27th May 2020
This article was last updated on 27 May at 10:30.
Organisations have taken swift action to comply with government guidelines on social distancing, which has led many of them to work remotely and establish new ways of working. This has meant putting business continuity plans into action over the last few weeks. As the dust settles on these changes to the working environment, fraudsters will, sadly, try to take advantage of the emergency and the altered working arrangements to defraud organisations.
Action Fraud has reported that fraud reports related to COVID-19 increased by 400% in March alone. The figures include scams aimed at both individuals and organisations. Action Fraud has also reported over 200 instances of COVID-19-themed phishing emails. In May, in just over two weeks since the National Cyber Security Centre (NCSC) and police launched the new suspicious email reporting service, the public has passed on more than 160,000 suspect emails, leading to the removal of over 1,400 links to bogus sites.
Changes in ways of working require careful consideration. It is important to analyse how the existing control framework, and compliance with policy and procedures, are being applied throughout the organisation and at an operational level. Many organisations have furloughed staff who were key to operating controls, which means these controls are either no longer operating or have been reallocated to others, creating a potential lack of segregation of duties. Individuals working from home also means reduced physical contact time with colleagues, and certain process and control work-arounds are being introduced to limit business interruption.
We have evaluated key fraud risks that organisations need to be aware of to minimise their impact. Key areas to consider include:
- Procurement fraud – there are a number of ways an organisation can be defrauded. Some scams involve the online sale of personal protective equipment, such as face masks and gloves. Some sellers have defrauded buyers by not delivering items after payment has been made, or by delivering items that are not up to standard.
- Bank detail changes (payment diversion) – this is a well-known scam in which fraudsters request a change to supplier bank details by email or letter. Any request to change standing data must be validated, and this should be done using contact details already held in the database or available in the public domain, not those supplied in the request itself.
- New supplier fraud – setting up new suppliers remains a key control point; appropriate due diligence checks are essential before a supplier is set up on the ledger.
- Payroll/HR related fraud – change requests to HR records regarding an employee’s payroll bank details should be validated, and not simply completed on the basis of an email or a phone number given in the email requesting the change.
- Internal fraud – as people work remotely and staff members are furloughed, the segregation of duties requires careful consideration. The situation gives rise to the risk of internal fraud around payments and financial reporting, or of failing to spot an external fraud attempt.
- Courier fraud – as more people self-isolate, fraudsters will carry out courier fraud by cold calling the organisation and purporting to be from a bank in order to gain trust. The ultimate aim of the call is to trick the organisation into handing over money or bank details. Raising awareness of fraud instances and reinforcing protocols for handling unsolicited calls is vital.
- Remote working and cyber fraud – as more people work from home, fraudsters may capitalise on slow networks and IT problems to commit computer software service fraud. Be wary of cold calls or unsolicited emails offering help with your organisation’s devices or to fix a problem.
- Phishing fraud – these emails attempt to trick people into opening malicious attachments or links, which could lead to fraudsters stealing the organisation’s sensitive information, email logins and passwords, and banking details.
- Impersonation of HMRC or other regulators – there have been several instances of fraudsters impersonating regulators. Organisations should be vigilant and contact regulators only using contact information available in the public domain or from a reliable source.
Simple preventative steps organisations can take:
- Provide guidelines to reinforce existing policy and procedures and raise awareness over fraud matters.
- Monitor the current situation and keep up to speed with common fraud themes and alerts given by Action Fraud and the NCSC.
- Carry out due diligence on suppliers that the organisation engages with.
- Do not click on links or attachments in unexpected or suspicious emails.
- Contact your bank immediately if you think you’ve fallen for a scam. Your bank will NEVER ask you to transfer money or move it to a ‘safe’ account.
- Implement additional verification checks and procedures before making changes to standing data, such as supplier bank details or employee bank details.
- Implement additional verification checks and procedures before making payments, for example making use of video conferencing facilities.
- Report all fraud instances to Action Fraud.
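The two controls the article keeps returning to, out-of-band validation of standing-data changes and segregation of duties, can be made mechanical rather than left to memory. The following is an added illustration written for this page, not haysmacintyre’s own tooling or any real ledger system: a small gate that refuses to apply a bank-detail change unless the callback went to the contact number already held on file (never to a number quoted in the request) and three different people were involved as requester, confirmer and approver. The record layout, field names and sample values are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MasterRecord:
    """Standing data as held on the ledger/HR system before the request arrived."""
    ref: str
    name: str
    sort_code: str
    account: str
    callback_phone: str          # contact held on file, never taken from an inbound request


@dataclass(frozen=True)
class ChangeRequest:
    """An inbound request to change bank details, e.g. received by email or letter."""
    ref: str
    new_sort_code: str
    new_account: str
    channel: str                            # "email", "letter", "portal"
    requester: str                          # staff member who logged the request
    phone_in_request: Optional[str] = None  # any number quoted inside the request itself


@dataclass(frozen=True)
class Verification:
    """Evidence recorded by the people who checked the request."""
    callback_number_used: str    # number actually dialled to confirm the change
    confirmed_by: str            # person who made the callback
    approved_by: str             # second person who signed the change off


def verify_change(record: MasterRecord, request: ChangeRequest,
                  verification: Verification) -> Tuple[bool, List[str]]:
    """Return (approved, reasons); each reason names a control that failed."""
    reasons: List[str] = []
    if request.ref != record.ref:
        reasons.append("request reference does not match the master record")
    # Out-of-band check: the callback must go to the contact already on file ...
    if verification.callback_number_used != record.callback_phone:
        reasons.append("callback was not made to the number held on file")
    # ... and never to a number the request itself supplied.
    if request.phone_in_request and verification.callback_number_used == request.phone_in_request:
        reasons.append("callback used the number quoted in the request")
    # Segregation of duties: requester, confirmer and approver must be three people.
    people = {request.requester, verification.confirmed_by, verification.approved_by}
    if len(people) < 3:
        reasons.append("requester, confirmer and approver are not three different people")
    return (not reasons, reasons)


def apply_change(record: MasterRecord, request: ChangeRequest,
                 verification: Verification) -> MasterRecord:
    """Update the master record only when every control passed; otherwise raise."""
    approved, reasons = verify_change(record, request, verification)
    if not approved:
        raise PermissionError("change rejected: " + "; ".join(reasons))
    return replace(record, sort_code=request.new_sort_code, account=request.new_account)


# Constructed sample data; the phone numbers are fictional placeholders.
SUPPLIER = MasterRecord("S-1001", "Acme Supplies Ltd", "11-22-33", "12345678", "020 7946 0000")
REQUEST = ChangeRequest("S-1001", "44-55-66", "87654321", "email", "j.smith",
                        phone_in_request="07700 900123")

# A check done badly: called the number in the email, and one person did everything.
WEAK = Verification("07700 900123", confirmed_by="j.smith", approved_by="j.smith")
# A check done properly: called the number on file, with a separate confirmer and approver.
STRONG = Verification("020 7946 0000", confirmed_by="a.jones", approved_by="b.patel")

if __name__ == "__main__":
    for label, evidence in (("weak", WEAK), ("strong", STRONG)):
        ok, why = verify_change(SUPPLIER, REQUEST, evidence)
        print(label, "approved" if ok else "rejected", why)
```

The weak verification is rejected for three separate reasons even though a callback was made, which is the point: a callback to a number the fraudster supplied is no control at all. The same gate applies unchanged to payroll bank-detail changes by treating the HR record as the master record.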
If you wish to discuss the above article and/or any other COVID-19 related initiatives please contact your usual haysmacintyre contact or email CV19@haysmacintyre.com.