Opinion

Business owners must wise up to the new digital fraud threat

18 March 2019

As fraudsters try to perpetrate crimes from the comfort of their bedroom, SMEs must ensure they don’t leave the digital front door open for criminals to charge their way through.

When I founded Pimlico Plumbers 40 years ago, it was reasonably straightforward to spot a villain.

They may not have worn masks or stripy shirts, or carried a sack bearing the word “swag”, but criminal activity tended to be a little more unsubtle.

But in the 21st century, most of them have swapped a crowbar for a keyboard. In this digital age of instant money transfers, it’s much tougher to twig that you’ve even fallen victim to the bad guys until it’s far too late.

These scams are far from obvious – we’re not talking an out-of-the-blue email to say you’ve scooped the Peruvian lottery or that you’ve been left a wad of cash by an unknown relative on some far-away continent.

The latest weapon of choice being used against small businesses involves fraudsters issuing bogus invoices on behalf of legitimate suppliers.

This follows a long list of criminality unleashed in recent years, including fake telemarketing, credit card fraud, business identity theft and a host of “phishing” scams.

And it’s not just individuals who are targeted; SME businesses are also in the cross-hairs of these crooks. Bank transfer fraud – so-called Authorised Push Payment (APP) scams – persuades companies to pay out on what looks like a legitimate bill, which often uses genuine invoice and payment details.

These days email addresses are easy to spoof, people’s details are freely available online, or fraudsters simply resort to using malware to harvest genuine details directly from your computer.

In such cases, the fraud might only be discovered once the legitimate supplier gets in touch to chase up their long-diverted payment.

Recent statistics published by UK Finance show that there were 43,875 victims of APP scams in 2017, involving £236m.

And according to new figures released by Barclays, a shocking one in seven SMEs have fallen victim to a scam in the past 12 months, and more than a quarter of those have suffered significant losses.

It says that 28% of SMEs scammed in this way waved goodbye to sums in excess of £5,000. Obviously, any monetary loss has the potential to devastate a small business and the report says one in five SME leaders end up having to cover the full cost of the loss.

Small businesses are often more open to this kind of attack. By their very nature they may be more trusting, while resources to keep an eye on this sort of thing may be wanting, including investment in online security and staff training.

Here at Pimlico, we may be a family-run business dedicated to delivering a friendly, quality service – but that doesn’t mean I’m a mug.

This business, like many others, has invested in the digital world and our accounts department is no different. However, our people have been well-trained to follow our carefully-crafted processes and to be alert to anything that doesn’t look quite right or where details have been altered.

According to Barclays, only 24% of SMEs they surveyed said they would call a supplier to check an invoice request was legitimate, while one in ten staff said they would not know how to spot a fake invoice.

Over the years, Pimlico has built up a strong relationship with our suppliers and I know any legitimate firm won’t mind a call to double check an invoice is the real deal.

Traditionally, APP victims have received short shrift from banks when it comes to trying to claim a refund, the typical response being that the business was the one to authorise the payment and/or was careless with its banking details.

Last month the APP Scams Steering Group, established by the Payment Systems Regulator, agreed a voluntary code which comes into force at the end of May this year that aims to better protect customers and reduce the amount of APP fraud.

Any customer of a bank or Payment Services Provider (PSP) which has signed up to the code who is the victim of an APP scam will be refunded IF their bank fails to meet the standards set out in the code, provided the customer did everything expected of them.

Still sounds like there’s a fair amount of wriggle room, but anything that focuses the mind on improving procedures to detect, prevent and respond to this virulent form of fraud is a step in the right direction.

In the past, a CCTV system and a burglar alarm were the tools to stop crooks getting into a business. Now, as they try to perpetrate the crime from the comfort of their bedroom, SMEs must ensure they don’t leave the digital front door open for criminals to charge their way through.