Let’s focus on APP and BEC - the billion dollar industry that is targeting SMEs
- David Sirignano
- Apr 1, 2024
- 2 min read
According to UK Finance, Authorised Push Payment (APP) fraud losses in the UK alone reached £485.2 million in 2022. As SMEs become more digital and more global, they are increasingly targeted by these threats, which pose a significant financial risk and also threaten the credibility and operational integrity of the business.
Understanding APP and BEC Fraud
APP fraud involves tricking individuals or businesses into making payments to accounts controlled by fraudsters, often on the basis of fraudulent representations.
BEC fraud, on the other hand, typically involves hacking or spoofing business email accounts in order to request fraudulent transfers of funds.
In my experience, the following three scenarios are what you see happen to SMEs:
1. BEC: The SME has its email compromised, often because it has no MFA implemented (see my previous post). Fraudsters then use this access to make what appears to be an authenticated and authorised transaction.
2. Supplier compromise: An SME pays a supplier, but the supplier has been compromised. Usually this involves a change of bank account details, and the SME is now paying a fraudster while believing it is paying its legitimate supplier.
3. Scam: The SME makes what it believes is a legitimate transaction, but it has been scammed.
Both types of fraud (APP and BEC) exploit trust and procedural gaps in financial transactions. For SMEs, where processes may be less formal or security protocols not as robust, the risk is particularly high.
Protecting Your Business
Protection against these types of fraud requires a combination of tech solutions, education, and financial controls.
Don't trust - verify!
Establish clear procedures for verifying any request for payment or for changes to payment details. This could involve multiple verification methods, such as phone calls to known numbers already on file (never a number supplied in the request itself), to confirm the legitimacy of the request.
Financial Controls
Implement financial controls such as separation of duties, where the person who approves payments is different from the one who makes them. Additionally, if possible, introduce dual authorisation for transactions, especially for large amounts.
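The verification procedure and the financial controls above can be expressed as a small rule set that a payables workflow checks before a payment is released. The following is an added example, not code from the original post; the supplier registry, the £10,000 dual-authorisation threshold, the request fields and the "out-of-band verified by" record are all constructed assumptions. It covers the supplier-compromise scenario (changed bank details must be confirmed by a callback to a number already on file), separation of duties (a requester cannot approve their own payment) and dual authorisation above the threshold.

```python
"""Added example: payment-release controls for an SME payables workflow.
Not code from the original post; supplier registry, threshold and request
shape are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed supplier registry: bank details already on file for each known payee.
SUPPLIERS_ON_FILE = {
    "Acme Widgets Ltd": {"sort_code": "12-34-56", "account": "11112222"},
    "Northern Print Co": {"sort_code": "98-76-54", "account": "33334444"},
}

DUAL_AUTH_THRESHOLD = 10_000.00  # assumed policy: two approvers at or above this amount


@dataclass
class PaymentRequest:
    payee: str
    amount: float
    sort_code: str
    account: str
    requested_by: str
    approved_by: List[str] = field(default_factory=list)
    # Who confirmed changed bank details by phoning a number already on file
    # (never one supplied in the request). None means not yet verified.
    oob_verified_by: Optional[str] = None


def bank_details_changed(req: PaymentRequest) -> bool:
    """True when the payee is unknown or its bank details differ from those on file."""
    on_file = SUPPLIERS_ON_FILE.get(req.payee)
    if on_file is None:
        return True  # unknown payee: treat as a change that needs verification
    return (on_file["sort_code"], on_file["account"]) != (req.sort_code, req.account)


def check_payment(req: PaymentRequest) -> List[str]:
    """Return the list of control failures; an empty list means the payment may be released."""
    failures = []
    approvers = set(req.approved_by)
    if not approvers:
        failures.append("no approver recorded")
    # Separation of duties: the requester may not approve their own payment.
    if req.requested_by in approvers:
        failures.append(f"requester {req.requested_by} cannot approve their own payment")
    # Dual authorisation: large amounts need two distinct approvers other than the requester.
    if req.amount >= DUAL_AUTH_THRESHOLD and len(approvers - {req.requested_by}) < 2:
        failures.append(f"amount {req.amount:.2f} requires two distinct approvers")
    # Changed or unknown bank details must be confirmed out of band by someone else.
    if bank_details_changed(req):
        if req.oob_verified_by is None:
            failures.append("bank details differ from those on file and are not verified out of band")
        elif req.oob_verified_by == req.requested_by:
            failures.append("out-of-band verification must be done by someone other than the requester")
    return failures


if __name__ == "__main__":
    # Constructed supplier-compromise case: same payee, different account, no callback yet.
    suspicious = PaymentRequest("Acme Widgets Ltd", 2500.0, "12-34-56", "99998888", "alice", ["bob"])
    for failure in check_payment(suspicious):
        print("HOLD:", failure)
```

The point of returning a list rather than a boolean is that every failed control is surfaced to the approver at once, so a changed account number is not hidden behind a missing second signature.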
Tech
Use email filtering solutions to detect and block phishing attempts and spoofed emails. If you outsource your IT, speak to your service provider to make sure they have anomaly detection in place that flags unusual emails or unsolicited payment requests for review.
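To make the "flag unusual emails or unsolicited payment requests" requirement concrete, here is an added example of the kind of triage rule a mail filter or a simple mailbox script can apply before a payment request reaches the person who pays. It is not code from the original post or from any product; the trusted domains, the known-contact list, the keyword list and the three sample messages are constructed. It flags a sender domain one character away from a trusted one, a familiar display name arriving from the wrong domain, a Reply-To that points somewhere other than the sender, and payment-related wording in the body.

```python
"""Added example: heuristics that route payment-related emails for human review.
Not code from the original post; domains, contacts, keywords and messages are constructed."""
from email.utils import parseaddr
from typing import Dict, List

# Constructed: domains the business normally corresponds with, and the domain
# each known contact is expected to write from.
TRUSTED_DOMAINS = {"example-sme.co.uk", "acme-widgets.example"}
KNOWN_CONTACTS = {"jane doe": "acme-widgets.example", "sam ceo": "example-sme.co.uk"}
PAYMENT_KEYWORDS = ("bank details", "new account", "wire transfer", "urgent payment", "change of bank")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_address(header: str):
    """Return (lower-cased display name, lower-cased domain) from a From/Reply-To header."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def triage(msg: Dict[str, str]) -> List[str]:
    """Return the reasons an email should be held for review; empty means nothing unusual."""
    reasons = []
    name, from_domain = split_address(msg.get("from", ""))
    # Lookalike sender domain: untrusted but one edit away from a trusted domain.
    if from_domain and from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(from_domain, trusted) == 1:
                reasons.append(f"sender domain {from_domain} is one character away from trusted {trusted}")
                break
    # Familiar display name but the wrong domain behind it.
    expected = KNOWN_CONTACTS.get(name)
    if expected and from_domain != expected:
        reasons.append(f"display name '{name}' matches a known contact but domain {from_domain} is not {expected}")
    # Reply-To steering replies away from the apparent sender.
    if msg.get("reply-to"):
        _, reply_domain = split_address(msg["reply-to"])
        if reply_domain and reply_domain != from_domain:
            reasons.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")
    # Payment-related wording: always worth a verification step, even from a trusted sender.
    body = msg.get("body", "").lower()
    hits = [k for k in PAYMENT_KEYWORDS if k in body]
    if hits:
        reasons.append("payment-related language: " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    # Constructed sample resembling the supplier-compromise scenario.
    sample = {
        "from": "Jane Doe <jane@acme-widget.example>",
        "body": "We have changed our bank details, please pay this invoice to the new account.",
    }
    for reason in triage(sample):
        print("REVIEW:", reason)
```

Any non-empty result should hold the message for the verification procedure rather than auto-reject it: a genuine supplier can legitimately change bank details, and the control you want is a callback to the number on file, not a silently dropped email.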
Response Plan
Have a clear response plan in place for suspected fraud cases. This plan should include immediate steps to prevent loss, such as contacting your bank, and mechanisms for reporting the incident to the relevant authorities.
By strengthening internal controls, leveraging technology, and fostering an environment where you question those little red flags, SMEs can create a more secure financial operating environment one step at a time.