How manufacturing businesses can fight fraud
Jim Gee, Partner, Head of Forensic and Counter Fraud
02/08/2018
With help from the Fraud team at Lloyds Bank Commercial Banking, Jim Gee considers how fraud affects businesses in the manufacturing sector.

Over half (54%) of all reported crime in the UK is fraud and cybercrime, and manufacturing businesses are not immune.

Manufacturers must take steps to deter and prevent fraud – it’s more cost effective than reacting after a fraud has happened.

Fraud facts

  • Businesses lose an average of 5.95% of their expenditure every year to fraud. Read our Annual Fraud Indicator article for further information.
  • 86% of manufacturing executives reported that their companies fell victim to at least one instance of fraud over the preceding 12 months - two percentage points higher than the global average across all industry sectors.
  • Typically, a single case of fraud costs a UK business on average £57,000, with some individual cases in excess of £2 million.
  • A case of fraud can cause reputational damage, disruption and impact on staff morale.
  • If there is a cyber component, as there often is, there is also the risk of data loss and subsequent legal sanction by the Information Commissioner’s Office.

Fraud changes and evolves all the time, and the best way to think about it is like a clinical virus that responds and adapts as processes and systems change.

Phishing

Many cyber frauds start with an email specifically designed to capture secure information or trick the recipient into downloading malware. These emails often look like they've been sent by your bank and may contain hyperlinks or attachments that lead to malware downloads.

Malware is malicious software designed to compromise a PC or deceive its user. It can allow a fraudster to secretly and remotely view information on a PC network or capture keystrokes and passwords, which could be used to access a firm's online bank accounts as well as many other operations.
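One way to make the "looks like it's from your bank" point concrete is to check where an email's links actually go, rather than what their visible text says. The script below is an added example, not code from the article, Crowe or Lloyds Bank. It assumes a constructed HTML email body and a constructed allow-list of the domains the firm expects its bank to use; it flags any link whose visible text names one site while the href points to another, any link that uses a user@host trick to hide the real host, and any link that leaves the trusted domains.

```python
"""Added example: flag suspicious hyperlinks in a phishing-style email body.

The email body and the trusted-domain list are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: the domains this firm expects its bank to link to.
TRUSTED_BANK_DOMAINS = {"lloydsbank.com", "bankofscotland.co.uk"}

# Constructed sample email: one lookalike host, one user@host trick, one genuine link.
SAMPLE_EMAIL = """
<p>Dear customer, unusual activity was detected. Please
<a href="http://lloydsbank.com.secure-login.example/verify">www.lloydsbank.com/verify</a>
within 24 hours, confirm your details at our
<a href="https://www.lloydsbank.com@198.51.100.7/login">secure login</a>,
or read our <a href="https://www.lloydsbank.com/fraud">fraud guidance</a>.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'site' name: last two labels, or three for UK-style second-level TLDs."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in {"co", "org", "gov", "ac"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_in_text(text):
    """Return the first domain-like token in the visible link text, or None."""
    match = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
    return match.group(1) if match else None


def suspicious_links(html_body, trusted=TRUSTED_BANK_DOMAINS):
    """Return [(href, reason), ...] for every link that should be treated as suspect."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        # urlparse().hostname drops any user@ prefix, so "bank.com@1.2.3.4" resolves to the real host.
        real_host = urlparse(href).hostname
        if not real_host:
            findings.append((href, "no usable host in href"))
            continue
        shown_host = host_in_text(text)
        if shown_host and registrable_domain(shown_host) != registrable_domain(real_host):
            findings.append((href, f"visible text says {shown_host} but link goes to {real_host}"))
        elif registrable_domain(real_host) not in trusted:
            findings.append((href, f"{real_host} is not a trusted bank domain"))
    return findings


if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPECT {href}: {reason}")
```

The allow-list is deliberately short: a mail gateway or awareness tool would load the firm's real list of expected sender domains, and the registrable-domain helper would be replaced by a public-suffix library for anything beyond UK two-level domains.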

How to fight phishing

  • Commission periodic penetration tests; use certified and specialist experts and ensure the test report includes the solution to any vulnerabilities identified.

CEO fraud

CEO Fraud normally takes the form of an instruction, apparently from a senior official (e.g. CEO, Finance Director), requesting an urgent payment to a specified bank account.

These instructions normally use language, terms and phrases regularly used by the supposed sender, and will often express urgency and privacy to encourage the recipient to act quickly without asking questions.

Such frauds may combine a cyber breach that enables the fraudsters to misdirect emails and view correspondence between the CEO and their contacts.

How to fight CEO fraud

  • Have a process in place to ensure that all payment instructions are confirmed, even if they are 'urgent' and/or 'strictly confidential'. Check with the named sender, or someone else in authority if they are unavailable.
  • Use other forms of communication to verify the email e.g. phone and face to face.

Vishing (telephone scam)

Vishing takes the form of a call apparently from a trusted source, often a bank's Fraud Dept, saying that the person being called must take some action to protect the firm's money.

The caller might ask you to download software that will allow them to take remote control of the computer, or to disclose passwords/card-reader codes so the attacker can set up fraudulent payments.

They might even try to trick the victim into moving money to accounts described as safe/secure.

How to fight vishing

  • Authenticate a call by calling the organisation back on an independently sourced number e.g. bank website.
  • Never rely on the number appearing on your caller display as confirmation of the source of the call - these numbers are easy to ‘spoof’.
  • Remind all staff that banks will never call to ask for full passwords, PINs or card-reader codes.
  • Have dual authorisation set up with your online banking provider for new payment instructions.
  • Only download software from sources you trust – be highly cautious if asked to download software from a caller that you have not authenticated.
  • Train staff and commission mock-phishing exercises to help to identify employees who need additional training.

Invoice fraud

This is the redirection of a payment intended for a genuine supplier/contractor. An instruction is received advising of a change of bank account or a forged invoice, which appears to be from a regular supplier/contractor requesting payment to a nominated account.

This is a common fraud that relatively simple processes and procedures will help to prevent.

How to fight invoice fraud

  • Authenticate any instruction to change details of a supplier/contractor, particularly if the notification is a change of beneficiary bank account number. Call the supplier/contractor on an independently sourced number, e.g. from the supplier's website.
  • Have a process in place to validate that invoice requests are legitimate.

General advice

  • Raise awareness of these fraud attack methods with all staff and regularly remind them of key messages.
  • Get Cyber Essentials Plus accreditation - it is a government supported standard that is estimated to prevent 90% of the most common cyber incidents.
  • Create a clear and documented procedure for payments e.g. dual authorisation.
  • Review your internal controls and procedures to ensure you minimise the risk of fraud e.g. ring-fence employee access to data, review internet usage and consider restriction of some websites.
  • Use a good-quality anti-virus software suite and update it regularly so you are always running the latest version.
  • Conduct periodic (annual) penetration tests.
  • Never give online banking passwords or online banking secure codes over the telephone, or via email, even if you think it’s the Bank contacting you.
  • Backup regularly, to a source that is independent of your network, so machines and systems can be restored in the event of infection.
  • Regularly test your recovery process. If you are targeted, retain the original cyber extortion emails, maintain a timeline of the attack recording the time, type and content of each contact, and report it to Action Fraud.
  • Have a documented process for employees to follow which ensures that email requests to set up or amend payment details are verified as genuine. They should use known contact details, other than email, to make these checks and apply the same caution to all payment-related emails from both external and internal sources.
  • If you do identify that a fraudulent payment has been made, let your bank know immediately and then report it to Action Fraud.
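The CEO fraud, invoice fraud and general advice sections all come down to the same control: a payment instruction or beneficiary change is accepted only after a callback on a number taken from your own records (never from the email) and sign-off by two different people, with "urgent" and "confidential" flags changing nothing. The code below is an added example of that control as a small workflow, not Crowe's or Lloyds Bank's own procedure. The supplier, account numbers, phone numbers and user ids are all constructed; the callback is modelled as a function so the human step can be simulated.

```python
"""Added example: beneficiary-change control with out-of-band callback and dual authorisation.

Supplier names, account numbers, phone numbers and user ids are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SupplierRecord:
    """Vendor master entry: the only trusted source for the callback number."""
    name: str
    account: str          # sort code + account number currently on file (constructed)
    verified_phone: str   # number sourced independently, e.g. from the supplier's website


@dataclass
class ChangeRequest:
    """An emailed instruction asking for payment to a different account."""
    supplier: str
    new_account: str
    phone_in_email: str   # the number the email asks you to call; never used
    marked_urgent: bool = False
    marked_confidential: bool = False


@dataclass
class Decision:
    accepted: bool
    reasons: list = field(default_factory=list)


# Constructed vendor master; the phone number is in a reserved UK drama range.
MASTER = {
    "Acme Castings Ltd": SupplierRecord("Acme Castings Ltd", "20-00-00 12345678", "+44 20 7946 0100"),
}


def verify_change(req, master, callback, approvers):
    """Apply the controls to one change request and return a Decision.

    callback(phone_number, new_account) -> bool reports whether the person who rang
    the supplier on the number from the master record confirmed the new account.
    approvers is the list of user ids who reviewed and approved the request.
    """
    reasons = []
    record = master.get(req.supplier)
    if record is None:
        return Decision(False, ["supplier not in vendor master; onboard through the normal process first"])
    if req.new_account == record.account:
        return Decision(False, ["request changes nothing; treat as suspect and report"])

    # Pressure words never shorten the process.
    if req.marked_urgent or req.marked_confidential:
        reasons.append("urgent/confidential flag ignored; full checks applied")

    # Check 1: callback on the independently sourced number, never the one in the email.
    if req.phone_in_email and req.phone_in_email != record.verified_phone:
        reasons.append("email quoted a different number to the one on file; that number was not used")
    if not callback(record.verified_phone, req.new_account):
        reasons.append("supplier did not confirm the new account on callback")
        return Decision(False, reasons)

    # Check 2: two different people must approve.
    if len(set(approvers)) < 2:
        reasons.append("dual authorisation not met")
        return Decision(False, reasons)

    reasons.append("callback confirmed on the number on file and dual authorisation met")
    return Decision(True, reasons)


def fraud_attempt():
    """Constructed scenario: urgent emailed change with its own 'call us' number."""
    req = ChangeRequest("Acme Castings Ltd", "40-00-00 87654321", "+44 20 7946 0999", marked_urgent=True)
    # The real supplier, reached on the number on file, knows nothing about it.
    return verify_change(req, MASTER, lambda phone, acct: False, ["a.smith", "b.jones"])


def genuine_change(approvers):
    """Constructed scenario: the supplier really has moved bank."""
    req = ChangeRequest("Acme Castings Ltd", "40-00-00 87654321", "+44 20 7946 0100")
    return verify_change(req, MASTER, lambda phone, acct: acct == "40-00-00 87654321", approvers)


if __name__ == "__main__":
    for label, d in [("fraud attempt", fraud_attempt()),
                     ("genuine, one approver", genuine_change(["a.smith"])),
                     ("genuine, two approvers", genuine_change(["a.smith", "b.jones"]))]:
        print(label, "->", "ACCEPTED" if d.accepted else "REJECTED", d.reasons)
```

The point a practitioner should take from the shape of `verify_change` is that the number passed to the callback comes from `record.verified_phone` and the request's own number is never dialled; a fraudster who supplies a "call me to confirm" number will happily confirm their own instruction.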

Useful links

  • www.lloydsbank.com/fraud
  • www.bankofscotland.co.uk/fraud
  • www.takefive-stopfraud.org.uk
  • www.cyberaware.gov.uk
  • www.actionfraud.police.uk
  • www.getsafeonline.org/business
  • www.ncsc.gov.uk


Where to go for more information

If there is anything related to fraud and cybercrime you would like to discuss, contact Crowe’s Forensic Services team. The head of the team, Jim Gee, would be happy to discuss your particular circumstances and what specific steps would be most appropriate for your business.

If you would like to speak to the Lloyds Banking team to discuss Fraud and cybercrime in further detail please contact Dave Atkinson, UK Head of Manufacturing, SME & MM Commercial Banking.

Contact us

Jim Gee
Partner, Head of Forensic and Counter Fraud
London