The Risk of Not Existing (on the Web)

I've just listened to an interesting BBC program (You and Yours) warning about a fraud currently being perpetrated in the UK. Note that there is nothing specifically British about this fraud.

The fraud works like this:

1. A business owner is called by a company and offered a cheap business improvement loan as part of a (genuine) government grant scheme. As part of the government scheme, the owner is required to place a security deposit into a Mastercard loan account.
2. The business owner checks out the company making the offer. They are legitimate, have been in business many years, and pass all the usual fraud checks. The business owner also checks with their friends, their accountant, and even the police. They confirm that the company is legitimate and that there is no reason to distrust them.
3. The business owner opens an account at the company, and checks the account on the company's website. The account has been credited with the amount of the government grant, with a note that the grant can only be withdrawn once the business owner has made the security deposit.
4. The business owner makes the security deposit, and it is shown as being credited to the account.
5. Shortly afterwards, the website stops working.

What happened?

The fraudsters identified a genuine company in a suitable business area which did not have a website. They created a website for that company, including mostly genuine details about the business. This website included the fake business loan account area. They then contacted potential victims masquerading as the company, fraudulently obtained security deposits, and then abandoned the fake website.

Shortly afterwards they were found to have repeated the process impersonating a different company.

The Risks?

There are two risks to be aware of here:

1. If you are a company without any web presence, you are open to this type of impersonation attack. Could someone obtain money, goods, or services by pretending to be you? This might damage your reputation and your ability to get clients in future even though you were in no way to blame.
2. What looks like a company's website may not in fact be the company's website. Even if the web site uses https and has a security certificate, the certificate generally only guarantees that the browser is talking to a website with a particular domain name, not that the domain name is owned by the company you think it is owned by.

What steps can you take to reduce these risks?

• Have a corporate website, even if it is just a single page giving basic contact information: otherwise impersonation is just too easy. You may also want to maintain basic (but inactive) social media accounts in the company's name too.
• Check that incoming callers are who they say they are. The simplest method is to call back using contact information that the caller cannot control easily, such as using a company's main switchboard number as listed in a phone directory or trade directory. Do not just do a simple web search for the company's contact information: you could just be directed to a fake website.
• Make sure you or your staff check that unfamiliar corporate websites (even if found by searching Google) have been around a while. Searching for the “whois” information for the company's domain name. This will tell you when the domain was first registered: if it was first registered in the last few months then it may be worth taking extra care. Note that the ownership information provided by “whois” is not verified and should therefore not be considered trustworthy.