Fraudsters use stolen credit card details to target online retailers. Online business appeals to them because there’s no physical contact with the business or the legitimate cardholder.
Make sure you’re fully aware of the risks, otherwise your business is more likely to be targeted.
When payments are accepted over the internet and processed, your business asks for authorisation from the card issuer. But even this doesn’t confirm or authenticate the customer as the genuine cardholder. The standard authorisation only confirms that:
If it turns out to be a fraudulent sale and your company didn’t get authorisation from the issuer, the full amount may be charged back to your business if the genuine cardholder says they were not part of the transaction.
It’s important to maintain chargeback records. Get as much information as possible and give it to your acquirer. If you suspect a fraudulent transaction, report it to your authorisation centre.
Businesses are responsible for protecting cardholder data at the point of sale and as it flows into the payment system. Get more information at PCI Security Standards.
Consider using:
Treat high-value items and overseas transactions with extra caution. Always verify the delivery address. If it’s overseas, ask a third-party service to give you the details.
Watch out for changes to the details the customer gave you, such as a change to the delivery address. Insist that you’ll only deliver to the customer’s permanent address.
If you use a courier, tell them to:
Make sure you store your customers’ card payment information securely. This data is a prime target for attackers, so comply with data security requirements.
Keep records of any fraudulent activity: it’s a good way to find patterns and areas of potential risk. Many businesses use this process to predict higher-risk transactions.
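As an added example (not part of the original guidance), the following Python script turns the checks above into rules a small retailer could run over orders before dispatch: unauthorised sales, high-value items, overseas delivery, a delivery address that differs from the billing address, and an address changed after the order was placed. It then counts how often each flag occurs, which is the record-keeping habit the text recommends for spotting patterns. The order fields, the £500 threshold and the sample orders are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

HOME_COUNTRY = "GB"       # assumption: the merchant trades from the UK
HIGH_VALUE_GBP = 500.00   # constructed threshold; tune it to your own order history


@dataclass
class Order:
    """Constructed order record; real systems will have more fields than this."""
    order_id: str
    amount_gbp: float
    delivery_country: str          # ISO country code of the delivery address
    billing_address: str
    delivery_address: str
    address_changed_after_order: bool  # customer asked to redirect after ordering
    authorised: bool                   # issuer authorisation was obtained


def risk_flags(order):
    """Return the list of risk indicators raised by one order (empty if none)."""
    flags = []
    if not order.authorised:
        # No authorisation means a fraudulent sale can be charged back in full.
        flags.append("no-authorisation")
    if order.amount_gbp >= HIGH_VALUE_GBP:
        flags.append("high-value")
    if order.delivery_country != HOME_COUNTRY:
        flags.append("overseas-delivery")
    if order.delivery_address.strip().lower() != order.billing_address.strip().lower():
        flags.append("delivery-differs-from-billing")
    if order.address_changed_after_order:
        flags.append("address-changed-after-order")
    return flags


def review_queue(orders):
    """Map order id -> flags for every order that needs manual verification."""
    queue = {}
    for order in orders:
        flags = risk_flags(order)
        if flags:
            queue[order.order_id] = flags
    return queue


def flag_pattern(orders):
    """Count each flag across the queue; recurring flags show where risk clusters."""
    counts = Counter()
    for flags in review_queue(orders).values():
        counts.update(flags)
    return counts


# Constructed sample orders for demonstration only.
SAMPLE_ORDERS = [
    Order("A100", 45.00, "GB", "12 High St, Leeds", "12 High St, Leeds", False, True),
    Order("A101", 1200.00, "GB", "5 Park Rd, Bristol", "Unit 7, Lockup Yard, Bristol", True, True),
    Order("A102", 320.00, "US", "9 Elm Ave, Cardiff", "9 Elm Ave, Cardiff", False, False),
]

if __name__ == "__main__":
    for order_id, flags in review_queue(SAMPLE_ORDERS).items():
        print(f"{order_id}: hold for verification ({', '.join(flags)})")
    print("flag counts:", dict(flag_pattern(SAMPLE_ORDERS)))
```

Orders with no flags go straight to dispatch; anything in the queue is held until the delivery address and cardholder have been checked through the steps described above.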
For more information and help or to report this and many other types of fraud, go to Action Fraud, the UK’s national fraud and cybercrime reporting centre.
As the number of channels and markets a business operates in rises, so does the risk of fraud. Cybercrime is more sophisticated and fraud is increasingly difficult to detect. As a result, the standard fraud verification tools may not be good enough.
Fraudsters may target your online business to get customer information, such as names, addresses and payment details, to commit crime.
Many people using public WiFi networks don’t secure their connection when they send personal and business emails, banking or credit card details. These networks are open to hacking, identity theft and fraud. Lots of simple tools and free apps can intercept traffic on public WiFi networks, a process called ‘sniffing’.
Employees can be targeted by ‘spear phishing’, when a fraudster sends an email to a particular person. They pose as someone else within the company, usually someone important or in a position of trust, and ask for information like login IDs and passwords. They may ask the employee to update their username and password.
Once the fraudster has this information, they can access your secured networks to get confidential information and customer data.
Other methods include asking the employee to click on a link in the email, which deploys malware that takes personal or confidential data from your business.
Be wary of where you store your information. If you use a third-party hosting company, find out:
A recent computer threat to businesses is called Cryptolocker, ransomware that’s usually disguised within a legitimate-looking email attachment.
When the attachment is opened, the malware encrypts files in your computer. You then get a message asking for money to decrypt the data, usually via bitcoin or pre-paid vouchers.
There’s not much you can do once this has happened, which is why it’s essential to back up your data on a regular basis; if you don’t, an attack like this can have a huge effect on your business.
Make your passwords robust by using a mixture of upper- and lower-case letters, numbers and symbols.
Don’t use obvious passwords, like your mother’s maiden name, as fraudsters can easily get this information.
Challenge anyone who asks for your personal or financial details.
Test all your security systems to make sure they’re working and you’re not vulnerable to intrusion. This includes your website.
If your bank offers it, consider using dual authentication. This can reduce your fraud risk from malware and insider threats.
Visit Cyber Aware for step-by-step instructions on keeping your devices up-to-date with the latest security updates, and for further online security advice.
Payment fraud attempts to get a business to transfer money to a bank account operated by a criminal.
There are two main types of payment fraud, CEO fraud and mandate fraud. Both target staff in a company's accounts department by email.
In CEO fraud, the email appears to be from the Chief Executive Officer or another senior member of staff. It asks the receiver to make a payment or transfer funds for an ongoing or new business transaction. Often the request is urgent and asks for payment as soon as possible.
Mandate fraud involves an email which appears to come from a known supplier. It will request future payments for products or services go to a new bank account. It will also give a reason for the account change. In both cases, the new account will be under the control of the cyber criminal.
You should verify any emails about a change of bank details on an account or a one-off payment. Contact the person using established contact details. Don't be pressured by any email or follow-up phone call, as this may be the criminal. Always double check.
If fraudsters hack into your business phone lines they can get personal or confidential information. Make sure you have the right security systems to protect you.
Some businesses regularly use conference or video calls to talk to other businesses. But fraudsters can access them and overhear conversations to get passwords and codes.
Call centres and other businesses and organisations use private automated branch exchange (PABX) phone networks. A PABX answers on a single access number with multiple lines for outside callers, and also gives staff or external callers access to a range of outgoing external lines.
Fraudsters use vulnerabilities to:
They also use your PABX system to make international or long distance calls, often to premium rate numbers that the fraudster has set up. Your business unknowingly lets the fraudster sell on the access and use of your system, which could increase your phone bills by thousands of pounds.
Remember, your business is responsible for any fraudulent use of your system, not the phone provider.
These frauds often occur over the weekend or bank holidays, when staff are out of the office for long periods: it gives fraudsters the chance to rack up huge bills on behalf of your company.
‘Vishing’ is the phone equivalent of phishing. Criminals call you, pretending to be from a legitimate business, and persuade you to give them private information that they use to make money.
Be wary of cold-callers who suggest you hang up the phone and call them back to check they’re genuine. Fraudsters can keep your phone line open by not putting down the receiver at their end.
Unless you’re absolutely sure who you’re talking to, never give your company’s:
Your bank, the police or a legitimate organisation will never:
Remember to wait at least five minutes after a potentially fraudulent phone call before using that phone again, as the person may have left the line open.
If you’re unsure about providing information a caller asks for, check company policy on what you can and can’t disclose.
If you’re suspicious or feel pressured or vulnerable, don’t be afraid to say no to any requests for information and end the call.
Criminals may already have basic information about your organisation, such as the name, address and account details. Even if a caller has this information, don’t assume they’re genuine.
Make sure you know your business systems so you can detect suspicious activity.
Keep your systems in a secure place. If you have a multiple-occupancy office, you should use locked areas.
Always use strong passwords, manage access to them and never use default password settings.
Consider using settings that restrict international or long distance calls. You can also ask your phone provider for this restriction.
If you’re using Skype or something similar to videoconference, use up-to-date antivirus and firewalls. This will also help protect you from PABX hacking.
Always keep your software up to date, especially if you’re using PABX.
Make sure you know your business call patterns and consider monitoring them, especially if there are calls out of hours, weekends and bank holidays.
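The monitoring suggested here can be automated from the call log most exchanges can export. The Python script below is an added example, not part of the original guidance or any vendor's product: it reads a small constructed CSV call-detail log, flags calls made out of hours, at weekends or on bank holidays, calls to international numbers and calls to UK premium-rate (09) numbers, and raises an alert when one extension makes a burst of flagged calls, the pattern described earlier for PABX fraud. The CSV layout, the business hours, the bank-holiday set and the burst threshold are all assumptions you would adapt to your own exchange.

```python
import csv
from collections import Counter
from datetime import date, datetime, time
from io import StringIO

# Assumptions for this example (not from the page): business hours 08:00-18:00
# Monday to Friday; the exchange exports a CSV of timestamp, extension, dialled
# number and duration; bank holidays are supplied as a set of dates.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
BANK_HOLIDAYS = {date(2024, 5, 6)}       # constructed: early May bank holiday 2024
INTERNATIONAL_PREFIXES = ("00", "+")     # UK dialling: 00 or + begins an international call
PREMIUM_PREFIX = "09"                    # UK premium-rate numbers begin 09
BURST_THRESHOLD = 3                      # alert when one extension exceeds this many flagged calls

# Constructed sample call log in the assumed layout. Friday 3 May is a working
# day; Saturday 4 May is a weekend; Monday 6 May is in BANK_HOLIDAYS.
SAMPLE_CDR = """timestamp,extension,dialled,duration_s
2024-05-03T10:15:22,201,02079460000,120
2024-05-03T14:02:10,214,00492212345678,300
2024-05-04T02:13:07,214,0090412345678,1800
2024-05-04T02:41:55,214,0090412345679,1750
2024-05-04T03:05:31,214,09051234567,1600
2024-05-04T03:30:00,214,09051234568,1700
2024-05-06T11:00:00,203,02079460001,60
"""


def is_out_of_hours(ts):
    """True for weekends, bank holidays, or any time outside business hours."""
    if ts.date() in BANK_HOLIDAYS or ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def call_flags(row):
    """Return the indicators raised by one call record (empty list if none)."""
    ts = datetime.fromisoformat(row["timestamp"])
    number = row["dialled"].strip()
    flags = []
    if is_out_of_hours(ts):
        flags.append("out-of-hours")
    if number.startswith(INTERNATIONAL_PREFIXES):
        flags.append("international")
    if number.startswith(PREMIUM_PREFIX):
        flags.append("premium-rate")
    return flags


def analyse_call_log(cdr_text):
    """Return (flagged_calls, alerts).

    flagged_calls: list of (timestamp, extension, dialled, flags) for every
    call with at least one indicator. alerts: {extension: count} for any
    extension whose flagged-call count exceeds BURST_THRESHOLD.
    """
    flagged = []
    per_extension = Counter()
    for row in csv.DictReader(StringIO(cdr_text)):
        flags = call_flags(row)
        if flags:
            flagged.append((row["timestamp"], row["extension"], row["dialled"], flags))
            per_extension[row["extension"]] += 1
    alerts = {ext: n for ext, n in per_extension.items() if n > BURST_THRESHOLD}
    return flagged, alerts


if __name__ == "__main__":
    flagged, alerts = analyse_call_log(SAMPLE_CDR)
    for ts, ext, number, flags in flagged:
        print(f"{ts} ext {ext} -> {number}: {', '.join(flags)}")
    for ext, count in alerts.items():
        print(f"ALERT: extension {ext} made {count} flagged calls; check for PABX misuse")
```

Run it against a nightly export and have it email or page whoever is on call; a single international call during the working day is normal business, but a run of premium-rate or international calls from one extension at three in the morning on a Saturday is exactly the pattern worth waking someone up for.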
Read the Little Book of Big Scams Business Edition, produced by the Metropolitan Police, to find out more about fraud.