How to protect payments from next-generation fraud

Published 12 Jun 2026

Charlie: Hello, and welcome to this Wired briefing on next-gen payment fraud. I'm Charlie Burton, head of content at Wired's consulting division, and I'm thrilled to be here for what promises to be a fascinating discussion about how advances in technology are creating new fraud threats and what businesses can do to protect themselves.

We're bringing you this session today in partnership with Eftsure, which is a global leader in protecting businesses against payment fraud. So, firstly, a thank you to them. Before we meet our panel, let's set the scene a little. I think it's striking how dramatically the payments fraud landscape has shifted in recent years. Financial scams have become more sophisticated, more cost-effective, and more challenging to prevent. With emerging AI tools like large language models and deepfake generators, criminals can craft more persuasive phishing emails, impersonate trusted individuals more effectively, and exploit real-time payment rails to carry out fraud in ways that leave little time for recovery.

And while we often think about payments fraud targeting everyday consumers, and certainly here in the UK, push payment fraud is all over the news, businesses are increasingly finding themselves in the crosshairs and losing billions as a result. I'm joined today by two people who are perfectly positioned to help us understand these challenges and think about what we can do about them. We've got Robert Thorpe, who's managing director at Allegro Funds and has been a finance professional for more than 27 years, and he brings invaluable firsthand experience of navigating some of these threats. And we have Jenny Radcliffe, known professionally as the People Hacker. She's an expert in social engineering and has spent a lifetime talking her way into secure locations to expose vulnerabilities, of course, protecting clients from scammers, and leading simulated criminal attacks on organizations of all sizes.

So, to get into the discussion, I'd like to kick us off with a case study that really stopped me in my tracks when I first heard about it. A couple of years ago, a CEO at a UK energy firm got a phone call from their boss at their German parent company, or at least that's who they thought it was on the phone. The voice was perfect, same German accent, same speech patterns, and the caller said they needed a transfer of $243,000 to be made urgently to a supplier. The UK CEO complied, and you can probably guess where this is going. It wasn't their boss on the phone at all. It was an AI-generated deepfake of their voice, probably trained on public recordings of how he talked.

So I wanna hand over to you guys. When you look at a case like this, what does it tell us about how payments fraud is evolving and the current state of the art? Maybe let's start with Jenny. What strikes you as particularly notable about that instance?

Jenny: Well, hi. Do you know, I think when I first looked at this case study, what struck me first of all was how nothing ever changes and yet everything evolves, right? So here it is, a typical example of the type of fraud that we see all the time: someone who is subject to some social engineering, being given a plausible story, supposedly from someone that the target trusts, and some urgency behind it. It involves red flags like money, like you say, like urgency, even a little bit of emotion in there, some authority principles at play. And so from that point of view, it's like, this is the same old playbook, right, for social engineering.

But what made it so interesting was the way that it used that technology to give what we call a deepener. So everything's in place, and in the past, we might have seen that through an email, so it would have been one-dimensional: some text that may or may not be very convincing. But the clincher, the thing that really convinced that target, was the fact that they could hear the voice of someone that they thought they recognized, that they thought they trusted. Very convincing.

And so it's just such a great example of the same kind of targets, the same kind of tactics, but just enhanced, and made all the more dangerous by AI and the capabilities of it. That's really what struck me.

Charlie: And, Rob, what about you? What struck you about it? I mean, it's a huge amount of money involved, isn't it?

Robert: It is, Charlie. And look, I'm gonna call out pretty much the same things that Jenny has mentioned as well, but some of the characteristics of that particular example just stick out to me. It's someone of authority asking for a payment to be made. Now, that is not the norm. You wouldn't have the CEO of a company calling the finance team asking for a payment to be made. That would normally go through the normal accounts payable channels.

It's an out-of-the-ordinary payment, so anything that's out of the ordinary does need to be challenged. Unfortunately, in today's environment, in today's world, you cannot trust (and this goes across most finance teams) people asking for things that are out of the ordinary. You've really got to test them.

And then anything with urgency attached to it always starts to ring alarm bells. So, you know, we are on the receiving end of an increasing number of these sorts of threats. The improvement in the technologies that allow people to impersonate others is making it increasingly hard. And for us to be able to protect ourselves, we've had to go back to basics, which is not trusting phone calls that we receive. It's calling them back, calling back using a number that we know, and finding people that we know to test whether or not a request is valid.

Charlie: Exactly. As you say, it was an out-of-the-ordinary request, but it's the fact that technology made it so convincing that even someone really senior in a company could be taken in by it, perhaps because they weren't aware that technology was out there. Jenny, could you give us a sense of what the rest of the technological landscape looks like at the moment? Obviously, there's deepfakes. What other new innovations, new tools, are giving scammers new ways to defraud people? Can you sketch out some of the main areas of innovation that you're seeing?

Jenny: Sure. I mean, the progression, the evolution of AI technology now means that the research element for scams and hacks is so quick and so thorough. In the past, you know, it would take a long time to gather information for a personalized attack, to do that research, that open-source intelligence. But now, because of the capabilities of artificial intelligence, that kind of information is very easily gathered and tailored to a target. So we see it manifest in all sorts of ways, everything from phishing campaigns, which are no longer as clunky as some of the, we call them spray and pray, campaigns that hit thousands of targets looking for someone to bite, and then zoom in on the people who have clicked and layer the con on top, layers of that con on top of each other. So we see that, and I think those are the types of things that we're really talking about. I mean, this is voice cloning, but even the video, the deepfake videos, all of this stuff, it's so sophisticated.

What's happened is it's learning all the time, artificial intelligence. So it's a brilliant tool for business and the world in the main. But can you imagine: if something goes out and someone spots some of the little quirks... I remember a few years ago, you could see those videos and see little things in the eye movement, a sort of jerkiness, and the language patterns, the linguistics, weren't so sophisticated. But because of that continuous improvement, it's just smoother and smoother and smoother. So we see the research being done much quicker, and at scale. You know, the speed that these things can be done and corrected and done again, and just hit and hit and hit targets. I think really that's what it is.

As opposed to any single mode of attack, it's more the speed of all of it now. The data collection, the polishing of that data, the targeting of individuals or organizations. I think that's really what we're seeing as the big shift, and it's so quick and so exponential. It's really hard to keep up with from the defense side.

Charlie: And these kinds of advanced AI-based scams are the ones that really hit the news. Like, I remember there were lots of stories when it was discovered that there was a large language model-driven tool called FraudGPT, which could help people rustle up really good phishing emails really quickly. And, of course, everyone wrote about that. But I wonder, in practice, what form do most payments scams take? I would imagine that the ones that get all the headlines aren't necessarily the norm. Rob, you've had a lot of experience in this space. Could you sketch out the main forms of attack that CFOs need to be particularly aware of? Are there any particularly commonplace ones in your experience?

Robert: Yeah, Charlie. I'd say the most common form of attack that we've experienced, and we've experienced them multiple times, is email fraud. So somebody breaking into your email system. They do that typically by sending an email with a link that plants some sort of code or program inside of your email system that then allows them to sit there and watch the email traffic going back and forth, and learn how you speak to each other inside an organization. They learn who the people in authority are. They learn who has approval, and they watch what kind of payments are being made, what kind of payments are being received, and then they'll decide just the right time to hit. Christmas time is a great time to hit a business, because it's so busy. It's frantic. People are trying to get their payments in before the end of the calendar year, so there are typically some large end-of-year payments.

And what they will do is they will intercept an email, typically with an invoice attached that has bank account details on it, and simply change the recipient bank account on that invoice, and then send that email from somebody who's in a position of authority, for it to be processed by one of the parties in this relationship. And as a result, that invoice gets paid to a bank account that is not the correct bank account.

The way it's set up, and this is how we've experienced it, is the moment the money has left your bank account and gone to the recipient bank account, it will immediately bounce from that bank account to another one, to another one. It will be split many different ways, and in a matter of minutes will become untraceable.

So for us, the most frequent form of attack has been simple email impersonation. Very easy to fall prey to, but the way to protect against it, there are no fancy tools. It's taking it back to simple processes, simple training, simple awareness, and simply talking to people.

Charlie: Thank you. Jenny, do you wanna comment on that too?

Jenny: Sure. I mean, I completely agree with Rob. Like, before you even said it, I was sitting there going, it's emails, it's emails. And I actually have friends in the security industry who practically say the best thing we can do for security is just get rid of email. And it's like, okay, that won't happen. But, of course, it's because it works, because it's difficult to trace. Because, actually, once you start distributing those funds on receipt in the way that Rob's described, the digital footprint's difficult to track. You know, those things are the most effective things. And I couldn't agree more with what Rob's just said about the solutions.

Honestly, I think we get confused. The technology that's being used to attack seems to be very sophisticated sometimes, but it is the basics in companies that we need to be aware of and keep up to date. It's very difficult if someone's on your system and is intent on intercepting emails. The dwell time for intruders on someone's network is around about 45 days, I think, at the moment. You hear different amounts of time, but that's a lot of time for someone to observe things like language patterns and frequency of communications. So it's really the very basic things that people need to keep up to date and look out for. And apart from things like good tech that we can afford within organizations, kept up to date, with people knowing where to use it, one of the big things is the human side: having people, from a cultural point of view, able to say, I think this looks a bit strange. Not being afraid to challenge, not being scared that they'll get the blame if they do take this very well-crafted bait.

It's like a cultural thing, and those things are simple, but not easy. Just because something's simple doesn't make it easy to do. You can't just throw money and tech at the situation. We need that, but we also need this human communication side, this cultural element that gives us an environment where, when we do suspect something, we can raise it. When we do find something, we know where to report it. It's kind of a basic management cultural thing, as well as doing the best we can from a technical perspective.

Charlie: So I guess what I'm taking from that is, at a kind of foundational, schematic level, the scams are still the same old scams. They're just being done in enhanced ways. Is that a fair way of characterizing it?

Jenny: Completely. Whenever I see an article like the one we were speaking about at the front of this discussion, or whenever I see something in the news, whenever I go on radio or TV or anything like that, people say, what's the latest scam? What's the latest scam? And the thing is, the technology changes the way they're delivered to people, right? So the delivery can change. But the fundamental core of all the scams really comes down to money, out-of-context, unexpected, unusual requests, urgency, emotion, all the things that Rob said, that I've said. At the end of the day, what they are after and the way that they get it still comes down to the same playbook. It's just the delivery that's changed with the evolution of technology.

And that's really quite a good thing, because it ties back to those simple-but-not-easy principles to bear in mind. No matter how it comes to you, if you're aware of those red flags, we're in with a chance of preventing it, stopping it, slowing it down, tracking it.

Charlie: Let's talk about who's at risk here. Because as I was saying earlier, we often think of payments fraud as being a problem for consumers, because that's often the story we hear about in the press a lot. But, clearly, it's a massive problem for businesses. Rob, you know about this more than anyone, really. How big a problem is it for finance professionals? Can you give us a sense of the scale of this issue?

Robert: Look, I can't give you dollar figures or percentages. What I can tell you, Charlie, is every business will get hit. The scammers, the fraudsters, the thieves at the end of the day, which is what they are, they're not going to go for your multimillion-dollar payments. They may be bold and go for that, but they'll go for something that is not going to stick out, something that's going to just fit into the normal accounts payable run, because that's what they're looking to do, and they'll do it multiple times across multiple businesses.

One thing I wanna point out on this: we often think of these scammers as individuals sitting in a dark room with a hoodie over their heads, facing the screen, just banging away at a keyboard, trying to scam people all around the world. These are very well-organized businesses. These are actually funded, and they are there for the volume game. So in terms of the types of payments that they look to defraud, they are smaller payments. It's not gonna be your typical grocery or staff supplies type payments, but it'll be in the tens of thousands of dollars, or maybe in the hundreds of thousands of dollars, multiple times across multiple businesses.

As far as how big this is, what the scale is, my only answer to that, Charlie, is you've got to assume that every business at some point in time is going to face this. Whether they face it once or twice or more than that, it's really up to them to develop the awareness, to develop the training, to try and minimize the loss. One thing that we've learned across our group: it's not a question of will it happen to us. It's a question of when it happens to us, how quickly can we respond, how quickly can we minimize the loss. And so you've just gotta be ready the whole time.

Charlie: Who specifically within an organization is most at risk, Rob? I mean, is this a matter for CFOs? Is this really something for the finance team, the people making the payments? Is this something for everyone in the business? Who tends to get targeted?

Robert: Absolutely the finance team. So if you've got an accounts payable team, I'd put them up there as number one. They are the team that are loading payments into the accounting system, into the banking payments portal. They are the ones that ultimately put the details into the system and, in many cases, press pay. And then, of course, your financial controllers are always targeted. And then you've got your people in some sort of approval position, so those that are approving payments: your CFOs, your chief operating officers, partners in a firm. So it's really the finance team that is very well targeted, and then the people that sit above the finance team, those in authority.

Jenny: I just wanna come in with something else on what Rob said, if we think of the question, who's being targeted within an organization? And I do agree with Rob. Obviously, the first red flag that I talk about when we guard against social engineering is money, and if you work for a financial organization, almost everything that you do is gonna have money linked to it. But when we put an attacker hat on, when we look at things with an attack mindset, it's not that we go straight for that financial team necessarily, or decision makers, or anything else.

What you have to understand is that every person in an organization is a node on the network, right? They're a link in the chain. And very often, what me and my team would do in our simulated, ethical (just to emphasize) attacks is look at other people in the organization as routes in, often very subtly, so that it doesn't flag up straight away that we're speaking to the financial controller. They will be high-risk individuals, and any security program worth its salt will have them covered: they'll get enhanced training, and their accounts will be kept a very close eye on. So everyone associated with the company, even suppliers of things like the coffee and the cleaning, it's all part of that big network.

So everyone in a company is at risk, because everyone's a route towards the target, right? You've got this big Easter egg at the end, and, yes, we need someone with the authority to press go on payments at some point, but the routes in are multiple, varied, and complex, and I would not necessarily start with someone who I know will have had enhanced training and will be aware of what's normal in terms of money movement across a company.

So it's very important, when we look at this and when the audience is thinking about what to worry about, that you don't just think, oh, well, these are the people who've got immediate access to those payment processes. You have to think secretaries, suppliers, anyone connected with that company, because what we need to do is get onto that network. And if we can get onto that network through someone whose account isn't seen as so important, that's such a great way of doing it. If I can get in under the radar, I absolutely will.

Charlie: Thanks. And the reason they go to those sorts of lengths is because there can be a lot of money at stake. But beyond the immediate financial loss to a company, there are presumably some longer-term consequences as well. Rob, from your experience, what does it mean for a company when they are the victim of a scam of a meaningful size? Beyond the immediate loss, what kind of other second-order implications are there?

Robert: Look, Charlie, I can tell you it's horrible to have to work through. There's the financial loss for a start, and trying to figure out whether or not that hole can be plugged, and the impact that has on the financial position of the business. That's only the beginning. From there, you're talking to the banks. You're trying to shut down bank accounts. You're trying to put blocks on bank transfers. You've got lawyers involved, and this is when it starts to get really messy. You've got the lawyers interviewing people within the firm. It can become a criminal case as well, and so you've then got the police involved.

At times, and thankfully in a very limited number of situations a few years ago, which is where we've learned about this, we've had people down at police stations looking at CCTV, trying to identify faces on a camera to see who actually opened up the bank account into which the fraudulent monies were paid. Normally those people, unfortunately, have had nothing to do with the scam in the first place. They've been scammed themselves, and they're a part of the damage as well. You know, they end up being charged by the police. They end up having to go to court. Their relationships are impacted.

And then, coming back to the organization that suffered the financial loss, you've then got trust that has been damaged. The processes within that company are under scrutiny. The finance team is under scrutiny. It's just not a process, not an experience, that you wanna live through at all.

Charlie: Let's get into what we do about this, then. What do you think finance professionals need to do to prepare their departments to actually take on this new threat landscape? Robert, from your experiences, is there anything that you wish you had known in the first place to prevent those things from happening?

Robert: Sorry, I'll start with a very cliched answer: there's no silver bullet here. But I see the answer as being two parts. The first part is there are a number of tools you can implement immediately that help reduce the chances of something getting through. And the number one tool that everyone should be turning on as mandatory is multifactor authentication, right, where if somebody is trying to log into your account, you're getting an SMS, or an authenticator app has to be used as well to get into that account. And, hopefully, that separation and those approvals to get into your email account and onto your network stop people from getting in. It's not going to stop 100 percent of the intrusions, but it will stop a lot of them, especially the less sophisticated ones. So I'd say multifactor authentication, or MFA, is probably the first tool I'd look to be employing.

Training and awareness across your team is absolutely paramount, so I put that on par with multifactor authentication. Fraudsters will slip through. They'll manage to break into your network and impersonate through an email chain, change bank accounts, and they will have a go. And so it then comes back to your processes and the training and the awareness of your people. So you gotta make sure that your team is aware of this. And as Jenny said, it's gotta be the entire team, so training doesn't just go to the finance team. It goes across the whole team: making them aware of phishing exercises, running simulations across the business, and making the results known across the team, so people know, only after the fact, that a test email was sent, who clicked on it, who didn't, and what was done with it. That team awareness, that team training, and those simulations are absolutely critical.

And then lastly, I'll stop quickly: you really need to make sure that when you are paying somebody money, whether it's a supplier, whether it's a contractor, whether it's an investor, do all of your know-your-customer checks upfront. This is not about anti-money laundering. This is not about counterterrorism financing checks. This is about making sure you know who the person is that you're about to pay money to. And that's really important, because there will come a time when you think you're paying money to that person, and you will need to verify that it is the right counterparty that you're paying. And that's where your upfront KYC work really pays off, in some of those checks that you'll need to do down the track.

Charlie: Thanks. Jenny, I'd love to bring you in here. I'd like to get into what we can do about social engineering more broadly in a second, but I just wondered about some of these specific new threats, like deepfakes. Is there anything that we can do to combat those in particular? Because they can be so persuasive, right? And it could be video that's really persuasive. It might not just be voice. So what can we do about stuff like that?

Jenny: Well, I think the answer builds on what Rob says, really. I mean, one of the things I always say is you've gotta hand back the security to your team as well. So I always talk about having a security moment with every team meeting, at that line management level. Someone in the team's nominated to bring a security moment into that team meeting, just a minute. We used to do it with health and safety back in the olden days, and someone had to bring something in. So with security: did you read an article? Did you get a phishing email? Did you see a movie? Did you see something on the news? And they talk about that for just about a minute, right? And you do that in every meeting. And the reason to do that is that you've gotta put that back into the conversation, into people's mouths. So that's one of the things that I'd say on this.

In terms of spotting deepfakes and things like that, again, I'm gonna go back to it: you've got to say to people, it doesn't matter how this message is conveyed. It doesn't matter what the carrier of the approach is. It's what people are asking you to do that's the red flag. And with deepfakes particularly, I always think humor's a good thing to use. So show them the videos of politicians who hate each other endorsing each other. Show them some of the showbiz ones that are out there for entertainment purposes. And what I did with one team I was working with is we swapped people's faces in that team and put them on little clips and GIFs. So there was a guy who was the most shy guy in the world that you can ever imagine, and we put his face on gangster faces from movies, you know, for his team to see and just have a little laugh. It looks very harmless, but it means people get familiar with the idea that what you're seeing is not necessarily what you can believe.

So I would say the red flags are the red flags. I don't care how convincing the video is, how convincing the voice is at the end of the phone. Red flags are the red flags. People have to bring the security moment to you. Don't just give it to them, right? It's a two-way conversation. Did you see anything this week? Did you watch anything this week? It's those two things, along with good cyber hygiene and the kind of four-eyes principle: nothing happens without someone else checking what you're about to do. All of those things together is really what you can do for any social engineering attack, including deepfake videos.

Charlie: I mean, as you say, a lot of these scams just... oh, please go ahead.

Robert: I just wanted to jump in on a comment that Jenny's just made, which I 100 percent agree with. Nothing happens without someone else checking. That is such an important, let's call it a principle, within a finance team. If you can hold dear to that principle, it really will significantly reduce the risk of something happening. Whether it's another team member checking, or, you know, we've got a couple of system tools that we use to run checks. We use Eftsure, which we found to be a really good tool to run an independent check, so that if we do get hit with some sort of deepfake approach, whether it's a phone call or even video, it's an independently validated database that helps us run those checks. So that principle that Jenny's just highlighted, nothing happens without someone else checking, really will go a long way.

Jenny: Sorry, Charlie, but I was just gonna add one more thing, since we're speaking to senior people as well. You have to make a commitment, if you're a leader in your organization, and you have to do it publicly, actually, and say: I will never ask any of this team to go around our standard operating procedure. I commit to you now that no matter who it is, no matter how urgent it is, no matter what the circumstances, no matter how big the emergency, we will always stick to our processes. You will never hear me do it. And then they have to never do it. And if leaders and teams do that, when that fake video or call comes through, your people not only know that it can't be you, but it builds the trust within the company. Now and again that's gonna get violated, but that is how to build a strong sense of trust in the team. Leaders have to lead and say, this is urgent, but I'm not going around the normal procedure.

Charlie: That's really good advice. I mean, Jenny, you obviously spend your working life getting past companies' security processes, even when they've got really good best practice in place, so you really know how to get past people. From doing that, are there any other really valuable, perhaps slightly less obvious, tactics which you think organizations ought to deploy to safeguard against social engineering? More generally, I suppose, because we are saying that all of this stuff is really just souped-up social engineering. Is there anything that some of your clients could be doing that really would just stop you getting in, stop you influencing that person, stop you convincing them to make that payment, perhaps?

Jenny: Well, as Rob said, there's no silver bullets. It's not like there's one thing, and I think we've really gone over them: knowing those red flags, making sure people are bringing that security conversation to you and to the wider team, because then they're interested. I mean, security should be an interesting topic, so, ideally, we don't bore people to death with awareness training that doesn't fit the team. Some teams like the video, some teams like to listen to something, some teams like to read something, but it needs to be something that's kind of in-house.

The other thing I'd say is have a culture of challenging. Say to people, you're allowed to challenge. And what I've done with a lot of our clients for this is I've given them little cards that I've put together with management that give them the phrase that they say if they're suspicious, which is along the lines of: I'm sorry to stop this now, but we've had security training, and I'm under instruction to pause this transaction, pause this conversation, until some secondary checks are made. I promise you that we'll get back onto it and help you as soon as we can, but this is mandatory in this firm. It's things that people can actually read, so they don't have to think on their feet. Oh, god, what if this really is our most important client and I'm stopping something happening? What if it is the CFO and now I'm not doing what they say? So there's no silver bullet, but the things that are very effective to do are things that really don't cost that much and are more human, more cultural. And alongside the tech that reduces the number of times a human has to make that decision, that's really the most effective thing.

But the reason that it's not widely done is because it's really difficult to do, because it requires time and effort and focus and energy over time, and consistency, whereas other things seem to be easy: you can just put them in place and it's done. So like MFA: put it in place, it's mandatory, and that gives you a lot of protection. But the cultural element takes time and effort. And here's the thing: the business landscape, and not just the business landscape, the world we're in now, is this world, right? And what we have to do is use the lessons that we learn from becoming more secure as companies and businesses to grow as companies and organizations, because it makes us more agile. It makes our culture more fluid and communicative and safer. These are good lessons.

So instead of always being on the defense, it's about using these ideas and these principles to actually make the companies better and more agile. I really think that's an important point to take away.

Charlie: Thanks. And AI is obviously evolving really fast, and therefore so are the threat vectors for payments fraud. And as you say, they are all variations on a theme, but being aware that deepfakes exist can keep you attuned to the possibility that you're not talking to the person you think you're talking to. What's the best way to stay on top of developments in this space? I really like the thing you said earlier about people having a security moment in every meeting, because that's one way of saying, well, I've read about this, you should be aware of that. Is there anything else, just to make sure that in busy companies, where people are doing a hundred different things and this is not front of mind, you're not gonna let little things slip through the net and you really stay abreast of key developments? Is there anything that you guys would recommend? Rob, do you wanna come in on that?

Robert: Yeah, sure. It comes down to training, keeping in touch with your advisers, and having a trusted firm who will work with you on reviewing your network setup and your network security, and just sharing that across the firm. I always just bring it back to awareness, and that applies to everyone in the firm.

Charlie: And finally, I think we're almost at the end of the session, so just to wrap up, I wanted to have your reflections on something that I've encountered since covering the payment space myself, which is that there often seems to be this disconnect: everyone's aware these scams are out there, and they read the headlines, but sometimes when you talk to business people in practice, they say, well, the thing is, I'm unlikely to be a target because I'm just not important enough, my company is just not big enough. Or the flip side of that is, these scammers are so sophisticated, I suspect if they really wanted to get to me, they could. So there's this kind of fatalistic thing. Or simply, there are budget constraints: we haven't got the resources to really mount serious defenses against this stuff. I'd love to have both of you reflect on that kind of attitude, what you make of it, and what you would counsel somebody who is talking like that.

Robert: Yeah, why don't I jump in on that one, Charlie. It does not cost a lot to build an awareness culture. It involves talking to your team and being aware of the latest developments. It doesn't mean you need to invest thousands into technology. Some of the simple tools that we've mentioned here today, like MFA, like Eftsure, they are very cheap, and I would even suggest that any business should be able to afford them. The cost of these small tech tools is so much less than the cost of losing money to fraud. That would cost you a lot more.

So there really is no reason to not embark on a journey of improving your security environment, whether that's the small add-on tools along the way, or training your team, becoming more aware, and just investing in getting to know your customers, your suppliers, the people that you're paying money to. I don't think protecting yourself is out of reach of anybody, no matter what the size of your business is, no matter how sophisticated, high profile, or low profile you may be.

Charlie: And, Jenny, how do you motivate your clients to really grip this?

Jenny: So this idea of, oh, I'm not important enough, or the company's not big enough, is not something that you can run with anymore, right? Everyone's worth hacking. Everyone's a step on the ladder, a link in the chain, a node on the network. So, first of all, forget that: everyone is worth hacking. And what Rob said is absolutely true as well: you can get so many resources which are very good value for money and are so much cheaper than being hacked, because at the very least it's inconvenience, and at worst it's the end of business as you know it. The reputation, the cost, the hassle, all of it.

But the other thing I hear is when people say, it's so sophisticated that I sort of feel like there's no point in me even trying. And to me, that's like, you do not pre-surrender to criminals, right? It might be true, and Rob said it as well, that at some point most or all businesses will suffer from a breach, an attack, a hack. But don't give up before that happens. Don't pre-surrender to the bad guys. Do what you can. Put things in place, right? Cultivate a culture that's aware of this. Be ready, so that you know where your assets are, and you know what you do in the situation. Run that kind of fire drill, run that emergency drill, so that when it does happen, people know what they're gonna do. They expect it. This is something that happens. It happens, but don't give up before it does. Don't make it easy. Make yourself the most difficult target that you can be. Get ready for when the worst happens, and then get on with your business, as opposed to giving in to bullies and criminals before they've even hit you. And that needs to come from leadership, and it needs to be instilled over and over again into people.

And within the culture, you can't take a fatalistic attitude to it, right? It almost has to be: look, it's gonna happen, so what do we do when it happens? Try and introduce some levity into that situation, so that people don't get fatigued and give up altogether, because that's not what we should be encouraging, and that's not what the firms who cope best with being attacked do.

Charlie: I think that's a great way to approach it. I'd love to carry on talking about this, I think it's such an interesting topic, but sadly, that's all the time we've got today, so we'll have to wrap it up there. It's been a really fascinating discussion, and it'll be really interesting to see how this space continues to develop and how people continue to counter these threats. Jenny, Rob, thank you very much for being here today, for joining us, and for sharing your expertise and experience. And to everyone who has tuned in, thank you for being here with us, and we'll see you next time.

Jenny and Robert: Thank you.
