This document provides an overview of fraud awareness and prevention strategies for businesses. It discusses common fraud risks such as social engineering, phishing, invoice fraud, and insider threats. It also outlines best practices for preventing data loss and recovering funds after a fraud occurs. Key recommendations include implementing strong authentication procedures, carefully vetting invoices and payment requests, and having plans in place to quickly deal with suspected fraud.
2. Fraud Awareness
1. Introduction
2. Social Engineering & Online Fraud Prevention
3. Cheque Fraud Prevention
4. Invoice Fraud Prevention
5. Insider Fraud Prevention
6. Data Loss Prevention
7. Governance
3. The ‘Business’ of Fraud
Cybercrime is a top threat to UK national security.
Information and money obtained are used for trafficking, terrorism and illegal trade.
26/05/2015 3
International, professional, organised, effective.
5. Phishing Hooks
‘A multi-media message is available to view’
‘Confirmation of your hotel booking is attached’
‘We could not deliver a parcel to you’
‘A complaint has been filed against you’
‘Receipt of Online VAT Submission’
6. Infection via Attachments
• Word / Excel document contains a macro
• The macro calls out to the fraudster’s website
• If macros are turned on by default, a Trojan will be downloaded
• It is recommended that within MS Office, macros are disabled by default
.co.uk is a legitimate company.
They are not sending these emails and their systems have not been hacked or compromised.
They have absolutely no control over these bogus messages.
7. Trojans in action (1)
If your browser is infected, the fraudster can divert you to a ‘look-a-like’ site and harvest your log-in credentials in real time
Security warning removed or fake
8. Trojans in action (2)
The fraudster keys a payment whilst keeping the customer in a holding pattern on the fake website
Running security check
9. Trojans in action (3)
The fraudster presents a screen stating that a smartcard code is needed to complete log-in. If this is supplied it will be used to authorise the fraudulent payment
To complete this action you need to authorise the change with your Smartcard and reader
Enter smartcard code to complete security check and log-in
10. Trojans in action (4)
Bankline is out of service
Do not attempt to log-in for at least 2 hours
The fraudster wants to buy time to withdraw the stolen money. Therefore, they inject a screen message claiming service issues and instructing that no log-in attempt should be made for a specified period
11. Golden Security Rules: we will…
Never ask for your full PIN & password online: only 3 random digits from each are needed to log-in
Never ask for your PIN & password or any smartcard codes over the telephone: beware of imposters
Never ask for smartcard codes to log-in: these codes are used to authorise payments
We strongly recommend you download specialist security software
Trusteer Rapport: free from www.rbs.co.uk/onlinesecurity
12. Online banking best practices
• Regularly change log-in passwords
• Don’t share log-in credentials
• Keep credentials in a secure place
• Force dual authorisation of payments
• Apply payment limits
• Disable unused functionality and payment options
• Regularly review user roles and privileges
13. Complement Browser Solution
Specialist Financial Anti-Virus Software
• Keeps computers clean of Man-in-the-Browser malware
• Detects new Zero-day threats
• Stops phishing of login credentials and payment card data
• Notifies fraud teams of threat activity
14. A Case Re-enacted
• Large Corporate Client
• Received a call regarding incoming payment
• Some information was provided by caller
• Caller suggested all payments are frozen
• Requested information from the client to ‘unfreeze’
15. Vishing – Remote Control Scam
• Fraudster asks you to log on to Bankline to run a security check
• They ask you to download “remote control” software to help diagnose a problem
• The fraudster now has total control over your PC
• They ask you to switch off the screen whilst a “security scan” is completed
• With the screen switched-off, the fraudster will key payments
• Finally, smartcard codes are requested to “restore access”
For the avoidance of doubt, TeamViewer is a legitimate service, but it is being abused by criminals.
20. Call Re-Direct
• Calls are diverted away from the business
• Can be achieved by contacting your telecoms provider
• Purpose is to get the bank to complete payment ‘call back’
24. Overpayment Scam
From: smith henry [smithhenry2004@yahoo.com]
To: <correct address removed>
Subject: Yamaha XV535S Virago
Cotswold Business Park, Witney,
OX29 0YB, Dubai
HELLO.
I Am a dealer in bikes and cars resident in dubai am
interested in your (Yamaha XV535S Virago ) client has
just ordered for this model of (Yamaha XV535S Virago ) i
will want you to give me the price of the ( Yamaha XV535S
Virago ) so that i will instruct my client who is owing me
to effect payment immediately by a cashier check drawn
in united kingdom bank if that is ok by you get back to me
immediately.
Best regards
MR Smith
25. Invoice Fraud and Mandated Payments
Who is behind it (diagram):
• External party: a fraudulent supplier, or a genuine supplier
• Internal / external party collaborating
• Internal party: employee fraud
26. Invoice Fraud
Process flow (diagram):
Supplier: create invoice → print → post
Customer / buyer: open & key in → look up missing info → re-key → invoice authorised / matched → archive invoice → payment submitted
Where the controls fail:
1. Checking: invoices are not from genuine suppliers; bank account details are not the same as on file and / or in the finance system
2. Processing: manual processing of invoices may miss duplicate invoices
3. Matching: invoices do not match against goods received notes or purchase orders
4. Payments: invoices are not paid to genuine suppliers’ correct bank accounts; authorisers of invoice payments do not follow the agreed approval process
27. Change of Details
• Source contact numbers independently
• Confirm correct details
• Confirm payment – send £1?
• Review recent and pipeline requests
• Speak to colleagues
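The four invoice control points of slide 26 and the change-of-details rule of slide 27, as an added Python example that is not part of the deck: the supplier master file, purchase orders and invoice layout are constructed sample data, and the check/release functions are assumed names, not any finance system’s API.

```python
from dataclasses import dataclass

# Constructed sample data (assumed structure; not from the deck).
# Supplier master file: the only source of bank details a payment may go to.
SUPPLIERS = {
    "Acme Ltd": ("12-34-56", "12345678"),
    "Widgets plc": ("65-43-21", "87654321"),
}
# Open purchase orders: PO number -> (supplier, agreed amount).
PURCHASE_ORDERS = {"PO-1001": ("Acme Ltd", 2500.00), "PO-1002": ("Widgets plc", 990.00)}


@dataclass(frozen=True)
class Invoice:
    supplier: str
    number: str
    sort_code: str   # bank details as printed on the invoice
    account: str
    amount: float
    po_number: str


def check_invoice(inv, seen):
    """Apply control points 1-3; return the list of findings (empty = clean).
    `seen` is the set of (supplier, invoice number) pairs already processed."""
    findings = []
    # 1. Checking: supplier must be on file and bank details identical to the master record.
    master = SUPPLIERS.get(inv.supplier)
    if master is None:
        findings.append("checking: supplier not on file")
    elif (inv.sort_code, inv.account) != master:
        findings.append("checking: bank details differ from file")
    # 2. Processing: manual re-keying can let the same invoice through twice.
    key = (inv.supplier, inv.number)
    if key in seen:
        findings.append("processing: duplicate invoice")
    seen.add(key)
    # 3. Matching: the invoice must agree with a purchase order for this supplier and amount.
    po = PURCHASE_ORDERS.get(inv.po_number)
    if po is None or po[0] != inv.supplier or abs(po[1] - inv.amount) > 0.005:
        findings.append("matching: no matching purchase order")
    return findings


def release_payment(inv, seen):
    """4. Payments: release only when clean, and only to the master-file account, never
    to the details printed on the invoice. A 'changed details' invoice is held until the
    change is confirmed via independently sourced contact numbers (slide 27)."""
    findings = check_invoice(inv, seen)
    return ("HOLD", findings) if findings else ("PAY", SUPPLIERS[inv.supplier])
```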
31. Data Loss Prevention
Key to reducing the risk is to classify all information and treat it accordingly
Use labels on documentation – protectively mark for appropriate handling, for example:
Public, Internal, Confidential, Secret
• Post – name recipient, deliver by hand
• Printing – who, where
• Storage – clear desk, lock away
• Transmission – encrypt secret and confidential even if internal
• Destruction or disposal – lockable waste bin or shred
32. Preventing Data Loss
Enforce policies to prevent accidental, malicious or non-malicious data loss via:
• Hard copy papers
• Unencrypted emails
• Encrypted emails
• Encrypted web uploads inc. through social media
• Removable media inc. by authorised users
• Mobile devices inc. phone cameras
• Back-up tapes
• Endpoint devices and hard disks inc. desktop computers
33. Protect Your Identity
• Have post re-directed for a year after moving
• Regularly review your credit reference record for searches done, and for accounts set up in your name
• How do you dispose of paperwork?
• Where is your public footprint?
• Is post delayed?
• Are documents filed away?
• Who should I contact about lost cards or documents?
35. Useful Websites
NatWest Business Banking Fraud and Security Advice Centre
Trusteer Rapport - an extra layer of online security software
Action Fraud: www.actionfraud.police.uk
GetSafeOnline: www.getsafeonline.org
CyberPartnership: www.cyberpartnership.org
Cyberstreetwise: www.cyberstreetwise.com
38. Charity examples
Former RHS head of operations pleads guilty to attempting to steal £700k from the charity (Third Sector 1 May 2015)
Grant Thornton assistant manager pleads guilty to embezzling £726k of charity cash (30 April 2015)
The former chief executive of children's charity Together 4 All pleads guilty to stealing more than £50,000 to spend on holidays, clothes and gambling. (Civil Society 5 May 2015)
39. Charity examples
Founder and former chief executive of ShelterBox has denied charges of attempted theft and fraud after being accused of trying to steal over 1,000 tents from the charity (Civil Society 30 March 2015)
41. Charity Commission Press Release
Press release 20 May 2015
Commission issues warning about scams
From: The Charity Commission. First published: 20 May 2015
Part of: Regulatory alerts: Charity Commission and Community and society
Regulator issues alert about a scam that uses a fake charity name to obtain bank information.
The Charity Commission is reminding charities and the public to be vigilant and look out for scams used by fraudsters to obtain bank details.
The commission says that it is aware of a recent scam designed to trick religious foundations in the USA, and possibly this country too. The foundations were contacted with news that they were due a large gift or donation from an organisation promoted as being a legitimate and registered charity in the UK, which did not exist.
In this instance, in an attempt to make the scam appear more credible, the fraudster used false documentation showing parts of the commission’s logo and a forged staff signature. The regulator was contacted by a number of concerned individuals.
Before giving out any information, particularly of a financial nature, to another charity, trustees can take the simple step of looking up the registered charity number and the charity’s entry on the commission’s online charity search tool.
Trustees who receive correspondence falsely claiming to be from a genuine charity or from the commission should report this to the commission and to Action Fraud, the UK’s national fraud and internet crime reporting centre. The commission has referred this matter to Action Fraud.
Ends
PR 30/15
42. Why are charities vulnerable?
Handle cash and fluctuating income
Reliance on goodwill of supporters and volunteers
High levels of public trust and confidence
May have less formal financial controls
43. Impact of fraud on the charity sector
Fraud is estimated to cost the charity sector in England and Wales £147 million (National Fraud Authority’s 2013 Annual Fraud Indicator)
1,280 serious incidents were reported to the Charity Commission in 2013/14 and included fraud valued at £13.5 million
Not just financial impact:
Reputational damage
Cancelled projects
Detrimental effect on volunteers and supporters
44. The role and responsibilities of charity trustees
Charity trustees have a duty to protect the assets of the charity and ensure that it is solvent, well run and delivers its charitable purposes for the benefit of the public
Duty of care to safeguard the charity’s assets and act prudently
Appropriate financial controls
Full financial records
Respond appropriately if there is a suspected fraud
Personal liability
45. Safeguarding against fraud
Risk assessment
Financial controls
Record keeping
Anti-fraud policy
Fraud training and awareness
Encourage reporting/whistleblowing
Have a plan for dealing with suspected fraud
46. How to deal with suspected fraud
Report to the trustees
Decide how the incident will be dealt with and by whom
Consider seriousness of the fraud and if appropriate contact the police and/or HMRC
Take steps to prevent any further breach
Consider whether the assets can be recovered
Prepare for media interest
Serious incident report to the Charity Commission
Review procedures
47. Further guidance
Charity Commission Guidance: Internal Financial Controls for Charities (CC8)
Charity Commission: Compliance toolkit – Protecting Charities from Harm
Action Fraud Website: www.actionfraud.police.uk/charities
52. Fraud: What is it?
• Wrongful or criminal deception intended to result in financial or personal gain;
• Deliberate deception, trickery or cheating intended to gain an advantage.
55. The “Burial Rights Deed”
• Ethel is supposedly a party to the Deed.
• Molly to execute the Deed after Ethel’s death?
• The Deed states that Burial Co has already had £1M.
• Burial Co only own 1/3 of the land covered by the Deed.
• Burial Co charge Ethel’s estate for her funeral.
56. Burial Co: The Result
• Ethel’s property sold and sale proceeds secured;
• Letter of Claim: September 2014;
• Mr Smith Response Letter: November 2014;
• Burial Co Response Letter: January 2015;
• Mediation: January 2015;
• Circa £1million recovered.
57. New Court Fees
Claim value                          Old Issue Fee   New Issue Fee
>£10,000 - £15,000                   £455            5% of the claim value
>£15,000 - £50,000                   £610            5% of the claim value
>£50,000 - £100,000                  £910            5% of the claim value
>£100,000 - £150,000                 £1,115          5% of the claim value
>£150,000 - £200,000                 £1,315          5% of the claim value
>£200,000 - £250,000                 £1,515          £10,000
>£250,000 - £300,000                 £1,720          £10,000
>£300,000 (or an unlimited amount)   £1,920          £10,000