Preventing fraud

Fraud can happen to any type of business and in many different ways. Luckily there are steps you can take to help protect your business against fraud and cybercrime. Here’s a round up of some top tips and useful checklists you can utilize to help mitigate fraud risk within your business.

Tips

• Create and embed clear security procedures for payment team.

  Ensuring all payments are properly validated is the most important action in fraud prevention. Create a procedure to prevent payment teams authorising new or amended payments without proper validation. Following this procedure should mean that payment teams never move money based solely on unverified email or telephone instructions, even when they appear trustworthy. Best practice is to consider two-factor authentication where possible and encourage staff to contact payees directly to confirm new or amended payment requests.

• Encourage all staff to think before they click

  It’s fine to click on links when you’re on trusted websites. However, avoid clicking on links that appear in unverified emails and instant messages. If you hover over a link, you will be able to see the hidden URL and verify its legitimacy. Double check email addresses, and look out for poor spelling and grammar before clicking on any links or downloading any attachments.

• Raise employee awareness

  Provide employees with adequate training. Fraud awareness is everybody’s responsibility within an organisation. Create a risk-based culture and have a procedure for staff to escalate concerns to management. Staff should feel able to challenge and query instructions.

• Strengthen your passwords

  Consider password managers or using a passphrase – a string of words that is typically longer than a traditional password. Passphrases are easy to remember but very difficult to crack. Encourage employees to choose three random words and to select a mixture of alpha-numeric characters and symbols.

• Know what do in an event of a fraud/cyber-attack

  If you or your company fall victim, it’s important to act quickly. Reporting known or suspected security incidents helps protect the workplace. Contact your financial institution.

Checklist

• Check that the email address is legitimate

  If the name attached to the email is familiar (someone you know or regularly correspond with), check to be sure the email address matches. Fraudsters will pretend to be reputable individuals. If it’s a co-worker, the email address should be listed in the company email directory (if you have one). Also, be sure the domain name is spelt correctly. Often, fraudsters will create fake domains that closely resemble the real one but will alter a letter or two so that the recipients don’t notice. E.g., J@rnbusiness.com vs J@mbusiness.com. Be aware that the displayed name can be hiding the actual sender’s email address.

• Check the email thoroughly

  Any email relating to payments or accounts that uses urgent language or provides excuses for the lack of a call back option should be treated as extremely suspicious. Some phishing emails are poorly written. Even if the spelling is correct, they often contain poor grammar. External emails should be treated with extreme caution, especially those that contain links or attachments. If you are not expecting the communication and/or do not recognise the sender, do not click any links or open any attachments.

• Verify all new payees and all requests to change account details

  Check with the instructing party using known contact details. Where possible, try to speak to someone you know. For example, if the change request is coming from someone within the business, try and confirm it directly with that individual by telephone. If it is from a supplier, speak to your normal contact by telephone. Don’t reply to the email or use contact details within the email. Often, cybercriminals have gained access to someone else’s account and are sending phishing emails to individuals in their contact lists. As such, you may recognise the sender because the email address is accurate, though the message itself is suspicious. Calling your contact verifies the request in the email and may also alert them that their email account has been compromised.

Act immediately to minimize the damage from fraud and to ensure the best chance of recovering funds

• Stop all communication with the scammer.
• Alert any relevant parties (employees, customers, and financial institutions). It is extremely important to contact the bank with a view to initiating a payment recall as soon as possible. Funds move very quickly and it can be very difficult to get funds returned once they have gone.
• Report the scam to the appropriate authorities.
• Review your financial records to identify any unauthorised transactions or suspicious activity.
• Keep all documentation related to the scam, including emails, invoices and any other correspondence.
• Review and update your security policies and procedures.

• Disconnect the affected devices from the internet to prevent the spread of malware or further unauthorized access.
• Change the passwords for all affected accounts, including email, network, and any other accounts that may have been compromised.
• Use a reputable security firm to conduct a full audit of your systems to identify any other vulnerabilities or breaches.
• Alert any relevant parties, such as employees, customers, and regulatory authorities, and provide them with any necessary information.
• Determine the source of the attack and take steps to prevent similar attacks in the future.

If you believe that a bank transfer or bill payment that you haven’t authorised is fraudulent, or you suspect that your company’s security has been compromised in any way, please call our 24-hour Service Commercial Banking Service Hotline on +852 2748 8288. We recommend that you also report fraud to the Hong Kong Police Force – you can visit their e-Report Centre at https://www.police.gov.hk/ppp_en/contact_us.html

If you are HSBCnet customer, please immediately email your Relationship Manager with the pertinent information and the fraudulent transaction details;

• HSBCnet Customer ID
• Customer Name
• HSBCnet User ID
• IRN(Instruction Reference Number for HSBCnet payment)

Follow up the email with a telephone call to your Relationship Manager or the HSBCnet Fraud Operations Team to ensure that the incident is being managed:

• International +1 778 452 2774
• Toll free in US/Canada only 1 866 979 4722
• Toll fee in UK only 0800 169 9903

You may find the full version of HSBC Fraud Prevention Guide below.