According to the FBI, US businesses lost $660 million to online fraud last year. With reputational damage and investor relations to consider, online fraud is one of the most dangerous threats to businesses today. It’s time to learn how to spot the main types of online fraud, and how to protect your business against it.
Trustpair stops the financial effects of online fraud by continuously monitoring payments and blocking transactions with suspicious third parties. Contact an expert to learn more!
What is online fraud?
Online fraud encapsulates all types of cybercrime with the aim of deception. It takes place over the internet, rather than physically in person. Online fraud is an umbrella phrase. It could cover anything from a single false chargeback to a huge and organized ransomware attack, or from a phishing email to BEC (business email compromise).
The common element that links all of these types of fraud is that the perpetrator lies and someone inside the company believes that lie. This opens up the door for exploitation.
So just how big is the threat of online fraud?
Astonishingly, it costs businesses an average of $4.5 million per year. However, even the industry professionals surveyed underestimated this figure by at least a few million. Moreover, 64% of business leaders are finding it more difficult to fight against fraud in 2023, compared to other years – even diverting other resources toward the fight.
This revelation highlights two key concerns:
- The threat of online fraud is large and businesses need to consider how they approach detection and prevention.
- Even those who are clued into online fraud are underestimating its danger, meaning that many businesses that already have an anti-fraud system in place might need to rethink their strategy.
As fraud techniques continue to evolve, many organizations might find vulnerabilities in their strategies that criminals can exploit. So, it’s important to know about the most common types of online fraud and how to prevent this threat from damaging your business.
What are the main types of online fraud?
The most common types of online fraud are as follows:
- Phishing
- Identity theft
- Business email compromise
- Ransomware attacks
Phishing
Phishing is one of the most well-known types of online fraud, taking many different forms. The cybercriminals could:
- Spoof an email address to impersonate someone over email channels.
- Use social engineering tricks like language mimicking or urgency to place pressure on the victim.
- Do extra research to learn more about the real suppliers and make their ruse more legitimate (known as spear phishing).
- Include malicious links within their email, redirecting victims to a fake website to harvest their data (known as pharming).
Phishing is now so common that we can all recognize some of the spam emails in our personal and work accounts. But worryingly, the high volume of attacks means they’re not all spotted. 1 in 8 employees shared their information with phishing fraudsters last year.
Unfortunately, a case of phishing happened in 2016 to a German company, Leoni AG. In an act of CEO fraud, the Chief Financial Officer received a cloned email, appearing to be from the CEO. It requested a wire transfer in compliance with the company’s existing protocol. It’s clear that the scammers were familiar with the company’s internal control measures, and this led to very little suspicion about the email.
Within minutes, $40 million was transferred and lost.
Identity theft
Identity theft is another common type of online fraud, affecting one third of all Americans at some point in their lifetime. Here, the perpetrator’s goal is to gain credentials and then use them for financial gain or to access another account.
In 2012, Facebook users experienced a huge spike in identity theft attempts through a new scam. Scammers hijacked an account and sent out socially engineered messages to every single connection, threatening to suspend accounts that did not re-confirm their details. The message included a link to a form where users could submit their Facebook log-in information.
The perpetrators later used the identity information of the victims to impersonate them, make purchases in their name, and use their credit card information to take out loans that would never be repaid.
Business email compromise
Business email compromise (BEC) is one of the most dangerous methods of online fraud, causing over $4.2 billion in losses in 2021 alone. In fact, BEC attacks are 9 times more expensive than the next type of attack on our list, ransomware, due to the huge volume of perpetrators.
BEC works by deception. The attackers sometimes hack into a real supplier’s email accounts, and sometimes mimic the real address. Then, they fire off emails asking for a change in bank account details, hoping that the next invoice will be paid into their account instead of the actual supplier account.
So while phishing fraudsters use social engineering techniques and spoofing to impersonate a known target, BEC fraudsters use technical computer skills to actually hack into the accounts of the target they are impersonating.
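The signals described above can be checked mechanically before an invoice is touched. The following is an added example, not code from the article or from any vendor: the supplier domain, the two sample messages and the finding names are constructed for illustration. A message sent from a genuinely compromised supplier mailbox passes the domain checks, so the bank-change finding is raised on its own and should always lead to verification over a separate channel.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed supplier master data and messages (assumptions, not from the article).
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.example"}
BANK_CHANGE = re.compile(
    r"\b(new|change[ds]?|updated?)\b.{0,40}\b(bank|account|iban)\b", re.I | re.S)

LOOKALIKE_MAIL = """From: Accounts <billing@acme-suppl1es.example>
Reply-To: billing@mailbox.example
Subject: Updated bank details

Please use our new bank account for the next invoice.
"""
GENUINE_DOMAIN_MAIL = """From: Accounts <billing@acme-supplies.example>
Subject: Invoice 1042

We have changed our bank account, IBAN to follow.
"""

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain part of an address header, '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def assess(raw_email):
    """Return the findings for one plain-text message."""
    msg = message_from_string(raw_email)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    if sender not in KNOWN_SUPPLIER_DOMAINS:
        near = any(edit_distance(sender, d) <= 2 for d in KNOWN_SUPPLIER_DOMAINS)
        findings.append("lookalike-domain" if near else "unknown-sender")
    if reply_to and reply_to != sender:
        findings.append("reply-to-mismatch")
    if BANK_CHANGE.search(f"{msg['Subject'] or ''} {msg.get_payload()}"):
        # Raised even for a genuine domain: a hacked supplier mailbox passes the checks above.
        findings.append("bank-change-request")
    return findings
```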
Famously, an example of business email compromise occurred at one of the Top 50 Companies for Innovation. The attack, which happened in 2020, targeted a senior employee at the company with an email containing a malicious link. The email was sent from a financial reporting software company that the business really used, making it look legitimate.
Once the link was clicked, the fraudsters redirected the executive to a fake website to gain his Microsoft 365 credentials and then used the credentials themselves to access the employee’s internal account.
Ransomware
Finally, ransomware attacks are a complex type of online fraud – and 72% of all businesses reported at least one ransomware attempt in 2022.
The cyberattackers behind these attacks aim to install malware into the network or a specific device at the target organization, in order to bring operations to a halt. After locking or encrypting the files, the perpetrators ask for a one-time payment in exchange for restoring the company’s access and giving up their own unauthorized access.
This type of online fraud could be considered more dangerous than others since it means that the fraudsters actually get inside your business systems. Once inside, they have the power to do as they choose, including accessing information about your employees, suppliers, and operations. Phishing, by comparison, only relies on an internal member of staff giving away sensitive information.
A ransomware attack exploited a vulnerability in the Microsoft PC system in 2017. Known as WannaCry, it affected at least 250,000 users and caused significant reputational damage for Microsoft. After the attack, the system was widely perceived as insecure and many users switched over to different operating systems.
How can you protect your business against online fraud?
It doesn’t have to be expensive to take the relevant steps against online fraudsters. Instead, applying security measures with a clear strategy is the best way to prevent cybercriminals from exploiting your business. This includes:
- Fraud awareness training
- Internal controls
- Third party monitoring
Fraud awareness training
Fraud awareness training enables employees to stay ahead of emerging fraud trends as they remain up-to-date when techniques and tools change. Moreover, awareness training helps to instill the right response mechanisms when suspicious activities occur.
Regular fraud awareness training can help reduce the success of fraud attempts, but the Association of Certified Fraud Examiners reports that it’s important to instill fraud awareness at all levels of the business. In 2022, only 14% of board members received this type of training, even though they are some of the top candidates for targeting.
Internal Controls
Implementing internal controls means the creation of rules for your employees to follow. For example, setting the standard for how to make a payment transfer. Abnormal requests to send money will then raise suspicions.
Moreover, the segregation of duties can set a precedent for sharing information. It means no single individual can approve a money transfer by themselves. This creates a culture of collaboration and encourages open communication between team members.
Both of these features should help to raise red flags if unknown perpetrators are accessing the systems, or if suspicious transfers are requested, for example.
Third party monitoring
Due diligence is a great way to validate your potential suppliers, vendors and collaborators before beginning a partnership. Organizations can apply Ultimate Beneficial Ownership checks to determine whether their international partners are associated with fraudsters, for example.
However, continued third-party monitoring is a stronger way to prevent fraudsters from accessing systems and finances. Platforms like Trustpair work in real-time to verify vendor data and automatically block transactions to unknown or suspicious third parties.
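The internal controls and the third-party check described above can be combined into a single gate that runs before a transfer is released. This is an added sketch, not Trustpair's product logic or code from the article: the vendor master, the placeholder account string, the user ids and the `USUAL_MAX` limit are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed vendor master: vendor id -> bank account verified during due diligence.
# The ids, the account string and the limit are placeholders, not real data.
VERIFIED_ACCOUNTS = {"V-001": "XX00TEST00000000000001"}
USUAL_MAX = 50_000  # assumed ceiling for a routine transfer

@dataclass(frozen=True)
class Payment:
    vendor_id: str
    iban: str
    amount: float
    requested_by: str
    approved_by: tuple = ()  # user ids that signed off the transfer

def normalise(iban):
    """Compare accounts without spacing or case differences."""
    return iban.replace(" ", "").upper()

def release_decision(p):
    """Return (decision, reasons): 'block' beats 'hold' beats 'release'."""
    block, hold = [], []
    verified = VERIFIED_ACCOUNTS.get(p.vendor_id)
    if verified is None:
        block.append("unknown third party")
    elif normalise(p.iban) != verified:
        block.append("bank account differs from the verified vendor record")
    # Segregation of duties: the requester's own approval does not count.
    if not set(p.approved_by) - {p.requested_by}:
        hold.append("no approver other than the requester")
    if p.amount > USUAL_MAX:
        hold.append("amount above the usual limit")
    if block:
        return "block", block + hold
    return ("hold", hold) if hold else ("release", [])
```

A changed account number is blocked even when a second person has approved it, because an approver who saw the same fraudulent email would sign off the same wrong details.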
To recap:
Online fraud often leads to security breaches, data leaks and financial losses. Detect online fraud, and prevent perpetrators from getting your business bank account numbers or unauthorized access to confidential information. Fraud prevention includes internal controls, due diligence and the use of Trustpair to continuously monitor third parties.