The COVID-19 crisis abruptly changed how businesses operate. Tasks previously done in a controlled workplace setting shifted to employees’ homes. Workers were asked to do more with less, or change their job scope completely. Entire supply chains needed to be reshaped due to disruptions around the globe.
In the midst of this stressful environment, criminals have found a golden opportunity. Fraudsters had already been increasing the frequency of their attempts in the past few years, but the unprecedented disruption has emboldened them. In the US, by the end of May 2020, the Internet Crime Complaint Center had received nearly the same number of complaints in 2020 as for all of 2019; in the UK, fraud rates for financial products (for both businesses and retail) increased by 33% in April.2 The good news is that companies can curb these fast-growing types of fraud with simple measures and careful planning.
Why Business Email Compromise is growing
Between 2013 and 2019, losses from international business email compromise (BEC) schemes totaled more than $26 billion.3 BEC accounted for half of the cyber-crime losses in 2019, resulting in an average loss of almost $75,000.4 The latest AFP survey shows 75% of American businesses experienced a BEC attempt last year.5
BEC is a broad term that covers any scenario where the fraudster sends an emailed request for a payment to be sent to a new beneficiary. BEC began with impersonation of C-suite executives and has since expanded to the supply chain. Most recently, there has been a spike in BEC on M&A transactions, with the seller impersonated by criminals. To add credibility, the criminals often send a separate supporting email purporting to come from a well-known law firm.
Supplier impersonation has proved successful because it is harder to contact people in a different organization to verify a request. Moreover, these scams often reference a genuine transaction, so the request details appear genuine, reinforcing its credibility.
COVID-19 has created opportunities for new forms of supplier impersonation and exacerbated risks for a number of reasons:
- Criminals have a realistic reason, such as lockdown restrictions or cash flow problems, to ask for the payment to be sent to another bank account.
- Many scams work by putting their victims under pressure. COVID-19 provides a useful context to accelerate payments.
- Remote working gives criminals a justification for using a different email address.
- With teams working remotely, individuals may be less attentive compared to working in a normal office environment.
Conditions are ideal for increased procurement fraud
The lockdown has increased demand and scarcity in certain goods or services, creating an opportunity for procurement fraud. The most obvious examples are personal protective equipment (PPE) – such as face masks and hand sanitizer – but there have been shortages of many goods.
Fraudsters worldwide have exploited this situation by promising to supply key goods at reduced prices or with expedited delivery. Procurement fraud, already a major problem for companies – representing 19% of all fraud incidents6 – has boomed in recent months. These scams normally involve the victim making a large down payment to secure goods; the items never arrive, or cheap counterfeits are delivered.
There are several variations of this scheme, with the fraudsters impersonating large/respected suppliers, or acting as brokers or intermediaries offering goods. Firms may be procuring goods that they are unfamiliar with, such as PPE, or have to fill supply chain gaps at short notice in unfamiliar markets (China came out of lockdown when much of Europe and North America remained closed; many companies found themselves working with new counterparties as a result).
Given the pressure on companies to continue to provide services to their customers, they can be vulnerable to fraud. In unusual circumstances, some employees may fail to take the time to ascertain who they are liaising with, or respond to cold calls or unsolicited emails without sufficient caution.
Remote working raises the risk of insider fraud
Many companies do not like to face the uncomfortable reality of insider fraud – as it involves work colleagues, or employees they may have hired. However, insider fraud is an increasing problem: 37% of economic fraud results from an internal perpetrator, while a further 20% is the result of collusion between internal and external parties.7 In total, almost six in ten of all fraud cases involve an internal party.
The current environment increases the risk of employee fraud in three principal ways:
1. Employees are performing higher risk activities remotely to keep businesses operating. Often, proper risk assessments were not carried out given the need to switch to remote working rapidly.
2. Employee motivation may have increased. COVID-19 will have a severe financial impact on many people. In desperate times, some people are prepared to take desperate measures. Much insider fraud is opportunistic. Remote working creates new opportunities for this.
3. As businesses adapt to survive – including letting employees go, or asking people to work longer hours – people may feel unfairly treated. Employees can use their grievances to justify/rationalize unethical behavior.
Tackling increased fraud risk in the ‘new normal’
Many of the most effective ways to address supplier impersonation, procurement fraud or insider fraud are surprisingly simple. Often, employees just need to pay greater attention to the task in hand or be more cautious when dealing with people they do not know, or when using new payment details (a genuine change of payment details is rare among businesses, as it is inconvenient and time-consuming to contact stakeholders to inform them of the change).
In relation to supplier impersonation/BEC, whenever new payment details are supplied over email, the best control is to telephone the sender to confirm the request. Often, people take an email at face value or ask for written confirmation through the same channel, which leaves the confirmation itself susceptible to fraud. Instead, they should use an alternative channel, such as telephone, to verify the request's authenticity (dialing a recognized number rather than one provided in the original email).
It is also valuable for a second person to look at any transaction. Humans make errors and fraudsters are highly skilled – they seek to put people under pressure to impair their judgment. Having a second person to check the details improves the chances of detection. More generally, education is important. While many people have an instinctive feel for what is wrong, training makes it easier to spot warning signs and take appropriate action.
Similarly, the risk of procurement fraud can be reduced using basic due diligence measures and common sense: like most scams, if an offer seems too good to be true, it usually is. Employees need to understand who they are engaging with. The simplest way is to go online, research the company, its trading history and core offering. Employees should speak to the individual to test their product knowledge; a scammer will not have deep product insights.
Employees should also be wary of unsolicited calls or emails and always take extra steps to verify people’s details.
Companies should trust their employees when it comes to the risk of internal fraud. But they should not give them free rein. Dual payment approval is an important and easy measure to put in place. Standard processes such as segregation of duties and reconciliation can also be powerful tools to prevent fraud: if employees know there are checks in place, they are less likely to be tempted to commit fraud. Companies should also analyze their processes to identify high-risk components that might be exploited by employees and build controls to eliminate vulnerabilities.