Business Companion – free and impartial legal guidance for business
Business Companion provides free and impartial legal guidance for businesses and individuals that need to know about trading standards and consumer protection legislation. Key topics and business activities include fair trading law, product safety, underaged sales, food standards and safety, animal health & welfare and weights & measures.
Consumer Rights Act 2015 – information for businesses
Cyber-crime advice for business
Businesses, like consumers, are the targets of cyber-crime, and small and medium-sized businesses are often targeted. The Federation of Small Businesses estimates that small businesses lose £800m each year to cyber-crime.
Follow this advice to help you protect your business.
Common business-related cyber-crime scams that businesses need to ensure their employees are aware of:
Advertising Scams. A business receives an email with an invoice for advertising. The email is similar to those sent by the business’s genuine advertisers and is mistakenly paid, the business believing that it was for a repeat advert. In reality, the email is bogus and has been sent by a criminal gang. Either the money simply disappears or an advert is placed in a magazine that has no circulation and is therefore worthless.
Business Invoice Virus. A business receives an email that appears to come from another legitimate trader, requesting payment dates for ‘invoices’ attached to the email. However, these attachments contain viruses designed to steal personal and financial information if they are opened.
Business Rates Scam. A business receives an email from someone claiming they can appeal their business rate rise and achieve a large reduction. Many of these ‘rate reduction’ firms target businesses when their rates are re-valued and new rates applied (once every five years). Some charge fees of around £500 and may be making claims that cannot be substantiated.
Data Update Scams. Businesses receive official looking email requests for them to ‘update’ or ‘verify’ company data, often on a website directory. In reality, the business is not required to do anything and responding could lead them to unwittingly agreeing to a monthly registration fee.
Business Phishing Scams. Businesses receive bogus emails, often claiming to have been sent by HMRC or similar, asking them to follow a link on the email to complete tax return information etc. In reality, the link takes the business to a bogus website infected with viruses designed to steal personal and financial information. Many of these viruses may also contain ransomware, designed to lock a business out of their computer system until a ransom is paid.
DDoS Attacks. DDoS (distributed denial of service) attacks happen when a business’s website is maliciously bombarded with requests from infected computers (without the computer owners’ knowledge), generating so much traffic that the website slows down until it becomes unusable, disrupting the business’s on-line trade. These attacks are coordinated by hackers or criminal gangs. Often, the criminal will contact the business first and demand money, threatening an attack if the business does not pay up.
Basic Cyber-Crime Advice
These are simple tips that all businesses can follow to protect themselves.
- Train employees in security principles. Establish basic security practices and policies for employees, such as requiring strong passwords and not opening or downloading attachments in unusual/unexpected emails or following links they may contain. Establish appropriate Internet use guidelines. Establish rules of behaviour describing how to handle and protect customer information and other vital data. Ensure staff can recognise the latest cyber-crime related frauds/scams and know how to deal with them.
- Protect information, computers, and networks from cyber-attacks. Use the latest security software, web browser, and operating system and keep these up to date. Install other key software updates as soon as they are available. Carry out regular scans.
- Provide firewall security for your Internet connection. Make sure the operating system’s firewall (or that supplied with your security software) is enabled.
- Create a mobile device action plan. Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.
- Make backup copies of important business data and information. Regularly backup the data on all computers. Backup data automatically if possible, or at least weekly and store the copies either offsite or in the cloud.
- Control physical access to your computers and create user accounts for each employee. Prevent access or use of business computers by unauthorized individuals. Administrative privileges should only be given to trusted IT staff and key personnel.
- Secure your Wi-Fi networks. If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router.
- Employ best practices on payment cards. Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet.
- Limit employee access to data and information, and limit authority to install software. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.
- Passwords and authentication. Require employees to use unique passwords and change passwords every three months. Consider implementing multifactor authentication.
More information for businesses
Cyber Aware This UK Government website and campaign has collected together a wealth of links to websites with information, advice and support for businesses and consumers wishing to protect themselves in cyberspace.
Businesses may wish to consider becoming Cyber Essentials adopters. Cyber Essentials is a new Government-backed and industry supported scheme to guide businesses in protecting themselves against cyber threats. Businesses can seek to attain a Cyber Essential badge or simply to self-assess and apply the controls required.
Get Safe Online This website is a unique resource providing practical advice on how to protect yourself, your computers and mobile devices and your business against fraud, identity theft, viruses and many other problems encountered on-line. It contains guidance on many other related subjects too – including performing backups and how to avoid theft or loss of your computer, smartphone or tablet. Every conceivable topic is included on the site – including safe online shopping, gaming and dating – so now you really can stay safe with everything you do online.
Action Fraud is the UK’s national reporting centre for fraud and internet crime where you should report fraud if you have been scammed, defrauded or experienced cyber crime. The website and hotline provide a central point of contact for information about fraud and financially motivated internet crime. To report a fraud, contact Action Fraud or phone 0300 123 2040.
Advice for website developers creating websites for small businesses
A recent survey of e-commerce websites, operated by Warwickshire companies, found many offences being committed, because many web sites lacked key information.
The information on this webpage is designed to help developers of business web pages create e-commerce websites that comply with Trading Standards laws. There is also some additional information on how web developers can work with businesses to create bespoke terms and conditions.
Some of the e-commerce websites surveyed were also failing to encrypt personal details and payment information. Sensitive information (including credit card numbers, user names and passwords) should always be sent over an encrypted connection, which requires an SSL certificate.
SSL (Secure Sockets Layer; its successor, TLS, is what modern websites actually use, although the term ‘SSL certificate’ has stuck) creates an encrypted connection between a web server and a web browser, allowing private information to be transmitted securely between trader and consumer.
Computer-savvy consumers won’t share their information, and certainly won’t attempt to buy anything from a website that is not secured with an SSL certificate. Therefore, it is in the interest of businesses to ensure that their websites are secure.
A more secure internet is good for business and consumers. Many paid-for web hosting companies offer SSL certificates as part of their service, but if you are developing a website on a free platform, you may not be offered encryption. There are, however, organisations that offer free SSL certificates.
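Installing a certificate is only half the job: it has to be issued for the site’s actual hostname and it expires, so a developer should check both before handing the site over and again before renewal dates. The script below is an added example, not material from the Business Companion page or from any of the organisations it mentions. It uses only the Python standard library; the certificate dictionary it works on is a constructed sample in the shape that ssl’s getpeercert() returns, and all hostnames in it are placeholders.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape that ssl.SSLSocket.getpeercert() returns.
# It is not a real certificate; the hostnames are placeholders.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.test"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "subjectAltName": (("DNS", "shop.example.test"), ("DNS", "*.example.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2025 GMT",
}


def utc_date(year, month, day):
    """Midnight UTC on the given date (used as the 'now' for the checks)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def hostname_matches(cert, hostname):
    """True if hostname is covered by the certificate's DNS subjectAltName
    entries (falling back to commonName only when there are no SANs).
    A wildcard covers exactly one label, as browsers require."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for kind, value in rdn if kind == "commonName"]
    host_labels = hostname.lower().strip(".").split(".")
    for name in names:
        labels = name.lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*":
            # "*.example.test" matches "www.example.test" but not "example.test"
            # or "a.b.example.test"; bare "*.tld" wildcards are refused.
            if len(labels) > 2 and labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def days_until_expiry(cert, now):
    """Whole days left before notAfter; negative once the certificate has expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                     tz=timezone.utc)
    return (expires - now).days


def assess_certificate(cert, hostname, now, warn_days=14):
    """Return a list of problems; an empty list means the certificate is usable for hostname."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(f"certificate is not issued for {hostname}")
    days = days_until_expiry(cert, now)
    if days < 0:
        problems.append("certificate has expired")
    elif days < warn_days:
        problems.append(f"certificate expires in {days} days; renew it now")
    return problems


def check_live_site(hostname, port=443, timeout=5.0):
    """Network part (not exercised offline): connect with chain and hostname
    verification on, refuse anything older than TLS 1.2, then run the checks
    above on the certificate the server actually presents."""
    context = ssl.create_default_context()          # verifies chain and hostname
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            problems = assess_certificate(cert, hostname, datetime.now(timezone.utc))
            return tls.version(), problems


if __name__ == "__main__":
    when = utc_date(2025, 3, 1)
    for host in ("shop.example.test", "www.example.test", "shop.other.test"):
        print(host, assess_certificate(SAMPLE_CERT, host, when))
```

Run on the sample, the first two placeholder hostnames pass and the third is reported as not covered by the certificate. Against a real site, check_live_site() also fails the handshake outright if the certificate is not trusted or does not match the hostname, which is exactly what a visitor’s browser would do.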
Advice on Trading Standards law, including terms and conditions
Trading Standards laws relating to business information and e-commerce require that certain information appear on a business website.
All businesses, whether or not they use their website to sell goods, must provide the following on their homepage, ‘about us’ page or ‘contact us’ page:
1. the true trading name of the business
2. the full geographic address at which the trader is established
3. the company’s registration number
4. the part of the United Kingdom in which the company is registered (e.g. England & Wales)
5. the company’s registered office address.
If the business is using the website to sell goods or services, there are additional requirements.
The website must also provide:
• An easily accessible telephone number for consumer complaints or enquiries and an active email address
• A complaint-handling policy that should appear in a prominent place
• The name and address of the Alternative Dispute Resolution (ADR) entity or EU listed body (where the trader is compelled to use an EU approved ADR). Otherwise a link to the Online Dispute Resolution (ODR) platform on their website: (http://ec.europa.eu/odr)
• An accurate description of the main characteristics of the goods
• The total price of the goods, including VAT, where applicable and any additional costs, for example gift wrapping
• The cost of delivery or how it can be calculated
• A VAT number (where applicable)
Immediately prior to confirming the order, the website must show the buyer a clear “Order Summary” page, which contains as a minimum, the following:
1) A clear description of the main features of the products or services being purchased.
2) The total price of the products or services (inclusive of applicable taxes e.g. VAT).
3) A clear breakdown of any delivery charges or any other charges (where applicable).
Before the final ‘buy it’ button is pressed, the website must also make it clear to the consumer that they are submitting their order and undertaking an obligation to pay for it.
The website must also state that the consumer has a cancellation period (“cooling-off” period) of 14 days, starting the day after the goods come into the consumer’s physical possession (unless the goods are exempt), including a refund of basic delivery costs.
If the trader states in its terms and conditions that it is the consumer’s responsibility to return the items, reimbursement must be made to the consumer within 14 days after the day the goods are received by the trader, or the day on which the consumer supplies evidence of having sent the goods back.
For no-fault returns, if the trader wishes the consumer to bear the cost of returning the goods, this should be made clear in the terms and conditions on the website. The trader must provide a returns address.
Further guidance on terms and conditions
Unfortunately, when it comes to terms and conditions, there isn’t a one-size-fits-all list. Terms and conditions need to be written specifically for the business you are creating the website for.
Therefore, it isn’t advisable to simply copy and paste the terms and conditions on one website, over to another.
A business’ terms and conditions should set out clearly what should happen in any given situation. They should include:
• A clear definition of what products or services will be provided
• The payment terms – when payment is due
• Any guarantees or warranties offered
• Timelines for delivery and any queries
• Specifying what happens if either party doesn’t deliver or pay, or wants to end the relationship
• The term of the agreement and what notice is required to get out of it
• Which law shall govern the contract
Terms and conditions must also be fair. The Consumer Rights Act 2015 aims to protect consumers against unfair contract terms and notices.
Before producing any terms and conditions for a business’s website, you should read the advice provided by the Competition and Markets Authority on writing fair contracts.
This fair contract terms quiz may also assist you when developing web pages for businesses:
• Fair terms for your customers: an introduction for businesses
• Common myths about contract terms
• Top tips when writing your contract terms
These at-a-glance guides (above) provide an overview of some of the main things you need to know to help you recognise what to avoid, when writing your terms.