Cyber Security – The scariest story I heard this week…
These episodes aren’t designed to give you nightmares, but I just have to pass on the scariest story I’ve heard this week… Watch this to find out why you should be scared too!
Hi, and welcome to another episode of Baranov TV, designed to demystify the world of accounts and tax and to help your business grow.
I’d like today to talk about cyber security.
It’s not an appealing subject, and it’s something that we all know about, but there’s some information I heard on Monday at an event which has really made me sit up and take notice.
I really want to make sure that all of you are aware of some of the information that I heard because it’s really quite scary.
So on Monday, there was a panel of three IT business owners on the stage and they were talking about the current issues around cyber security. It was quite startling the ways that people are able to access our systems and our information and fool us into making payments, changing payment details, and obtaining money by deception.
So one of the stories that was given to highlight the issue was that somebody was asked to amend a payment. It was an email from a known contact at an existing supplier, and they were asked to please make that payment, but not to the bank details that were on the invoice. “Can you please use a different account number?” The sort code remained unchanged, just a different account number, on the understanding that the previous bank account had been compromised.
Consequently, the company didn’t want any payments to go in there. It was quite a chunky sum, in excess of £20,000. They didn’t want it to go to the compromised bank account. “Could you please send it to the other?” So the company that received that email, which had the payment to make, replied, “Okay, fine.” As I say, it was a known contact from a known email address, so they said, “Fine, no problem,” and the payment was set up.
Now, due to issues within that business, that payment wasn’t made on the day it was supposed to be made, and was delayed by 24 hours. When the payment was then set up to go through, it was rejected. It wouldn’t go. When they phoned the supplier, they said they knew nothing at all about it.
The bank account, it turned out, had been closed down with £85,000 in it.
- It was a fraudulent account.
- It had been set up on the same sort code.
- The emails had been coming from what looked like the same email address, but it was slightly different. There was an extra ‘e’ or something in the email address, but minimal enough that nobody noticed it.
But the scariest thing is that the people who’d been trying to defraud them from the money had been watching their email addresses.
They were getting copies of all of the emails that were going out so they understood who they were dealing with.
- They understood that they were used to making large payments to these people.
- They were able to convincingly communicate by email using the right language.
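The point about the extra ‘e’ is one that can be checked mechanically. Below is an added example (my own code, not anything from the event or from the original article) that takes the From header of an incoming email and compares the sender against a small list of known supplier contacts. The contact list and the test addresses are constructed for illustration. An address that matches exactly is reported as known; one whose domain is within a couple of edits of a known domain, or whose display name merely claims a known address, is reported as a look-alike; an unfamiliar mailbox at a known domain is reported separately so it can be verified by phone.

```python
from email.utils import parseaddr

# Known supplier contacts, as the finance team would record them.
# Constructed sample data for this example; not real addresses.
KNOWN_CONTACTS = {
    "accounts@acme-supplies.co.uk",
    "jane.smith@acme-supplies.co.uk",
}

# Domains that appear in the known contacts.
KNOWN_DOMAINS = {c.rsplit("@", 1)[1] for c in KNOWN_CONTACTS}


def levenshtein(a, b):
    """Number of single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_sender(from_header):
    """Classify a From header against the known supplier contacts.

    Returns (verdict, reason). Verdicts: "known", "unknown-mailbox",
    "lookalike", "unknown", "suspicious".
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ("suspicious", "no usable sender address in header")
    if addr in KNOWN_CONTACTS:
        return ("known", "exact match for a known contact")

    local, domain = addr.rsplit("@", 1)
    for kd in KNOWN_DOMAINS:
        distance = levenshtein(domain, kd)
        if distance == 0:
            # Right company, but a mailbox we have not dealt with before.
            return ("unknown-mailbox", f"unknown mailbox {local} at known domain {kd}")
        if distance <= 2:
            # e.g. acme-suppliees.co.uk: one extra letter, easy to miss.
            return ("lookalike", f"domain {domain} is {distance} edit(s) from {kd}")
        if kd.split(".")[0] in domain:
            # e.g. acme-supplies-ltd.co.uk wrapping the real name.
            return ("lookalike", f"domain {domain} contains the known name from {kd}")

    # Display-name spoofing: the visible name is a known address, the real
    # sending address is something else entirely.
    if any(c in name.lower() for c in KNOWN_CONTACTS):
        return ("lookalike", "display name impersonates a known contact")

    return ("unknown", "sender is not a known contact")


if __name__ == "__main__":
    # Constructed headers covering the cases above.
    for hdr in [
        "Jane Smith <jane.smith@acme-supplies.co.uk>",
        "Jane Smith <jane.smith@acme-suppliees.co.uk>",
        '"accounts@acme-supplies.co.uk" <info@freemail-example.com>',
        "Bob <bob@acme-supplies.co.uk>",
    ]:
        print(check_sender(hdr))
```

Anything other than “known” should trigger the phone call that the payment process requires; the script only decides who gets that call, it does not replace it. Edit distance of two is a deliberately loose threshold for short domains, so expect some legitimate new contacts to be flagged for a check.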
So there are lots of different things to take from that:
- First off, you need to make sure that your emails aren’t being copied anywhere. That can be done: speak to your IT provider. You can check where emails are being forwarded to, and have that report sent to multiple people within the business so that you can see whether it’s happening and stop it.
- You need to make sure that there are processes within the business that prevent anybody in your team from changing bank account details without verbally verifying them. Make sure that they can’t set up new payees on their own, and if they get an email, apparently from you, asking them to make an urgent payment of however much to a new or different payee, or just a big amount they’re not expecting, they need to have a process that they can follow.
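As a concrete version of the first point, here is an added example (my own code, not from the article or from the IT providers mentioned) that goes through an export of mailbox rules and flags the ones that send mail outside the business. It assumes the IT provider has exported the rules to CSV with columns such as `MailboxOwnerId`, `Name`, `Enabled`, `ForwardTo`, `RedirectTo`, `ForwardAsAttachmentTo` and `DeleteMessage`, which is the shape an Exchange Online `Get-InboxRule` export takes; the column names, the internal domain and the sample rows are all assumptions constructed for this example. It also flags two tricks fraudsters use to keep a rule unnoticed: deleting the message after forwarding it, and giving the rule a blank or one-character name.

```python
import csv
import io
import re

# Domains that belong to the business. Assumption for this example.
INTERNAL_DOMAINS = {"example-co.uk"}

# Constructed sample export: three rules across two mailboxes.
SAMPLE_EXPORT = """\
MailboxOwnerId,Name,Enabled,ForwardTo,RedirectTo,ForwardAsAttachmentTo,DeleteMessage
finance@example-co.uk,Copy invoices to ops,True,"ops@example-co.uk [SMTP:ops@example-co.uk]",,,False
finance@example-co.uk,.,True,,"[SMTP:collect.invoices@freemail-example.net]",,True
md@example-co.uk,Old rule,False,"[SMTP:outside@freemail-example.net]",,,False
"""

# Pulls bare addresses out of fields like 'Name [SMTP:user@domain]'.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def addresses_in(field):
    """All email addresses mentioned in a rule field, lower-cased."""
    return [a.lower() for a in ADDR_RE.findall(field or "")]


def audit_rules(csv_text, internal_domains=INTERNAL_DOMAINS):
    """Return a list of findings, one per rule that deserves a look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        targets = []
        for col in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
            targets += addresses_in(row.get(col))
        external = sorted({a for a in targets
                           if a.rsplit("@", 1)[1] not in internal_domains})

        reasons = []
        if external:
            reasons.append("sends mail outside the business to " + ", ".join(external))
        if targets and row.get("DeleteMessage", "").strip().lower() == "true":
            reasons.append("deletes the message after forwarding, so the owner never sees it")
        if len(row.get("Name", "").strip()) <= 1:
            reasons.append("rule name is blank or a single character, a common way to hide a rule")

        if reasons:
            findings.append({
                "mailbox": row["MailboxOwnerId"],
                "rule": row["Name"],
                "enabled": row.get("Enabled", "").strip().lower() == "true",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_EXPORT):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['mailbox']}: rule '{f['rule']}' ({state})")
        for r in f["reasons"]:
            print("  -", r)
```

Disabled rules are still reported, because a rule that was switched off rather than deleted is evidence that someone set it up. Mailbox-level forwarding settings are a separate thing from inbox rules and need their own check; this script only covers the rules export it is given.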
One of the other stories that was being told was of an MD who was away. The crooks had been watching him on social media; they knew that he was going to be out of communication, and that was the opportunity for them to send an email asking a PA to make a payment urgently to another set of bank details.
So there’s lots of different ways that they’re being very, very clever.
How else can you get round it?
- Well, you need to make sure that your firewall is absolutely up-to-date. I heard on Monday that firewalls these days have only got a lifespan of between 12 and 18 months, and they need to be regularly upgraded. So that’s something else to think about.
- Also, make sure that your systems all force regular password changes. You need to make sure that these people can’t get into your system, and if they do get in, they can’t stay in.
- Make sure that you use two factor authentication as often as possible across all your devices and across all the different software systems that use it, including Xero and QuickBooks.
- Never use the same password in two places. So make sure that you don’t repeat your favorite password: your dog’s name, your Mum’s name, whatever it might be.
- Make sure that you’re using strong passwords.
- Ideally, use a password manager. There are plenty out there, for example LastPass, which will record all of your passwords across all of your devices. It’s very, very secure, so it means you don’t have to have a list of them written anywhere, saved anywhere, or in your handbag or wallet.
- And if you do use something like LastPass, make sure that you use a separate email address to get into it, separate from the address for your email software, so that they’re absolutely separate systems.
Eight out of ten businesses, evidently, have passwords for their domains available on the Dark Web, and the scariest point of the presentation on Monday was to see page after page after page of people who had registered for the event on Monday, their domains all coming up on a list of those that had been found on the Dark Web.
Thankfully, we weren’t there, but there were an awful lot of people that were.
Admittedly, I heard later that the information was quite out of date, but you need to make sure that if anybody else is looking around, they’re not going to find anything to do with you on the Dark Web.
You need to make sure that you really do batten down the hatches and make sure that you’re as safe as you can possibly be. I’m sorry that this episode isn’t full of the joys of spring or festivities coming up as we approach Christmas, but I felt that this was really, really important!
They gave a figure, and I didn’t catch the time scale, but you don’t really need it when I tell you what the figures were. Within whatever time scale it was, £146 million was defrauded from small businesses, and of that only £20 million was recoverable through the banks, because the balance, the £126 million, had effectively been given away by those businesses: they had given away their email address, or somehow given access to their systems and their records, to the people who took the money.
So the banks were able to say, “No, it’s not our responsibility. We’re not going to reimburse you.”
I don’t know of any business that wants to give money away so I would strongly recommend that you go away and put some of those things in place that I’ve just suggested.
I hope not to hear that anyone’s had any problems!
If anyone wants to give us a call, I’ve got the details of the three IT people that were actually on the stage on Monday, if anyone needs to speak to somebody that we know knows their stuff, then please feel free to get in touch.
In the meantime, I’ll leave you with all those cheery thoughts, and I’ll see you all very soon.