‘Home alone’ execs more vulnerable to fraud scams

Editorial Type: News. Date: 2020-11-04. Tags: bluedog Security Monitoring, Microsoft 365
A request for a £350,000 payment was approved by a finance executive – but it turned out to be a fraud scam

Insecure wifi networks and shared computers are not the only risks of working from home – employees including senior executives are also more vulnerable to fraud scams, a leading cybersecurity expert has warned.

Tim Thurlings of bluedog Security Monitoring says lone workers are more likely to miss warning signs and be fooled by user impersonations than when they are in the office, and is urging companies to ensure they have the right checks and procedures in place to manage the risks. He cites a recent case where a finance executive approved a £350,000 payment to criminals, despite the bank calling to verify the transaction. “The problem with working from home is you don’t have the same ‘social safety net’ as in the office, where there are others around who are watching your back and can hear what’s going on,” states Thurlings. “Therefore, mistakes happen much more easily – especially if you don’t have thorough procedures in place.”

Covid has made clear that companies without proper processes are wide open to attacks like CFO fraud schemes, he argues. “Attackers also recognise the vulnerability of lone workers and are trying new tactics – such as calling them and pretending to be someone from the IT helpdesk who wants to check their system.”

In the fraud case, it is believed the attackers gained access through a phishing email, which allowed them to see invoices being sent and received. They then set up an email address similar to that of a supplier and used it to submit a fake invoice. The executive failed to spot the difference and went on to authorise the payment, despite it being queried by the bank.

Phishing attacks designed to breach email accounts rose by 22% in the second quarter of the year, according to bluedog, which provides 24-hour security monitoring for company networks. Thurlings says companies that initially saw home working as a temporary measure now accept it is the new reality and are seeking to improve security.

“Companies are adopting a range of solutions, with different degrees of success,” he explains. “We recommend that, where possible, home workers should operate within Microsoft 365, which allows IT departments to set security controls remotely. Better still, use a Microsoft 365 monitoring service – that will detect phishing emails entering someone’s inbox and also tell-tale signs, such as change of permissions or settings, which indicate if the system has been breached.”

However, businesses must always be aware that cybersecurity is never just about technology, but also about people. “They need proper systems in place to take account of human error.”