What is a remote access takeover?

Wherever you look, fraud is on the rise. According to UK Finance, there were 1.4 million cases of fraud in the first half of 2023, with criminals stealing over £580 million. Worming its way into these figures is a growing threat: remote access takeovers.

In this blog, we’ll deal with the what and the how of remote access scams, including how to avoid falling foul of them. Read on to find out more.

How does a remote access scam work?

A remote access takeover is a form of identity theft. The principle is a simple one. Usually, the fraudster will pose as a legitimate contact, say a customer service agent from your bank. Like other social engineering attacks, the goal is to use psychology to get the victim to reveal their account details or login credentials.

Once in, the bad guys can seize control of your account and use it for their own nefarious ends. It could be making unauthorised payments from your bank account or using your profile to launch phishing scams.

Typically, a remote access takeover works in one of two ways:

1) The fraudster calls the victim and persuades them, through social engineering techniques, to provide account details and give them access.

2) The cybercriminal coerces their quarry into downloading malware that gives them control of the victim’s device or access to their account(s). 

In common with all cybercrime, these attacks can range from the downright laughable (think the much-mocked ‘distant relative’ scams of the noughties) to the highly sophisticated. 

Did you know that 49% of SME leaders feel more at risk of cyberattack since the beginning of the cost of living crisis? Read our new report to find out why.

How big a problem are remote access takeovers? 

As we mentioned in the introduction, remote access scams are something of a growth industry. Action Fraud – the UK’s national reporting centre for fraud and cybercrime – estimates that £3.8 million has been lost to remote access takeovers since June 2023. 

This fits with the broader trend towards social engineering or ‘human manipulation’ scams in cybercrime. Anti-virus provider Norton estimates that these kinds of scams were responsible for 75% of all threats in the first half of 2023.

So the problem is real, which raises the question: what can you do to protect your business?

How can you protect your business?

The good news about remote access scams is that they deploy psychological techniques as old as time. Why is that a good thing? Well, it means that they’re relatively easy to stop. Here’s how.

Don’t give out digital banking details 

This one almost goes without saying, but never give out digital banking usernames, passwords, internet secure banking key codes or one-time passcodes (OTPs) during an unsolicited call. Whoever your business banks with won’t ask for this information over the phone. So, if someone does, it’s a sure sign of a scam. 

Never install any remote access software as a result of a call

Like the previous point, no bank will ever ask you to download a remote access tool so they can access your smartphone or computer. Again, if you’re asked to do this, it’s a good indicator that the person asking isn’t legitimate, so hang up immediately.

Verify telephone numbers

If you do receive a suspicious call, verify the number. There are plenty of free services just a Google away. Or, you could cut out the middleman and cross-reference the number with those listed on the provider’s website.

However, be aware that cybercriminals are getting better at imitating genuine numbers all the time, so the number may well look very similar to the real one.

Just hang up

Unleash the power of your phone’s end-call button. Seriously, if you receive a suspicious call from someone claiming to be your bank, there’s nothing stopping you from simply hanging up.

Cybercriminals rely on creating a sense of urgency. It’s in those vital few seconds before we’ve really thought about the request that they do their worst work. Don’t let them. Hang up, wait a few minutes, then call your bank yourself. If it was a legitimate call they’ll let you know and, if it wasn’t, you’ll have dodged a scam.

Put processes in place

Workplaces can be stressful and mistakes happen. Policies stop the little errors we all make in our day-to-day working lives from growing into something much bigger and uglier. Ensure your business has a proper due diligence culture for any payments, including two-tier approval. On top of this, make sure everyone is aware of remote access takeover scams and have an escalation policy in place, which brings us nicely to our final point.

Educate your staff

Education is what ties all of the above points together. Ensure everyone in your business can recognise a suspicious call and is aware of the tactics cybercriminals employ. The simplest way to do this is through cybersecurity training.

What this looks like will depend on your business and its needs. For some businesses, this means starting with the fundamentals. Meanwhile, for others, training addressing specific weak spots in employee knowledge is just the ticket.

Whichever approach suits you, we recommend doing it little and often. Little, because you want to keep staff engaged rather than overwhelm them. Often, so that thinking about cybersecurity becomes second nature. For more on cybersecurity training and why you need it, read this blog.

Want to know more about the threats faced by small businesses like yours? Check out our guide to SMEs and the cost of living crisis.

What is a cybersecurity policy and why do you need one?

You’ve likely heard the term ‘cybersecurity policy’ before. But what is it? And why does your company need one? 

What do we mean by ‘policy’? 

A ‘policy’, in cybersecurity terms, is a set of principles that guide decisions within an organisation. These principles can inform the decisions senior management make or guide employees in their day-to-day activities. A great example of the latter is a password policy.

What is the purpose of a policy?

A well-crafted policy can help your organisation achieve its goals, such as reducing the risk of phishing attacks or complying with Cyber Essentials. Any policy worth its salt should outline what employees should or shouldn’t do, offer direction on best practices, and give guidance for decision-making.

Why are policies so important? 

According to research, 90% of security breaches occur through human error. However, improving your cybersecurity isn’t about blaming employees for their all-too-human mistakes. It’s about giving your people the tools and knowledge to better protect themselves.

This is where policies come in. Policies and procedures provide a roadmap for day-to-day operations. They ensure compliance with laws and regulations, offer guidance, and even help employees make better decisions. After all, if your people don’t know which behaviours are harmful, they can’t correct them.

But clear, readily available policies have benefits beyond merely reducing the likelihood of a successful security breach. Here are just a few.

Improved efficiency 

Sometimes clear policies are all that stand between a business and organised chaos. Sure, everyone’s working, but are they all pulling in the same direction? Or adhering to company values?

When everyone is following policies and procedures, a business will generally run smoothly. Management structures and teams operate as they’re meant to while mistakes and hiccups in processes can be quickly identified and addressed. 

What’s more, when everyone understands what’s expected of them and goals are clearly defined, time and resources are managed more efficiently. And this will ultimately help you meet targets and grow. 

Better customer service 

There’s nothing more frustrating than receiving wildly different service from two separate interactions with the same organisation. It could be your utility provider, GP surgery or bank, but we’ve all experienced the irritation it causes. 

Having clear, easy-to-follow policies in place is a sure-fire way to stop your business from providing erratic customer service. When policies are followed, tasks are performed correctly and every customer receives the same high level of service – enhancing your business’s reputation to boot. 

A safer workplace 

Workplace accidents and incidents are far less likely to happen if everyone’s working to the same standards and principles. This not only reduces liability risk for your business but also cuts downtime and disruption. And, even if the worst does happen, you’ll weather it much better with a clear procedure on how to deal with it. 

How can CyberSmart help? 

We’ve discussed why policies are important but now comes the tricky bit. How do you ensure that everyone in your business has access to the policies they need to work safely? And, more important still, how do you make sure they read them?

CyberSmart Policy Manager allows you to digitally upload and share policies straight to staff’s devices through our platform, CyberSmart Active Protect. Policies can easily be uploaded through the CyberSmart Dashboard and made available to your users instantly. 

What’s more, you can be sure your employees read them. Our Dashboard provides you with a digital audit trail of when policies have been read and agreed upon. 

But what if you’re unsure of where to start when creating a new policy? Well, we’ve got you covered there too. We’ve put together a handy set of templates to help you get started. These are free to download from your CyberSmart Dashboard and easily modified to suit your business. Our policy templates include: 

  •  Data Classification policy 
  •  Cyber Essentials policy 
  •  Data Protection policy 
  •  IT Access policy 
  •  Security Awareness and Training Guidelines policy 
  •  Work From Home Covid-19 policy

We also offer a GDPR policy pack as part of our IASME and GDPR certification.

And that’s all there is to know about policies. They’re a simple tool, but one that provides an important first line of defence for your business against cyber threats. Hopefully, this blog has armed you with all the knowledge you need, but if you have any questions, please get in touch. Our team are always happy to help.

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.
