COVID-19: Using fraud prevention controls
Since the outbreak of the coronavirus pandemic just a few months ago, we have unfortunately seen a continuous rise in coronavirus-related frauds targeting individuals, businesses and health authorities. Recent estimates suggest that over £2 million has already been lost to coronavirus fraud in the UK and over $13 million in the US, and fraud complaints received by the City of London Police have reportedly increased by up to 400% in the last two months.
Two of the most common ways fraudsters are attacking businesses during this crisis are through either:
- Procurement frauds – including the sale of counterfeit or non-existent goods
- Business email compromise (BEC) frauds – including spear-phishing emails in which the fraudster impersonates a senior executive authorising fund transfers or requesting financial information, or ransomware attacks.
To avoid becoming a victim of a coronavirus-related scam, we recommend that businesses review their existing fraud prevention controls and consider whether they reflect the following practical principles:
Education – Companies should talk openly with their staff about emerging types of coronavirus-related frauds which could occur. Awareness of the fraud risks and the company’s vulnerabilities will help both the leadership team and staff to become more vigilant, taking care not to click on links or attachments in suspicious emails.
Companies should also remind staff regularly of the existing internal fraud prevention procedures which should be followed, including:
- Never paying a supplier invoice unless it matches a valid purchase order and goods received notice, and checking the bank account details on the invoice match those held for that supplier; and
- Escalating any suspicions of fraudulent activity or attempted phishing scams through the company’s designated escalation and reporting procedures.
Communication – Casual conversations which are usually commonplace in the office do not occur when the entire workforce is working from home, and this in itself can be an issue. These informal chats often reassure an employee that they are right to be suspicious of a strange, very urgent request for payment from a supplier, and that double-checking the request is absolutely the right thing to do. Companies should ensure that finance teams in particular are able to communicate regularly through easily accessible channels, and feel assured that they have a sufficient support network to raise queries or concerns.
Due Diligence – With increasing numbers of procurement frauds, extra vigilance around the supply chain is critical. Knowing your regular suppliers and third parties is an important defence against fraud, but in these challenging times it will not always be possible to use existing suppliers, and new suppliers may need to be onboarded urgently. It is vital that companies conduct proportionate due diligence before onboarding any new supplier to ensure they are a legitimate company, capable of supplying the necessary goods or services.
Protection – Ensure all IT systems are up to date, and the latest software and application updates have been installed on devices to protect the business from the latest threats. IT teams are no doubt stretched to capacity at the moment, but ensuring all the relevant protections and software are up to date and working is critical in the prevention and detection of fraud attacks.
Checking email addresses carefully should become second nature throughout the company, for example firstname.lastname@example.org could become email@example.com and may go unnoticed if not checked carefully. This is particularly important for emails which appear to come from senior executives with payment or transfer instructions.
Respond – Finally, businesses should have response strategies and procedures to be deployed immediately in the event of a fraud or cyber attack. Well documented and robust response plans that can be put into action swiftly should mean less disruption and lower levels of loss.
If you would like to know more about fraud typologies and fraud prevention programmes and controls, the Konexo Fraud Risk Management team and Eversheds Sutherland Corporate Crime & Investigations team would be happy to help you.