September 4th 2018
Half a million businesses impacted by 'fake boss' scams: legal sector most at risk. New video shows how fraudsters operate.
– Impersonation fraud is on the rise, with small and medium businesses losing an average of £27,000 to fraudsters1
– One in five victims have had to make employees redundant due to the financial impact
– The average loss of £27,000 is nearly equivalent to the average salary in the UK2
– Law firms most susceptible to falling victim (19%), followed by HR professionals (17%), IT workers (17%) and finance companies (16%)
– These scams occur when a fraudster uses the information and personal data of suppliers, bosses or business contacts and impersonates them, in an attempt to defraud a company out of money
– Get Safe Online and Lloyds Bank have published a video showing a team of CEO impersonators dubbed the ‘Fraudstars’ to demonstrate the ways in which scammers can dupe companies into making payments, based on real-life scams
With one in twelve (8%) of respondents having fallen victim to impersonation fraud, it is likely that nearly half a million (454,9603) SME businesses in the UK have been impacted by these scams.
According to data from Lloyds Bank there has been a 58% rise in this type of crime in the year to date4, however as this is only reported fraud, the true scale of the problem is likely to be much larger.
To raise awareness and educate workers on how to stop scammers, the bank has teamed up with us here at Get Safe Online, the UK’s leading source of online safety information.
This comes as only 20% of victims say they now think twice when receiving a request at work – and the research reveals that a lack of precautions around online safety could be assisting impersonation fraudsters. Over a third (37%) of employees don’t know what to look out for or don’t have any security precautions in place – leaving them vulnerable.
Gareth Oakley, Managing Director of Business Banking at Lloyds Bank comments: "The rise of impersonation fraud is a very concerning issue for small and medium-sized businesses. We know that falling victim to these types of scams can be serious as the impact extends beyond just the financial implications. This is why we’ve teamed up with Get Safe Online – to help educate business owners and employees on how to recognise these scams and take the right precautions to protect themselves."
Impact on employee wellbeing
The fallout from fraud is not just financial. Respondents revealed that the attacks caused emotional upset too. Fifteen% felt angry that they were targeted, with one in twelve (8%) saying they couldn’t trust people close to them.
The research also found that one in 20 (5%) victims of impersonation fraud were so ashamed that they hid their mistake from their team, potentially with the fear of being fired on their mind. However, hiding a mistake like this may only cause further problems: if the systems have been compromised, then fraudsters may be able to get access to other critical information, or make additional payment requests meaning that losses will increase.
Victims of impersonation fraud often face financial consequences: seven% of companies affected said they had experienced financial hardship, with over one in twenty (six%) having to make employees redundant due to the financial impact of the scams.
Over half (53%) of respondents say they have experienced scammers posing as their boss, demonstrating a rise in popularity of CEO impersonation fraud. A similar number (52%) say they have suffered fraudsters posing as suppliers, with invoice fraud – where a false change in bank account details is sent from a legitimate-looking supplier – another common scam.
Business email compromise, where scammers intercept a legitimate email trail and change the beneficiary bank account details, is an increasingly common method of impersonation fraud, according to Lloyds Bank. This is especially dangerous as fraudsters can change information in a genuine email thread, therefore there are no other warning signs. As email is not a secure method of communication, so any change of details or financial information should always be double checked with a trusted contact.
Legal sector most at risk
Of those affected by the crime, individuals working in legal roles are the most likely to fall victim and be caught out (19%) due to the high quantity of financial transactions they are involved in, followed by HR professionals (17%), IT workers (17%) and finance companies (16%). However, finance workers are the scammers’ primary targets, with nearly one in five (19%) of respondents saying they, or someone else in the finance team had been targeted by the scammers.
To raise awareness and educate workers on how to stop scammers, Lloyds Bank has teamed up with Get Safe Online, the UK’s leading source of online safety information. They have created a video where a team of CEO lookalikes pretend to be the real deal to scam unsuspecting staff out of money. These fraudsters attempt both CEO fraud and invoice fraud. In doing so they demonstrate some of the most common techniques used in impersonation fraud, including:
– Changing bank account details – where scammers pose as suppliers or other contacts and notify victims that their bank details have changed and get businesses to make payments to the fraudsters bank account (commonly known as invoice fraud)
– Phishing – sending emails, texts or voicemails purporting to be from a reputable company to get individuals to reveal personal information
– Fake emails pretending to be your boss or other senior colleagues – emails set up to look very similar to legitimate emails, which are sent to try and trick the recipient into paying funds to a fraudulent account
– Social engineering – the act of manipulating or tricking people into certain actions including divulging personal information or financial information
Speaking on how businesses and employees can avoid falling victim to impersonation fraud, Tony Neate, CEO of Get Safe Online, comments: "The most effective way to ward against these fraudsters is to double check the details. Verify any requests for amended payments to an organisation directly using established contact details. If you’ve received a suspicious email, always check with the person you believe sent it by asking in person, phoning them or using a different trusted communication method."
The poll of 1,500 SME workers further reveals that tech savvy millennials face the highest risk of being targeted – with more than 1 in 10 (12%) falling victim or knowing someone who has fallen victim to impersonation fraud.
Data sources
1. Data from Lloyds Bank: average loss to a commercial customer for impersonation fraud is £27,000. This is the average loss per CEO and Invoice Fraud case during the time period 1st January 2016 and 30th June 2018
2. https://www.ons.gov.uk/employmentandlabourmarket/peopleinwork/earningsandworkinghours/datasets/allemployeesashetable1 Average salary is taken from Total Table 1.1a Weekly Pay – Gross, Tab: all, Mean weekly pay multiplied by 52 for the average annual pay.
3. Assuming 8% of SMEs (from omnibus research) have been victims and there are 5,687,000 SMEs in the UK. Statistic taken from: page 5, House of Commons Library, Briefing Paper, Number 06152, 28th December 2017, Business Statistics
4. from Lloyds Bank: number of impersonation fraud (Invoice and CEO Fraud) attacks since 2017 (pro-rata)