A meeting at NatWest’s Thames Gateway Commercial Office in Dartford brought together senior bank staff and customers to discuss the latest threats to business from online fraud.
Representatives of three businesses were invited to the office overlooking the Dartford Crossing on a bright January morning, to share their experiences of cybercrime and hear what can be done to combat it.
Steve Hilton is director of Hilton Abbey building maintenance contractors. With him was accounts manager Gill Flaherty. Adrian Loughman is a director of T Loughman and Co building contractors and Tom Friend is operations manager for Beaumont Beds.
NatWest representatives listening to their issues were Warren Mulvihill regional director of corporate and commercial banking, Lee Fitzgerald head of fraud for commercial and private banking, Lee Murphy of digital fraud prevention for commercial and private banking and Doug Hartley from NatWest’s fraud investigation team.
Warren Mulvihill opened the discussions saying he had been in banking for 35 years and that the industry had changed enormously, especially in the last five years.
Tom Friend acknowledged there were many threats to business today, adding: “We get phishing emails on a daily basis, but so far we have been very lucky. We have had threats to our ID, but so far the instances have been only low level.” He said the company was large enough to employ an independent contractor to monitor its servers, but knew that many smaller businesses could not afford it and were therefore more vulnerable.
“We have about 30 sales staff and we meet every month,” Tom said. “Fraud is regularly on the agenda. We constantly need to sharpen our minds, the complexities of fraud can surprise us.”
Warren agreed: “Businesses can never be too cautious. The next big phishing attack can come at any time. We’d far rather you checked with us than your security was compromised.”
Lee Murphy added: “Phishing missions are becoming very sophisticated. The operators use quality software and quote the names of real company employees to apply pressure, or to shock the recipient. The name of Companies House is regularly used fraudulently, with an email sent saying ‘someone has complained about you…’ It’s natural you want to click on it. Sometimes an email will be sent about parking fines, naming a member of staff and including an attachment. That’s how the bad stuff gets into an organisation’s systems. It’s becoming harder and harder to distinguish what’s real. Criminals are that sophisticated. And so many industries are susceptible.”
Lee pointed out that one of the downsides of the internet was that a lot of information about a company was now in the public domain and easy for the criminal sector to get hold of. “Some of the criminal fraternity are now making cybercrime their main focus. This is a high-reward/low-risk business for them,” he warned.
Adrian Loughman asked what happened to any perpetrators who were caught and Doug agreed there were not many reports in the press naming online fraudsters. “We report any issues to the police, but they don’t have the resources to follow up every lead and sometimes the crime isn’t solved. Imprisonment is, of course, an option for the criminal, especially when many cases are linked.”
Lee Fitzerald said the national police force had dedicated cybercrime units, but local forces frequently did not have the manpower to investigate. Action Fraud, the national fraud and cybercrime reporting centre had been set up for victims to report crime, but she said it was difficult for the organisation to investigate every scam.
Gill Flaherty, of Hilton Abbey, said it would help businesses to hear what happened in cases they were involved in. “We always tell NatWest when we think we have a problem, but that’s where the story ends. It would be good to hear what happened.”
Warren replied: “I know it can be frustrating, but it’s not always possible for the police and security forces to follow up because of the sheer volume of cases.”
He highlighted a number of statistics that showed the rise in cybercrime over the past couple of years: “30% of reported crime from July 2016 to July 2017 involved cybercrime. A total of £2.5 billion was lost in debit and credit card fraud. This is a dark art and we rely on reports to police and the authorities. We ultimately rely on companies to ensure they have protection in place and we have an ongoing programme of activities designed to educate and update our customers on the latest scams.”
Adrian asked if the bank could send updates of any threats known about, to which Doug replied: “We put all necessary information on our Bankline system and update it regularly.” He also said the bank held regular webinars about current topics and urged customers to take part.
Lee Murphy said scam-related messages were sent out monthly, but warned that the sophistication of the assaults changed constantly. “We all need to stay current, to be informed,” he said.
Lee also warned of the dangers of passing sensitive data between companies particularly when a member of staff leaves. He quoted a case from 2017 in which an employee left to join a competitor, but could still get into his former employer’s system and stole information which was valuable to his new employer. He was tracked, prosecuted and jailed.
“This could have been prevented if companies were more diligent in their housekeeping, in operating good ‘hygiene’ systems when people leave. It is impossible to underplay the value of data to competitive companies, or the danger of hacking into accounting packages. By the time this is done, your company is compromised.”
Lee Fitzgerald understood the cost of updating computer security for smaller businesses, but warned of the dangers of “patching” – where there are loopholes between older software which can allow an outsider to hack in. She warned of the dangers in the retail sector when a company calls to “test your refund system”. “They are very credible and helpful and will spend ages walking your staff through the actions they need to do, while the member of staff unwittingly gives away lots of information,” she said.
Businesses were warned that fraudsters will go through LinkedIn entries, to find the names and titles of company staff, which they use to contact companies and sound plausible.
Lee Fitzgerald advised: “If you are contacted by someone you’re not sure of, tell them you’ll call back and check with the bank. This is a fast-moving environment.”
Lee Murphy agreed, adding: “A second, independent, pair of eyes checking a potentially suspect transaction can make all the difference. People say cybercrime is an IT issue, but it’s ultimately a people issue.”
Thanking the company representatives for attending, Warren summed up his advice for businesses in trying to overcome cybercrime threats:
- Exercise healthy paranoia
- If it looks too good to be true, it probably is
- The best lie is the one that is closest to the truth.
He ended by pointing out that fraudsters could often be spotted by their courtesy, saying: “You’ll never get a grumpy or unhelpful fraudster!”