The fraudsters aren’t in self-isolation
Keeping safe from Coronavirus (COVID-19) is obviously at the forefront of everyone’s minds across the globe. Unfortunately, fraudsters are taking advantage of the disruption and depleted staffing levels to attack businesses and individuals.
Since the beginning of the outbreak, there has been a spike in reports to Action Fraud and as expected it is escalating. Whilst the vast majority relate to online shopping orders for protective face masks and hand sanitisers which have never arrived, there has been a 400% increase in reports of COVID-19 themed phishing emails.
As organisations try to keep operating in these very difficult times, the usual controls, policies, systems and processes will doubtless take second place, so now is a vital time to consider and revisit where these attacks will likely come from and how you can protect yourselves.
Doubtless, fraudsters will be taking advantage of reduced staffing levels due to illness or staff being deployed elsewhere (and a possible lack of experience among new staff hired to cover shortfalls) to circumvent segregation of duties, especially in finance, HR, procurement, contracting and other payment authorisations. Bank mandate fraud will also likely increase as fraudsters exploit the opportunity created by key personnel in Finance being overstretched or unavailable. Businesses should review their checks and controls to ensure they are suitable for mass ‘home-working’. HR should focus on pre-employment checks for agency and temporary staff to ensure recruits are suitable, especially in high-risk areas such as finance and procurement.
Other fraudsters are purporting to be from research groups that provide a list and daily updates of active infections in the recipient’s area; the victim clicks on a link which redirects them to a credential-stealing page. There are also examples of requests for money to help relatives or calls from hospital officials requesting personal information; others are linked to scam investment or tax refund schemes.
To protect yourself, remain professionally sceptical and cynical both at work and home, looking out for scam messages and emails. You should continue to work closely with your finance, HR and procurement teams to ensure they remain vigilant to fraud risks. Despite all the other pressures, now is the time to revisit your fraud risk assessments in the light of the emergency measures being introduced by the government and ensure that business continuity plans take into account the rapidly emerging fraud risks.
From a technology perspective, it is important you keep your anti-virus software up to date and ensure it is applied to laptops where people are working remotely. Undertake phishing exercises if you can.
You should remind staff of the increased risks that come with disruption. Remind staff not to use personal emails for company business, even when working at home, and to use secure file sharing tools for the sharing of sensitive data.
Before you take any action, stop, think and check - and remember, trust is not a control.
For support and advice, please contact Sarah Hillary.
BDO London - Baker Street