Act in Haste!

Compliance monkey

Both regulators in Guernsey and Jersey have issued warnings regarding Fraudsters targeting financial firms and their Customers. Coming back from a long weekend to a backlog of emails, with the stresses that you are under in this unprecedented time, business objectives and customer expectations, is the perfect storm for the Fraudster to exploit. In our isolation the use of malicious and fraudulent emails (Phishing) appears to be the current tool of choice, and here are some tips, key indicators and red flags that an email may be malicious or fraudulent, to keep your Firm, Customers and Yourself safe.

  • Is the email out of the blue or unsolicited with a time pressure to undertake some action?

  • Is the email address of the sender the same as your Customer's in your records?
  • Is the spelling correct or have letters been substituted? Do you even know the sender?
  • If there are links to respond to, do not click them; hover your cursor over them and check the URL. Always go to the official site rather than click a link in an email, especially if it is requesting that you do so to undertake some action.
  • If the email is requesting that you download a file or attached document, do not do this or click on it.
  • Are there grammatical or spelling errors in the email?
  • Does the email sound like the client?
  • Does the email request some personal data or business data or security details?
  • Does the sender address you by name, and is this usual? If the sender is unknown to you this could be an attempt to gain confidence; remember we all have personal details on the web that are easy to find.

If you see any red flags it is time to contact your IT department or provider and get them to check the email out and validate it.

When receiving requests to make transfers to accounts or pay invoices you need to be cautious. Consider the following as red flags that either the email is a phishing attempt or that your customer's email account has been compromised.

  • Is the request expected, in line with the known activity and business operation of the Customer?


  • If the email asks you to call them on a phone number to confirm the transaction, use the contact details that your firm has on file and not the ones in the email.
  • Check the transfer details: are they the same as the ones you have on file for the customer, or is this a new transaction?
  • Is the transaction in line with the normal activity and known behaviour of the client?
  • Is the invoice for services that appear odd or from an unknown party?
  • Does the email request use any links or downloads such as an invoice or software? Always go to the main website and make payment from there as the link could be malicious. Any download may contain malicious software that will endanger your firm, such as ransomware, or can even spy on you.

Always confirm actions with the customer, using the details your firm has of the actions that are required to be undertaken. If you have any red flags then your IT department or provider needs to be informed and the email checked out.

Beware that you may also be subject to telephone (Vishing) or SMS (Smishing) fraud attempts that will seek to make you undertake an action or provide personal or business details in the same manner as with Phishing. Always call the customer back on the details that your firm has and confirm with them any requested action. Rather than seeing this as a hassle, customers will be impressed that you are so diligent and have good security; it will reassure them that you are the firm to be with and that you are proactive in protecting them and their data and assets. It may also alert them to the fact that they have already been hacked, so that they can take appropriate action to minimise any loss.

Reporting of these attacks.

These attacks must be reported to the Compliance and MLRO team and onwards, after assessment, to the Board. The Board is accountable for the safety of the firm's clients and client data and must be seen to be ensuring that it has considered the risks posed and put in place effective mitigation and appropriate systems and controls. This assessment must be revisited after an attempted fraud, with consideration of appropriate actions to be undertaken. Does this change the risk profile of the firm in any way? Is there any further mitigation that can be done to protect the firm and its customers? Remember the Regulator will be looking for documentary evidence of consideration whether there has been an attack or not, and certainly on their onsite visits.

Compliance and MLRO teams, with the IT department or service provider, need to collate the data and assess the threat and any further systems or controls that may need to be considered by the Board and implemented. They need to consider whether this is just a random attack or whether it is targeted: is there a specific group of customers this affects? This information, with any recommendation, needs to be provided to the Board. Consideration must be given to the threat, and this may also require the warning, training or refreshing of the firm's employees on the risks and the policies, procedures and controls that must be followed.

Fraudsters can be identified from the details that they provide to you, be it a phone number, email address or website URL. This being the case, they must be reported to the Fraud or Financial Intelligence Unit as you would with a normal Suspicious Activity Report. If you are unsure, give the Police or the Financial Intelligence Unit a call; they are there to assist you and help you. This also allows them to collect the data and establish if the jurisdiction, specific firms or a set of clients is being targeted, allowing them to warn industry and protect clients of the jurisdiction. Financial Intelligence Units have a wealth of good advice on their websites for the prevention and detection of fraud, as well as for dealing with it.

In conclusion:

  • Don’t open email from unknown senders and take time to assess an email for red flags that it may contain malicious software or attachments or a fraud attempt.
  • Undertake callbacks using the customer details the firm has collated to confirm any actions.
  • Don’t undertake actions or give out personal data or business data to anyone who is unknown no matter how much they pressure you.
  • Contact your IT department, service provider and/or compliance department if you have any concerns, links or requests to download documents or software.
  • If it is found to be fraudulent or malicious report it to your compliance and MLRO departments.

Don’t be pressured by emails, phone calls, SMSs and time pressures into undertaking an action in haste only to repent at leisure.

You are Important!

Compliance monkey

Sometimes there are some things that are more important than Compliance, and that is now and it’s YOU.

We find ourselves in a reality that was unthinkable at the start of 2020 and our best laid plans for the year have disappeared in the tempest that is Covid-19. Many of us are now working from home, which adds new stresses and strains that we were not prepared for, and that we are now having to deal with. As someone who has worked remotely for several years I wanted to share some tips to help you stay productive, motivated and, most importantly, safe and well.

Firstly define your work and down time hours and try to stick to them. You need to be flexible but don’t let work take over from your need for down time and self care. Make sure that your colleagues know when you are working and when not to disturb you. Once you finish for the day turn your email off, it can wait till tomorrow and if urgent your firm will be able to contact you.

Ease yourself into your day, have a morning routine to prepare yourself for work. I take the time to make a cup of tea, have breakfast and catch up on the news, but be careful of the media overload and anxiety it can cause. I take my tea and either look or sit outside enjoying the dawn, breathing and just centring myself, sometimes with a quick yoga or kayak session.

Make sure that you have a separate and dedicated workspace and that it doesn’t invade your personal space.

Have a plan for the day and stick to it but stay flexible and adaptive in your approach. I start by reading through emails and prioritising tasks and jobs to ensure that my plan for the day is as good as it can be. Once done I like to send an email to my colleagues letting them know I am online and can be contacted.

Make sure you schedule breaks throughout the day, I normally take 5 minute breaks every hour or so. This allows you to give your mind a break and recover and refocus. This is the same as any physical training where breaks from activity are needed to refresh the muscles and keep performance up. Your work space at home may not be conveniently designed for prolonged periods of computer work. Get up and move, stretch and get a drink or snack, lessen the strain on your body as well as your mind.

Have lunch, you need this to refuel and switch off completely. Try to do this away from your work space to stop your work taking over this personal time. I often try to include an element of physical exercise outside as well as experimenting with recipes and varying my lunch from day to day. Lately I have got back into sea swimming, which is energising and refreshing, but do what makes you feel good and takes your mind off work and any negativity; it is about what is good for you and what is needed to leave you refreshed and motivated.

Have an end of the day routine to ease yourself into your personal time. Try to finish your tasks and don’t start a new task if you won’t be able to complete it by the end of the day. I finish the day by catching up on emails and notifications and start to plan for tomorrow. Let your colleagues know that you have finished for the day. Review what you did during the day, and try not to be overly self-critical of your performance; you can’t change what has been, so focus on tomorrow and be kind to yourself.

Then turn off, put your work away and start your personal time. By all means relax with a glass of wine or beer but don’t let it take over your personal time. Alcohol is a depressant and can lead to increasing your anxieties and worries, you also need to be fresh and motivated for tomorrow. If you do find that alcohol is starting to take over your life recognise that it is, take steps to regain control over it and seek help if needed.

Working from home is all about communication and as you are not in the office or able to see visual cues you need to over communicate. Communicating with your colleagues is not just to let them know when you are online but also let them know what you are working on and towards. If you need help or think you may need help ask for it, make time to understand what your colleagues have planned and are working on, and where you may be able to assist or help. We are remote and isolated but we have never been more electronically connected, use technology to interact, have video meetings and arrange team meetings where you can all interact.

Try to engage with your colleagues as you would normally do in the office. We all have that down time when we catch up on non-work related topics such as sports or television, remember keep things positive and try to avoid gossip, adding to anxieties and toxic conversations about colleagues, you may not have the whole picture and you won’t know how they are feeling or what they are dealing with. Try to schedule these conversations and interactions for your scheduled breaks as you are still on the firm’s time and should not abuse this.

You may find that a colleague uses this time to open up to you or leans on you for support. As you would do in the office make the time to hear your colleague but let others know you are unavailable and not to be contacted. Be empathetic to your colleague, what may seem trivial to you could be their whole world, support them and let them talk.

If you have concerns about a colleague let your Human Resources department know; they have the skills, training and resources to help and assist. Try not to take the problems of others on your shoulders as that will also weigh you down and add to your stresses and strains. If you don’t have a Human Resources Department, speak with a senior manager about your concerns. A problem shared is a problem halved; encourage and support your colleague to seek the help that is out there.

Be aware of cues that may indicate someone is struggling such as them being withdrawn or making mistakes, maybe they just don’t seem like themselves. Ask them gently if there is something you can help with, strike up the conversation with them but respect their privacy, in some cases just let them know you are there and check in on them more regularly.

If you or any one of your colleagues is struggling please know it is not a sign of weakness or failure. There are no prizes or bonuses for struggling through; you and your colleagues are part of a team and together you are strong, can accomplish amazing feats and will succeed and get through this. Please remember that we are all in this together and it is OK and normal to have a bad day, feel down, anxious or frustrated. You are amazing, be kind to yourself and your colleagues, we can weather this storm together.

Stay safe, stay well and stay home.

I would be grateful to hear or have comments from readers for their tips on working from home or dealing with the day to day stresses and strains of our new day to day normality.