Recent fraud studies highlight the effect COVID-19 has had on the types and frequency of fraud risks facing businesses and individuals. The December 2020 edition of the Association of Certified Fraud Examiners (ACFE) “Fraud in the Wake of COVID-19: Benchmarking Report” reports that the top fraud schemes currently observed or expected over the next twelve months due to COVID-19 are:
- Cyber fraud (business email compromise, hacking, ransomware and malware);
- Unemployment fraud;
- Payment fraud;
- Fraud by vendors and sellers;
- Healthcare fraud; and
- Identity theft.
Other fraud risks specifically considered in this study include: employee embezzlement, financial statement fraud, bribery and corruption, insurance fraud, loan and bank fraud, and bankruptcy fraud. All have seen upticks in prevalence and are also expected to rise over the next twelve months.
With no clear end in sight, cyber fraud risk and exposure continue to be the most heightened risk for organizations. Initially, most businesses expected the shutdown to last a couple of weeks. Ten months later, many employees are still working from home. Unfortunately, most businesses did not have adequate crisis plans in place.
According to Reed Smith, scams increased by 400% in March 2020, making COVID-19 the largest-ever security threat.
Remote work has become the new “norm” for many individuals, leaving IT departments pulled in a million different directions and stretched thin. This may lead to weakened controls, such as reduced network monitoring, access being allowed to programs that were previously restricted, or failure to update systems with new security patches.
The majority of all purchases are now made on the internet. Purchases made on an unsecured WiFi connection put your company credit card at risk. In addition, employees working on unsecured WiFi or WiFi mobile connections may expose the company’s network.
Distractions at home have made employees a leading target for email phishing attacks. In an email phishing attack, the attacker spoofs the sender’s email address. It is important to remind your employees never to click on a link in an unsolicited email. Hover over the email address to ensure the sender’s email is from the correct company (e.g. emails from a government source end in .gov). Never reply to the email to ask whether it is legitimate. If you respond, you are simply replying to the hacker. Rather, call the sender or create a new email and enter their contact name from your address book.
Spear phishing emails are highly targeted. They are malicious emails that appear to be from a trusted source. A common example is an email sent to accounting, purporting to be from the CEO or another high-ranking executive, requesting an immediate transfer of funds. The email indicates that the sender is in a meeting and unable to speak by phone. It’s important to be wary of any communication that focuses on urgency, as this is a common tactic of hackers.
What you can do
Companies should take precautionary measures to protect against fraud. Key best practices you can prioritize may include:
- Assess your crisis plans and reevaluate as necessary.
- Conduct a risk assessment and re-evaluate budgets relating to cybersecurity and technology.
- Train employees on awareness of fraud schemes (e.g. phishing attacks), secured connections, not sharing passwords, shutting down the computer to avoid sharing confidential information, and much more.
We can help you be prepared. Contact our team or your Mueller Prost specialist directly.