Fraud update 1: current risks

Tuesday 7 June 2022

In this update we highlight emerging fraud threats to businesses (especially SMEs) and offer practical advice on prevention. It is based on pooled intelligence shared by members our Business Fraud Network which meets every six weeks.

We encourage all businesses – and everyone who works with them or otherwise supports them – to read, share and act on these updates.

Current risks

• So far this year Action Fraud has received 1,555 reports of cyber fraud from SMEs. Current threats include malware, supply chain attacks, ransomware, insiders, phishing emails and business compromise emails.
• Businesses providing ‘other service activities’ and the construction sector have reported the most cyber frauds to the police. Hacking (social media and email) is by far the most common crime, accounting for 60% of all reports.
• Smaller businesses are most at risk. Possible explanations include a lack of cyber security and/or staff awareness, availability of data to steal and connections to larger businesses.
• Ransomware attacks continue to rise. Ransomware-as-a-Service (where criminals lease out their malware to others) is also increasing. SMEs are most likely to report. Some victims have had their data published online or been threatened with this. Official advice is to not pay ransom demands to avoid repeat victimisation and because there is no guarantee that criminals will return or decrypt stolen data.
• Reports from business to law enforcement are dropping nationally and globally (for reasons not yet understood). Businesses are encouraged to report fraud to Action Fraud and phishing to the Suspicious Email Reporting Service to help warn and protect other businesses.

Coming up…

• The West Midlands Police and Crime Commissioner will be publishing new research on taking a public health approach to fraud prevention.
• The Chartered Institute of Internal Auditors (UK and Ireland) will be publishing a fraud research report at the end of June called ‘fraud is on the rise: step up to the challenge’.
• The NCSC is running the following free cyber sessions: cyber aware (13 June), cyber aware for small organisations (16 June), and cyber essentials (22 June).

Takeaways for business

1. Make staff aware of the cyber threats to your business (including how to spot spoof emails).
2. Use two-factor authentication for fund transfers and account access.
3. Always independently verify requests to change bank details.
4. Regularly back-up your servers, files and data. Also keep operating systems up to date.
5. Have a password policy that includes changing default passwords, switching on password protection and avoiding predictable password combinations. For passwords think ‘three random words’.
6. Sign up to the National Cyber Security Centre’s subscription service to receive real-time alerts, threat reports and advisories direct to your inbox. Also consider signing up to its free early warning service for notifications about potential cyber-attacks on your network.