Steven Cole, Ansuka


A couple of years ago I was asked by our accounts department whether an IT project had been finished because an invoice had come through to pay it. It was around £11,000 for some cabling.


I told them we hadn’t even started the project only to be told we had paid £6,000 of the invoice two weeks earlier. I then asked who had authorised it because I hadn’t.


It was one of the directors. I went back, had a look and spoke to the director, who said they hadn’t a clue about it. After investigating it turned out someone had logged into his 365 emails. They had basically been pretending to be him, authorising invoices from the background.


The incident helped us put processes in place to make sure people signing off projects are involved in them.


We’ve reinforced that need for vigilance when it comes to emails, with our accounts department especially. It was simply an email that came in and they just actioned it.


Part of it is fact checking, making sure the person that is authorising things is contacted. We’ve also put a training programme in place that we are building on. Authorisation processes are key, that is what we took away from our experience.


Jamie Griffin, Alexander Grace Law

Paula Ardron-Gemmell, Pink Tree Parties


My business is balloon décor and balloon training for private events and corporates. Last year when I was on holiday my site was cloned, someone was selling ‘invisible cars’ and taking money off customers.


The listings had our address and our registered details, but it wasn’t us. Someone sent me screenshots with the person’s email address and the bank account that he wanted the deposits sent to, so he’d hold the car for her. He wanted £1,500 for it, which was below book value.


People serving in my shop received numerous calls about the car. We reported it to the online selling site as a fraudulent listing, every time someone called we told them to do the same and we reported it to the police.


One listing got closed but then another one immediately popped up. We’d have a quiet day and then the calls would start again about the sale of a van or Land Rover. The money they wanted rose to around £9,000.


I know of at least six people who only did their due diligence after paying their deposit. It broke my heart that people had parted with money. If a deal is too good to be true, it’s usually not true, it’s usually wrong.


The worry was my staff were getting distracted an awful lot by this and also what it was doing to our reputation.


Lee Church, Oldham Engineering


Our business carries out manufacturing work for the nuclear industry primarily as well as defence and rail. We deal with a lot of MoD stuff, sensitive and classified information.


We have all the expected controls in place and we receive the usual stuff, phishing emails and the like. A lot of emails are blocked at source. You have to run Cyber Essentials to make sure that you can bid for projects and work on the MoD level work.


We’re looking at extra ISO qualifications and things like that, extra controls. There can be a level of complacency so training, cascaded out to the team, is really important. We’ve been well guided. We’re all normal people working in manufacturing. Nobody in our company is really strong in IT to this level. We know how to control our own documentation, that we can’t leave drawings lying around or that certain things have to be locked overnight.


We don’t discuss this issue a lot in our management meetings but I’ve been thinking that we could have some sort of visual card that people can have at their desk station reinforcing things they need to look out for.


We’ve got a huge number of clients and we hold all sorts of information on them because of the anti-money laundering regulations and the details we need to collect when we’re doing a property transaction on their behalf.


One of the big things in our industry that we’ve seen and had near misses on is invoice redirection or deposit redirection fraud.


An attacker will send an email with what looks like a legitimate invoice attached to it, but they’ll have changed the bank details. It might be a regular supplier or, as in our case, it might be one from us and then the client will pay the funds to the wrong account.


One near miss concerned an invoice that got sent to a client from what looked like one of our email addresses, but it wasn’t. The domain name was slightly different, different bank details on it, saying, ‘Can you pay this?’


They’d already paid their bill, so they contacted us. We checked at our end, asking them to send us a copy of the email and it turned out it was a spoofed email.


Multi-factor authentication really helps to secure the user accounts. Education, both internally and among clients, is also important, and if bank details change, you should have a process in place where someone rings up the supplier and checks.




LANCASHIREBUSINESSVIEW.CO.UK




DEBATE

