3 ways to protect your business and clients from cybercrime

• Human-initiated and bot attacks have significantly increased.

• Identity theft and invoice fraud are key areas of vulnerability for accountancy firms and their small business clients. 

• Robust security protocols, regularly updated, are the best way to reduce cybercrime risk.

Human-initiated cybercrimes in the United Kingdom increased 92% in 2022 while bot attacks increased 81%.

The first category includes investment and romance scams, while the second captures large-scale automated cyber-attacks with increasingly sophisticated cybercriminals employing automated scripts and algorithms to steal valuable data for financial gain.

“Fraudsters are getting smarter,” says Rob Woods, UK-based Director of International Market Planning and Financial Services at LexisNexis Risk Solutions. “Education and awareness are essential – we’re not as vigilant as we should be.”

According to The National Crime Agency the UK has seen marked growth in high-profile ransomware campaigns that involve hijacking files and holding them to ransom. The instigators are mainly Russian-language criminals operating ransomware as a service, it says.

But it also warns that tactics are shifting, with targets more likely to be businesses than individuals. 'Off the shelf' tools are now allowing less technically proficient criminals to commit cyber-crime, while evolving malware as well as hacking, phishing and malicious software is also on the rise.

Typical attack patterns and specific challenges

As cybercrime evolves, new fraud types are emerging.

• First-party fraud is now a significant problem in the UK. This involves individuals knowingly misrepresenting their own identity or providing false information to obtain money. Woods gives the example of individuals pretending to their bank that they have been scammed, or to an online store that they have never received goods. This is a potential risk for businesses that operate online.
• Synthetic identity fraud is a lesser but growing issue. It entails criminals creating a false identity to take out a loan, for example, or to impersonate someone and access their finances. Typically, cybercriminals steal personal information through hacking unprotected data. This type of cybercrime can affect anyone and good security, including two-factor authentication and strong, regularly updated passwords, is key.
• Invoice fraud, while not new, is one of the easiest and most lucrative crimes. It can affect both accountancy firms and their clients. “Cybercriminals can easily copy logos or stationery and send fake bills to busy accounts departments,” he says. “It is easy to add another invoice with a genuine looking logo to the pile. Onboarding new suppliers can also be a point of weakness.”

The Cyber Security Government Strategy (2022 to 2030) also acknowledges the growing risk within supply chain attacks that are usually linked to vendors with poor security practices.
Not only do small businesses need to prioritise supply chain security but they should ensure all third-party partners, including data storage providers, adhere to robust cybersecurity practices.

The weakest link

The weakest link is most likely to be the target of cybercriminals, says Woods. The adoption of more secure channels such as mobile and app-based online banking solutions as well as hi-tech, anti-fraud solutions has shored up defences for banks and credit card companies.

According to LexisNexis Risk Solutions, this tactic prevented £1.2 billion of unauthorised fraud in 2022.

Yet while banks may be highly regulated, and provide mandatory training for staff, this may not be the case across other businesses that handle financial data, says Woods.

“Fraudsters are looking to get the maximum return for the least effort,” he says.

Cloud data storage without protection is an obvious but common area of vulnerability – it can lead to synthetic identity fraud and other scams.

“Some people even make it super easy for criminals by putting all the data in a spreadsheet,” Woods says.

To keep clients safe, and to help them protect their own records, provide training to help your staff and clients encrypt data before it is stored within a potentially accessible domain.

Encryption alters data so that it is no longer readable by a human – it needs to be decrypted with an authorisation key first.

Stay safe online

Cybercrime currently costs the UK £27 billion a year. To avoid falling victim to cyber threats, Woods advises accountancy and small business firms to:

Invest in and install robust online security measures: “Seek advice from an expert, engage the right people and allocate the necessary resources.”
Conduct regular audits of information and security: “Keep looking at your eco system to see whether it has been breached.”
Prioritise customers’ trust by safeguarding their personal and financial details: “Consult cybersecurity experts and avoid taking shortcuts when it comes to data protection.”

For more advice, visit Cyber Aware or the National Cyber Security Centre.