How susceptible to crime is your organisation?

Cyber Attack

The risk of internal or external crime to businesses or charities has seemingly never been greater. We take a look at different types of crime – and how to prevent your organisation becoming a victim.

There are many opportunities these days for thieves to take physical goods, intellectual property, company funds, client information and other people’s identities – and with increasingly instant access to the resources needed, it is often the case that theft goes undetected for considerable periods of time.

In fact, the average time taken to detect such crime in a business is 18 months – long after the damage has been done.

A broad understanding is needed of the types of crime that can be committed in order to address them. While it’s not possible to cover every risk that may ever happen – the nature of the beast is always evolving – with some high-level knowledge of internal and external threats, it is possible to help contain your exposure.

Internal crime threats

Think that your staff are all honest and can be trusted? You might be surprised. This recent high-profile fraud case involving a judge and his assistant is a prime example of how somebody in a senior, respected position can still be tempted to partake in criminal activity.

They are not alone, either – here’s another story of an ex-judge and her husband forging a will.

While the majority of people may remain honest, there is always a temptation to ‘fix the system’ for personal gain – especially as those with ‘insider knowledge’ are likely to be fully aware of the internal processes and procedures in operation.

And with a recent Ernst & Young report suggesting 28% of executives believe that bribery is rife in the UK, it is right for business and charity leaders to be naturally cautious and risk averse when it comes to managing the threat of internal crime.

The insidious nature of internal crime makes it dangerous and often difficult to detect – so constantly scrutinising and refining your processes is important.

Internal crime can take various forms.  Some of the more common types of internal crime include:

  • Stealing money – either physically from a point of sale, or electronically
  • Charging dormant/inactive accounts
  • Stealing equipment, material goods or other physical property
  • Stealing intellectual property of the organisation for personal gain
  • Making illegitimate bonus payments
  • Increasing the payment amounts on cheques/invoices after payment has been made
  • Padding payroll/cash expenditures
  • Not accounting for cash payments
  • Invoicing goods below the sale price and receiving the difference from a client

External crime threats

External crime can arguably be even more difficult to monitor, as there is often no internal check or control that can counter the shifting nature of general criminal activity. Fraudsters often think up new or different ways of perpetrating their scams, which can catch people unaware if they have never encountered such a threat before.

It is worth considering the various ways that those outside your organisation can look to break down your defences, especially in an era of instant communication and online activity.

Risks that you need to watch out for include:

  • Computers being used to hack into your systems, to steal sensitive data or perform fund transfers
  • Identity theft, including the perpetration of card fraud
  • Counterfeit money being used to purchase goods
  • Money laundering – e.g. customers paying too much for items on a credit card and requesting repayment of the difference in cash

The above threats take various forms.  Here are some recent examples of external fraud coming into play.

A commonly witnessed threat to businesses and charities is when an external party purports to be an internal party – that is, sending emails to you as a member of staff that appear to be from someone else working within your organisation. This type of email is often used to request that an urgent payment is made.

Variously labelled ‘the CEO email fraud’, ‘whale phishing’, ‘bogus boss email’, ‘insider spoofing’, ‘company exec spam’ or ‘business email compromise’, external scammers will often go to great lengths to make the email request look as genuine as possible, down to replicating the email signature of the genuine staff member and making the spoof email address look very similar to the original email address (e.g. instead of, they use – making it difficult to distinguish at a glance, while maintaining the original sender's name).

The fraud is executed simply – and unfortunately, often effectively.  If a member of staff in accounts or finance, for example, receives an email that looks as if it has come from a business director (particularly an MD or CEO) requesting that a payment is made – and the email recipient has a whole lot of other requests and work to deal with – then it is easy to see how many people fall for the scam.

Each month, over 8,000 people or businesses reported being the target of phishing emails in 2015, according to Action Fraud.  The ‘insider spoofing’ email led to an average loss of £35,000 to UK businesses – though amazingly, companies have reported losses of up to £18.5m through this scam.

Another scam to watch out for is a fraudster offering an opportunity that requires immediate payment – e.g. an advertising opportunity in a magazine with a pressing deadline.  Some fraudsters have been known to steal online content and re-brand it with their own logo and contact details, to make the opportunity seem realistic and tangible.

You should look for social evidence of a company in these instances – for example, is the editor of the magazine on LinkedIn, and how many connections do they have?  Can you find their website on Google?  What else can you find out about them online?

Furthermore, do not pay for services of this nature upfront – if you walk in a shop, would you go to the till first before picking up what you want, in the hope that the shop has it in stock?  Of course not. Treat business finances as you would treat your own - you need to see the goods before you pay!

The old adage applies – if somebody is offering you an opportunity that seems too good to be true, then it likely is!

What can be done to protect your organisation against criminal activity?

There are various ways in which you can look to protect your organisation against the risk of criminal activity – whether that be physical or electronic deterrents, surveillance, risk management or staff training. Some methods are more obvious than others; often, it’s determining where the risk lies that can make a difference between preventing or detecting crime, or crimes being committed and going unpunished.

Bollington’s crime and fraud exposure scorecard is a 30-point checklist of issues that could affect your business, giving you an opportunity to simply assess where your company might be exposed and to shore up your defences against the threat of crime being perpetrated.

Access your copy of our scorecard here.  It could potentially save your organisation from financial or reputational peril by helping you put the right controls in place to assess and monitor crime threats.

Having evaluated the risks faced by your company, you can contact Bollington for further information regarding crime and cybercrime insurance covers, including advice from our risk management team. We can help businesses, care and charity organisations or even individuals protect themselves against the threats they may encounter.

You can speak to us – without obligation – about covering your crime risks, regardless of whether you hold your insurance with us at present or not.  Call us on 01625 400205 to discuss the covers your organisation may need.