Wherever you look, fraud is on the rise. According to UK Finance, there were 1.4 million cases of fraud in the first half of 2023
with criminals stealing over £580 million. And worming its way into these figures, comes a growing threat – remote access takeovers.
In this blog, we’ll deal with the what and the how of remote access scams, including how to avoid falling foul of them. Read on to find out more.
How does a remote access scam work?
A remote access takeover is a form of identity theft. The principle is a simple one. Usually, the fraudster will pose as a legitimate contact, say a customer service agent from your bank. Like other social engineering attacks, the goal is to use psychology to get the victim to reveal their account details or login credentials.
Once in, the bad guys can seize control of your account and use it for their own nefarious ends. It could be making unauthorised payments from your bank account or using your profile to launch phishing scams.
Typically, a remote access takeover works in one of two ways:
1) The fraudster calls the victim and persuades them, through social engineering techniques, to provide account details and give them access.
2) The cybercriminal coerces their quarry into downloading malware that gives them control of the victim’s device or access to their account(s).
In common with all cybercrime, these attacks can range from the downright laughable (think the much-mocked ‘distant relative’ scams of the noughties) to the highly sophisticated.
How big a problem are remote access takeovers?
As we mentioned in the introduction, remote access scams are something of a growth industry. Action Fraud – the UK’s national reporting centre for fraud and cybercrime – estimates that £3.8 million has been lost to remote access takeovers since June 2023.
This fits with the broader trend towards social engineering or ‘human manipulation’ scams in cybercrime. Anti-virus provider, Norton approximates these kinds of scams were responsible for 75% of all threats in the first half of 2023.
So the problem is real, which begs the question, what can you do to protect your business?
How can you protect your business?
The good news about remote access scams is that they deploy psychological techniques as old as time. Why is that a good thing? Well, it means that they’re relatively easy to stop, here’s how.
Don’t give out digital banking details
This one almost goes without saying, but never give out digital banking usernames, passwords, internet secure banking key codes or one-time passcodes (OTPs) during an unsolicited call. Whoever your business banks with won’t ask for this information over the phone. So, if someone does, it’s a sure sign of a scam.
Never install any remote access software as a result of a call
Like the previous point, no bank will ever ask you to download a remote access tool so they can access your smartphone or computer. Again, if you’re asked to do this, it’s a good indicator that the person asking isn’t legitimate, so hang up immediately.
Verify telephone numbers
If you do receive a suspicious call, verify the number. There are plenty of free services just a Google away. Or, you could cut out the middleman and cross-reference the number with those listed on the provider’s website.
However, be aware that cybercriminals are getting better at this all the time, so the number may well look very similar.
Just hang up
Unleash the power of your phone’s end-call button. Seriously, if you receive a suspicious call from someone claiming to be your bank, there’s nothing stopping you from simply hanging up.
Cybercriminals rely on creating a sense of urgency. It’s in those vital few seconds before we’ve really thought about the request that they do their worst work. Don’t let them. Hang up, wait a few minutes, then call your bank yourself. If it was a legitimate call they’ll let you know and, if it wasn’t, you’ll have dodged a scam.
Put processes in place
Workplaces can be stressful and mistakes happen. Policies stop the little errors we all make in our day-to-day working lives from growing into something much bigger and uglier.
Ensure your business has a proper due diligence culture for any payments that include a two-tier approval. On top of this, make sure everyone is aware of remote access takeover scams and have an escalation policy in place, which brings us nicely to our final point.
Educate your staff
Education is what ties all of the above points together. Ensure everyone in your business can recognise a suspicious call and is aware of the tactics cybercriminals employ. The simplest way to do this is through cybersecurity training.
What this looks like will depend on your business and its needs. For some businesses, this means starting with the fundamentals. Meanwhile, for others, training addressing specific weak spots in employee knowledge is just the ticket.
Whichever approach suits you, we recommend using a little and often approach. Little, because you want to keep staff engaged rather than overwhelm them. Often, so that thinking about cybersecurity becomes second nature. For more on cybersecurity training and why you need it, read this blog.
Want to know more about the threats faced by small businesses like yours? Check out our guide to SMEs and the cost of living crisis.