If your process only works when things are slow it is going to fail every single time it encounters an actual hack.
Back in 2018 I wrote an article on how important it is to have processes around your bank account, and in particular to have something in place that protects changes to the bank details your accounting team or person uses to pay people. Having just read it again I would say it’s worth checking out, even if I do say so myself. A few things have caused me to revisit the topic with renewed vigour and trust me, you need to pay attention to this.
Why Should I Secure My Bank Account?
Everyone knows the cliché of Willie Sutton, who, when asked by a journalist why he robbed banks, responded, “That’s where all the money is!” I always imagine it said with a “duh!” at the front but that’s just me.
In the same vein, we seem to have dropped into a mode where we view hacks as a cost of doing business and don’t overly worry about them, much to my chagrin. The problem as I see it with this mentality is that the bad actor always has his eye on one thing and one thing only – your bank account. Why? Well, if our cliché is to be believed, that’s where all the money is.
While not every hack ends with a breach of the bank account, there is no doubt that the bulk of them start out with that end point in mind. It is something you need to be constantly aware of.
In fact, my way of thinking about this seems to be somewhat counterintuitive. If the target of every hack is my bank account, then the simple thing is to place all the process around changes to the exact same thing that the criminals go after. You just have to make sure that the process always applies.
No Process, No Protection
I can hear some folks now. “You don’t know how high pressure my business is!” or “You don’t understand what I have to deal with!”. No, I do. I just don’t care. A good understanding of the art of hacking tells you that the folk who carry out all these attacks are absolute ninja masters of the urgent. This means that if your process only works when things are slow it is going to fail every single time it encounters an actual hack.
Your process needs, at the very least, to treat everything at the same speed and ideally slow down to a snail’s pace the second someone tries to speed up the process.
Bottom line, if you do not have a process along the lines of the one below then you are going to lose money and, depending on which supplier the attacker is targeting, that could be a life-changing amount of money. Let’s face it, most of us have main suppliers and it probably wouldn’t take Mystic Meg to work out who they are.
Scenario 1 (no process): HMRC ring to tell you they have not received your payment.
You check your bank account and can see that you already paid it. You tell the hacker and he takes a few minutes (probably making himself a cup of tea) and eventually comes back to say that he has found your payment but it’s in the wrong account and he can’t move it. Now to inject some urgency: “This is going to cause late fees and fines, potentially big fines. Can you pay it to the correct account ASAP to minimise the fines?” He will then arrange for the money you have already paid to be refunded. You add the new bank account details and repay the “HMRC”. A week later, you call HMRC to see when you’ll get your money back. A sinking feeling overwhelms you as the person at HMRC says “I have no idea what you are talking about!”.
Scenario 2 (process in place): After being asked to make the payment you put the phone down and do a quick web query for HMRC. You check the site is the legitimate HMRC site (using the little lock on the web page) to ensure you are at the right place. You call the number and ask to check the bank details given to you. A person confirms they have no clue whose bank account that is, but it isn’t HMRC. Smug feeling – you just rumbled some guy trying to empty your bank account. Pat yourself on the back and make a note to have an extra-large G&T tonight in celebration. The person doing the checking doesn’t have to be you, the person who took the call. Someone else, ideally the gatekeeper who can change bank details on the bank’s website, for example, may be the best person to do the checking. You just cannot afford to change bank details without running checks.
You probably think this can’t happen to you. Trust me, if you think that, it absolutely can. You need this process and you need to make sure you apply it every single time.