Hear from fraud prevention experts about the common scams in our videos and webcast replays.
Person 1 (Nigel): Hello, I'm Nigel Davis from the bank's Business Fraud Awareness team and I'm joined here today by Gareth Thomas from our cybersecurity team. So, Gareth, let's have a look at how fraudsters use compromised emails to target businesses. It does seem like this type of fraud has been around for some time now, but we still hear about payments being sent to fraudsters because the business hadn't spotted that they received a fake email. Can you explain how these scams work?
Person 2 (Gareth): Yeah, I mean, with email compromise scams, fraudsters target businesses by sending fake emails which look like they come from either a genuine supplier, which is known as invoice fraud, or it might be that the email appears to come from someone senior within the business itself, which is known as CEO fraud.
Now the scam email will either be sent from a spoofed email domain which is almost identical to the genuine supplier's or colleague's, or sometimes it can actually come from their genuine email box, if their account has been compromised, or hacked as we sometimes say.
Now, if businesses don't realise that fraudulent bank account numbers are included within these scam emails, they'll be sending invoice settlements or other payments to those fraudsters' accounts.
Person 1 (Nigel): Yeah. And of course, it can be very easy to take these emails at face value, particularly when they appear to have come from a trusted regular business contact. And I guess a business may have excellent IT protection, fantastic antivirus controls themselves, but if their supplier has been hacked, then it's going to be very difficult to spot.
OK. So, other than an email which appears to have come from a genuine supplier's or a genuine colleague's email address, what are the tactics the fraudsters use to trick businesses with this scam?
Person 2 (Gareth): Yeah, with invoice scams, fraudsters can include a trail of previous email conversations between a business and the supplier which the business would recognise as genuine, and also the scam email may not be as obvious as actually requesting a business to change an account number. They may just simply and discreetly add a different account number within the PDF invoice attachment, and everything else will look completely genuine.
With CEO frauds, emails which appear to come from senior colleagues ask for urgent payment to be made to a bank account that perhaps has never been paid to before. We've even heard of cases where fraudsters introduce a fake third party like, I don't know, a solicitor or an accountant, to add that kind of credibility to the request. The emails will often demand that the colleague doesn't mention anything to others where they work, you know, even to the extent that they're sent a fake non-disclosure agreement or an NDA to sign, and it's all aimed at encouraging the colleagues to act on the email quickly, rather than to kind of stop and think and question it.
Person 1 (Nigel): Yeah, you can see how convincing that could be and how carefully planned these fraud attacks are. I guess we should also mention there's a slight variation to this type of scam where the fake email is sent to the payroll team within a business.
So, it's an email claiming to be from an employee asking for their salary to be paid into their new bank account number. But if HR or payroll teams don't take steps to verify these emails, they just update their BACS, for example. Then, at the end, when that employee doesn't get paid, the business will realise that they've lost the money.
OK, so, what should businesses do to make sure they don't fall victim to this type of fraud?
Person 2 (Gareth): Well, I mean, my advice would always be don't rely on emails for receiving details that you use to make payments, particularly bank account details. If an email or an invoice attachment within an email contains a bank account number which the business hasn't previously checked and verified as genuine, then stop.
Make those checks before amending any account details on your system and before making any payments, use a different secure method of communication to contact the supplier, such as, you know, phoning them on a number that you know is correct, not one from the email signature, or maybe that new one that they sent across a couple of weeks ago.
If it's a payment request from your boss or a colleague, go and check with them in the office or call them using a number from your internal directory and not from the email itself.
And it's really important to have clear procedures so that all staff know how to deal with emails that contain payment details and that they know how to properly verify them. But we often hear about cases where businesses do have procedures in place but the employee hasn't followed them, so embedding those procedures with regular training and testing is equally important.
Person 1 (Nigel): Yeah, you're absolutely right that regular fraud awareness in the business is so, so important. I guess it's also worth reminding businesses at this point about Confirmation of Payee. Now, this is something that many will recognise as the on-screen check that the beneficiary name matches the account number at the point the majority of single online payments are made. It's important that if those details don't match, this warning isn't ignored. Investigate why that name and account number are not matching and call the genuine beneficiary on a trusted number to check the details. And, as we said before, not using a telephone number from the email. Ultimately, fraudsters will want people to ignore these Confirmation of Payee no-match warnings.
Person 2 (Gareth): Yeah, of course. But Confirmation of Payee can actually be used by some businesses on their whole payee database if they use the API that the bank's developed. It can run on account numbers and payee names any time on demand, which is great. Another tool is called DMARC, which is short for Domain-based Message Authentication, Reporting and Conformance, but probably just DMARC.
It's an email authentication protocol which in essence helps stop email domains from being spoofed. Now, it's particularly effective if your suppliers have also adopted it for their systems as well. It sounds complex, but really all you need to do is ask your IT team or your IT provider: is DMARC switched on for our business?
Person 1 (Nigel): OK. That's great. Thanks, Gareth. All very, very good advice there. I hope businesses have found this video useful. To find out more information about protecting your business from fraud, including access to a free 30-minute online fraud training course, please visit our website. Thanks for watching.
Watch the video (7m 12s)
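As an added example (not part of the bank's videos or the speakers' material), here is a small Python checker for the "is DMARC switched on?" question raised in the transcript above: it parses the TXT record published at _dmarc.<domain> and reports whether the policy actually enforces (p=quarantine or p=reject applied to all mail) rather than only monitoring (p=none). The domain names and DNS answers are constructed, and the resolver is a callable the caller supplies (a real deployment would wrap a DNS library).

```python
"""Assess whether a domain's published DMARC record actually enforces a policy.

Parses the TXT record at _dmarc.<domain> (RFC 7489) and flags the common
ways a record is "switched on" in name only. Sample DNS data is constructed.
"""
from typing import Callable, Dict, List, Optional

# Policy strength from weakest to strongest (valid values of the p= tag).
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Parse one TXT record into a DMARC tag dictionary.

    Returns None for anything that is not a valid DMARC record: the first
    tag must be v=DMARC1 and a p= policy with a known value is mandatory.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None  # malformed tag, e.g. an SPF-style "-all"
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not record.strip().lower().startswith("v=") or tags.get("v", "").upper() != "DMARC1":
        return None
    if tags.get("p", "").lower() not in POLICY_RANK:
        return None
    return tags


def assess_dmarc(domain: str, txt_records: List[str]) -> Dict[str, object]:
    """Given every TXT record found at _dmarc.<domain>, report whether DMARC is enforcing.

    'enforcing' is True only for p=quarantine or p=reject applied to 100% of mail;
    weaker configurations are listed under 'issues' instead of being accepted.
    """
    parsed = [t for t in (parse_dmarc(r) for r in txt_records) if t is not None]
    issues: List[str] = []
    result: Dict[str, object] = {"domain": domain, "enforcing": False, "policy": None, "issues": issues}
    if not parsed:
        issues.append("no valid DMARC record published at _dmarc." + domain)
        return result
    if len(parsed) > 1:
        # RFC 7489 section 6.6.3: more than one record means receivers apply no DMARC at all.
        issues.append("multiple DMARC records published; receivers will ignore all of them")
        return result
    tags = parsed[0]
    policy = tags["p"].lower()
    result["policy"] = policy
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # RFC default when the tag is unusable
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif pct < 100:
        issues.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    else:
        result["enforcing"] = True
    if "rua" not in tags:
        issues.append("no rua= address, so nobody receives aggregate reports")
    sub = tags.get("sp")
    if sub and POLICY_RANK.get(sub.lower(), 0) < POLICY_RANK[policy]:
        issues.append(f"sp={sub} leaves subdomains weaker than the organisational domain")
    return result


def check_domain(domain: str, resolve_txt: Callable[[str], List[str]]) -> Dict[str, object]:
    """Look up _dmarc.<domain> via the supplied resolver and assess what it publishes."""
    return assess_dmarc(domain, resolve_txt("_dmarc." + domain))


# Constructed sample DNS answers (hypothetical domains) so the example runs offline.
SAMPLE_DNS: Dict[str, List[str]] = {
    "_dmarc.supplier.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@supplier.example"],
    "_dmarc.monitoring-only.example": ["v=DMARC1; p=none; rua=mailto:reports@monitoring-only.example"],
    "_dmarc.partial.example": ["v=DMARC1; p=quarantine; pct=25; sp=none"],
    "_dmarc.nothing.example": [],
}


def sample_resolver(name: str) -> List[str]:
    """Stand-in for a DNS TXT lookup; returns the constructed answers above."""
    return SAMPLE_DNS.get(name, [])


if __name__ == "__main__":
    for d in ("supplier.example", "monitoring-only.example", "partial.example", "nothing.example"):
        r = check_domain(d, sample_resolver)
        state = "ENFORCING" if r["enforcing"] else "NOT ENFORCING"
        print(f"{d}: {state} (p={r['policy']})")
        for issue in r["issues"]:
            print("  -", issue)
```

Only a domain that comes back as ENFORCING with no issues has DMARC "switched on" in the sense the speakers mean; p=none, a partial pct, or a duplicate record all leave the domain spoofable.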
Person 1 (Nigel): Hello, I'm Nigel Davis from the bank's Business Fraud Awareness team and I'm joined here today by Adam Chase from our Fraud Investigations team and we're going to talk about scam phone calls. So, Adam, what are the main common features of these scam calls?
Person 2 (Adam): So, I think that one of the most common features is the fact that they purport to be from the bank and more specifically the bank's sort of fraud or security teams. However, it's not always the bank they look to impersonate. You know, we have seen other organisations such as internet service providers, debt collection agencies, or even HMRC impersonated over the phone.
We think the behaviour is really key for these fraudsters. They're generally looking to drive the opening part of the conversation in order to magnify a problem which ultimately requires the support of the business and its user to rectify. The common themes we see are generally driven by sort of suspicious transactions on an account or payments that have been stopped for security and require additional verification.
They often use bank terminology to help support the legitimacy of their call, yet the common aim is to influence and encourage the release of sensitive information, and that information can be things such as passwords, memorable information, card reader codes, or to guide you to undertaking actions which ultimately serve the purpose of stealing funds.
They can take you to fake online web pages that purport to be, or look similar to, the bank's, which in reverse is really ultimately there to steal your informational credentials. And the other thing is that they'll look to get you to access or download specific software, such as remote access, that allows them to take control of your device.
Person 1 (Nigel): OK, so some different approaches then and so how do fraudsters persuade their victim that it is the genuine bank or a genuine organisation calling? What are the main tactics that they use?
Person 2 (Adam): I think it's common for fraudsters to do their homework as much as anything, you know, to research the business and the organisation which they're targeting. You know, understanding the business and what is out there in the public domain through sort of public information such as Companies House serves an important purpose for them to effectively try and convince the person they're speaking to that they are from the bank, because they have or understand information about your business that is considered to be maybe slightly unique.
They will use bank or industry terminology on the call, persuading you, you know, that they're acting in your best interests, using technology sometimes to create a background environment that may look to try and pass themselves off as a bank contact centre. One of the other common things we tend to see is telephone number spoofing. So they're, you know, criminals using technological applications which disguise the source of the caller, yet present a caller ID that matches that of genuine bank numbers.
And the other thing is remote access, which we discussed a moment ago. So, this allows, you know, once it's on your device or downloaded and access is provided to the caller, this allows them to have visibility of your device, resulting in the caller being able to use that information to their gain.
Person 1 (Nigel): OK, so all tactics that businesses should be alert to then. So, what should anyone working in the business do to spot or prevent these types of scam calls?
Person 2 (Adam): I think it's critical for the business to understand that the release of information, sensitive information, information that is important to the login, or the access, or the application of creation, or approval of payments, should not be divulged, be it through email, text or phone.
And what I mean by that is things such as passwords, memorable information, or even card reader codes. Stay in control of your device. Never log on to your computer or Internet banking for a random caller. Don't visit a web address or download anything or even click on a link they tell you to. Don't even tell a random caller what's on your computer screen. Disconnect the call and contact the bank on a number that is known from a trusted source, such as the back of your card or the bank's website.
Person 1 (Nigel): OK, absolutely. Yeah. If anyone is called by someone claiming to be their bank and they're in any way suspicious, just end that call immediately and you can actually call your bank on 159. So whichever bank you're with, dialling 159 will route your call through to your particular bank for help with scam calls.
OK, so I hope businesses have found this video useful and to find out more information about protecting your business from fraud, including access to a free 30-minute online fraud training course, please visit our website. Thanks for watching.
Watch the video (5m 11s)
Person 1 (Nigel): I’m Nigel Davis, from the bank's business fraud awareness team and today I'm talking to Darren Morrissey from our Chief Security Office and we're going to take a look at ransomware. So, Darren, can you tell us what is ransomware?
Person 2 (Darren): Hi, ransomware is a type of malicious software, otherwise known as malware or a computer virus. It's most commonly used to target businesses or other organisations, and when it infects your IT system, it can allow criminals to lock down your files and data.
And that means you won't be able to access them, which can have a serious impact on your business operations. Ransomware attacks affect businesses in all sectors and geographic regions, and the number of reported attacks has more than doubled since we started tracking them in 2020.
Person 1 (Nigel): So definitely an escalating threat then. How does an IT system become infected with ransomware?
Person 2 (Darren): The most common infection method is through a phishing e-mail, so an unsuspecting employee might receive an e-mail containing an attachment or a link, and when they click on those the ransomware's installed. Another route is through bugs or vulnerabilities in IT hardware or software; criminals can exploit those to plant ransomware on your IT system.
Person 1 (Nigel): OK, useful to know. So, what happens when a business realises they've been infected by ransomware? How does it unfold?
Person 2 (Darren): Often, they'll see a pop-up message on their screens telling them they've been attacked and that their access has been blocked or restricted. The message will usually indicate the amount of the ransom demand and when and how it should be paid. Criminals usually want to be paid in a digital currency, which is more difficult for the authorities to trace.
For a business, the impact of not being able to use their IT system often means they have difficulty with day-to-day operations, which has a knock-on impact to their customers or suppliers, damaging their reputation. And it takes time and money to get back to normal operations.
And it's worth mentioning that what we call double extortion attacks are also on the increase. Not only are the criminals demanding money for the return of their victims' data, but they also threaten to leak or sell the data they stole at the same time as they encrypted it.
Person 1 (Nigel): Right, OK, all very stressful then if a business finds itself in that situation. So, what should businesses do to protect themselves against ransomware or to prepare in case they are targeted?
Person 2 (Darren): Developing an effective ransomware defence plan is often complex and each plan will be unique to a business, but I'd say some key aspects would be to have effective antivirus software across your IT systems and run regular scans and update it regularly.
Make sure that any updates to your software and operating systems are done as quickly as possible. Configure your systems effectively, so things like having effective firewalls, restricting software downloads, limiting website access to trusted websites only. Think about securing access to your systems with things like using virtual private networks or VPNs when using Wi-Fi, enforcing the use of strong passwords and, really important, having multi-factor authentication so you're not just relying on employees inputting passwords.
Make regular offline backups of your key data, and it's critical those backups are not left connected to your network so they can be trusted if you need to rely on them. You should educate your employees on how to avoid letting ransomware onto your network and consider penetration testing, which includes testing employees with mock phishing emails.
Finally, you should have a plan of what to do if an attack happens. How will you communicate if your Internet network isn't available? And who will you get help from? You might want to consider putting cyber insurance in place for your business. You should report ransomware attacks to law enforcement through the Action Fraud website.
There was a report by Microsoft recently that said costs are lower and recovery time is much quicker for businesses who report ransomware attacks to law enforcement. And if you do report it quickly, the National Crime Agency has experts who can help you respond to a ransomware incident.
Person 1 (Nigel): Thanks, Darren. Yes, all that excellent advice there. OK. So, I hope businesses have found this video useful. There's more information about ransomware on our website, including links to Action Fraud and the National Cyber Security Centre that's mentioned by Darren, where there's lots of detailed advice for organisations of all shapes, sizes and types. Thanks for watching.
Watch our video to learn more (4m 50s)
Person 1 (Vin): Good morning and welcome to today's fraud awareness webcast. My name's Vin Pandha, and I'm delighted to be your host today. Today's webcast is due to last around 50 to 55 minutes. And as we go through, please do submit any questions that you have using the online Q&A function, and our team will answer as many of those as we can during the live session.
If we can't get a quick response back to you, we will reply by email afterwards. So please do send as many questions as you can as we go through. The webcast today is being recorded, and it will be available to watch back via a link that will be sent out to everybody that registered and also on our online portal.
Now I'm delighted today to be joined by our guest speakers. Together, we're going to give you an insight into current fraud trends across fraud, cyber and financial crime with some guidance on what steps you can take to support your staff and your business with defending against those threats.
So, a big welcome to Steven and Garry from the Cyber Defence Alliance. They're going to tell us a little bit about who the CDA are, the work that they do and an insight into the current cyber trends that we're seeing impacting organisations. We'll then be joined by Niki Garcha-Davies, who heads up our financial crime teams here at the bank and she's going to talk you through what financial crime is and how it can affect your business.
Now, before I hand over to our guest speakers, I wanted to just provide you with an update on the current fraud trends that we're seeing impacting businesses. Fraud is being described as reaching epidemic levels, and in this year's fraud report from UK Finance, they reported authorised push payment fraud losses increasing by 39% from the last year. Authorised push payments being those scams where a person or a business is tricked into sending money to a fraudster who's posing as a genuine account holder.
The 39% is quite a staggering figure and a type of scam that we don't expect fraudsters to stop turning to anytime soon, and that's why it's really essential that you're all aware of how these scams work and what you can do to stay safe.
One way that these fraudsters are deceiving individuals at work is through what we call business email compromise.
Business email compromise accounts for over 80% of the losses suffered by our customers. Email compromise can be in the form of CEO fraud, invoice fraud or payroll fraud, but ultimately what the fraudsters are doing is using email as a way of getting someone to make a payment to an account that's controlled by them.
Usually, the email address is either spoofed to make it look like a genuine email address at a glance, or the system has actually been hacked into, making it really difficult to spot as it's come from a correct email address as far as you know.
Some recent research has found that only 14% of SMEs seek to confirm invoices are correct. So really think about whether your business is one of those organisations. Do you have it within your processes, and are all your staff generally taking the steps to verify account details or payment details when they come through by email, by using a different method of communication? Or are they just simply relying on those emails? Now, I'm sure many of you have heard of CEO and invoice fraud before, so I won't go into the details, but ultimately, as you're all aware, CEO fraud is where someone internally is being impersonated, whereas invoice fraud is when your supplier, so external compromise is taking place and your supplier is being impersonated to redirect that invoice payment to them, to the fraudsters.
The key to remember here is that really the compromise could take place at either end when it comes to invoice fraud, so it could be that your account details within your business have been compromised or your domain has been spoofed, or in the case of invoice fraud, it could actually be something that your suppliers end which would make it really difficult for you to spot unless you're having those conversations with your suppliers to verify those details.
And in the case of payroll fraud, this is where someone internally gets account details, emails over account details to be changed, and it isn't until they don't get paid at the end of the month that they realise something has gone wrong. So, an email is sent to HR. HR act upon that email, change the account details in the payroll system, and it's not until someone doesn't get paid that they realise that actually they've just relied on that email and thought that it was genuinely coming from that colleague.
So, a lot of things to bear in mind, but actually email compromise can be defended against. There's lots of things that you can do to try and protect yourselves. Ultimately, don't rely on email as being secure. Emails can be compromised, as I mentioned, they can be hacked, making it really difficult to spot that fraudster's actually there because it's coming from a genuine email account. All those email addresses can be spoofed.
So, take steps to verify those details using a different method of communication. Pick up the phone and talk to those individuals, and if it's internally and someone sending you an email with payment details, take the time to walk around the office and have that conversation with them.
Or if you're at home and you know you're working remotely, take some time to be able to verify those details using something other than email. These fraudsters will go to any extent to try and make this sound as genuine as they can, so often they'll use similar language and tricks to try and really make it sound genuine.
So, think about how you verify those details and also think around what your processes say when it comes to verifying details. Are you ensuring that your staff are actually taking those steps when it comes to changing account details for your suppliers and things that you hold on your systems to verify?
Also, other things that you can think about: using Confirmation of Payee. Many of you will be aware of Confirmation of Payee, currently available for UK domestic single payments. So, when you enter in a sort code and account number on your online system, it will usually come up with something to say that the sort code and account number matches the name on the account, providing the bank that you're sending the payment to is signed up to Confirmation of Payee. The bank has actually introduced an API solution to allow you to make those checks outside of your payment journey.
So if that's something that you'd like to know more about, and it's definitely, you know, something that could benefit you if you've got lots of, you know, multiple accounts that you're sending payments to, perhaps on BACS runs, please do get in touch with your relationship managers and they can provide you with some more details.
And one of the other things that we've talked about on these calls previously is thinking about DMARC. So DMARC is an email authentication protocol, but ultimately what it does is stop your domains being spoofed, so you want to bear that in mind for not only your business, but also your suppliers and other organisations. And although it's quite complicated in explaining, the key question for your IT teams is to ask them whether you've got DMARC switched on.
So, lots of things that you can do when it comes to thinking about what you can do to protect yourselves from email compromise. One of the other things that I just wanted to touch on briefly: we're all aware of phishing scams, and it's kind of, I guess, you know, also related to email compromise, but those scams are those emails where you receive an email. I'm sure everybody at some point has had a phishing email, whether it's personally or whether it's at work, but those are the ones where the fraudsters want you to click on a link or open up an attachment, which usually then captures your personal details or downloads malicious software onto your computer.
Now the new trend that we're seeing with phishing emails is where the fraudsters are breaking into email accounts and inserting dangerous links or documents into a conversation. So, a bit like email compromise, actually hacking into someone's email account, but what they're doing is getting into a chain of emails where there's an option to reply or reply to all. There's a number of individuals that are connected on that email chain, and once they insert that malicious link, they're hoping that when it's sent out to reply all, you'll have lots of individuals that are then likely to click on that link or open up the attachment.
Now some of the key things that help this scam work really well for the fraudsters is that they take the time to identify who their target is, so they might use things like social media and LinkedIn to identify who those key individuals are.
They then get access to the business email account, and that could be through email compromise as I say, so they might steal reused passwords or weak passwords or trick people into giving their passwords away. As I say, the scam usually plays out by this reply-all method, and what's particularly dangerous is that that phishing link, so that malicious link that someone clicks on and opens up, just as displayed here, is that they'll usually use a theme that they know that you're aware of and something that's relevant to your business at the time. So, in this example that's on screen here, you know, this is in relation to some files that are being sent round. So, they're hoping that it will be familiar and you'll go ahead and click on the link, and later on down the line, what can happen when you're clicking on these malicious links is you can be inviting something like malicious software like ransomware onto your devices, and inviting that actually into your business and not just your device. So, think carefully about how often you're training your staff on phishing. You know, what steps are you taking to ensure that your staff won't be caught out?
Think about how easy it is for your staff to be able to report phishing and just remember that anybody could be caught out by this. It isn't only your senior management teams that get caught out by this sort of thing and can open that door to fraudsters.
It could be anyone from within your organisation that could click on that malicious link and that could potentially lead to something much more serious. So, lots to think about when it comes to current fraud scams and hopefully you've taken some guidance from those slides there just in relation to what you could be thinking about to better protect your business.
But I'm delighted now to hand over to the Cyber Defence Alliance to Steven and Garry. Over to you.
Person 2 (Steven): And thanks very much for that, ladies and gentlemen, good morning. I'm Steven Wilson. I'm the CEO at the Cyber Defence Alliance. Prior to joining the Cyber Defence Alliance, I was the head of the European Cyber Crime Centre at Europol, dealing with most of the major international law enforcement investigations in the cyber world. Prior to that, 30 years in law enforcement in Scotland and I'll pass to my colleague Garry Wilbur.
Speaker 3 (Garry): Thank you, Stevie. Yeah, Garry Wilbur. Like Stevie, I was 30 years in law enforcement working down in London.
Finished my career as a Detective Inspector running the investigation and intelligence functions within a cyber investigation unit, which led me to then leave and work, now six years, in the financial sector. Stevie.
Person 2 (Steven): OK, looking at the Cyber Defence Alliance quickly. What are we? We work on behalf of the bank and 12 other major UK and international financial institutions to try and share the understanding of threat so we can collectively defend our banks, our customers and the people we work for against cyber threat. And how do we do this? Firstly, we break it into four pillars. Pillar one, proactive network defence: we share all the information and all the challenges we're seeing in the cyber world across all of the banks, millions of customers across the world. Pillar two, we deal with incident response. An incident happens at the bank or somebody connected to the bank in the supply chain; we pull all the member banks together so we can jointly respond, understand that threat and then minimise the impact.
Pillar three is back to the old world where Garry and I used to exist in law enforcement. We deal on behalf of all the banks to pull our information and intelligence together so we can put that in a package to law enforcement so they can act, and then we act as a point of contact for the banks to try and speed up the investigations. And finally, we do strategic assessment and innovation: we look to see what the problems, challenges and threats are that are coming over the hill, so we can prepare our defences and by default your defences to counter the cyber threat.
Next slide, please, Garry.
And as Wynn mentioned, one of the big problems we are seeing as ransomware and again for those who are not fully au fait with ransomware, what is it? It's basically if we're the bad guys, they put malware onto your computer or onto your network or organisation and basically encrypts every single file you have. Think of your customer records.
All of your sales, your financial side of things and how you can operate a business without that, it's practically impossible. And what they then do is extort you to pay potential an extremely large sum of money, most often by way of cryptocurrency.
If you don't pay that ransomware as a service is what's evolved over the last 18 months, they then will publicly disclose some of that information to try and force you and put more pressure on you to actually pay that money. And again, this happens to many companies across the whole of the UK and worldwide.
Will give you an understanding no off the level and how many are happening.
Speaker 3 (Garry): So as you can see on the screen, guys, we monitor across 32 different ransomware families. So looking at that for the last quarter, and when we say quarter, that's July to September inclusive, we've seen 578 different victims.
One of the most popular of the ransomware at the moment for victims is coming from LockBit, which we believe is a Russian gang, and they're responsible for over a third, as you can see, in the last quarter.
We also look at the variations month to month, and as you can see, they do go up and down. However, each quarter tends to be very similar to the one before, and looking at year-on-year figures, again very, very similar. So this year is looking very similar to last year.
We also look at the victims who have fallen foul of these ransomware. We want to check: are they within the financial sector or supply chain? Could bank information or even bank customers' information be at risk? So we look for that. But we also look for themes. An example of that is that we've seen more energy companies starting to be targeted, and we believe that's the sort of ongoing tensions with Russia.
Just a brief stat from what we monitor: the UK is the third highest targeted country in the world, and if you ask me which sectors are hit the most, we find it's not really the sectors they go after as such, but it's the lowest protected companies, so often now we're starting to see more schools, small retailers. The bigger organisations tend to have the better defences, and therefore it's easier to go for these sort of small to medium enterprises.
Potential protection considerations. If you're lucky enough to have a managed service provider, great, please use them. They know what they're doing. If you're a smaller company and you don't use an MSP, then at least ensure you've got antivirus protection and email security for your company. And as Vin was saying earlier, if an email comes in, it could be a fraud, it could be ransomware. Don't click on those links if it's unexpected, even if it's from someone you know, particularly if that reply email is quite old. Really check that out. Look at the display name of the email. Don't just go by what you read, because that could be just what's been displayed; check the email address behind that. You know, put your cursor on there and look at the email address, and that might tell you something. If you see a domain on that email, you want to investigate it. You can use whois-type tools. So there's one here shown, DomainTools, that allows you to look at that domain: when was it created? If it's purporting to be from a particular company, but that domain was only created in recent days, then that might tell you something. But again, as has been said earlier, staff education, you know, is great; make sure your staff do it: who's going to answer emails? Who could click on those links? That type of thing. But of course, if there was an attack, what's the best thing you could have done? And that's to have your data backed up off site, off your network, in the cloud or somewhere else, so in the event of an attack you can back up your files.
Person 2 (Steven): And Garry, if I could just reinforce that part regarding staff education. I saw many, many innovative processes across Europe when I was working in The Hague, and the companies that were doing best in this actually personalised that message to the staff. It was not just about protecting the organisation; it was much more about "listen to what we're telling you, this will protect you, your family, your loved ones", and in those companies we saw often up to a 35% improved take-up and understanding of the security message. That would be my one big message to you: personalise it. Don't just make it about the company.
Speaker 3 (Garry): So I'm just going to speak now about MFA fatigue. So the companies you can see listed there, they've all had breaches in recent months, and one of the things that was used to help the attackers get in was doing a thing called MFA fatigue. So multi-factor authentication, what's that? You'll all use it, I'm sure. You'll log in somewhere, you're putting in your username, your password, but there's an additional verification factor, so that might be a message that gets sent to you in a different channel.
However, if you do this a lot, in some organisations, if you're forever having to do this second check, a message comes in, particularly if it's a message you just need to click on, people get a fatigue. They just start clicking on whatever comes in, because there's no real interaction with that message coming in, so the attackers rely on this. You know, it's just too easy to keep bombarding a person. So say you get credentials for a company and you log into that account; it needs an MFA authorisation. They'll just keep doing it, keep doing it, until someone just gets so fed up with it continually coming in that they just tap on that requirement. So what can you do about this?
We've got certain suggested considerations. Of course, as always, staff education, but that is proven not to be good enough. Therefore, we are also saying, and security professionals are certainly saying, that you should disable MFA push notifications where possible. However, use enhanced security practices such as Microsoft MFA number matching, so it's not just a matter of tapping, but they have to respond by putting in a number, or another version of that from a company called Duo, Duo's Verified Push.
Others suggest that you should limit the number of push notifications that can be sent before an account is locked. So rather than somebody continually just bombarding the real account holder with lots and lots of push notifications, there should be a cut-out, say after 5 attempts they can no longer do that.
One thing worth looking at: we spoke about Microsoft, but there's another standard being developed by an alliance of corporations. They're known as FIDO, and they've developed what's called the FIDO2 framework, and it allows different ways of giving that MFA, such as fingerprint readers or cameras or security keys that are on the device from where they're trying to log in. So it's another layer of security, but much higher than what's currently available. The main problem with that is it's not widely adopted as of yet, but certainly one to think about if you're that type of organisation.
Person 2 (Steven): OK. Thanks, Garry. Now I'm just trying to explain what we do at the CDA with all of the member banks to try and make you safer in your journey in the cyber world. We work together to actually understand how the bad guys do this and how they actually take the cyber world's technical expertise and then migrate into the fraud world. So we look at how the bad guys prepare to do this: what work are they doing in the dark web criminal forums? So we try to understand that and we try to put blocks in at every single stage. We then look at how they actually engage with the victim, some of the areas that Garry's just spoken about and Vin has spoken about. We then try to say: where can we stop them? Where can we be more effective? And share that information across all of the banks. And again, the next stage is that engagement with the bank. How do they understand the processes? And again we try to put as many hurdles in their way as we possibly can.
And ultimately, on many occasions the bad guys get money. They then try to put it into Bitcoin or cryptocurrency so they can hide from anti-money laundering legislation. We try to identify all the different ways to identify that and then actually go to law enforcement with those packages.
The whole point is, because of your engagement with the bank, you are supported by the CDA and another 12 major financial institutions across the UK.
Speaker 3 (Garry): Thank you, Steve. Vin spoke earlier about a scam email, so phishing. If you get a scam SMS, that's known as smishing, or certainly that's a word that we use in our industry. If you receive an SMS, and I'm sure almost all of you will have received such a malicious SMS in the last couple of years because it's really something that's very, very common, if you get that SMS, please check it out. There are some genuine ones out there. So who's it addressed to? Has it got you by name, or has it just clearly been sent to many, many people? That should be a flag for you. Look at the spelling. You can see in this example "authorised" is spelt in the US way, yet it's coming from a UK bank. Again, that should be a flag there. What was the sending number? It is a telephone number. Well, as you know, many big organisations will use alpha tags, or the actual name of the company, rather than an individual telephone number. And look at the links. What is it asking you to click on? Does it look right? Does it read correctly? And remember, as I said, you can do that little check yourself. Go and do that whois lookup. Use that DomainTools. Go and check it: when was that website created? That's if you've got those doubts. And please be very suspicious with these. But any doubts at all, particularly if it says it's from your bank saying "please contact us", rather than click on that link, consider calling 159 if you've got any suspicions, or your established bank contacts, should that be a relationship manager or anyone like that. If you did click on the link and it was malicious, you would see something like this. So on the left, that's what you would see: it would look just like whatever your bank is; the login would look the exact same. Whatever you put in, say your username, password, that's what the attacker sees on the right-hand side. They get whatever you've put in. So we've put "demo" here. They can take those details, they can immediately log into your account and continue to go through those various processes, and each time they're asked for a verification factor or an authentication factor, such as the second, third, fourth memorable character, they'll ask you that question and then put it into the bank. So that's how these types of attacks work. On other occasions they might just take your credit card details and then use them to try to go shopping online, that type of thing. So please, just be wary of these texts when they come in.
Person 1 (Vin): And Garry, sorry, just to interject there. Am I right in saying that often those SMSs and the username or the number that's being called from can be spoofed? Because we've certainly seen some examples that have been reported to us here at the bank that the number has actually been spoofed, so that can happen for anyone, right?
Speaker 3 (Garry): Absolutely. And I'll come on to that in a minute with telephone calls as well and spoofing in another fraud type. But yeah, absolutely. If you see that telephone number or even those alpha tags, it might look like it's coming from Lloyds Bank; it could be spoofed, it could be very similar to what it should be. So just be suspicious, and that's the message really we're trying to get across here.
Person 2 (Steven): OK. Thanks, Garry. Again, really good advice there. The other work that we're doing to try and make you safer through the membership of the bank is actually identifying these bad domains being created literally on a daily basis by the criminals. We're searching out there to understand what's going on. We liaise very closely with all of the UK telecom providers, and also in Ireland, to actually get these taken down at source. The bad guys are creating thousands of these on a daily basis, and again we go in to identify what is malicious to try and protect you.
And again, just as an illustration, there are nearly 35,000 domains blocked so far this year. And again, we see these different layers, and I'm quite sure all of you have received those delivery company ones; more recently, the cost of living issues, the Queen's passing. You've got to understand that criminals are entrepreneurs. They're looking for the next big thing and the best potential way that they can actually lure you in for a fraud. Next slide, please, Garry. And again, just to get an understanding of what's actually there, here's the point: we've seen over the past quarter nearly 10,000 domains. But if you look at the different keywords there, "secure", et cetera, that's the type of thing they're trying to do, because the banks look after their brand very well. The bad guys sit in the middle to try and take the areas that nobody actually owns, for instance delivery, company payment, etcetera. That's what we're working on on behalf of the bank, to try and take down, to try and protect you.
Speaker 3 (Garry): So, guys, I'm going to move on to a particular fraud type we've seen a lot. This is targeting business bank customers. It's coming from very organised criminal groups, or OCGs as we call it, and Vin helped me out here because she mentioned already about spoofing. So they'll call you, and the display number, that's not the number that's actually calling you, but it's just what you see on your display; it will be spoofed. So straight away they'll maybe see a number that relates to a bank online. They'll use that, they'll spoof it, they'll put it as the display, and you'll receive that phone call from the fraudsters. They'll say that they're from the fraud department for your bank, or they might say that they're security at the bank, or something along those lines, that sort of way of tricking you. Hopefully they've got your confidence, they hope, and then by social engineering you, so continually tricking you and lying to you, they'll ask you to download a remote access tool, so a RAT. The one of choice at the moment, most commonly used, is one called AnyDesk, and what that does is give the attackers control of your laptop or your computer. At home you'll just see a blank screen, and they'll go into your banking. They'll go into your online banking, they will start setting up payments, and of course with your bank, when you set up payments and start to get them paid out, that second sort of verification factor comes in, or authentication, a one-time password or a code from your hardware reader, and they will ask you for that. Of course, banks never ask you for that OTP, or the code, to be read back to them. So again, hopefully a flag there.
And as I say, if you get a call saying anything like this, please, please, please, preferably from a different telephone number, call 159 or a trusted number of your relationship manager or similar. One to be aware of.
Person 2 (Steven): Yeah. Thanks very much, Garry, really important. I'm now just going to look at a few general threats that are affecting us all. Just now, the cost of living crisis, something that's in the forefront of absolutely everybody's mind. Firstly, the threat that that presents to your organisation: the insider threat. Staff cutbacks, financial difficulties; organised crime realise that this is happening and they take that as an opportunity to lure people into working for them, and again, being old enough to have lived through previous financial crises, we see that big uptake by organised crime in trying to do this. And again, we touched on earlier on this idea of social engineering. The lure examples are whatever is most topical at the time: energy, banking rates. I mean, everybody just now is just terrified to see what the next mortgage rate hike is going to be. The bad guys will be putting out messages themed with this. Just understand that your organisation could be targeted at any time. But again, it's not all bad news, because of your membership of the bank, your relationship managers are there to help you, and we are here to help the relationship managers to give that overview from the UK, and indeed internationally. And can I now pass on to Niki? Thank you very much for your attention. We'll be delighted to take questions at a later stage.
Person 4 (Niki): Thanks, Steve. Thanks, Garry. Really interesting session. I've picked up a majority of hints and tips, again really in terms of just all the opportunities in day-to-day life that we can be exposed to these kinds of threats, and you know, I don't think any of us are kind of free from this. It's something that we live and breathe with every day. And so hi everybody. My name is Niki and I work for the bank. I'm head of financial crime. I face into the consumer and into the commercial businesses, and today I'm going to talk to you about financial crime. I'm going to talk a little bit about what it is, and most importantly, probably going to talk about the roles that we play in the bank and the roles that you play with your clients to kind of help keep our community safe.
The bank works really closely with the public sector, works closely with industry bodies such as the CDA, and also with law enforcement agencies, and we play a vital part in combating financial crime. I think it's safe to say that it is actually a collective effort, and one of the reasons for doing this webcast today is to help us all understand the part that we play. But actually, if one of us weren't kind of stepping up and playing that part, I think our ability to combat financial crime and economic crime would be in a lot more trouble. So it's really, really important that we help and understand what our roles are and what we can do to help.
We actually do have a legal and regulatory obligation to keep our customers and businesses safe. We also need to understand what our customers do, who they are, what their anticipated activity is. And then if we spot something that doesn't feel quite right, it allows us to help you and help your clients by looking into it further. Now, that's not to say that everything that we spot and everything that we see on a daily basis we automatically think is suspicious and we report it; 99.9% of activity is completely legitimate and fine.
But I think one of the things that I will keep reiterating in the presentation that I'm doing today is how critical financial services and banks are for criminals to be successful in their activities. And so that means it's our services that are being exploited. So you have a vital role to play, and I'm hoping that through the next few moments I can take you through how that shapes up and give you some hints and tips along with the helpful advice that Vin, Garry and Steve have given already.
So a little bit more about me. I've already covered this off, but essentially, as I said, I head the business financial crime team for the commercial businesses, and what that means on a day-to-day basis is really kind of supporting relationship managers, frontline colleagues, anybody that you interact with on a day-to-day basis, to essentially make sure that we are understanding if there's a risk and the kind of questions we need to ask you, or the kind of information that we might need from you, to determine if the activity is OK or whether there's something else that we need to do. We provide support, we provide guidance and we provide direction on matters relating to financial crime. There's a whole heap of legislation and regulatory requirements that we need to fulfil as a bank, so sometimes interpreting those for relationship managers so that they can then ask you a question is really, really important. And so we help to decipher that and kind of turn it into a bit of a language that makes sense, for us to understand what we're asking for and why we're asking for it.
So talking about financial crime and what that actually means, I'm just going to talk a little bit more about kind of how that all comes together. So you've heard lots of different phrases today. You've heard cyber, you've heard fraud, you've heard money laundering, you know, and corruption potentially as well.
There are so many different elements of criminal activity, but I think the reality is that they all fall under a banner of financial crime. So some of these are offensive in terms of gaining access to your data, some of this is about gaining access to your funds, and some of this is about using your facilities to actually facilitate moving money through. So there's lots of different types of financial crime, but ultimately we're interested in every single one, and we want to make sure that we can keep your bank, your account safe. We can keep your customers safe as well. I'm just going to share a headline from the Home Secretary's 2020/21 and 2022 strategic priorities.
So in the latest report by the Home Secretary, they set out three key strategic priorities, and actually one of those three priorities was to reduce the harm to individuals, the UK and the economy and institutions from economic crimes. The main threats of these are fraud, financial exploitation, money laundering and cyber crime. So actually, thinking about this in terms of a government agenda, it's right up there alongside human trafficking and alongside, obviously, general economy priorities as well. So we need to make sure that we're playing our part in that as well. You may have heard of some of these in isolation on their own, but from the diagram that you can see here, they are all connected. Criminals will not just think about one of these activities in isolation. They are opportunists. And so what they will do is essentially look at as much activity as they can, and plus there are different threats out there as well, and we all need to be aware of what those threats are to our business.
Before I go in a little bit more into what we would kind of want from yourselves and what we do as a bank, I just wanted to talk a bit more about the facts around financial crime. So, there's some interesting stats here on the slide. I'm not going to go through all of them, but I wanted to call out a couple, just to bring to life, really, the sheer kind of, I suppose, emphasis of what we're dealing with. So firstly, £14 billion worth of revenue is estimated lost to fraud every year, the tax revenue to businesses every year. That's huge, and I think actually I read recently that the actual attempted fraud is somewhere nearer to 190 billion. So, this is, you know, day-to-day jobs for us as banks, for law enforcement, for government agencies, for industry bodies, to actually make sure that we prevent the UK from being the economy that's easy to facilitate this criminal activity in.
We also talk about something called SARs, and I will talk about this through the next few slides that I share with you. So suspicious activity reports are the way that we provide information to law enforcement. You may have heard of the National Crime Agency, and the National Crime Agency is the predominant agency that we refer these suspicious activity reports, or SARs, to. So actually, in 2020, 480,000 were reported by banks to the National Crime Agency, and that's actually an increasing figure, as is the fraud figure that I shared earlier.
So, I just want to take a moment really to kind of think about what that means. That's 480,000 separate suspicions of intelligence being shared with law enforcement. Now, behind the scenes, law enforcement has a very sophisticated system where they can use all that intelligence and actually make up some active investigations. And in fact, Steve and Garry earlier talked about some of the packages that they put together for law enforcement, which is very much kind of the same type of packaging something up for law enforcement to see if they can take that forward. But banks do this on an individual basis. Now, sometimes we would also package up some investigations, and in fact we do, if we actually have multiple attempts and suspicions and intelligence to share.
But on a day-to-day basis, every colleague from within the bank has a duty to report suspicious activity. So, if it is a relationship manager dealing with a client, if it is an agent on the contact centre talking to a client, wherever something doesn't look right in an account, we have the ability to report that, to investigate it and, if needed, report it to the National Crime Agency. And I just wanted to emphasise that point, because most of the time clients may not be aware of actually the things that we do in the bank and the questions that we're asking of clients, and how that's connected to actually, tangibly, kind of that statement around keeping our community safe. So that's our kind of main lever for reporting our suspicious activity.
I talked earlier about laundering the funds through business. It's actually increasing in scale and diversity, and the diversity and scale of fraud is actually becoming more and more of a significant challenge. The guys earlier have talked about so many different examples of the types of attacks, and actually these challenges are across most sectors and most communities. So again, scams, impersonation, theft: no business and no client is actually exempt from that. If a criminal sees an opportunity, they will go for that; they will not look at what type of business you are, how much your revenue is, what you turn over, how big or small it is. An opportunity to the criminal is an opportunity, just as individuals can be targeted in the same way.
So some of these activities can actually be domestic, some of these activities can be international, and again the OCG that the guys shared earlier shows the variety and some of the sophistication of these scams and these organised criminal gangs as well. So, this could affect your clients, this could affect your suppliers, this could affect your international and your domestic transactions. So, what we're asking today is for you to actually be vigilant around everything across your business.
So how about protecting ourselves from financial crime? What could you do?
So we talked earlier, and I absolutely emphasise the comment that Steve made about training and making it personal. It is actually proven, and we can also evidence it from within the bank, that the type of training that we do and how we tailor that training for our clients and for our colleagues can really make an impact. What we're doing for you guys today in terms of this webcast is another excellent example of keeping the topic alive, being able to interpret what the threat is so that it becomes relevant to yourself and relevant to your clients and your suppliers, and actually then being able to think about what to do with it.
I think in terms of some of the things that are good practice to do here, I think there is a serious side to this. So I talked earlier about the legal and regulatory obligation we as a bank have to make sure that we have the right systems, processes and controls in place to detect financial crime activity, but also to report it if we see it, and the way that I would describe that is that I also extend that obligation to yourselves as clients as well. I think it's really, really important, and as I said earlier, it's really important that everybody plays their part here. So, whether it's training your staff, whether it's having best practice of an AML policy, an anti-money laundering policy, in place, whether it's about appointing somebody and having a tone from the top around the messaging around how your business takes this seriously and will put the right measures in place to detect and prevent financial crime, it all really does have a significant impact. And you yourself could make a suspicious activity report to the National Crime Agency if you wanted to as well.
So these are some of the things that we would encourage you to have a think about, and really kind of think about that tone from the top. It's a really powerful message.
How about looking out for suspicious activity? I just want to take a few moments here actually to talk about the kind of examples of activity that may not be quite right at first glance that you could see on a day-to-day basis. And again, I was interested earlier to hear about some of the examples that Vin gave in her introduction about looking at things like invoices: does it make sense? Taking that time to review it, to challenge it. I'm just going to bring a couple of those types of examples to life now, to see if we can think about how to think about the activity that you see on your day-to-day basis. So sharing these insights hopefully will just get yourselves to think about how you could train colleagues, how you could think about this yourselves, and how you could just adopt a culture of actually feeling like you're playing your part in protecting our economy, our communities and people around you.
So, for example, does it make sense? Does the paperwork match the agreement? For example, if somebody sells watches, but the invoice that you have in front of you is for sales of cars, it's not unreasonable to ask questions. It's not unreasonable to clarify why what you see in front of you is different to what you are expecting to see. And I think in most instances where we deal with questions and we do our financial crime investigation, most of the time when you ask the questions, it can really clarify a lot of information, and so I would really encourage you to act, not be afraid to ask those questions. If you have a legitimate customer, then they will have no problem answering your questions. If you have a legitimate supplier, they will have no problem in telling you a little bit more about what they've provided to you.
How about if the customer isn't open to the questions that you're asking? What would you do? So, you need to make sure that the person that you're dealing with, (a) you know who they are, and (b) you know what it is that they are doing and what they are intending to do in relation to your business. We call that know your customer, and we also have something called know your business. Those two areas, know your customer and know your business, I would say are the foundation upon which to build your relationships with your suppliers and your customers. Do you know who your customers are? If you don't know what your suppliers are intending to provide, then how do you know what you're receiving from them in terms of payments, paperwork or anything else is legitimate? So don't be afraid to ask those questions, and if a customer or a supplier isn't open, then don't be afraid to take action to protect your business.
Do you know where the money's coming from? It's also a really interesting one that we look at all the time, and again, we would encourage you to look at as well. We work in terms of generating revenue; we operate as a business, and we don't want to, you know, deter that in any way. But sometimes knowing where the money comes from, and in fact on all occasions, knowing where the money's coming from and the trail of funds is really, really important, especially if third parties are involved that aren't attached to your business. So, money launderers or criminals will quite often attach themselves onto transactions that look legitimate, and they'll be part of that chain. So again, asking questions, knowing where that money's coming from, knowing if other parties are involved, and then, you know, being able to ask questions about parties is completely reasonable to do.
And then finally, last-minute requests to refund. It's actually quite a simple but effective response for criminals: making a transaction and then refunding it with no legitimate reason whatsoever. Now these obviously would be for higher value purchases, cars maybe, making a transaction and then kind of refunding it at the last minute. It's the easiest way in some instances for criminals to kind of move their money through the system, and so it could be an indication of money laundering, again, if there is not a legitimate reason. And the example that I would give there is if it was a car being purchased on lease finance that's over a three or five year deal, but then actually the settlement happens within a few months. That could be legitimate: somebody's moving from company A to company B, and it's absolutely legitimate, and those companies are well known. But actually, what if there is no legitimate reason why? What if it is just a cash buy and sell out? So again, you don't have to be afraid of asking questions to just understand a bit more.
So hopefully that's provided a little bit more insight into the kind of questions you can ask and the kind of scenarios. And then finally, one of the things that I wanted to focus on is just thinking about our legal and regulatory obligations and how we could work better together.
We already do this with all of our clients, but it's the emphasis on the point in terms of keeping information up to date and providing that information. Now, as much as you know about your clients and you know about your business, we also would like to know that information.
It's really, really important that we keep your information up to date. Now, we do this in a couple of different ways. The first way is that if we see a change in your business or your account activity, we might reach out to you on an ad hoc basis and ask for a bit more information about that. So, say for example you had some change in your ownership structure, your directors or your people with significant control. We would maybe identify that from Companies House records, and we would reach out to you and ask for the information to verify those new parties.
That just means that we know that those are the up-to-date records that we have for you, and also, ultimately, we know who's making the controlling decisions around your organisation. The other way that you could do this is if you reach out to us proactively and tell us through your relationship managers or your contact channels. If you have a change in something to do with your business, maybe you have a new supplier, maybe you're trading in new countries, you can proactively reach out to us and let us know as well.
And again, we would just ask for some more information and make sure that we have the information that's required to update our records. The more up to date your records are, the more effectively the controls that we have in place to monitor and protect your accounts will work.
And that's basically the bottom line. If we can keep your records up to date, it makes a huge difference: when we identify a trigger for a potential concern, we can eliminate it without maybe even having to contact you. It's quite often when we don't have up-to-date records that a trigger then leads us to ask multiple additional questions just to re-update the records that we have on file for you. So if we could work together, we could understand how your business is evolving, we can understand the changes within your business, and we can understand a bit more about how that changes over time. That means that with your up-to-date records, we can get on with keeping your records safe, also keeping your account safe and keeping your activities safe, and making sure that all of the reports and alerts that we have to manage things like fraud, et cetera, are up to date.
So I wanted to thank you for your time today. I hope you found that useful. I'm really happy to have spent some time talking to you all about this today, because this is something that we do actively reach out to you and ask about on a regular basis.
So hopefully that brings a little bit more light to why we sometimes ask these questions. But thank you very much, and then I will hand over to Vin, who's going to close out for us. Thanks, Vin.
Person 1 (Vin): Thanks very much, Nicky. And yeah, as you say, I think hopefully that's given everybody some answers and a bit of background around why the bank reaches out to you and asks you for that information about director changes, changes to turnover, whatever it might be.
Ultimately, we're trying to keep you and the bank safe, and really we want to identify those criminals and stop money laundering and those sorts of threats across the economy and the wider country. So hopefully you found today's session useful. Lots of great information has come across from the Cyber Defence Alliance, so Stevie and Garry, and then also from Niki, particularly on those elements around financial crime. So, I just wanted to summarise really in three buckets that I would like you to consider and take away from today.
Thinking about technology firstly: you know, I started right at the top talking about business email compromise and how much reliance we all place on emails, and ultimately we all trust emails as being secure, especially when it comes to making payments and receiving invoices from our suppliers. So, what are you doing as a company to ensure that your technology is safe? You know, are the staff within your company and your organisation trusting emails as being secure? Are they aware of those threats? Are they aware of how emails can be hacked, how someone can get into a reply chain, how domains can be spoofed? All of those things focus around this element of technology.
And technology is something that we all can't live without, right? So, we all need it in order to be able to function and work. But how do we stay safe and use technology safely to our advantage?
Stevie and Garry also talked about using managed service providers or, at the bare minimum, having antivirus software. And when it comes to things like ransomware, you know, having that antivirus software protecting your applications, updating those applications regularly to give yourselves the best protection, and also backing up your data regularly is so important to build those key defences and to use technology to your advantage to help prevent those sorts of crimes from affecting your business. But also think about strong passwords, and the guys talked about multi-factor authentication.
There's a bit of fatigue around it, but you know, really ask yourself the questions around what your policy is around passwords and authentication. You know, how easy would it be for someone to hack into email systems or, you know, overcome some of that multi-factor authentication to impersonate someone within your organisation?
And also, just on email compromise again, I mentioned Confirmation of Payee and also DMARC. Again, those are elements of technology that are being built in order to help defend against some of these threats.
And when we think about processes, you know, again going back to email compromise, how are you ensuring that your staff are verifying details when they come through by email? Is it something that's built into your processes? Are you ensuring that your staff are following those processes?
And also, some of the points that Niki was talking about: you know, if you've got some changes that are occurring within your business, changes to leadership, key account parties, signatories, you know, it's your responsibility to talk to the bank and tell us about those changes. So just think about how, again, you can build that into your processes.
And also going back to what the Cyber Defence Alliance was saying there around ransomware, I think they mentioned that the UK is the third highest targeted country when it comes to ransomware. So I think you've got to assume that at some point, unfortunately, your organisation will be targeted by something like ransomware. So, have you got a contingency plan in place? What does that look like? How easy is it for you to invoke that? You know, really think about the processes that you've got in place. And do your staff know what to do? Would they be aware of what to do if they had a screen appear on their computer telling them that they were due to pay a ransom and that all their files had been encrypted? How would they respond to that?
And also the anti-money laundering element that Niki talked about: adopting an anti-money laundering policy for your organisation. You know, what does that look like? What sort of questions do you ask of your suppliers when you first perhaps onboard them?
And also, the final thing, I guess, that always comes together and brings all of these elements together is your people: your staff, everyone that works within your organisation. How are you really creating that culture of awareness and asking questions? You know, Niki talked about that culture of asking questions and being proactive, and playing your part when it comes to fraud and financial crime. Everybody's got a responsibility, and if we can all portray all the right sorts of elements around it together, I think we can build a much better community to fight fraud and financial crime. So really think about the culture that's embedded across your organisation.
And the guys also talked about education, you know, how a culture of awareness and educating your staff is so important. But Stevie said that, you know, often it can be quite difficult to get people to engage with some of that training. So, it's really important that it is relevant to everybody: it's not just relevant to your business, it's something that people can relate to and understand and easily interpret. And that's something that, you know, I personally have been really passionate about and have been trying to incorporate into the interactive training that we've launched for you to use as customers of the bank.
Some of the topics that are covered within our interactive training are listed there on screen, but this is something that can be used by anyone, so you as individuals and staff of the businesses that we work with, but you know there's no reason why you can't share this with friends and family. It's all relevant. You know, there are modules within that training that are based around passwords, which is relevant to everybody; social media, you know, do's and don'ts around social media; and social engineering. Lots of elements that you can really relate to on a personal level, and hopefully, if that embeds, you can then bring that to work as well and protect your work life as well as your personal life. The training is interactive, so we've tried to make it interesting and not just something that you're reading on screen or just watching and playing back and perhaps carrying on with some other work in the background.
So please do take a look; the links will be provided if you haven't received them already. It's available to access on our publicly available sites, so please do take a look. It'd be great to hear your feedback when you have completed that training, or perhaps it's something that you could incorporate into your organisation's fraud and cyber awareness training.
In terms of other resources where you can find out more, if you're interested in building on some of the knowledge that you might have gained from today's session: as I say, we've got our fraud hub, which you can access from the top link there, and we've also got some of the helpful links that are listed there. So, Action Fraud, the police's reporting site; NCSC, the National Cyber Security Centre; Cyber Aware; and also the Global Cyber Alliance. So, I mentioned DMARC on the call earlier. The Global Cyber Alliance have actually got a whole host of toolkits around DMARC in particular that can talk you through how to set that up, if you're not aware. Lots of other great toolkits are available on both their site and also the National Cyber Security Centre's. So please do link into those and save them as favourites, and periodically check out some of the content that's on there.
So that brings today's session to a close, and I'd just like to take the time to thank our wonderful speakers for joining us today. So, thank you to Steven and Garry from CDA, and thank you Niki for joining us from our financial crime team. Hopefully today's session has been interesting for you all, and hopefully you've all learned something and have something to take away back to your businesses.
So, thanks again for joining us, and goodbye from me.
Watch the webcast (57m 14s)