March is Fraud Prevention Month in Canada, and here in BC the province has updated its own fraud resource center to make sure that residents and businesses alike have taken the necessary precautions. In fact, continuous updates to this security protocol are needed given the ever-changing landscape of online criminal activity. Awhile back, Park Insurance provided a 5-step guide to keeping businesses safe from fraud, and while it stands today, 2019 demands an addendum to account for recent concerns surrounding fraudulent practices that could impact your commercial liability.
5 Other Ways Your Company Can Protect Itself from Commercial Fraud in 2019 and Beyond
1. Place Responsibility on Executives
We live in a different time, one where corporate accountability starts and often ends at the top, no matter where the fault may lay. The latter statement is the key, as figureheads now need to understand that they are responsible for the actions of their entire hierarchy. In our recent article about top-down cyber liability we noted how corporate boards could be named liable if it could be proven that there was a failure to exercise due diligence and governance when it comes to security policies and procedures. This doesn’t just apply to cyber crime, but all forms of fraud that can harm the company and its customers/clients. By making clear (documenting) this top-down liability, you will witness executives take a more proactive role in mitigating fraud risk. And yes, one of those executives (or the sole executive) may be you.
Moving forward, executive responsibilities should include:
- Delegating and segregating accounting duties
- Monitoring and maintaining internal controls
- Checking business bank accounts daily or weekly (contingent upon business)
- Auditing financial records daily or weekly (contingent upon business)
- Training staff on fraud identification and prevention
- Improving top-down communications with all employees (local and remote)
- Seeking outside support services where needed (i.e. cyber security, risk management, etc.)
2. remove the onus from the customer/client
In our recent article about corporate responsibility we asked that businesses come to terms with the fact that they cannot place the onus of customer/client account protection solely on the customer/client. Not only must your business take necessary internal precautions, you must provide customers/clients with education about how they can better protect their own accounts and the data (that passes between them and your business) from fraud.
This education includes information on phishing schemes, password creation best practices, to ask that they never login to their accounts (with you) from an insecure WiFi channel, and to never give up sensitive information over the phone or SMS when solicited to do so. The latter can protect them not just from external parties, but internal staff who may abuse their position to steal customer/client records for financial gain. View more on your role in educating customers/clients on fraud prevention.
3. new cyber threats to watch
As referenced above, phishing is a leading cyber threat. It currently headlines the Canadian Anti-Fraud Centre’s Fraud Types to watch list, and has already surpassed malware/ransomware as the biggest threat to both commercial businesses and consumers in 2019. This ties into item #2 above, and insists that you brush up on phishing schemes so that you can better educate staff and customers/clients on what to watch out for. But it’s not just them you need to worry about.
As a company CEO/CFO/COO (etc.), you are a prime target for whale phishing (aka whaling), a more targeted form of phishing-based cyber fraud that goes after the head cheese. After all, you have the authority and access criminals need. Whale phishing is occurring over email, instant messaging apps, and smartphone SMS. The fraudster will be somebody who tries to obtain valuable information by pretending to be a trusted contact, perhaps another executive, or third party partner (vendor, supplier, etc.). The nefarious individual will learn as much as they can about you and the party they are purporting to be so as to make the communications seem more authentic. They may have gathered this information by hacking into email accounts, monitoring social network communications between you and high-level managers, and/or by digging deep into public facing online personas of you both, until they have enough to initiate the first communication.
Another sneak tactic, is to secure a website domain and email extension very similar to your own. For example, let’s say your CFO’s email is jane@yourcomanyname.com. The fraudster may secure the email address jane@yourcompanynname.com (note the extra “n”?) and request a password or other form of account access. Given that many people comb through dozens of emails per day there’s a good chance you may not notice this small difference and simply hit reply, handing over all that is needed for fraud to occur. From here on in, get into the habit of validating all communications that request sensitive information no matter how inconvenient it may seem. That means you may need to call or message the manager or vendor to verify whether or not the communication came from them.
4. TIGHTEN UP ON BYOD
Another new threat to internal fraud comes from the proliferation of the bring your own device (BYOD) concept in the workplace. Companies are allowing both internal and remote staff to access company databases and accounts from their own smartphones and tablets. But in doing so, you allow them to maintain high-level access 24/7/365. That creates a lot of opportunity for fraud should they lose or have their mobile devices stolen or compromised. However, the convenience and cost effectiveness of BYOD has many businesses sticking to the model in lieu of buying everyone devices to use in the course of doing business. If BYOD is to persist, institute non-SMS Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) for all databases and accounts, whether housed on premises or in the cloud.
5. Be Transparent About Your Company’s Fraud Prevention Plan
The Province of British Columbia’s Bait Car program has been successful in putting a dent in automobile theft not just because of the fact that it catches criminals in the act, but because it deters the act itself by communicating the program on a wide scale across the province. It’s “marketed” on TV, radio, billboards, bus stops, and via signage near parking lots. The guerrilla communications make car thieves think twice about picking off seemingly easy targets.
The same concept needs to be applied to your organization. By communicating to staff that you have a stringent anti-fraud program in place, and that you will prosecute to the full extent of the law, you will effectively deter the ill-intentioned. Launch the program with an internal email blast and staff meeting, and send out quarterly (if not monthly) updates even if to report “zero day” fraud activity, which will keep the topic on the top of the mind and tip of the tongue for all staff and stakeholders.
In addition to following the protocol above, please remember reference our longstanding guide to commercial fraud prevention, and most importantly, secure the most comprehensive commercial crime and commercial liability insurance possible for your industry. Contact Park Insurance right away to speak with an independent broker.
