Just as scammers are always finding new and more sophisticated ways to trick unsuspecting individuals, they do the same with businesses. According to a recent KPMG survey of more than 500 Canadian small and medium-sized organizations, three-quarters of respondents experienced internal fraud (by an employee) or external fraud (false invoices, fraudulent cheques, credit card fraud or identity fraud through bank account hijacking) in the past year.
Whether targeting individuals or businesses, scammers often rely on psychological manipulation to achieve their ends. As the Government of Canada mentions in its Get Cyber Safe campaign, developed in partnership with the Canadian Bankers Association, “Even the strongest security systems can be vulnerable when people are tricked into giving away sensitive information like login credentials or account details.”
Here are some current business scams and how to protect yourself and your business.
SPEAR PHISHING IS ON THE RISE
Spear phishing is the most common type of corporate fraud, accounting for $46.9 million in losses in 2022 (up from $263,000 five years earlier), says Sgt. Guy Paul Larocque, CPA, acting officer in charge of the Canadian Anti-Fraud Centre (CAFC).
Business executive fraud, in which a fraudster posing as a company executive convinces an employee to transfer a large sum of money to the fraudster's account, is still making the rounds, but it now takes different forms and is much more sophisticated. For example, scammers can use artificial intelligence to mimic the voices of callers.
Scammers may also make the request appear to come from a supplier or colleague, informing the employee of a change in bill payment or direct deposit arrangements. The employee may also be asked to purchase gift cards.
- “If you get the feeling that something is not right, trust your instincts and stop communicating with that person,” says Larocque. Don't give out personal or financial information in response to a request you weren't expecting, he adds.
- When in doubt, change the channel of communication, says CPA Myriam Duguay, forensic accounting partner and national leader of KPMG's fraud prevention and investigation services. “Validate the information by contacting the person or company with the contact information you have.”
- Remain vigilant at all times, says the CBA in its cyber security toolkit for small businesses. “A major red flag for BEC [Business Email Compromise] is a wire transfer request that includes pressure to act or a sense of urgency,” it says.
PHISHING STILL USED TO BAIT VICTIMS
Unsurprisingly, phishing is still taking its toll. Here, scammers send an email or text message (often appearing to be from a bank, company or government agency) with the goal of convincing victims to provide personal information or click on links. Once the victims do, the scammers are able to access their data, which they encrypt before demanding a ransom payment.
- Train your employees, says Duguay. “After holding training sessions, many organizations conduct phishing tests with their employees to see who can and can’t be tricked. The results of these tests are sometimes even included in employees' performance evaluations.”
- Be wary of unsolicited e-mail and always do your research before downloading applications or software from the Internet, says the CAFC. Also, make sure you have a plan to back up your data systematically and frequently.
- Don't assume a message is legitimate just because the e-mail address appears to be correct.
INSIDER THREATS CAN TAKE SEVERAL FORMS
Although less publicized, internal fraud (also known as occupational or employee fraud) should not be underestimated, says Duguay. According to Occupational Fraud 2022: A Report to the Nations, published by the Association of Certified Fraud Examiners (ACFE), this type of fraud is responsible for a 5 per cent loss in annual revenue for businesses. It most often takes the form of asset misappropriation (86 per cent of cases), bribery (50 per cent) and falsification of financial statements (9 per cent).
“Small and medium-sized enterprises are particularly at risk when there is one employee with two incompatible functions, such as authorizing a transaction and executing it. If this employee is dishonest and there is a deficiency in internal controls, they can have free rein,” Duguay says.
- Conduct a fraud risk assessment that will determine how likely an incident is to occur and what controls need to be put in place to identify the associated risk. The threat could also come from one of your suppliers who has been attacked.
- Communicate. According to Duguay, prevention starts with senior management, who should include all stakeholders in the organization because frauds often affect different departments, such as IT and finance.
- Set up a whistleblower line, both for employees and external parties (vendors, customers, etc.). “In addition to providing an extra communication channel and showing that the organization is adopting sound practices, it has been associated with lower fraud losses and quicker fraud detection,” Duguay says.
- Adopt rigorous access management (who has access to what) and review it frequently. If necessary, set up alerts to monitor whether data is being sent to Gmail, Hotmail or Yahoo email addresses, for example.
- Protect personal data. As the ACFE report points out, continuous data monitoring (financial data included) ensures that any anomalies are identified more quickly.
- If you have been a victim of fraud or cybercrime, report it to your local police or the CAFC (1-888-495-8501).
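
The alert on data sent to Gmail, Hotmail or Yahoo addresses, suggested in the access-management tip above, can be sketched as follows. This is an added example, not part of the original article: the log format, the addresses and the 1 MB threshold are constructed assumptions, and the domain list covers only the three providers the article names.

```python
import csv
from collections import defaultdict

# Personal webmail domains named in the article; extend for your environment.
WEBMAIL_DOMAINS = {"gmail.com", "hotmail.com", "yahoo.com"}

# Constructed sample log (hypothetical format): time,sender,recipient,bytes,attachments
SAMPLE_LOG = """\
2024-03-04T09:12:01,ap.clerk@corp.example,billing@supplier.example,48211,1
2024-03-04T17:58:40,ap.clerk@corp.example,J.Doe77@GMAIL.com,7340032,3
2024-03-04T18:03:12,ap.clerk@corp.example,j.doe77@gmail.com,9437184,2
2024-03-05T08:30:00,hr.lead@corp.example,friend@yahoo.com,2048,0
2024-03-05T08:31:00,it.admin@corp.example,ops@gmail.com.partner.example,5242880,1
not,a,valid,line
"""

def recipient_domain(address):
    """Return the lower-cased domain after the last '@', or None."""
    _, sep, domain = address.strip().rpartition("@")
    return domain.lower().rstrip(".") if sep and domain else None

def webmail_alerts(log_text, domains=WEBMAIL_DOMAINS, min_bytes=1_000_000):
    """Sum per-sender traffic to personal webmail; alert at min_bytes or more."""
    totals = defaultdict(lambda: {"messages": 0, "bytes": 0, "recipients": set()})
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 5 or not row[3].isdigit():
            continue  # skip malformed lines instead of crashing the job
        _, sender, recipient, size, _ = row
        domain = recipient_domain(recipient)
        # Exact match only: "gmail.com.partner.example" is not Gmail.
        if domain in domains:
            entry = totals[sender.lower()]
            entry["messages"] += 1
            entry["bytes"] += int(size)
            entry["recipients"].add(recipient.lower())
    return {s: t for s, t in totals.items() if t["bytes"] >= min_bytes}

if __name__ == "__main__":
    for sender, t in webmail_alerts(SAMPLE_LOG).items():
        print(sender, t["messages"], t["bytes"], sorted(t["recipients"]))
```

Aggregating per sender rather than alerting on every message keeps routine small emails to personal addresses from burying the large transfers that deserve a review.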
STAY CYBER-SECURE AND FRAUD-WARY
Dive deeper into CPA Canada’s annual fraud survey, and find out why Canadians may not be doing everything they can to protect themselves. Refer to this guide on how to protect yourself against fraud and identity theft, and learn how to protect yourself when buying property.