Fraud Is the New Normal
Fraudsters are taking advantage of the upheaval and anxiety of the COVID-19
crisis—here’s how to protect yourself and your organization.
By Carolyn Kmet | Fall 2020
In the age of COVID-19, fear, desperation, and uncertainty
are fueling fraud in every sector—public, private, and
government—and anyone can be a victim. According to
the Federal Trade Commission, Americans have lost
more than $77 million in COVID-19-related fraud. Just
within the past six months, there have been several highly visible
hacks: In April, hackers infiltrated the U.S. Small Business
Administration, gaining access to the personal information associated
with nearly 8,000 Paycheck Protection Program applicants, including
Social Security numbers, addresses, and phone numbers. In June,
hackers used malware to extort $1.14 million from the University of
California, San Francisco. And in July, hackers hijacked the Twitter
accounts of Barack Obama, Joe Biden, Bill Gates, Elon Musk, and
other prominent figures, leveraging their followers to net almost
$116,000 in bitcoin.
“When there is a major change in business like the current
pandemic, typically we see an increase in external frauds being
reported,” observes Illinois CPA Society member Sean Kruskol, a
principal at Cornerstone Research, an international economic and
financial consulting firm. “Recent reports of layoffs and furloughs
across multiple industries have led to a rise in the number of
unemployed—and potentially disgruntled—individuals, as well as
frustrated employees, who may now have the motive and time to
commit fraud.”
Fraud in the Workplace
The fraud triangle, a model created by criminologist Donald
Cressey in the 1950s, remains relevant today. The triangle explores
the circumstances that motivate fraud: opportunity, pressure, and
rationalization. Cressey believed that for fraud to occur, all three
elements must be present.
“
When we look at the fraud triangle, the current pandemic
exacerbates two of the three sides: pressure and opportunity,”
Kruskol says. “The perceived pressures and opportunities to
commit fraud are encountered on a daily—if not hourly—basis.”
The financial pressures on organizations and individuals due to
COVID-19’s economic impacts have become crushing.
Unemployment and unrest have seen historic highs. Cash flows
have slowed to a trickle. The pace of business has turned to a limp.
Established, dependable processes have been completely
upended. With no visible end to our current uncertainty, many
business owners are desperately struggling to make ends meet.
This pressure builds and builds, and eventually engulfs the
business’ suppliers, employees, and partners, continuing the cycle.
Today’s environment also exponentially increases the opportunities
for fraud. Given the almost instantaneous abolishment of standard
operating procedures, businesses are scrambling to rebuild internal
checks and balances in a remote environment. A dispersed
workforce and the absence of centralized oversight combined
undoubtedly create an environment ripe for fraud.
“With more remote work arrangements and fewer face-to-face
interactions, the lack of human interaction could lead certain
individuals to feel more anonymous. With an increased level of
anonymity comes an increased perception that they will not be
caught,” Kruskol explains. “Some people need routine to hold
them accountable. Some people need other people to hold
them accountable. The current pandemic has altered those
systems of accountability.”
The combined presence of opportunity and extreme pressure can
lead to rationalization, the third element in Cressey’s fraud triangle.
Justifying fraudulent activity in today’s environment comes easy:
I need to provide for my family; I’ll pay it back later. Or:
I pay taxes
every year, and I just need to pay my bills. I deserve the help.
Unfortunately, regardless of the urgency of need or the intent, fraud
is still fraud. “It may be harder for employees to resist the temptation
to sell confidential information or access to internal systems,
particularly if the pandemic has reduced their household income or
the future of their position is in doubt,” observes Stephen Cobb, an
independent security and risk management researcher. “Ironically,
employees may have greater system access in order to work at
home during the pandemic, and home is an environment where
norms of behavior may be less of a deterrent to criminal activity.”
Victims of Fear
Fear of the unknown operates as both motivation and hook, not
only driving people to commit fraud, but to be more susceptible to
fraud themselves.
“Fraud thrives on the effects that a disruptive phenomenon like a
pandemic can produce: urgent need, suffering, fear, economic
stress, resource diversion, and regulatory distraction,” Cobb notes.
Cobb has seen increased incidences of fraud during other times
of disruption, such as wars, terror campaigns, and recessions. “The
financial pressures of the Great Recession led some people, who
in less stressful times would know better, to fall for get-rich-quick
schemes,” he says.
Today, those get-rich-quick messages might be replaced with
miracle COVID-19 cures or free antibody tests. By playing to
people’s fears, scammers are able to pocket some cash or obtain
personally identifiable information, such as names, birth dates,
and Social Security numbers. Personal information can then be
used for further defrauding: This July, the FBI reported a spike in
fraudulent unemployment insurance claims involving the use of
stolen information.
“The pandemic is creating uncertainty, and uncertainty is fertile
ground for fraud,” says Aviram Jenik, CEO at Beyond Security, a
global provider of network and application security solutions. “What
outrageous or unbelievable things have we heard in the last six
months that ended up being true? Each time that happens, we
gradually condition our brains to accept outrageous claims as
possible truths, which makes it easier to fall for fraud.”
Businesses are no less susceptible to these hoaxes. The pandemic
has forced many businesses to change their focus from excellence
to survival. For example, the rapid breakdown of supply chains
triggered widespread shortages across multiple industries
and regions. As businesses scrambled to identify new suppliers,
corners were cut and acceptable standards lowered in favor of a
quick solution. Many companies placed orders for masks and
other personal protective equipment from unknown suppliers that
either sent defective products or pocketed the money and sent
nothing at all.
Supply chains aren’t the only system that’s suffered under COVID-19. Workflows and internal controls have also been compromised.
“Companies have been forced to recreate entire business
processes and related workflows. When the pandemic hit, some
organizations were prepared for a virtual working environment.
Others were thrown into it without careful transition of the internal
controls that once protected these business processes,” Kruskol
explains. “For example, signatures for the review and approval of
account reconciliation may be electronic now. Unless a verifiable
and secure control is in place for signoffs, the risk of forgery via
copying and pasting an electronic signature is increased.”
Fraud Inside and Out
Clearly, in this environment both internal and external fraud are
rampant. Perpetrators of internal fraud can be low on the totem pole
or high in the C-suite, including employees, managers, officers, and
owners of the company. Jenik says that today’s remote work
environment only exacerbates the potential for fraud. “We have six-figure
financial transactions that need to be done from home, where
the CFO handling the transaction is unable to walk over to the
relevant manager to confirm the transfer face-to-face,” Jenik explains.
In other situations, internal employees might submit false or inflated
invoices, issue payment for fictitious goods or services, or contract
with shell companies. Expense reports with claims for personal
purchases can be tampered with.
Jenik advises companies to revise their policies and update their
protection strategies under the assumption that the current situation
is permanent, or that it will at least last for many more months. “This
means putting in place additional channels for verification to
replace the foolproof face-to-face conversation,” Jenik says. He
suggests that email requests should be confirmed by another
communication method like chat or phone call; any critical process
should have additional authentication and verification steps; and all
information should be considered in-question until proven.
Financial pressure or uncertainty can also drive employees to falsify
timecard data and alter the number of hours worked. Data can be
used to detect these situations as well. Running a simple trend
report to spot spikes in hours worked or pay received would help
identify employees who might be taking advantage of the system.
Companies are also vulnerable to fraud instigated by external
players. With less effective monitoring in place, and cybersecurity
diffused across home offices and personal devices, hackers have
more opportunities to gain access to corporate networks.
“Companies need increased cybersecurity vigilance in order to
combat the many new opportunities hackers might take advantage
of thanks to remote work,” says Darren Deslatte, vulnerability
operations leader at Entrust Solutions. “Telework increases the
number of possible endpoint devices, such as laptops or routers,
that cybercriminals can use as entry points into an enterprise’s
network. In addition, many employees do not have the same
cybersecurity measures set up in their homes as their company
may have implemented at their office.”
Deslatte urges companies to ensure that all employees, regardless
of whether they work in IT or not, are trained in basic cybersecurity
methods. “These staff trainings should include how to encrypt Wi-
Fi routers, how to identify and report phishing scams, and how to
create strong, unique passwords for all accounts,” Deslatte advises.
Phishing scams have also intensified as of late, with Google
reporting more than 18 million daily malware and phishing emails
related to COVID-19 over the course of a single week.
“In many cases, scammers will pose as someone you trust, whether
that be a family member, your bank, a government official, or a
company you purchase products or services from,” explains Todd
Kartchner, an attorney and director of business litigation with law
firm Fennemore Craig PC. “And while each category of fraud
presents its own unique challenges, in nearly every instance
fraudsters are seeking either money or personal information. You
should automatically be on your guard when asked for either one.”
Kartchner advises that anyone receiving a strange or unexpected
request from someone they know should contact that person
directly through another channel to verify the request. “If you’re
feeling pressured to make a decision in a hurry, that’s also a red
flag. Scammers want to pressure you into acting quickly. If you’re
feeling pressured, slow things down,” Kartchner says. “Look the
company up online to see what you learn. If nothing else, talk to a
friend or family member to gain their perspective. The more time
you take to think something through, the more likely it is that you’ll
be able to spot problems with what you’re being told.”
Both internal and external fraud are fueled by fear, and so it
behooves businesses to assuage employee fear through open
communication channels and clear strategies. “The tone at the top
during these trying times is key,” Kruskol advises. “Management’s
message should be one of solidarity and a shared sense of
responsibility for getting through the pandemic and its aftermath.”
After all, fraud may be the new normal, but with clear heads and a
spirit of camaraderie, we can leave the fraudsters empty-handed.