As head of the team tasked with educating the bank’s commercial customers about this growing threat, Allison Simon is at the forefront, tasked with managing the threat on behalf of the bank and its customers. She outlines how the bank is tackling fraud and scams and offers advice for business owners seeking to stay ahead of the fraudsters.

“Over the past few years, there have been many successful industry initiatives launched to help consumers avoid personal fraud, but there has been less activity in the commercial space. At NatWest, we want to do more to help our customers. Every week, I see savvy business people falling prey to fraud, scams and cybercrime. So we’re keen to see where they’re vulnerable and how we can respond.”

Did the research unearth any surprises?

“There were certainly some contradictions. Business owners believe they’re less vulnerable to scams than individuals, and sometimes businesses are less prepared than they should be. The research allowed us to walk a mile in our customers’ shoes and appreciate why they think this, when the reality is different.”

Allison Simon

Where do the knowledge gaps lie?

“Business owners seem to believe that if they have an anti-virus firewall, they’re protected against all threats. If only this were true. We see many criminals using social engineering to gain access to data and systems: no firewall in the world is capable of stopping a scammer calling your finance department and using deceit and manipulation to gain access to account information or convince staff to make fraudulent payments.”

Why are fraudsters so hard to spot?

“The professionalism and sophistication of some of these criminal groups is unprecedented. It’s big business for these online gangs, and the risk-reward ratio is very attractive for them. Business owners are used to ignoring phishing emails claiming to be from obscure banks, asking for a deposit in order to transfer over millions of dollars. They’re less aware that criminals may profile them and their business over many weeks, or even months, and can send invoices that look identical to the real thing. I don’t believe business owners are aware of how sophisticated these attacks can be and how quickly they’re evolving. Existing criminal methods are being tweaked and honed all the time, making them ever harder to spot.”

Are businesses more vulnerable to this kind of threat than consumers?

“In some ways, businesses are especially vulnerable because staff are trained to be helpful and offer great customer service. To avoid alienating a supplier or customer, staff may feel pressurised to put through transactions quickly or without making further checks. You just need one person in your organisation to make a mistake or be misled and the business is compromised. Small businesses also face a greater challenge than larger organisations because they’re often stretched for resources dedicated to this; one person will take on many roles within the company, including making payments.”

What is the impact of this type of security breach within an organisation?

“We see the same data used in many different ways in order to perpetrate several different kinds of fraud. This is the problem with a breach: the same information will be recycled over and over. Criminal gangs may exchange or combine data on individual companies in order to keep siphoning money from an account, for example, and the loss may not be spotted until months down the line. The cost to the business – both financial and to its reputation – could be monumental.”

Why are small businesses proving such an attractive target for criminals?

“Sadly, small business owners often believe they’re too small for fraudsters to go after, which means they fail to invest in the systems and processes to keep the criminals out. Yet small firms often feel the consequences of an attack far more keenly than larger companies because they may not have the cash to weather the storm. But investing in security needs to be seen as a cost of doing business, judged against the damage that fraud can do.”

How can entrepreneurs stay informed about the threat?

“We encourage every business owner to link up with trade bodies, industry groups, the police, fraud prevention organisations like Cifas and Friends Against Scams – and, of course, to speak to NatWest. Collectively, we have a finger on the pulse and are able to pass on up-to-date information about this fascinating topic.”

What can business owners do to fight back?

“We try to encourage our business customers to think twice. If you have any concerns about a request, take the time to make an independent check, using a trusted phone number. For example, if you receive an email asking to update account details, rather than emailing back – even when the address seems genuine – try calling direct. By shifting to a trusted method of communication, you’re ensuring the veracity of the request. Think twice and confirm: these simple actions have prevented some very large cases of fraud from taking place.”

What should a contingency plan involve?

“Ask yourself how much you can afford to lose. Do you have any cash buffers in place that could help the business survive in the event of a fraudster breaching your defences? Do you have the cash flow available to withstand an attack, a fraud or a scam? Unfortunately, there’s no one-size-fits-all approach because all businesses are different.”

What’s your final message to the nation’s business owners?

“We’re living in a digital era, and fraud, scams and cybercrime are only going to become more prevalent. We don’t want to be alarmist but the truth is that if you haven’t been affected by the threat already, you may well be targeted in future. We hope this report acts like a wake-up call to businesses across the UK and helps us all to guard against this very real danger. NatWest not only aims to support customers when they’ve fallen victim to a breach, we also want to work with them long before that happens, empowering them to be their own best first line of defence. We work hard on prevention and detection and have a sophisticated internal process to identify issues, but ideally it never reaches that stage because the customer has all the tools they need to combat fraud and scams in their own hands.”