In our new feature, ‘Talk of the Town: Cyber Insiders’ which we first teased last week, we spoke to Conservatory Florist – a flower shop in Ripley, Derbyshire – who became victims of an audacious cybercrime. Read their case study here…

In this new feature, we speak to small businesses - usually situated on the high street or in town centres - who have fallen victim to cybercrime. Most businesses are aware that cybercrime exists, but they might think that because they’re a small business, it won’t ever affect them. This feature lifts the lid on the murky world of cybercrime and tells how it very much does impact small businesses in the form of case studies.

Take Conservatory Florist, a small, pretty flower shop in Ripley, Derbyshire. They have been trading for 12 years, and there’s been a flower shop in that spot for over 66 years.

Serving the local townsfolk with their floral needs – and also delivering to the surrounding areas with online orders – they would have never expected to be on the receiving end of a plot to steal a substantial amount of money from them.

EMCRC Comms Lead Phil Viles went along to speak to the business owner, Ian Woodcock (pictured above), about their online ordeal...

So tell us what happened…

"So about 7 or 8 years ago we experienced a form of cybercrime. We kept getting locked out of our business account with my bank, and the website kept asking is to refill all our criteria because an error had occurred - so that was our long unique password, the bank account number and the sort code, which we submitted and it all failed. So we thought we had probably put a digit in wrong so decided to do it again a few times."

But all was not well… 

"It turned out that a company had actually cloned the log on page of my bank, and that took the money out of our account. It took about £7,800, a lot for a small business like ours. Eventually (via the bank) we got to understand how this money went all over Europe, from Chechnya, to Croatia, all over the place, and my bank actually couldn't find where it had gone.

"Now, because we had used my bank's banking log-on application on the system to detect irregularities, we were actually insured through the bank so eventually we got our money back. It took about six or seven days and it had virtually travelled around the world, but we got it back."

So clever!

"The fraudsters had cloned my bank's website to create this fake page. It was so cleverly done that I thought it was the official bank's page when I went to access my banking on my mainframe computer. It was so clever how they (the fraudsters) did it. It was 100% the same as my bank's. There was no difference in colour, the fonts were the same and the pictures were the same, and it was so swift...it's made us really cautious ever since as to how we operate our banking procedures.

"These days I log on via an Apple phone, because they are supposed to have more security than any other phone, so rather than go to the main website and go onto the desktop - because the desktop might not be as secure as you think it is because you've got lots of other things running in the background. It could have been catastrophic. The bank may not have given us the money back; we could have lost it, and you can get very easily conned because you don't realise it’s cloned because they’re so clever how they do it."

So where the police involved?

"We didn't contact the police; we left that to the bank - we thought it would be a good idea for the bank to follow through and in fact the bank said it happens quite a lot! They sent us new banking details and our account has never been a problem since, but we’re very, very dubious now."

Has it made you, as a business, more aware of how cybercrime can impact a small business? And if you had a message to a similar-sized business, what would it be?

"It’s made us very aware! I’d say be bold, take out better security; consider a virus interceptor on your computer, use a specialist IT company to do your IT, and be careful even down to the credit card machines that you use.

"We found with credit cards that if you don't take the postcode from a person you're getting the order from over the phone, the card isn't valid! We had a case when we didn't take the postcode from a guy that wanted to order some roses. He wanted £300 worth! We did the order for him and he actually collected the flowers, but the card wasn't his, it was fraudulent, and the bank didn't cover us on that occasion. The bank actually said, 'because you haven't done your due diligence - you haven't taken the postcode of where the debit card/credit card has been issued to - we can't pay out that money'. So when somebody rings through with an order now, we have to check the postcode and then we'll go through all the checks of the card and make sure everything is all right - and if it's registered to that address – then we can process the order. If it comes up as not being registered to that address, we don't process the order."

So you have a security checklist almost?

"Yes, absolutely!"

So, when did you realise you had been the victim of fraud? 

"We logged onto the banking app to find out what money was coming in and out overnight  - as we always do to pay bills or to make monthly IntaFlora payments etc. It was then that we realised there was this amount of money that was missing. We didn't even know the person it had gone to, and anything over £5,000 we’d be suspicious – and this was almost £8,000!"

We’d like to thank Ian for his time and for sharing his story. By publishing case studies such as this, it's hoped that more similar-sized businesses read it and take note and understand that you don’t have to be one of the big players to be on the wrong end of cybercrime.

In fact, more than 40% of small businesses fell victim to a cyberattack last year, and a lot of those businesses don't have a big IT team or a financial cushion to deal with an attack, and these attacks are on the rise.

We offer advice and guidance via information packs and a community membership for small businesses which is free to download via our website. It’s hoped that with the information we can provide, businesses can better protect themselves against the prevalent risks and threats. Don’t ever think you’re too small: size doesn’t matter to criminals.

You can order flowers from Conservatory Florist via their website, and check out their Facebook page, their Instagram account and their X account.

Further reading

Read more about website cloning in our recent blog: Clone wars: website cloning, and what you should know

Picture gallery

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).