Kennedy Legg Fraud Guide
Kennedy Legg takes fraud & other financial crimes very seriously. We want you to be aware of the different ways criminals may try to steal not just your money but also your identity. Unfortunately, there will always be those who seek to take advantage of difficult times and there is an increasing threat from criminals using the COVID-19 pandemic as an opportunity to scam clients. Please take care to follow our anti-fraud advice. Importantly:
- Do not click on links or attachments until you have validated the source of an email or text message;
- Do not respond to unsolicited telephone calls or messages. If we call you, please feel free to call us back on our published numbers;
- Do not disclose your personal or financial details in open email;
- Please use our secure Onvio portal for uploading and sharing documents with us; and
- Remember we will never ask you to move your money to a safe account.
Keep your finances and personal data safe
Much has been made in the news media recently about the hazards of online hacking and data breaches, but what is seldom reported is how much simpler it is to "hack" people than computers. This process is called social engineering, and is far easier to do than one might think.
How social engineering works
Social engineering exploits aspects of human nature - behaviours that come naturally to us. Key to social engineering is the manipulation of trust - gaining a target's trust and thereby getting them to disclose information that should be kept secure.
Scammers contact their targets, usually via telephone (vishing), text or email (phishing), purporting to be individuals in positions of trust, such as bank staff, representatives of telecoms or utility companies, or even the police. Having gained their target's trust, they then request sensitive information or items which allow them access to their target's bank accounts - things your bank would never request themselves, such as:
- Your 4-digit PIN
- Credit or debit cards, chequebooks or cash
- Online Banking codes or passwords
- Transfer of funds to a different account for "safekeeping"
Common Fraud Types
Using a variety of methods, criminals may obtain important pieces of personal and identity data such as credit card numbers, expiry dates, dates of birth or mothers’ maiden names. This information can be used to gain access to bank accounts or open new credit facilities. Help to minimise this risk by following these simple steps:
- Shred all receipts or any letters that contain your name and address or personal information.
- Switch off your postal statements to prevent unnecessary documents being sent via the mail.
Vishing involves a fraudster making phone calls posing as bank staff, the police, a regular supplier or client, or other officials in a position of trust. The call may be made to coerce a company financial controller into:
- Sending their money to another account often purportedly for ‘safe keeping’ or ‘holding’;
- Withdrawing cash and handing it over to the fraudster for investigation;
- Giving personal financial information, which can then be used to gain access to your company bank accounts.
Be wary of unsolicited approaches by phone, especially if asked to provide any of your personal information. If you are suspicious, don’t be afraid to terminate the call and say no to requests for information. It takes two people to terminate a call, so ensure the caller has also hung up and you have a clear line; you can use a different phone line to test the number. Fraudsters can use ‘call spoofing’ to deliberately falsify the telephone number relayed on the caller ID to show as a genuine number. Never share company security details beyond authorised staff. It is important to keep your account and security details safe.
Criminals may already have basic information about your company in their possession (i.e. name, address, account details). Do not assume a caller is genuine because they have these details or because they claim to represent a legitimate organisation.
Business E-mail Compromise (BEC)
Business E-mail Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform payments using an email from a company owner (CEO or CFO) as the authority to carry out the payment. Little does the payment processor know that the email is not a genuine company request.
There are two variations of this fraud type:
Email spoofing - This involves the manipulation of an email address to make the sender’s email address appear to have originated from someone or somewhere other than the actual source. The fraudster spoofs the vendor’s email to submit the modified invoice. This doesn’t require compromising the vendor’s email system; instead, the fraudster sends the invoice from an email address whose domain is so close to the vendor’s that most people would miss the change, for example, @CompanyABC.com instead of @CompanyACB.com.
Compromised Email Account - This involves the compromise of an executive’s email account within the organisation, such as that of the CFO (Chief Financial Officer). The fraudster sends a request for a payment from the compromised email account to another, often junior, employee to action.
Make sure staff know to check the email address the payment request is sent from, and have suitable checks in place to verify any new payment request received by way of email. Regularly review your organisation’s controls to make sure that you have suitable payment controls in place so that you do not fall victim to this type of fraud.
Phishing is where people receive e-mails directing them to websites where they are asked to provide confidential personal or financial information. Whilst these e-mails may appear to come from a legitimate site, they are designed to steal your personal information and use it to access your accounts. Do not reply to, or click on a link in, an e-mail that warns you that your account may be shut down unless you confirm your personal information. Instead, contact the company in a way that you are sure is genuine, such as an authenticated telephone number.
You should delete these e-mails immediately.
Smishing (SMS Phishing)
Be wary of suspicious text messages sent by fraudsters that look like they have come from your bank to trick you into giving over your personal and financial information (by calling a number or clicking a link).
It's important to remember:
- Your bank will never ask you for your full PIN or password
- Your bank will never text you a link that takes you directly to its login page
- Fraudsters can use 'text spoofing' to deliberately falsify the telephone number to appear like a genuine bank text
- Never share your security details with anyone else
- If you have suspicions regarding a text message from Kennedy Legg, call us on a known number to check before acting on it