Cybersecurity: How to stay safe with your invoices and payments

Cybercrime is a growing issue for businesses in the UK and around the world. According to UK government figures, around 46% of businesses (approximately 2.5 million) have suffered a digital attack. Meanwhile, only one in four businesses in the UK undertake formal cybersecurity awareness training.

Businesses need to be aware that they can suffer attacks when it comes to the likes of dealing with invoices and payments, as well as other forms of data breaches. But there are ways to stay safe from online fraud and cybercrime.

Here are some answers to questions on cybercrime and cybersecurity that I come across on a regular basis.

Why are some businesses ill-prepared to deal with fraud and cybercrime?

The problem is many business owners consider cyber to be an IT problem and it really isn’t. I believe that the best defence is in building your human firewall.  I talk about this in my TEDx Talk – see below – this is far more effective than purely relying on technology solutions (which you need too!).

There’s a whaling/CEO crime attack every five minutes in the UK and someone’s identity is stolen online every three seconds. When a breach happens, it’s not unusual for the board to blame IT.

But investing in hardware firewalls, software protection, email and web filtering is similar to fitting your building with an alarm system, fitting bars to the windows and having five-lever mortice locks on all the doors.

If a criminal walks up to the front door and a member of your team opens it for them, the investment in security is worthless – therefore, we must invest in training and education too.

What are the worst cyber-attacks that businesses have suffered in the UK?

The NHS has clearly suffered: we had the Wannacry problems in 2017 and a third of NHS trusts have reportedly been infected by ransomware, with one – the Imperial College Healthcare in London – suffering 19 attacks in just 12 months.

Northern Lincolnshire and Goole NHS Foundation Trust said a ransomware variant was to blame for cancelling nearly 3,000 appointments.

Tesco Bank suffered a costly attack at the end of 2016 that resulted in it having to reimburse £2.5m to more than 9,000 customers. Hackers found a weakness in the bank’s mobile banking app. Tesco was forced to suspend online and contactless transactions, affecting almost all of its customers.

What are the latest cyber scams that businesses need to protect themselves from?

CEO crime is a huge problem. These so-called “whaling attacks” work on the principle of a spoofed email coming from the chief executive or managing director to the accounts department instructing them to move funds.

We need to ensure the culture in business is one where nobody acts on instructions to move money without proper verification and conversation (regardless of where the instruction came from).

What about invoice fraud?

Invoice fraud happens when an organisation is fooled into changing bank account payee details for a significant payment. Criminals pose as regular suppliers and make a formal request for bank account details to be changed.

I was giving a series of cyber training courses recently to a firm of accountants. It became apparent that they’d recently changed their bank account and so all their invoices now carried the new payment details. However, for all their clients, only one had contacted them to make sure this was legitimate.

How can businesses avoid invoice fraud?

Every company or organisation is vulnerable to invoice fraud. The key again is the human firewall and the awareness and vigilance of every member of staff within a company or organisation.

If there is a change to a normal payment, it has to be verified and for your own sake. You need to be able to prove you’ve verified it and taken all reasonable precautions to ensure the request is legitimate.

How can businesses stay safe when making payments?

Aside from making sure staff stay cautious and attentive, you should always check for irregularities including changes to supplier names and addresses and changes to invoiced amounts.

Modifications to supplier financial arrangements should be validated against any on-file supplier details. When a supplier invoice has been settled, best practice is to inform them, notifying them which account the payment was made to.

Your accounts team needs to check your bank statements carefully. Any suspicious debits should be reported to your bank as soon as possible.

Pay attention to your gut feelings too – if you’re uneasy about a request from a caller, say you’ll call them back and use your on-file contact details, not any number they might leave you with.

What about when receiving payments from customers?

A lot of business is now done online and this type of payment is another area of risk. If you accept payments via your website, make sure you’ve had your website independently checked with a proper Penetration (Pen) Test. This will tell you whether there are any known vulnerabilities you’re unaware of.

If you’re receiving credit card payments, you will also need to ensure you’re PCI compliant as this protects how your staff handle card details within the business, so they can’t be used fraudulently.

How can businesses keep their financial data safe from cyber criminals?

Start by assessing the internal and external vulnerabilities that can affect your business, and educate yourself and your team on how hackers can gain entry.

Make sure you have a security policy in place which is inherent in your culture. Make sure staff use complex, unique passwords (that aren’t shared) and maintain a clean desk environment to protect personal and confidential information.

Don’t trust emails – verify them, use the phone and talk to the right people. Make sure your systems and software are patched and up to date. Ransomware epidemics such as Wannacry only worked on unpatched systems.

Just like any other form of disaster recovery, you need to have an incident response plan in your business that is widely understood and regularly practiced.

Why is it bad for businesses to use paper cheques and paper invoices?

My first response is that it is highly inefficient – they waste time and add additional labour, while slowing down the invoice and payment process. But it is also easier to commit fraud with paper-based systems – paper invoices or the occasional cheque are far easier to misappropriate than a secure digital system.

What cybersecurity measures should businesses put in place to stay safe?

On the technology front, I recommend you get certified for CyberEssentials – this is a big step forward for peace of mind and will likely reduce your insurance costs too. On the people side, if you’re not already training your staff about cybersecurity and the risks that we all face, I encourage you to start doing so now.

But the training needs to go pretty deep and it needs to be sustained – it’s not a one-off exercise. An intelligent person needs to hear something six times before they get it – and not everyone you work with is intelligent! Build your human firewall strong, build it high and stay safe.