The COVID-19 crisis abruptly changed how businesses operate. Tasks previously done in a controlled workplace setting shifted to employees’ homes. Workers were asked to do more with less, or change their job scope completely. Entire supply chains needed to be reshaped due to disruptions around the globe.
In the midst of this stressful environment, criminals have found a golden opportunity. Fraudsters had already been increasing the frequency of their attempts in the past few years, but the unprecedented disruption has emboldened them. In the US, by the end of May 2020, the Internet Crime Complaint Center had received nearly the same number of complaints in 2020 as for all of 2019.
Between 2013 and 2019, losses from international business email compromise (BEC) schemes totaled more than $26 billion.[3] BEC accounted for half of the cyber-crime losses in 2019, resulting in an average loss of almost $75,000.[4] The latest AFP survey shows 75% of American businesses experienced a BEC attempt last year.[5]
BEC is a broad term that covers any scenario where the fraudster sends an emailed request for a payment to be sent to a new beneficiary. BEC began with impersonation of C-suite executives and has since expanded to the supply chain. Most recently, there has been a spike in BEC on M&A transactions, with the seller impersonated by criminals. To add credibility, the criminals often send a separate supporting email purporting to come from a well-known law firm.
Supplier impersonation has proved successful because it is harder to contact people in a different organization to verify a request. Moreover, these scams often reference a genuine transaction, so the request details appear genuine, reinforcing its credibility.
The lockdown has increased demand and scarcity in certain goods or services, creating an opportunity for procurement fraud. The most obvious examples are personal protective equipment (PPE) – such as face masks and hand sanitizer – but there have been shortages of many goods.
Fraudsters worldwide have exploited this situation by promising to supply key goods at reduced prices or with expedited delivery. Procurement fraud, already a major problem for companies – representing 19% of all fraud incidents[6] – has boomed in recent months. These scams normally involve the victim making a large down payment to secure goods; the items never arrive, or cheap counterfeits are delivered.
There are several variations of this scheme, with the fraudsters impersonating large/respected suppliers, or acting as brokers or intermediaries offering goods. Firms may be procuring goods that they are unfamiliar with, such as PPE, or have to fill supply chain gaps at short notice in unfamiliar markets (China came out of lockdown when much of Europe and North America remained closed; many companies found themselves working with new counterparties as a result).
Given the pressure on companies to continue to provide services to their customers, they can be vulnerable to fraud. In unusual circumstances, some employees may fail to take the time to ascertain who they are liaising with, or respond to cold calls or unsolicited emails without sufficient caution.
Many companies do not like to face the uncomfortable reality of insider fraud – as it involves work colleagues, or employees they may have hired. However, insider fraud is an increasing problem: 37% of economic fraud results from an internal perpetrator, while a further 20% is the result of collusion between internal and external parties.[7] In total, almost six in ten of all fraud cases involve an internal party.
Many of the most effective ways to address supplier impersonation, procurement fraud or insider fraud are surprisingly simple. Often, employees just need to pay greater attention to the task in hand or be more cautious when dealing with people they do not know, or when using new payment details (a change of payment details is rare among businesses, as it is inconvenient and time consuming to contact stakeholders to inform them of a change).
In relation to supplier impersonation/BEC, whenever new payment details are supplied over email, the best control is to telephone the sender to confirm the request. Often, people take an email at face value or ask for written confirmation through the same channel, making it susceptible to fraud. Instead, they should use an alternative channel, such as telephone, to verify the authenticity (dialing a recognized number rather than one provided in the original email).
It is also valuable for a second person to look at any transaction. Humans make errors and fraudsters are highly skilled – they seek to put people under pressure to impair their judgment. Having a second person to check the details improves the chances of detection. More generally, education is important. While many people have an instinctive feel for what is wrong, training makes it easier to spot warning signs and take appropriate action.
Similarly, the risk of procurement fraud can be reduced using basic due diligence measures and common sense: like most scams, if an offer seems too good to be true, it usually is. Employees need to understand who they are engaging with. The simplest way is to go online, research the company, its trading history and core offering. Employees should speak to the individual to test their product knowledge; a scammer will not have deep product insights. Employees should also be wary of unsolicited calls or emails and always take extra steps to verify people’s details.
Companies should trust their employees when it comes to the risk of internal fraud. But they should not give them free rein. Dual payment approval is an important and easy measure to put in place. Standard processes such as segregation of duties and reconciliation can also be powerful tools to prevent fraud: if employees know there are checks in place, they are less likely to be tempted to commit fraud. Companies should also analyze their processes to identify high risk components that might be exploited by employees and build controls to eliminate vulnerabilities.
It is an unfortunate truth that many businesses will be subject to fraud, so companies need to think ahead and consider how they would respond to these situations. The well-known adage – prior preparation and planning prevent poor performance – rings particularly true. If a company does not have a clear plan, it has to make important decisions in a stressful environment. Consequently, mistakes will often be made or delays may occur that increase the potential for fraud and financial loss.
Almost all companies have business continuity plans; they need to approach fraud in the same methodical way, especially in the COVID-19 environment where it is no longer possible to raise queries in an office environment. Employees need to know how to react when they are suspicious and who to tell. And, if a loss ever occurs, they must let their bank know as quickly as possible so that attempts can be made to recover funds.