Businesses are increasingly being targeted by cyber criminals who assume ‘the identities’ of unwary businesses, often making them pay dearly due to lack of diligence and governance, warns Standard Bank.
Although it is difficult to pinpoint how much cyber-crime costs South African business, various authorities estimate corporate losses at more than R1-billion in the last three years. Indications are that it is a problem that is growing exponentially due to the increasing sophistication of the thieves and the techniques they use to initiate cyber-attacks, says Ethel Nyembe, Head of Transactional Products and Services Business Banking at Standard Bank.
“Identity theft is not a problem that is restricted to individuals, who may find that their personal details are being used to make transactions they are unaware of. It is also becoming an issue confronting companies that find their corporate information, both in the public domain and internally, being targeted and misused by cyber criminals. In these cases it is most common for a company’s identity to be compromised and used as a mechanism for perpetrating fraud.”
“This becomes even more serious when the fraudsters have accomplices in key departments within a targeted company who advise them and actively assist with perpetrating fraud.”
What to watch out for
Typically, says Nyembe, the most common techniques used by corporate identity thieves involve ‘phishing’ for information and then using it. Examples of this are:
- People impersonating officers of the company by using information found in the public domain, namely the company’s brand and electronic letterheads.
- Criminals who operate in the e-commerce space who copy elements of a company’s identity. They then establish false websites and use these to defraud customers or suppliers.
- Those who register a company with a name that is almost identical to that of the targeted company. They then set up bank accounts in this name to funnel money into their own accounts after advising unwary suppliers about ‘a change’ in banking details.
- Fraudsters who alter a company’s correspondence, invoices or instructions after hacking its records. Generally, payment terms are changed and the recipient is requested to pay money into bogus accounts.
- Fraudsters who create false invoices with fraudulent banking details so that funds can be easily diverted. For example, a clerk acting in good faith accepts the invoice and issues a payment instruction that includes the ‘new’ account details.
- Thieves who pretend to be a company’s bankers and use disguised correspondence and sites to gather information on customer and supplier accounts.
- Criminals who access a company’s IT systems and infiltrate pathways, copy data and undertake transactions.
- Cyber criminals who recruit employees within a company to assist them as accomplices in undertaking fraud.
“With business’ growing reliance on technology, networks and the internet, so the dangers of cyber-crime will increase, with fraudsters and hackers adopting more sophisticated techniques for exploitation,” says Nyembe, who stresses that South Africa is just one country facing what is a universal, global threat.
Reduce the risk
Companies can reduce the risks associated with staff colluding with criminals to perpetrate fraud by:
- Regularly reviewing internal controls and tightening them where required.
- Recognising that it is often trusted senior employees who perpetrate fraud, as they can bypass controls, and countering this through informal audits and approval procedures that require more than a single authorisation.
- Creating a security culture regarding the use of computers and policies to safeguard information.
Avoid cyber-crime by:
- Allocating responsibility for dealing with cyber-crime to a senior official.
- Ensuring that staff are adequately trained and aware of procedures to safeguard their documents, data and systems.
- Using monitoring and data mining techniques to strengthen technological detection measures by identifying changes in patterns within data traffic.
- Having the ability to deactivate and isolate all affected technology when it has been ascertained that a cyber-attack has taken place.
- Segmenting networks so that it is more difficult to access one network through another.
- Educating customers and suppliers about phishing scams.
- Checking all details on invoices carefully if a supplier requests that payments are made to a new account number.
It is essential that companies remain vigilant at all times to ensure that any irregularities are picked up as soon as possible.
“We understand that when fraud is perpetrated, it is imperative that the bank responds quickly to a customer’s request for assistance. As South Africa’s leading business bank, Standard Bank is committed to assisting our customers by providing the necessary information about reporting and tracking incidents of this nature.”
“We also urge our customers to report incidents involving cyber-crime to the police. It is only when the prevalence of these acts becomes known that steps can be taken to stamp this out,” says Nyembe.