The high-profile and high-value transactions in the sport sector make it a key target for both domestic and international fraudsters. 70 per cent of sports organisations have experienced fraud in the last 12 months, and 30 per cent of fraud incidents incur financial damage. What should you do to protect your organisation? Tom Wilson, partner at haysmacintyre, covers key measures to prevent fraud and how to respond to it if you’re subject to an attack.
A recent report prepared by the National Cyber Security Centre (NCSC) highlighted the rising risk of cyber security attacks on organisations in the sports sector. The NCSC rates the cyber threat as significant, reporting that 70 per cent of organisations in the sector have experienced an incident in the last 12 months, with 30 per cent of organisations recording five or more incidents. The high-profile and, in many cases, high-value transactions mean the sector will continue to be a target for both domestic and international fraudsters.
The report also highlights the financial risk – 30 per cent of incidents caused direct financial damage, with an average of £10,000 lost per incident and the largest loss noted at over £4 million. The incidents have affected organisations across the sector. Specific incidents include:
• During a transfer negotiation with an overseas football team, the email address of the managing director of a Premier League club was hacked by cyber criminals. Only a late intervention by the bank prevented the club from losing almost £1 million.
• An employee at an organisation which holds athlete performance data had their email address compromised, allowing the hackers to access sensitive information over several months.
• An English Football League club suffered a significant ransomware attack which crippled their corporate and security systems. As a result of the attack the CCTV and turnstiles at the arena were unable to operate, nearly leading to a fixture cancellation.
• A member of staff at a UK racecourse found groundskeeping equipment for sale on eBay and agreed a price of £15,000. The sale turned out to be fraudulent – a spoofed version of eBay had been created and the staff member was unable to recover the funds.
With the move to more remote ways of working during the COVID-19 pandemic, fraudsters are trying, and will continue to try, to take advantage of new working environments to defraud sports organisations. There has been an enormous increase in fraud since the arrival of COVID-19. Over 160,000 messages have been flagged by the public since the launch of the NCSC’s new suspicious email reporting service.
Protecting your organisation during remote working requires careful consideration. It is important to analyse how the existing control framework, and compliance with policy and procedures, are being applied throughout the organisation and at an operational level. Many organisations have furloughed staff who were key to operating controls, which means these controls are either no longer functioning or have been reallocated to others, creating a potential lack of segregation of duties. Individuals working from home also means less face-to-face contact with colleagues, and certain processes and control work-arounds have been introduced to limit business interruption. Some of the common fraud risks that we see include:
• Phishing emails and data security – file sharing platforms are being used more frequently throughout lockdown and fraudsters have been quick to exploit this with phishing emails. The emails look genuine and trick the organisation’s users or members into clicking a link. The link then directs the user to a page harvesting personal and organisation credentials.
• Email compromise scams – these are emails that appear to come from within the business, for example from the CEO, requesting that an urgent payment be made. The sender address in the email header is spoofed so that the message appears to originate from within the company.
• Changes to bank details – this is a well-known scam in which fraudsters request changes to supplier bank details by email or letter. Any request to change standing data must be validated, and this should be done using contact details already held in the database or available in the public domain to verify the change.
• New supplier fraud – setting up a new supplier remains a key control point; appropriate due diligence checks are essential before a supplier is added to the ledger.
• Payroll fraud – fraudsters go a long way to learn about an organisation, its members, and the key individuals who process changes to employee data. Change requests to HR regarding an employee’s payroll bank details should be validated, not simply completed on the basis of an email or of phone numbers given in the email requesting the change.
• Internal fraud – as people work remotely and staff members are furloughed, the segregation of duties requires careful consideration. The situation gives rise to a risk of internal fraud around payments and financial reporting, or of failing to spot an external fraud attempt.
• Impersonation of HMRC or other regulators – there have been several instances where fraudsters impersonate regulators. Organisations should be vigilant and contact regulators using contact information available in the public domain or from a reliable source.
While the risk of fraud is high and organisations can be targeted in many different ways, there are simple preventative measures all organisations can take:
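The phishing and email compromise risks above turn on one thing: a message that looks internal but is not. Mail filters and finance teams can check this mechanically from the headers. The following is an added example written for this article, not code from the NCSC report or from haysmacintyre; the organisation domain, the header samples and the finding strings are all constructed. It flags the usual indicators of a spoofed "CEO" message: a display name that embeds an internal address while the real address is external, an internal From with an external envelope sender (Return-Path), a Reply-To that diverts replies elsewhere, a lookalike domain one character away from the real one, and SPF/DKIM/DMARC failures recorded by the receiving mail server.

```python
"""Flag header indicators of spoofed or compromised-looking email.

Added illustration for the fraud risks discussed in the article; not the
NCSC's or haysmacintyre's code. ORG_DOMAIN and all sample headers are
constructed values.
"""
from email.parser import HeaderParser
from email.utils import parseaddr

ORG_DOMAIN = "example-fc.test"  # assumed: the organisation's own mail domain (constructed)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def looks_like(domain: str, target: str) -> bool:
    """True if domain is exactly one edit (substitution, insertion or deletion)
    away from target, e.g. examp1e-fc.test vs example-fc.test. A deliberately
    simple lookalike test; production filters also map homoglyphs."""
    if domain == target or abs(len(domain) - len(target)) > 1:
        return False
    i = j = edits = 0
    while i < len(domain) and j < len(target):
        if domain[i] == target[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        # skip one character in the longer string, or both on a substitution
        if len(domain) > len(target):
            i += 1
        elif len(domain) < len(target):
            j += 1
        else:
            i += 1
            j += 1
    edits += (len(domain) - i) + (len(target) - j)  # trailing leftover counts as one edit
    return edits == 1


def spoof_indicators(raw_headers: str) -> list[str]:
    """Return a list of human-readable findings for a block of raw headers."""
    msg = HeaderParser().parsestr(raw_headers)
    findings: list[str] = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))

    # Display name carries an internal-looking address, real address is external
    if ORG_DOMAIN in display.lower() and from_dom != ORG_DOMAIN:
        findings.append("display-name claims internal address, From is external")
    # From claims to be internal, but the envelope sender is somewhere else
    if from_dom == ORG_DOMAIN and return_path and _domain(return_path) != ORG_DOMAIN:
        findings.append("From is internal but Return-Path is external")
    # Replies are diverted to a different domain than the visible sender
    if reply_to and _domain(reply_to) != from_dom:
        findings.append("Reply-To domain differs from From domain")
    # One-character-off impersonation of our own domain
    if looks_like(from_dom, ORG_DOMAIN):
        findings.append(f"From domain {from_dom} is a lookalike of {ORG_DOMAIN}")
    # Authentication verdicts stamped by the receiving mail server
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth or f"{mech}=softfail" in auth:
            findings.append(f"{mech} failed")
    return findings


# Constructed sample headers (not real messages).
SAMPLE_CEO_FRAUD = (
    'From: "Chief Executive <ceo@example-fc.test>" <ceo.example.fc@freemail.test>\n'
    "Reply-To: ceo.example.fc@freemail.test\n"
    "Return-Path: <bounce@freemail.test>\n"
    "Authentication-Results: mx.example-fc.test; spf=pass smtp.mailfrom=freemail.test; dkim=none; dmarc=none\n"
    "Subject: Urgent payment required today\n"
)
SAMPLE_LOOKALIKE = (
    "From: Finance Director <fd@examp1e-fc.test>\n"
    "Reply-To: fd-private@outlook-mail.test\n"
    "Return-Path: <fd@examp1e-fc.test>\n"
    "Authentication-Results: mx.example-fc.test; spf=fail smtp.mailfrom=examp1e-fc.test; dkim=none\n"
)
SAMPLE_SPOOFED_FROM = (
    "From: Jane Smith <jane.smith@example-fc.test>\n"
    "Return-Path: <x7@bulk-sender.test>\n"
    "Authentication-Results: mx.example-fc.test; spf=softfail smtp.mailfrom=bulk-sender.test; dkim=none; dmarc=fail header.from=example-fc.test\n"
)
SAMPLE_LEGIT = (
    "From: Jane Smith <jane.smith@example-fc.test>\n"
    "Return-Path: <jane.smith@example-fc.test>\n"
    "Authentication-Results: mx.example-fc.test; spf=pass; dkim=pass; dmarc=pass\n"
)

if __name__ == "__main__":
    for name, sample in [("ceo-fraud", SAMPLE_CEO_FRAUD), ("lookalike", SAMPLE_LOOKALIKE),
                         ("spoofed-from", SAMPLE_SPOOFED_FROM), ("legit", SAMPLE_LEGIT)]:
        print(name, "->", spoof_indicators(sample) or "no indicators")
```

None of these checks proves fraud on its own: a genuine colleague mailing from a personal account trips the Reply-To rule, and a marketing platform can legitimately set an external Return-Path. They are a triage signal for finance staff to pause and verify a payment request through a known phone number, which is the control the article recommends.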
• Provide guidelines to reinforce existing policy and procedures and raise awareness over fraud matters.
• Communicate regularly with employees and contractors on fraud awareness, including guidance on what information the organisation would (or wouldn’t) ask of them.
• Monitor the current situation and keep up to speed with common fraud themes and alerts issued by Action Fraud.
• Contact your bank immediately if you think you or one of your colleagues has fallen for a scam.
• Do not click on links or attachments in unexpected or suspicious emails.
• Implement additional verification checks and procedures before making changes to standing data, i.e. supplier bank details or employee bank details.
• Implement additional verification checks and procedures before making large payments to a new supplier.
• Report all instances of fraud to Action Fraud and to key regulators where appropriate.
The report prepared by the NCSC can be read here.
Words: Tom Wilson, Partner at haysmacintyre