Protecting Your Business from Online Scams
There are a number of ways scammers and cybercriminals steal money, customer data and company secrets from small businesses. Losses like these affect a small business’s reputation, its ability to operate and (if the theft is large enough) the entire future of the business.
Scammers often catch you out when you are least expecting it
Scammers know businesses, sometimes even better than businesses know themselves! They prey on the reliance small businesses have on email and phone calls as well as the trust their customers have in the brand they’ve worked hard to create.
Unfortunately, no one is immune to online scammers. Staying aware of how your business might be targeted and ensuring your team knows what to look out for and what to do when they spot something is critical to protecting your business.
Give your team the right information
Start by working with your team, particularly those with additional responsibilities or the ability to transfer money on your behalf, to ensure they can recognise dangerous messages.
Sharing alerts from services like Stay Smart Online or our free Cynch Cyber Fitness membership with your staff will help keep your team informed.
Don’t forget to be clear with them about what to do if they receive a suspicious message and where to report it.
Protect your business from payment scams
The most common scams targeting small business are those that try to get you to transfer your hard-earned money into a criminal’s pocket. These scams use professional services to create marketing emails, invoice documents and other materials that look identical to those a supplier you’re already familiar with might send, in order to trick you or your finance team into paying into the wrong account.
To protect your business from payment scams
Implement a policy requiring in-person confirmation of higher risk transactions (e.g. larger payments or changes to account details). This should include:
Calling the payee to confirm the banking/request details.
Adding a second approver to first payments to a payee, large transactions, international transfers or direct debit requests.
Set a transaction limit on your bank account.
Implement multi-factor authentication on your bank accounts and emails wherever possible.
Regularly review outgoing payments for anything that looks suspicious.
Protecting your business from malicious and scam emails
As common as it is, email is inherently insecure and complex to make safe. Automated tools constantly scrape public websites for email addresses. Any email address that is discovered gets thrown onto a list and sold on to scammers and cybercriminals looking to send out their latest campaign. They’ll try to get you to click a dodgy link, run a dangerous attachment or simply threaten you into paying them.
To protect your business from malicious and scam emails
Remove personal email addresses from public websites and social media profiles. Use a webform instead to make it harder to collect details about your business.
Consider the risk of publishing your company directory and employee details on your public website.
When you and your team go on leave, take care not to give too much away in your out-of-office message.
Ask your email support provider to review the DMARC, SPF and DKIM records for your domain.
While you’re there, talk to them about enabling audit logging so you have details in the event something goes wrong.
You could also ask them about additional email filtering options from providers like MailGuard.
Sign up for notifications from Have I Been Pwned? for your domain and let your team know to be aware of scams if any of your email addresses show up.
Check that everyone has multi-factor authentication enabled on their email account. Follow our guide on how to check your email account security if you’re not sure how.
Consider running phishing simulations as a way of training your staff on what to look out for. Google has a free online phishing quiz you can share as a quick alternative.
If you receive a phishing or scam email, report it.
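As an added example (not part of the original article), the following Python script assesses the SPF and DMARC TXT records a provider would review during that check; the records in it are constructed samples, and you would paste in your own after fetching them (for example with `dig +short TXT yourdomain.example` and `dig +short TXT _dmarc.yourdomain.example`). DKIM is left out because checking it requires knowing each selector name your provider uses.

```python
import re

# SPF mechanisms that each cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample records on placeholder domains, not real ones.
WEAK_SPF = "v=spf1 include:_spf.mailer.example ~all"
STRONG_SPF = "v=spf1 mx include:_spf.mailer.example -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"

def _mechanism(term):
    """'include:x' -> 'include', '-all' -> 'all', 'a/24' -> 'a'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()

def check_spf(record):
    """Return a list of findings for an SPF record; empty means no concerns."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: any server can send mail claiming to be your domain"]
    terms = record.split()[1:]
    findings = []
    all_term = next((t for t in terms if _mechanism(t) == "all"), None)
    if all_term is None or not all_term.startswith(("-", "~")):
        findings.append("no 'all' term or '+all': every sender passes SPF")
    elif all_term.startswith("~"):
        findings.append("'~all' (softfail): receivers may still deliver spoofed mail")
    if sum(_mechanism(t) in LOOKUP_MECHS for t in terms) > 10:
        findings.append("more than 10 DNS-lookup mechanisms: SPF returns permerror")
    return findings

def check_dmarc(record):
    """Return a list of findings for a DMARC record; empty means no concerns."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record: spoofed mail is not policed and no reports arrive"]
    # Parse 'tag=value; tag=value' into a dict with lower-case tag names.
    tags = {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: DMARC only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag: the policy is unusable")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("pct=%s: policy applied to only that share of failing mail" % pct)
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings
```

Running `check_spf` and `check_dmarc` over your own records gives a short list of the weaknesses to raise with your provider; an empty list from both is the target.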
Protecting your business from phoney phone call scams
Just like your email address, scammers can find your phone number on public websites and in other places it may have been shared. Once they have your number they’ll pass it to their scam call centre operators, who will try to convince you or your staff to make an urgent payment or give them remote access to your computer.
To prevent phone call scams impacting your small business
Remove your personal phone number from public websites and social media profiles.
If a phone number is required, try to use a landline with an appropriately trained and aware team member answering calls.
Reduce the number of marketing calls to your office phone number by registering with the Do Not Call register.
Protecting your business from website scams
The last thing any of us want is for malicious software to find its way onto one of our computers, particularly those with access to business secrets or sensitive customer data.
Fraudsters are out there copying reputable websites such as Government departments (including the Tax Office), telecommunications providers, banks, retail stores and technology companies. They do this to convince you and your staff to visit a website they’ve set up. Once you land on their website you’ll be asked to download something for free, sign up for a new cure or buy something at an unprecedented, limited, once-in-a-lifetime discount. Wherever possible they’ll latch onto current news and trends to draw attention, usually at times of need when we are the most vulnerable.
To help your team avoid running into something dangerous online
Ensure your team is aware that these types of scams exist and that they know what to do if they accidentally fall for one.
Encourage reporting immediately as time is critical when recovering money for a scam.
Update your cybersecurity policy to include guidance that every employee has:
Administrator permissions removed wherever possible.
An ad blocker (e.g. uBlock Origin) and safe browsing (e.g. Verdict, McAfee) add-ons installed on their browser.
Multi-factor authentication enabled on email and any other service/application where available.
Anti-virus and/or advanced malware protection installed.
Clarity on what web browsing is or isn’t acceptable on their work computers.
Implement DNS Filtering for every device used for work.
Before transacting large payments, it’s a good idea to
Check the legitimacy of the company/service on social media and in reviews, asking around or checking the unlicensed companies list.
Purchase with a credit card dedicated to online purchases that has a threshold limit and insurance.