Fraud prevention: maintaining a controlled environment
Since the beginning of the outbreak, there has been a spike in reports to Action Fraud. Although the vast majority relate to online shopping orders for protective face masks and hand sanitizers that never arrived, there has been a 400% increase in reports of COVID-19-themed phishing emails.
Some fraudsters are purporting to be from research groups that provide daily updates of active infections in the recipient’s area. Victims click on a link that redirects them to a credential-stealing page. There are also examples of requests for money to help relatives or calls from supposed hospital officials requesting personal information. We have also heard reports of scam investment or tax refund schemes.
Fraudsters will try to take advantage of reduced staffing levels due to illness or people being deployed elsewhere (and a possible lack of experience if new staff are hired to cover shortfalls). They will seek to circumvent segregation of duties, especially in finance, HR, procurement, contracting and other payment authorisations. Bank mandate fraud is likely to increase if key personnel in finance functions are overstretched or unavailable.
It’s clearly important to maintain the usual controls, policies, systems and processes – despite the unusual operating conditions. It is also worth reconsidering where fraudulent attacks could come from and how organisations and individuals can protect themselves. Despite all the other pressures, now is the time to revisit your fraud risk assessments and business continuity plans, checking they remain fit for purpose. If you have responsibility for fraud prevention, you should continue to work closely with your finance, HR and procurement teams to ensure they remain vigilant to fraud risks.
In addition, organisations should review their checks and controls to ensure they are suitable for mass home-working. HR should focus on agency and temporary staff pre-employment checks to ensure recruits are suitable, especially in high-risk areas such as finance and procurement.
From a technology perspective, it is important you keep your anti-virus software up to date and ensure it is applied to laptops where people are working remotely. Undertake phishing exercises if you can in order to test your defences.
As individuals, we should all remain professionally sceptical and cynical, both at work and home, looking out for scam messages and emails. It’s important that staff are warned about the increased risks that come with disruption. They should be reminded not to use personal emails for company business, even when working at home, and to use secure file sharing tools for the sharing of sensitive data.
In the current environment, it’s likely that fraud threats and attacks will continue to evolve. Please bookmark this page and visit us weekly for updates.
Staff absences and increased home working
With COVID-19 resulting in reduced staff levels and increased home-working, it is vital to ensure that controls are maintained. Above all, this means making sure that everyone knows what the controls are and applies them. Well-designed controls rarely fail themselves; any problems are more likely to stem from an organisation’s ‘pink software’, i.e. its people.
Controls fail in the main due to a number of (often non-fraudulent) reasons, including:
- Over-riding by management
- Poor application by staff and/or managers
- Lack of line management monitoring
- Assumptions that someone else had done it
- Lack of training.
Given the environment created by COVID-19, the reality is that many controls will slip due to operational urgency, staff shortages and lack of training for those replacing staff who are ill. Increased home-working may exacerbate the problem by giving people a false sense of greater security. In addition, social distancing requirements mean that face-to-face meetings are no longer available. Documentation is likely to be sent electronically, potentially making it harder to validate. It is therefore important to think about workarounds that still give the appropriate level of assurance. Video-conferencing and seeking corroboration on paperwork have to be minimum considerations.
- Remind staff of their job descriptions and obligations, highlighting any controls for which they have responsibility.
- If this has not been done already, key controls should be process-mapped and walked through to test them against the current situation. They should then be revisited every time there is a change to staffing, processes or legislation. Even a small change can create an opportunity for exploitation – remember that a chain is only as strong as its weakest link.
- Remind staff of the need to maintain the highest levels of security while home-working. Open tabs on laptops and PCs should be closed down and laptops switched off and stored securely when not in use.
- Be cautious in dealings via email and telephone, remembering that fraudsters can hijack communications in convincing ways.
- Ensure new staff (or staff deployed to new tasks) receive the proper levels of training in applying controls and conducting checks.
- Seek corroboration and additional supporting documentation where appropriate.
Segregation of duties and authorisation
Fraudsters thrive on urgency, confusion and change – so now is a perfect storm. You and your colleagues may feel under pressure to take decisions swiftly. Fraudsters will create a false sense of urgency, pushing people into making bad decisions or overriding controls. You can protect your organisation by following some simple steps to reinforce segregation of duties and authorisation procedures.
- Before you take any actions, pause, reflect and check.
- Check your levels of authorisation on a daily basis. Who is available? If people are put into positions to cover more experienced colleagues, check they have received the basic level of training to do their job properly.
- If being pressured for action that would require controls to be circumvented, consider whether it could wait a few days. Most people are very understanding of the current situation and will probably accept a delay.
- Make sure you know who you are dealing with. Check the provenance of emails and calls before you take any actions, especially in relation to payments, money transfers and, most importantly, changes to bank accounts.
HR policies and home-working challenges
Despite the COVID-19 outbreak, established policies still apply, even if some may have been relaxed to allow flexibility. Policies around home-working require careful handling. In most cases, people have managed to find an agile solution that enables them to work their core hours while managing their wider commitments at home.
However, there will be requests from some people who wish to formally adjust their working pattern, as they believe this will ease their ‘juggle struggle’. This is mostly because they have specific and personal childcare or carer needs. It is important that such requests are dealt with compassionately, while also considering the organisation’s needs and, especially, its security.
- Make sure all staff comply with core policies.
- Ensure you stay up-to-date with your organisation’s guidance and advice.
- Test any changes to working patterns or duties to ensure the organisation is not put at risk.
- Have regular catch-up calls with colleagues and staff you manage, ideally via video conferencing, to ensure they remain engaged.
COVID-19 and fraud prevention: 10 key questions to ask
Despite – or even because of – current operating pressures, now is the time to revisit your fraud risk assessments and ensure that business continuity plans take account of emerging fraud risks.
Here are 10 key questions to ask:
- When did you last undertake a fraud and/or bribery risk assessment (strategic and/or operational)?
Since the COVID-19 outbreak, most organisations will have had to drastically change how they operate. It’s important to assess the impact of changes to staff numbers and experience. Now is the time to review key processes, especially in finance, procurement, HR and operations.
- Do you need assistance in undertaking investigations (criminal, civil, disciplinary and/or regulatory) or require training in such techniques?
We have seen a significant increase in fraud reports. It is vital that organisations are equipped to investigate suspicions and allegations of fraud in a professional and swift manner.
- Is your counter-fraud/bribery strategy properly designed, up-to-date, and working…and how often are your key controls evaluated for relevance and effectiveness?
Your organisation may have adopted new ways of working. Decisions will have been made as to what parts of the business may change in the long term. It is important to ‘fraud proof’ any new strategies or procedures and subsequent changes in controls.
- How effective are your whistleblowing arrangements?
Encouraging whistleblowing and ensuring staff can raise concerns is pivotal in identifying frauds. However, the focus will have changed to ensuring organisations keep running rather than on governance and fraud prevention. Whistleblowing policies and processes should be revisited to reflect any new working practices (e.g. new contractors and suppliers, and increased home-working).
- Has your organisation recently undergone (or is it planning) any major changes in personnel, structures and/or systems?
If so, have the fraud risks and controls been revisited and considered? The world has changed and will doubtless continue to do so. You need to ensure anti-fraud measures are built into changes from the outset, rather than waiting to address them after a fraud attack.
- What is your anti-fraud/bribery culture and what is the quality of the fraud awareness training (if any) provided to your staff?
If you get the culture right, everything follows. Consider developing new (or reinforcing existing) messages about fraud prevention. People are tuning into working differently and applying new hygiene and social-distancing controls, so it’s a good time to think about change management across the organisation.
- Would your staff know what to look for and how to respond to suspicions of fraud?
Fraudsters thrive on change and uncertainty. Remind staff of the importance of controls, what fraud looks like, where the emerging frauds are coming from, and what to do when (and it is ‘when’ not ‘if’) fraud is discovered or suspected.
- When was the last time you updated your policies to ensure they are in line with current legislation, best practice and your anti-fraud and bribery policies?
Legislation and guidance have changed almost daily since the COVID-19 outbreak. Make sure your organisation remains lawful and complies with best practice and government guidance.
- How does your organisation respond to allegations of fraud?
It’s important to be prepared so that when a fraud is discovered or suspected, you don’t waste time working out what to do. Use any downtime to look at how your organisation can be better prepared for wider risks in addition to the immediate challenges presented by COVID-19.
- Does your organisation capture intelligence and does it have a systematic means of learning from past fraud incidents (whether or not they occurred in your organisation)?
Learn from other people’s mistakes. Scan the horizon to observe and understand how frauds are changing and their potential impact. When you read about a fraud, consider if it could happen to you and revisit your controls to ensure they can mitigate the risk of any similar attack.
We are all facing unprecedented challenges. Fraudsters will be making the most of the confusion, anxiety and stresses businesses and individuals are suffering. Take time to stop and think about how you can protect your finances and reputation. The phrase ‘prevention is better than cure’ has never made so much sense as it does now in these difficult times.
Coronavirus Job Retention Scheme Fraud
It has been reported that HMRC have received nearly 800 whistleblowing reports from employees who suspect their employers are fraudulently claiming under the Government’s Coronavirus Job Retention Scheme.
With the UK Government starting to relax the lockdown measures in England, and many organisations considering returning previously furloughed employees to work, organisations need to ensure that they correctly remove any such employees from the scheme and should consult with their HR advisers if in any doubt.