We would all like to think that it will never happen to us. Our email will never be compromised, our business will never be embezzled by someone we know, our accounting software will never be hacked and our identity will never be stolen.
Unfortunately, fraud and security breaches are a reality of doing business in today’s online world. Business owners and operators need to take responsibility for minimising the risk of having this experience thrust upon them.
Good practices within your business systems and accounting software will assist you in reducing the risk of such incidents.
So what can you do?
Best Practices to Implement in Your Business Systems
- If you are not already performing bookkeeping as a proactive part of business management, look at the systems and software in place. You should have bank feeds and automated rules in place, which allow you to allocate and reconcile banking transactions on a daily basis. Having access to accurate and current reports is one way to stay aware of what is going on in your business. You will also be more likely to pick up patterns of suspicious behaviour or unusual activity in your accounts, and assess whether the matters are innocent mistakes or deliberate acts of fraud.
- Make sure you know which staff have access to what parts of your business systems and applications. Keep a log. Remove access immediately if a staff member leaves and consider changing global passwords at this point.
- Check that all staff have unique logins that are never shared. Never allow generic email addresses (such as admin@ or sales@) to be used as logins for websites or applications that contain business or identity information.
- Consider implementing a business policy that requires all payments over an agreed amount to be verified and authorised by a second manager or director of the business. This would be relevant to the size and nature of the business but, for example, you may have a policy that any purchase over $1,000 requires an approved purchase order and double authorisation. Talk to your bank about how to set this up.
- Educate your staff in how to handle unsolicited phone calls from suspicious people. If you receive unsolicited calls, even if they seem to be from entities you regularly deal with or know of, be wary. If such a phone call asks you to verify your identity, do not do it. They need to verify themselves first, and you need to be satisfied that the call is legitimate. Ask for their name and role, and for a website, phone number and email address you can use to verify who the caller is. Only if you are satisfied that the call is legitimate should you volunteer sensitive identity-related information.
Areas of Vulnerability
Business fraud can happen in just about any aspect of your enterprise. As the owner-operator, you need to be aware of what is expected and usual, and keep an eye out for unusual activity or reported figures. Believe the best of people, but keep a ‘weather eye’ on all business activity.
The reality is that most business fraud is actually committed by people within or connected to the business, although as we all know, remote online scams are becoming more frequent.
Sales fraud: Invoices can be altered, voided or ‘written off’ while the customer actually paid the money to the swindler. Bank details on invoices can be altered so that money is paid into a bank account not connected to the business. Refunds owed to customers can be paid into an external bank account. Cash payments can be pocketed.
Purchases fraud: Purchase orders and invoices can be fabricated or duplicated and the money paid into an external account. Supplier invoices can be altered, with payments being split between the supplier and the fraudster. Suppliers can charge GST on invoices without being registered, and keep the GST amount for themselves.
Payroll fraud: Employees may submit false or fabricated expense claims, falsify timesheets, add ghost employees and receive that ‘employee’s’ pay, falsify leave records, and create fictitious travel or professional development events that the business pays for.
Stock fraud: In a business with large or poorly managed stock, it is very common for stock to be stolen or for fictitious stock to be paid for. Employees may siphon off stock or have it delivered to an outside address for their own personal use, or even sell the stock as part of their own business operation on the side.
If you suspect something is not as it should be within the business, investigate first before jumping to conclusions. Sometimes mistakes and errors do happen, and these can be fixed and learned from.
Online Fraud, Scams and Security Breaches
Online fraud can occur via email, websites and social media. Some scams are malicious and intend damage, some are designed to acquire personal details for identity theft, but most scams and frauds are designed to simply get money.
Any business that uses email and online technology, or conducts business via the internet, needs to be aware of the potential for being hoodwinked by scammers.
Implementing the best practices in your business systems outlined above will definitely reduce the chance of you inadvertently handing over money to a fraudster.
You should also be using technology to your advantage. There are many tools available to assist in staying safe and secure while conducting online business.
Practical Steps and Tools for Security—Technology You Can Quickly and Easily Implement Now
- Use a secure encrypted password manager for all your logins and passwords. If you have staff, get an account for the whole team. Do not use the free options—pay for a worthwhile solution.
- Use your password manager to generate random passwords; you can also use the application to log in to other applications, software, banking and so on. Consider implementing a policy of changing passwords regularly, for example, monthly or quarterly.
- Use two-factor authentication (2FA) for any application that allows it, for example, Xero, Google Suite or Dropbox. If you are a Xero user and have not already activated it, this two-step authentication link will take you through the process. We know of businesses that have had their login hacked by an unauthorised party, who then changed all supplier bank accounts to an untraceable overseas bank. Using 2FA effectively stops this from happening.
- Use the Australian Business Register ABN Lookup for all new suppliers, and consider checking existing suppliers annually. New suppliers must be checked to ensure the correct ABN and GST status is being used for the business entity you are paying.
- Make sure your virus protection is current and the most appropriate level for the type of information you deal with. If your solution does not already include anti-malware, upgrade the level of protection so it addresses both viruses and malware.
- Consider paying for a secure email gateway, which reduces spam and actively filters email-based security threats. Never click on links in emails that are suspicious or that require you to verify with a password.
- Never email credit card numbers, either directly in an email or in an attachment, unless encrypted. Vendors should never accept credit card details via email either, as credit card numbers can be extracted (or skimmed) from emails and this would constitute a breach of privacy law. There are many secure and encrypted payment gateways that will handle credit card security—make sure the website has a valid security certificate (i.e. the address should start with https and your browser should show no certificate warning). If you’re not sure, provide details over the phone.
- Never email driver licence numbers or any other form of identification that can be used to personally identify you and therefore may be used in identity fraud, unless this information is encrypted.
- If you are not already paying suppliers by ABA file uploaded to your bank for batch payments, start doing it. See the Xero help on this topic. Making payments this way is best practice for managing your accounts payable process. Not only is it more efficient to make multiple payments this way, it is safer and more accurate due to Xero alerting you to duplicate invoice numbers or changed supplier details. (We will explore more on Suppliers and Accounts Payable management in a future article).
- Do you have a secure and full backup process? Backup of all business data is essential. If you are still doing it manually, pay for an offsite, remote or cloud solution which allows you to set the frequency and automate the process.
- Sign up for Scamwatch and check the ATO scam alerts.
- Use an authenticated digital signature solution. Not all electronic and digital solutions are equal—make sure it is encrypted and validated.
- Consider whether cyber risk insurance is relevant for your business.
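The checks that several of the points above rely on (a dual-authorisation threshold for larger payments, a supplier master file whose bank details a batch payment is compared against, duplicate invoice numbers, and an ABN that at least passes its check digit before you look it up) can be run over a payment batch before the ABA file is uploaded. The following is an added example written for this article, not Xero's or any bank's code; every supplier, payment and ABN in it is constructed, and the supplier names, thresholds and field layout are assumptions. The ABN check-digit step is the published ABN modulus-89 algorithm; it only confirms the number is well formed and is no substitute for ABN Lookup, which is what confirms the entity and its GST status.

```python
"""Pre-payment checks for a supplier batch, modelled on the controls described above.

Added example written for this article, not Xero's or any bank's code. Every
supplier, payment and ABN below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Dual-authorisation threshold from the article's example policy (dollars).
DUAL_AUTH_THRESHOLD = 1000.00

# Published ABN check-digit weights: subtract 1 from the first digit, weight
# each digit, sum, and the total must be divisible by 89.
ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)


def abn_checksum_ok(abn: str) -> bool:
    """Local format and check-digit test only; it does not confirm the entity or its GST status."""
    if not abn.replace(" ", "").isdigit():
        return False
    digits = [int(ch) for ch in abn if ch.isdigit()]
    if len(digits) != 11:
        return False
    digits[0] -= 1
    return sum(d * w for d, w in zip(digits, ABN_WEIGHTS)) % 89 == 0


@dataclass(frozen=True)
class Supplier:
    abn: str
    bsb: str
    account: str


@dataclass(frozen=True)
class Payment:
    supplier: str
    invoice_no: str
    bsb: str
    account: str
    amount: float
    approvers: tuple = ()   # names of the managers who authorised this payment


# Constructed supplier master file: the trusted record of each supplier's details.
SUPPLIERS = {
    "Acme Stationery": Supplier("10 000 000 000", "062-000", "12345678"),
    "Bayside Cleaning": Supplier("11 200 000 009", "033-000", "87654321"),
}

# Constructed payment batch containing the kinds of problem the article warns about.
BATCH = [
    Payment("Acme Stationery", "INV-1001", "062-000", "12345678", 450.00, ("Alice",)),
    Payment("Acme Stationery", "INV-1001", "062-000", "12345678", 450.00, ("Alice",)),  # duplicate
    Payment("Bayside Cleaning", "INV-2001", "484-799", "99990001", 880.00, ("Alice",)),  # bank changed
    Payment("Bayside Cleaning", "INV-2002", "033-000", "87654321", 2400.00, ("Alice", "Alice")),  # one approver
    Payment("Northside Hire", "INV-3001", "012-003", "55556666", 300.00, ("Alice",)),  # unknown supplier
]


def check_batch(payments, suppliers, threshold=DUAL_AUTH_THRESHOLD):
    """Return (invoice_no, reason) findings; an empty list means the batch passed every check."""
    findings = []
    seen = defaultdict(int)
    for p in payments:
        seen[(p.supplier, p.invoice_no)] += 1
        master = suppliers.get(p.supplier)
        if master is None:
            findings.append((p.invoice_no, "supplier not in master file"))
        else:
            # Bank details on the invoice must match the trusted master file exactly.
            if (p.bsb, p.account) != (master.bsb, master.account):
                findings.append((p.invoice_no, "bank details differ from master file"))
            if not abn_checksum_ok(master.abn):
                findings.append((p.invoice_no, "master-file ABN fails check digit"))
        # Two distinct people must have authorised anything over the threshold.
        if p.amount > threshold and len(set(p.approvers)) < 2:
            findings.append((p.invoice_no, "over threshold without two distinct approvers"))
    for (supplier, inv), count in seen.items():
        if count > 1:
            findings.append((inv, f"invoice number used {count} times for {supplier}"))
    return findings


if __name__ == "__main__":
    for inv, reason in check_batch(BATCH, SUPPLIERS):
        print(f"HOLD {inv}: {reason}")
```

Run as written, the script holds four of the five payments: the repeated invoice number, the payment whose BSB and account differ from the master file, the payment over $1,000 that the same person approved twice, and the supplier that does not exist in the master file. Anything held should be confirmed with the supplier by a phone number you already hold, not one taken from the invoice that triggered the hold.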
Essential Principles to Remember
Do what you can, with best business practices and by using technology to your benefit, to minimise the risks of identity theft and business embezzlement. Analyse your current processes and assess whether you can implement some changes for improved security. Consider getting the advice of a dedicated IT professional and potentially delegating aspects of your security management to the expert. Get as many of your systems and processes automated as possible.
Being in business today does mean taking care of many important aspects, and not all of them are within your control. We all know that small business owners have to understand and manage the whole spectrum of business, from setup, to finance, to marketing, to sales, to staff management and government compliance obligations. The more time you take to implement security measures now, the less time you will spend managing unexpected disasters.
Taking these steps will free up your energy and time so you can continue focusing on what you are good at, what you love doing and the reasons you are in business.
What if you do have a breach of security in your business?
If your business information is compromised, check the Notifiable Data Breaches Scheme to see if you need to formally report the event. This is part of the Privacy Act 1988 and is enforceable from February 2018.