
SME Guide: 4 Key Tips on How to Protect Your Company Against Phishing Attacks

B2B Finance Invoice Fraud

We've all heard of phishing attacks and the rise of cyber crime but very few businesses we speak to actually think it could happen to them.

But the truth is, it can happen to any business, at any time. Take two of the biggest (and, you would think, safest) companies in the world, Facebook and Google. Over a two-year span, a corporate imposter convinced the accounting departments at both tech companies to make transfers worth tens of millions of dollars. By the time the companies figured out what was going on, over $100 million had been lost.

Most phishing attacks follow distinct patterns: criminals send fake emails that either ask for sensitive information (such as bank details, or even direct payments) or contain links to fake websites. They will impersonate someone in your organisation and try to trick you into sending money to specific accounts, steal your details to sell on, or try to access and use your company's information for political reasons.

The one thing all phishing emails have in common is that they are becoming harder and harder to spot. Whatever your business, however big or small, you will receive phishing emails at some point.

So we've put together our top four tips to avoid phishing happening to you:

Tip 1: Reduce access and limit damage

You should configure all staff accounts in line with their levels of access to business information. This applies to anything from email access to Google Docs/Sheets/Slides and any log-ins giving them access to operational and financial software. Beware, old software will typically give a "one access fits all" level to all users so it might be time to switch to newer technology.

To further reduce the damage caused by malware, lost login details or impersonation attempts, each member of staff should have their own log-in. Shared, general-purpose email addresses dilute accountability and make it a lot easier for scammers to access your systems. Putting system-of-record style software in place ensures all activity is tracked and can be traced back to the individual member of staff who accessed or interacted with company data.

Administrator accounts should typically be reserved for top tier users such as heads of departments and C level staff as they allow users to change security settings, install software and hardware, and access all data on a computer/within a network/software. If an attacker gains access to an Administrator account, this could be significantly more damaging than accessing a standard user account.

Tip 2: Have a transparent process in place

The main reason phishing attacks succeed is that there is typically no company-wide process or protocol in place: many actions happen offline and there is no real-time visibility across departments. Should someone target your organisation, your staff must know the exact steps, rules and actions to take in each process. This is especially important when dealing with other organisations.

The vast majority of fraud resulting in loss of funds occurs because no formal approval process exists or the approval process in place to release funds is not all tracked within the same system. An offline process or a mix of online/offline creates blind spots and this is exactly where fraud thrives.

Common tricks tracked by government Cyber Security Centres include sending invoices for a service the company has not used and requesting payment, sending authentic looking emails to finance staff asking for money or information transfers by scammers impersonating C level executives, diverting funds by impersonating suppliers you already deal with and sending you a request to change their bank details etc.

Action points:

  • Setup and circulate a to-do checklist should staff receive unusual requests
  • Make sure any important individual (a customer or manager) who gets in touch is asked to verify their identity before any request is actioned. Better yet, try to replace email in your purchasing or finance process and upgrade to a secure system that removes ad hoc actions. All activity is then tracked and accessible in real time, so the legitimacy of a payment or request can be verified automatically.
  • Phishing emails tend to impersonate either large organisations (such as banks) or companies you have regular dealings with. By tracking all spend within one platform and removing the need for emails, you remove the risk of being caught out by scammers slightly altering domain names. If you get an email from an organisation you don't do business with, always treat it with suspicion.

"Encourage and support staff to question suspicious requests – even when they appear to be from important individuals. Having the confidence to ask ‘is this genuine?’ can be the difference between staying safe, or a costly mishap." - UK National Cyber Security Centre

Tip 3: Look out for red flags

Many phishing emails follow a set pattern so whilst you look for a better way of managing your operations, here are the most common red flags to look out for:

  • Emails impersonating larger organisations or companies you deal with regularly will attempt to look genuine. Adding logos and graphics is one way to achieve this, so look out for the quality of any logos/graphics. If you have previous emails from that company, compare them.
  • Is the email addressed to you directly? If the email starts with 'accounts department', 'valued customer', 'support team' etc. it could be a sign the email is in fact part of a phishing scam.
  • Does the email demand that you act urgently? Be very suspicious of wording like 'send these details within 24 hours', 'make the payment ASAP', 'send this information first thing' or 'you have been a victim of crime, click here immediately'.
  • Be very wary of emails received from a high-ranking person within your organisation requesting things like payments to a particular bank account, especially if this person does not normally interact with you via email or would not normally request something like this. Always check the sender's name and the email address. Compare it with existing correspondence to ensure minute details such as a .com have not been replaced with a .org. These very slight changes can be the difference between genuine and fake.
  • It's been said a million times but it is very true here as well: if it sounds too good to be true, it probably is. 

Tip 4: Report attacks

Your staff must be comfortable in asking for help if they suspect they have fallen victim to a phishing attack. They should know what the right steps to take are so that any damage can be minimized.

You must not punish staff if they get caught out. Any such action will discourage people from reporting incidents in the future, and can make them excessively cautious to the point where excessive work time is spent checking every single email they receive. 

If you believe that your business has been the victim of online fraud, you must report this to Action Fraud in the UK and to the FBI in the US.

Our advice is to have a set process in place for handling any request involving sensitive company information or financial data. To further protect your company, only work with secure, up-to-date software. Keep in mind that cyber criminals are always perfecting their craft, so keep your systems patched and keep sensitive data encrypted both in storage and in transit.
