- Implement a multi-signature mechanism. Establish a review procedure for payment requests submitted to the company via email. This could be the so-called four-eyes principle, under which approving a payment requires a review call to an authorised contact person, or distributing the right of transaction sign-off among several authorised staff members. Decide which measure or combination of measures is best for you, and train your colleagues.
- Establish specific payment limits. Every company and sector has its own specifics and typical sizes of transactions to suppliers and other partners. Establish a typical limit for your organisation and, for payments in excess of it, establish a further review procedure for the account number and recipient.
- Discuss potential situations of fraud within the company with your staff.
- Do not share excessive information. Many businesses seek visibility and recognition. However, when advertising your company’s work, it is advisable to avoid excessive detail in certain areas: do not share information about internal procedures and processes.
- Use legal software. Update the anti-virus programmes and similar technical security measures on your company computers.
- Report to protect others. Do you suspect you faced fraudsters, but your caution helped you avoid mistakes? Inform your bank and the police about a fraud attempt even if you did not fall for it. This could help protect others.
The Europol European Cybercrime Centre (EC3) and the European Banking Federation, together with numerous partners, including the Lithuanian Police and the LBA, have compiled a list of typical fraud cases. Among them are ones mostly associated with attacks against businesses: fraud by pretending to be the company’s head and the use of fabricated invoices.
However, it is easy to attribute fraud to a certain type after the fact. The preparedness and nature of fraudsters’ work are such that the victim is far from immediately understanding that it has fallen victim. And when it turns out that a payment approved by authorised individuals has been sent to a fraudster’s account, it is then necessary to prove that this action was a mistake.
“Emotional pressure is almost always a part of such attacks – victims are asked to perform a transfer as soon as possible, they may be told that it is a secret request of the head that colleagues should not be aware of because it apparently resolves the company’s problems or perhaps would mean the victim being promoted. Disregard the promises of recompense from the caller, their urging and threats,” M. Zalatorius emphasises.
The association head notes that, in an effort to pretend they are the company head or when fabricating invoices, fraudsters often look into the company’s structure and processes ahead of time and typically seek opportunities to access internal correspondence so that their letters and communication are as convincing as possible. Preventative measures help recognise fraud and avoid losses.