Authorised Push Payment Fraud

Due to anti-fraud measures introduced over the past 15 years, the payment fraud landscape is shifting and fraudsters are now favouring authorised push payment fraud. This shift is confirmed in the types of fraud experienced by Ebury clients. With this fraud type, the genuine customer is tricked into making the payment by the fraudster, believing it to be a genuine transaction, making the victim complicit in the fraudulent payment.

The Importance of Email Security

To avoid becoming a victim of authorised push payment fraud, it is crucial to consider not just your own email security, but the email security of anyone that you do business with. Email hacks and email scams are increasingly common so a genuine-looking email from your supplier could easily be a fraudster communicating with you from a compromised email account.

If you are ever in doubt, we always recommend confirming important communication via telephone with your supplier. If not, a supplier’s lack of email security could easily become not just your problem, but your monetary loss.

When it comes to your supplier’s emails, we recommend looking out for red flags such as:

• An unexpected sense of urgency in an email
• A sudden change in an existing supplier’s bank details
• A change in the address or tone of email communication with your supplier
• Any change to the usual communication channel with a supplier
• A misspelt, or spoofed, email address that could be trying to mimic your genuine supplier’s email address
• Any contact from an email address with a recently created email domain – the age of an email domain can be checked for free online

Be Aware of Scams

Covid-19 has created the perfect storm for fraudsters, with Law Enforcement noting a sharp increase in the reporting of scams targeting individuals and businesses since the pandemic hit. When it comes to scams, fraudsters manipulate their victims making them complicit in the fraudulent payments, leaving their victims vulnerable to financial loss.
Scams can take many forms – at present, they may be Covid-19 related with websites claiming to sell medical equipment or they may take the form of investment schemes claiming returns that seem too good to be true.

We advise thoroughly checking your sources before making a payment to any new supplier. Ask yourself:

• Does the supplier have a professional website?
• Can you see genuine reviews of their services?
• Has the supplier provided legitimate invoices for any good to be purchased?
• Are the suppliers bank details located in the same country as their head office?

If in doubt, think twice about making a payment to an unverified source.

Phishing

Criminals will do whatever they can to try and convince you to do something which they can end up using to their advantage. The term ‘Phishing’ is often used when talking about emails however, there are similar techniques used with SMS messaging or via direct phone calls.

Phishing attacks using email or text message will contain a link, file or attachment and the end goal is to convince you to click on it. Once clicked, the file could contain malicious software or may redirect you to a fake website which could download viruses onto your computer, or steal password and personal information.

Criminals will also use direct communication and call you via phone. This is much more direct and they will be very convincing in pretending to be from a trusting source asking you for sensitive information such as bank details. Criminals may pretend to be from an organisation you trust, such as your Internet Service Provider (ISP), Bank or even a friend in need.

What to do if you’ve already clicked on something?

• In the event that you have already responded to an email, clicked on a link or opened a file, take the following steps:
• If the communication involved your bank details, contact your bank and let them know what has happened
• If you received the message on a business/work laptop or phone, contact your IT/Security department and let them know
• If you opened a link on your computer, or followed instructions to install something, open your antivirus (AV) software and run a full scan
• If you have disclosed your password, you should change the password on any of your accounts which use the same password
• If you’ve lost money, tell your bank and report it as a crime. By doing this, you’ll be helping the battle against criminal activity, and prevent others becoming victims of cyber crime

Spotting suspicious messages

Phishing emails and text messages may look like they are from a company (or individual) you know or trust. They may:

• say they have noticed some suspicious activity or log-in attempts
• claim that there is a problem with your account or your payment information
• request that you must confirm some personal information
• include a fake invoice
• want you to click on a link to make a payment
• say you are eligible to register for a refund (e.g. government reimbursement)
• offer a voucher or coupon for free items

How to protect yourself from phishing attacks

Your email spam filters may keep many phishing emails from reaching your inbox however criminals are always trying to outsmart these controls, so it’s a good idea to add extra layers of protection.

1. Keep your software and operating system up to date; allow automatic updates to ensure you are protected from new security threats.
2. Never trust alarming messages; most reputable companies will not request personal information or account details via email. If you receive an email of this type, immediately delete it and then call the company to inform them and confirm if there are any issues with your account.
3. Do not open attachments; any email which appears suspicious or strange and contains an attachment, avoid opening until you have verified if the email is genuine.
4. Avoid clicking on embedded links; be cautious of emails that contain these links and as a precaution, visit the site directly by typing in the correct URL address to verify the request.
5. Protect your social media accounts; attackers may search and collate details about you (including personal information) from social media sites that are ‘public’. Check your settings to ensure that your accounts are only visible to immediate contacts and be mindful of what information you ‘post’.

Password Management

Using the same password across different accounts can be risky, and in the event that a criminal steals one of your passwords, they could use this to access another account that belongs to you.

Best practice will always be to create different passwords for all of your accounts which are strong and are hard to guess. Yet it is understandable that there are many difficulties in trying to remember all of these passwords across a range of accounts.

The use of password managers provide help in generating strong passwords and helping to keep them secure. The majority of password managers will also automatically enter the appropriate password into a website and apps for you.

Types of password managers

The majority of internet browsers used (e.g. Firefox, Google Chrome or Microsoft Edge) have password managers built in. A password manager is also a common feature on many smartphones or tablets where the user is asked (prompt appears asking the user if you want the browser/device to remember your password).

Caution: If you are sharing a device with anyone else, it is not recommended that passwords are saved within the browser/device.

You could also consider the use of a standalone password manager which are applications available to download and have the features to assist users in creating good passwords. Do make sure you read some online reviews on the various types of apps to make sure you pick the right one for you.

Benefits of using a password manager

Password managers can protect you by creating strong, different passwords for every site/application you use and some will auto populate those passwords for you.

• Protect against password-reuse attacks; in the event criminals are able to gain access to a website and steal user credentials from it, they will try and use these across other websites. Password managers create different passwords so when the criminals attempt to use the stolen usernames and passwords across other sites, the password managers prevent this attack from happening.
• Imposter websites; in most phishing emails which contain a link, this will usually take the user to a fake website designed to steal your credentials. Password managers can protect you from these attacks because they will not enter the password on fake websites.
• Keep track of services and accounts; helps the user identify unused accounts and suggests whether you should consider closing or deleting to reduce your digital footprint and potential exposure.

Protect my password manager

If you want to use a password manager it is important that you keep this account secure because if it is accessed by an unauthorised person they could potentially have access to all of your passwords and associated accounts. Please consider the following recommendations;

• Two-factor authentication; Ensure that you have an additional layer of security when you login to the password manager. If there is an option to set up more than one type of second factor authentication this will ensure you have a backup in place to access your password manager account and reduce any threat of unauthorised access.
• Install updates; Make sure you keep on top of any updates available when you are notified by the browser/app to install them. Using the latest version helps protect against potential known vulnerabilities.
• Master Password; This will be the password used to access your password manager and you must ensure this has never been used for anything else. Guidelines from the UK National Cyber Security Centre suggest the use of three random words (e.g. moonyellowbasket) where numbers and symbols could also be added if needed (e.g. 3moonyellowbasket27*)

☝️ Be creative and avoid using names, places or anything which an attacker could potentially glean from any social media accounts linked to you. Keep it Random.