insight magazine

Fraud Is the New Normal

Fraudsters are taking advantage of the upheaval and anxiety of the COVID-19 crisis—here’s how to protect yourself and your organization.

By Carolyn Kmet | Fall 2020


In the age of COVID-19, fear, desperation, and uncertainty are fueling fraud in every sector—public, private, and government—and anyone can be a victim. According to the Federal Trade Commission, Americans have lost more than $77 million in COVID-19-related fraud. Just within the past six months, there have been several highly visible hacks: In April, hackers infiltrated the U.S. Small Business Administration, gaining access to the personal information associated with nearly 8,000 Paycheck Protection Program applicants, including Social Security numbers, addresses, and phone numbers. In June, hackers used malware to extort $1.14 million from the University of California, San Francisco. And in July, hackers hijacked the Twitter accounts of Barack Obama, Joe Biden, Bill Gates, Elon Musk, and other prominent figures, leveraging their followers to net almost $116,000 in bitcoin.

“When there is a major change in business like the current pandemic, typically we see an increase in external frauds being reported,” observes Illinois CPA Society member Sean Kruskol, a principal at Cornerstone Research, an international economic and financial consulting firm. “Recent reports of layoffs and furloughs across multiple industries have led to a rise in the number of unemployed—and potentially disgruntled—individuals, as well as frustrated employees, who may now have the motive and time to commit fraud.”

Fraud in the Workplace

The fraud triangle, a model created by criminologist Donald Cressey in the 1950s, remains relevant today. The triangle explores the circumstances that motivate fraud: opportunity, pressure, and rationalization. Cressey believed that for fraud to occur, all three elements must be present.

“When we look at the fraud triangle, the current pandemic exacerbates two of the three sides: pressure and opportunity,” Kruskol says. “The perceived pressures and opportunities to commit fraud are encountered on a daily—if not hourly—basis.”

The financial pressures on organizations and individuals due to COVID-19’s economic impacts have become crushing. Unemployment and unrest have seen historic highs. Cash flows have slowed to a trickle. The pace of business has turned to a limp. Established, dependable processes have been completely upended. With no visible end to our current uncertainty, many business owners are desperately struggling to make ends meet. This pressure builds and builds, and eventually engulfs the business’ suppliers, employees, and partners, continuing the cycle.

Today’s environment also exponentially increases the opportunities for fraud. Given the almost instantaneous abolishment of standard operating procedures, businesses are scrambling to rebuild internal checks and balances in a remote environment. A dispersed workforce and the absence of centralized oversight combined undoubtedly create an environment ripe for fraud.

“With more remote work arrangements and fewer face-to-face interactions, the lack of human interaction could lead certain individuals to feel more anonymous. With an increased level of anonymity comes an increased perception that they will not be caught,” Kruskol explains. “Some people need routine to hold them accountable. Some people need other people to hold them accountable. The current pandemic has altered those systems of accountability.”

The combined presence of opportunity and extreme pressure can lead to rationalization, the third element in Cressey’s fraud triangle. Justifying fraudulent activity in today’s environment comes easy: I need to provide for my family; I’ll pay it back later. Or: I pay taxes every year, and I just need to pay my bills. I deserve the help.

Unfortunately, regardless of the urgency of need or the intent, fraud is still fraud. “It may be harder for employees to resist the temptation to sell confidential information or access to internal systems, particularly if the pandemic has reduced their household income or the future of their position is in doubt,” observes Stephen Cobb, an independent security and risk management researcher. “Ironically, employees may have greater system access in order to work at home during the pandemic, and home is an environment where norms of behavior may be less of a deterrent to criminal activity.”

Victims of Fear

Fear of the unknown operates as both motivation and hook, driving people not only to commit fraud but also to be more susceptible to fraud themselves.

“Fraud thrives on the effects that a disruptive phenomenon like a pandemic can produce: urgent need, suffering, fear, economic stress, resource diversion, and regulatory distraction,” Cobb notes.

Cobb has seen increased incidences of fraud during other times of disruption, such as wars, terror campaigns, and recessions. “The financial pressures of the Great Recession led some people, who in less stressful times would know better, to fall for get-rich-quick schemes,” he says.

Today, those get-rich-quick messages might be replaced with miracle COVID-19 cures or free antibody tests. By playing to people’s fears, scammers are able to pocket some cash or obtain personally identifiable information, such as names, birth dates, and Social Security numbers. Personal information can then be used for further defrauding: This July, the FBI reported a spike in fraudulent unemployment insurance claims involving the use of stolen information.

“The pandemic is creating uncertainty, and uncertainty is fertile ground for fraud,” says Aviram Jenik, CEO at Beyond Security, a global provider of network and application security solutions. “What outrageous or unbelievable things have we heard in the last six months that ended up being true? Each time that happens, we gradually condition our brains to accept outrageous claims as possible truths, which makes it easier to fall for fraud.”

Businesses are no less susceptible to these hoaxes. The pandemic has forced many businesses to change their focus from excellence to survival. For example, the rapid breakdown of supply chains triggered widespread shortages across multiple industries and regions. As businesses scrambled to identify new suppliers, corners were cut and acceptable standards lowered in favor of a quick solution. Many companies placed orders for masks and other personal protective equipment from unknown suppliers that either sent defective products or pocketed the money and sent nothing at all.

Supply chains aren’t the only system that’s suffered under COVID-19. Workflows and internal controls have also been compromised.

“Companies have been forced to recreate entire business processes and related workflows. When the pandemic hit, some organizations were prepared for a virtual working environment. Others were thrown into it without careful transition of the internal controls that once protected these business processes,” Kruskol explains. “For example, signatures for the review and approval of account reconciliation may be electronic now. Unless a verifiable and secure control is in place for signoffs, the risk of forgery via copying and pasting an electronic signature is increased.”
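One way to make an electronic signoff verifiable, shown as an added example that is not part of the original article: the approval is a keyed tag computed over the approver, the timestamp, and a hash of the reconciliation itself, so a signoff copied onto a different or altered document fails verification. The approver ID, key store, and record layout are assumptions, and HMAC from the Python standard library stands in for whatever signing service an organization actually uses.

```python
import hashlib
import hmac
import json

# Constructed demo key store (hypothetical approver ID). In practice each
# approver's key lives in a signing service or HSM, never in source code.
APPROVER_KEYS = {"controller-01": b"constructed-demo-key-not-for-production"}

SIGNED_FIELDS = ("approver", "doc_sha256", "approved_at")


def _tag(key: bytes, fields: dict) -> str:
    # Canonical JSON so signer and verifier hash identical bytes.
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_off(approver: str, document: bytes, approved_at: str) -> dict:
    """Create an approval record bound to the exact document contents."""
    record = {
        "approver": approver,
        "doc_sha256": hashlib.sha256(document).hexdigest(),
        "approved_at": approved_at,
    }
    record["tag"] = _tag(APPROVER_KEYS[approver], record)
    return record


def verify_sign_off(record: dict, document: bytes) -> bool:
    """Accept only if the tag is valid AND covers this document."""
    key = APPROVER_KEYS.get(record.get("approver"))
    if key is None:
        return False
    fields = {name: record.get(name) for name in SIGNED_FIELDS}
    if fields["doc_sha256"] != hashlib.sha256(document).hexdigest():
        return False  # signoff belongs to different contents
    return hmac.compare_digest(_tag(key, fields), str(record.get("tag", "")))


# Constructed sample reconciliations.
RECON_Q3 = b"account=1010;ledger=125000.00;bank=125000.00;diff=0.00"
RECON_ALTERED = b"account=1010;ledger=125000.00;bank=98000.00;diff=27000.00"

if __name__ == "__main__":
    approval = sign_off("controller-01", RECON_Q3, "2020-09-30T17:00:00Z")
    print("original verifies:", verify_sign_off(approval, RECON_Q3))
    print("pasted onto altered doc:", verify_sign_off(approval, RECON_ALTERED))
```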

Fraud Inside and Out

Clearly, in this environment both internal and external fraud are rampant. Perpetrators of internal fraud can be low on the totem pole or high in the C-suite, including employees, managers, officers, and owners of the company. Jenik says that today’s remote work environment only exacerbates the potential for fraud. “We have six-figure financial transactions that need to be done from home, where the CFO handling the transaction is unable to walk over to the relevant manager to confirm the transfer face-to-face,” Jenik explains.

In other situations, internal employees might submit false or inflated invoices, issue payment for fictitious goods or services, or contract with shell companies. Expense reports with claims for personal purchases can be tampered with.

Jenik advises companies to revise their policies and update their protection strategies under the assumption that the current situation is permanent, or that it will at least last for many more months. “This means putting in place additional channels for verification to replace the foolproof face-to-face conversation,” Jenik says. He suggests that email requests should be confirmed by another communication method like chat or phone call; any critical process should have additional authentication and verification steps; and all information should be considered in-question until proven.

Financial pressure or uncertainty can also drive employees to falsify timecard data and alter the number of hours worked. Data can be used to detect these situations as well. Running a simple trend report to spot spikes in hours worked or pay received would help identify employees who might be taking advantage of the system.
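A trend report of the kind described above, as an added example that is not part of the original article: each employee's week is compared with that employee's own recent baseline (median and median absolute deviation of the prior six weeks), and weeks far above it are flagged for review. The employee IDs, hours, window length, and threshold are constructed assumptions; a flag is a prompt to look at the timecard, not a finding of fraud.

```python
from statistics import median

# Constructed sample: weekly hours per employee (hypothetical IDs), oldest first.
TIMECARDS = {
    "E100": [40, 41, 39, 40, 40, 42, 40, 41],   # steady full-time
    "E200": [38, 40, 39, 40, 41, 40, 58, 61],   # sudden jump in last two weeks
    "E300": [20, 22, 21, 20, 19, 21, 20, 22],   # steady part-time
    "E400": [40, 40, 40, 40, 40, 40, 40, 46],   # perfectly flat, then a bump
}


def flag_spikes(hours, baseline_weeks=6, threshold=3.5, min_mad=1.0):
    """Return (week_index, hours, score) for weeks well above the baseline.

    The score is a robust z-score: 0.6745 * (value - median) / MAD. The
    median-based baseline is not dragged upward by one or two inflated
    weeks, and min_mad keeps a perfectly flat history (MAD of zero) from
    turning every small change into an alert.
    """
    flags = []
    for i in range(baseline_weeks, len(hours)):
        window = hours[i - baseline_weeks:i]
        base = median(window)
        mad = max(median([abs(h - base) for h in window]), min_mad)
        score = 0.6745 * (hours[i] - base) / mad
        if score > threshold:  # only upward spikes matter for overclaiming
            flags.append((i, hours[i], round(score, 1)))
    return flags


def trend_report(timecards):
    """Map each employee with at least one flagged week to their flags."""
    report = {}
    for employee, hours in timecards.items():
        flags = flag_spikes(hours)
        if flags:
            report[employee] = flags
    return report


if __name__ == "__main__":
    for employee, flags in trend_report(TIMECARDS).items():
        for week, hours, score in flags:
            print(f"{employee}: week {week} logged {hours}h (score {score})")
```

The same function works on gross pay per period instead of hours; only the input series changes.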

Companies are also vulnerable to fraud instigated by external players. With less effective monitoring in place, and cybersecurity diffused across home offices and personal devices, hackers have more opportunities to gain access to corporate networks.

“Companies need increased cybersecurity vigilance in order to combat the many new opportunities hackers might take advantage of thanks to remote work,” says Darren Deslatte, vulnerability operations leader at Entrust Solutions. “Telework increases the number of possible endpoint devices, such as laptops or routers, that cybercriminals can use as entry points into an enterprise’s network. In addition, many employees do not have the same cybersecurity measures set up in their homes as their company may have implemented at their office.”

Deslatte urges companies to ensure that all employees, regardless of whether they work in IT or not, are trained in basic cybersecurity methods. “These staff trainings should include how to encrypt Wi-Fi routers, how to identify and report phishing scams, and how to create strong, unique passwords for all accounts,” Deslatte advises.

Phishing scams have also intensified as of late, with Google reporting more than 18 million daily malware and phishing emails related to COVID-19 over the course of a single week.

“In many cases, scammers will pose as someone you trust, whether that be a family member, your bank, a government official, or a company you purchase products or services from,” explains Todd Kartchner, an attorney and director of business litigation with law firm Fennemore Craig PC. “And while each category of fraud presents its own unique challenges, in nearly every instance fraudsters are seeking either money or personal information. You should automatically be on your guard when asked for either one.”

Kartchner advises that anyone receiving a strange or unexpected request from someone they know should contact that person directly through another channel to verify the request. “If you’re feeling pressured to make a decision in a hurry, that’s also a red flag. Scammers want to pressure you into acting quickly. If you’re feeling pressured, slow things down,” Kartchner says. “Look the company up online to see what you learn. If nothing else, talk to a friend or family member to gain their perspective. The more time you take to think something through, the more likely it is that you’ll be able to spot problems with what you’re being told.”

Both internal and external fraud are fueled by fear, and so it behooves businesses to assuage employee fear through open communication channels and clear strategies. “The tone at the top during these trying times is key,” Kruskol advises. “Management’s message should be one of solidarity and a shared sense of responsibility for getting through the pandemic and its aftermath.”

After all, fraud may be the new normal, but with clear heads and a spirit of camaraderie, we can leave the fraudsters empty-handed.
