Types of fraud your business
is exposed to

Phishing and Smishing are fake emails and text messages that try to trick the recipient into giving access to accounts or disclosing usernames, passwords or other confidential information. The fake emails or text messages often appear to have been sent from a legitimate source or business, such as Danske Bank. The message often contains an invitation to click on a link or open an attachment.

• Danske Bank or any other trusted public authority or organisation will only ever ask you to send confidential information through a secure channel, for example at Danske Bank we always recommend communication via eBanking or District.
• Banks and other trusted public authorities or organisations never ask for PINs, passwords or request control over your computer or mobile device.
• If you receive an unexpected email or text message, never click on links or open files without having read the email thoroughly to verify its authenticity.
• The language in fake emails and text messages can be direct and impersonal, and there can be slight deviations in the sender’s domain name (for example, danskkebank.dk instead of danskebank.dk).
• Some fraudsters use a technique called spoofing – they falsify the sender information that you see on your computer or mobile device to disguise their own identity, thereby giving the impression that the fake email or text message is genuine.
• If you have any doubts about the authenticity of an email or text message, contact the sender directly on the phone number you would normally use – do not use the number given in the email or text message.

If you suspect that you have received a fake email or text message, please forward it to falskemails@danskebank.dk. 

One day, Martin from the marketing department in GreatCampaigns Ltd receives a text message that appears to be from DHL. Martin is expecting delivery of a package for an upcoming campaign, and the message tells him to click on a link and pay DKK 1 to receive the package. By opening the malicious link, Martin has given the fraudster access to make several transfers from the business’s account. GreatCampaigns Ltd is now a victim of a smishing attack.

Vishing usually involves fraudsters making a phone call and impersonating a trusted person, such as a financial adviser or police officer. The fraudster’s goal is to obtain confidential information to take control of a computer or mobile device so they can make transfers from the victim’s bank account and steal money.

• Danske Bank or any other trusted public authority or organisation will only ever ask you to send confidential information through secure channels, such as eBanking or District.
• Be wary of unsolicited phone calls that ask you to provide confidential information or ask you to make hasty decisions.
• Take a moment and ask yourself where the person has got your number from and whether it is usual for that person to contact you by phone – and always listen to the wording and language for any red flags.
• Some fraudsters use spoofing to disguise their own number and make the call look like it is coming from the genuine number.
• Never assume a call is genuine just because the caller has information about your business.

Susan works in the finance department at NordicFlowers Ltd. One day, Susan received a call claiming to be from a bank informing her about suspicious activity in the bank account of NordicFlowers Ltd. To get assistance, Susan was told she needed to download a remote access app onto her laptop and then log on to the company’s online banking system. Because Susan had allowed remote access to her laptop, the fraudster was able to track the business’s confidential online banking information, which was later used by the fraudster to make payments and transfers from the business’s account.

CEO fraud occurs when an employee is tricked into paying a fake invoice or making an unauthorised transfer from the business’s account by a person impersonating a person with a trusted position in the business (such as a CEO). The fraudsters already have a lot of knowledge about the business, and they use words and phrasing such as ‘confidentiality’, ‘The business trusts you’, and ‘I am currently unavailable’.

The requests are often about making international payments to banks outside Europe, and employees are asked to bypass the normal approval procedures.

• Avoid CEO fraud by introducing money transfer procedures to be followed when the manager or other senior employees are away.
• Be wary if you are contacted by a person in senior management who you are not normally in contact with – this is often a sign of CEO fraud.
• Be wary of urgent and highly confidential requests you receive from anyone in the business.
• Be aware of unusual requests that violate standard internal procedures, such as request for you to make international transactions in an unusual way.
• If you have any doubts about a requested payment or transfer, always involve a competent colleague.
• Stay particularly vigilant during holiday seasons and when managers are away.
• Be on the lookout for wording such as ‘confidential’ and ‘the business trusts you’.
  
  

Patrick works in a government health authority. One day, Patrick received a text message from the health authority’s CEO requesting him to make an urgent transfer to a new account. Patrick initiated the payment as requested, but when he later spoke to the CEO he was told that no such requests had ever been made. Patrick checked with his IT department and found out that the health authority’s internal systems were hacked.

Beneficiary account change is a fraud type that targets businesses whereby fraudsters send an email or make a phone call that appears to come from a known source making a legitimate request. This could be a request to add new account information or to change the beneficiary account details for the vendor your business deals with.

• Always validate new or changed beneficiary account details by making a phone call to a trusted contact (single point of contact (SPOC)) or from the official website.
• Check and verify the email address the payment or transfer request is sent from.
• Look for slight deviations such as misspellings or new domain names in the email address.
• Ensure that there is a clear control procedure in place to be followed whenever a request to change account details is received.

Emily from the accounting department in ComputerEquipments Ltd received an email from the company’s known supplier requesting that a payment be made to a new account. Because the email came from their supplier’s email address, Emily initiated the payment without question. Later, the supplier informed ComputerEquipments Ltd that they did not receive any payment and had discovered that their email address had been hacked. The payment Emily initiated had been redirected to the fraudster’s account.

Invoice fraud is when a business is contacted by a person who claims to represent a supplier, service provider or creditor. The fraud type is a broad-spectrum attack whereby numerous small-amount invoices for goods that a business has in reality never purchased are sent to several different businesses. Because the amounts are small and the goods are often something many businesses would buy, such as office supplies, the invoices seem plausible for many, and therefore they are easily accepted and paid in a busy workday without ever being validated.

• Have clear procedures in place for handling manual processes, such as invoice payments.
• Keep an overview of suppliers, creditors, and vendors with whom your business has an open invoice so that everyone can check the invoice to see that it is correct and as expected.
• Be alert for invoices for small amounts, especially invoices for small everyday goods.
• Check that what you have received actually is an invoice and not an offer for a product – fraudster can be tricky and try to cheat you.
• Call the supplier on a trusted phone number, such as the number listed on the supplier’s  trusted website, before paying the invoice, and check with them the amount and account details.
• Be aware of this type of fraud, and educate any employees in the business who work with invoices.

Victor works at Entrepreneurs Ltd and received a DKK 50 invoice from a web host supplier. Victor knows that his company has recently changed its website address and finds the invoice plausible. So he initiates the payment, adding a few extra requested details. The fraudster has now swindled money from Entrepreneurs Aps, making the company a victim of invoice fraud.

Malware is a program that gets installed on your computer or mobile device without you realising it. You can unintentionally infect your computer or mobile device with malware by opening an infected file or from a link that downloads an unknown program. Some types of malware can spy on your behaviour and intercept your personal information. Other forms create an ‘invisible’ page over the logon page of your eBanking and copy your logon information.

Ransomware is a type of malware that threatens to publish or blocks access to your data or computer. Scammers usually encrypt your data and ask for a ransom fee. In many cases, the ransom demand comes with a deadline. If you do not pay in time, the data is gone forever or the ransom increases.

Tips to avoid being a victim of malware and ransomware:

• Never click on any suspicious links or download an attachment. Email phishing and spam are the main ways that ransomware attacks are distributed.
• Read more about phishing and smishing to make sure that you know what you need to be aware of.
• Be extra careful when you download files from the internet and make sure that the source is trustworthy.
• Make backups regularly and ensure that you store your backups offline and in a secure environment.

One of your employees, Michael, received an email urging him to download a new program to complete a work task. The email was fraudulent, and Michael’s computer was blocked by hackers who then demanded a ransom fee. Michael got hacked. It only takes one person to be hacked for your whole business to be hacked.

Internal fraud can be defined as wrongful or unlawful action committed by an employee in a business, with an intention of direct or indirect financial gain that is damaging to the business or its customers.

Although businesses trust their employees and colleagues, some employees may feel personally justified in their fraudulent actions or they may not know where a certain line is drawn in the business.

• Consider if team tasks include a sufficient level of segregation of duties. For example, is the same employee responsible for both performing a task and the procedural controls checking the task?
• Ensure that access rights are assigned to colleagues based on their individual responsibilities, rather than on the overall team task. Always ensure that you understand any authorisations you approve for your employees – what they contain and why they are required.
• Review corporate card transactions regularly to check if there are any suspicious activities.
• Educate employees in internal policies and procedures.
• Establish a zero-tolerance policy of internal fraud.
• Have a whisteblower policy or ensure that you create a culture where all employees can raise concerns anonymously.

Lucas works in Insurances Ltd and was responsible for buying new keyboards for all employees when they worked from home during the coronavirus lockdown. Lucas’s own computer screen was broken recently, so while he was buying the required IT equipment, he bought a new screen for himself as well. The fraud was discovered by a colleague who received the package when it was delivered to the office. The colleague raised the concern anonymously and with management, who, in line with their zero-tolerance policy, took this incident of internal fraud very seriously.