fraudster, ordering a bathroom suite, 5 items, from 5 companies (bath, toilet, bidet, tiles and basin). When each arrives, you call each company to inform them that the item has arrived damaged. Then when they ask if you would like another item delivering, you say no and they simply issue a refund without ever collecting the apparently damaged item from you because it is too expensive to collect or verify. This is clearly an issue if you don’t have the correct procedures in place for your business and happens more than you could imagine.
While I hate to say this, the authorities are too slow to adapt to the changes within digital to keep up with the ever changing technologies, threats, knowledge and information with an ever decreasing budget for public services. When you compare the resources and knowledge the official sources have on cyber security and online fraud to what is actually happening, this is worrying, to the point whereby Stuxnet managed to go unnoticed for quite some time. If you haven’t heard about this, read up on it if you don’t want to sleep at night.
This is going to change over time within the authorities, although as a business you need to take responsibility and protect yourself to avoid any serious issues within your business.
Online fraud and cybersecurity cover a lot of topics from user behaviour, training, IT hardware, physical security and more. This blog post isn’t designed to be a resource covering all of these topics, instead more of a warning to companies to take online fraud, cybercrime and security seriously.
We do our part related to website security which is why we offer services designed specifically to help businesses manage their online security through our WordPress Security and Maintenance packages along with providing industry leading web hosting solutions for small to medium sized businesses.
Online fraud, cybercrime and security need to be taken seriously by businesses within the small to medium sized range. Do not take the threat lightly and assume that it will not happen to you. Cyber criminals will be targeting non-corporate businesses as these are the businesses who often have the fewest security policies in place throughout their website and internal procedures.
If you would like to talk through how your business could be impacted, get in touch to discuss your specific business needs and how we can help protect your business.