Identity theft has been a huge problem for a long time, but fraudsters are now getting more sophisticated and trying to stay one step ahead.
In the midst of an unprecedented pandemic, we are seeing a sharp increase in all types of fraud. Experienced fraudsters are exploiting the current chaos and, sadly, we are seeing more people turn to fraud in an attempt to boost their income.
As well as personal identity theft, there has been an increase in businesses falling victim to identity theft. This can be as simple as your website being spoofed or emails being intercepted and payment details amended.
As an SME, it is important to discuss the risks with your customers and suppliers to increase awareness of suspicious emails and cold calls claiming to be from your business.
All businesses are different and so your risks and exposure to identity theft will differ. Using some of the points below you should sit down and work out what risks you face, both as a business and on behalf of your customers. Where are the danger points and what can you do to stop them, or at least lessen the risk?
Ensure you’re GDPR compliant
Read the rules again and then make sure all your employees understand what it means. A data breach is the easiest way for fraudsters to get hold of your information and that of your customers.
Review your IT security
Ensure you have good antivirus software installed on all devices used by employees to access your systems, including mobile phones. If you’re in a higher risk business, you should consider using biometrics. Two-step authentication should be standard to access your server. Remind home-working employees regularly of the security basics, such as installing updates, having secure passwords and changing passwords on the internet hub. Ideally passwords should be automatically updated regularly on your e-mail system. There is no such thing as ‘unhackable’, but it is worth employing independent specialists to check, and follow their guidance. You can then demonstrate you’ve done your due diligence.
Have a crisis plan in place. The aim should be to limit the damage to your customers, and therefore to your business. The plan should ensure you are able to let customers know immediately of any breach (if you wait even a day you will increase their exposure to identity theft). This is also a GDPR requirement.
Consider the blackmail and bribery risks
Fraudsters will target and tempt (with money or blackmail) your employees to steal and sell your customer data. This is far more common than people realise. It is difficult to stop all the possibilities, but it will help if you have those ‘water cooler’ chats so that you’re aware of what is happening in the lives of your employees.
Be aware of internal fraud
Most internal theft is opportunistic rather than premeditated. You can mitigate this risk by ensuring you have internal controls with no one person having access to payment systems. Two-tier verification is important for paying invoices etc. to ensure nobody gets tempted to misdirect a payment or create fake invoices.
Keep control of your assets
Do you have a record of everyone who has access to your email system, your website and your social media? If you don’t, it would be very easy for an ex-employee to pose as you. Keep records and change passwords as soon as anyone leaves the company.
If you suspect you have been targeted, or have received a phishing email, this should be shared so others can be alert to the threats. Keep an eye out for new scams by following police and other official bodies on social media.
Double-check by phone
One of the most common and simplest forms of identity theft is where the fraudster poses, convincingly, as a supplier (or an employee) and asks you to change ‘their’ bank details. Never send money in response to an email or a text, even from someone you know well. Pick up the phone and check, every time.
Be wary of cold callers
Never give out any sensitive information to someone who has just called you, unless you recognise their voice. Always phone them back, on the ‘published’ number, from a different phone (so they can’t pretend to answer your call).
Don’t use public Wi-Fi
It is very easy to set up an account that looks official. The fraudster will then be able to steal enough personal information to pose as you. If you have to use public Wi-Fi, check with the server to ensure you access the right one; don’t check with another customer, as they could be sitting there waiting for someone like you to ‘help’.
Francesca Dowling is Head of Compliance at Amaiz