Organisations have taken swift action to comply with government guidelines over social distancing, which has led to many organisations now working remotely and establishing new ways of working...
Because of this, business continuity plans have been put into action over the last few weeks. But, as the dust settles over changes to the working environment, sadly, fraudsters will try to take advantage of the emergency and of the measures that have changed the working environment in an attempt to defraud organisations.
Action Fraud has reported that fraud reports related to COVID-19 increased by 400% in March alone. The figures reported include fraud scams to both individuals and organisations. Action Fraud has also reported over 200 instances of COVID-19-themed phishing emails.
Changes to ways of working require careful consideration. It is important to analyse how the existing control framework and compliance with policy and procedures are being applied throughout the organisation and at an operational level. Many organisations have furloughed staff who were key to operating key controls, which means those controls are either no longer functioning or have been allocated to others, creating a potential lack of segregation of duties. With many individuals also working from home, there is reduced physical contact time, and certain processes and control work-arounds are often being introduced to limit business interruption.
We have evaluated key fraud risks that organisations need to be aware of to minimise their impact. Key areas to consider include:
- Bank detail changes (payment diversion) – this is a well-known scam in which fraudsters request changes to supplier bank details via email or letter. Any change request to standing data should be validated, and the change verified using contact details available in the database or public domain.
- New supplier fraud – setting up new suppliers remains a key control where appropriate due diligence checks are essential before a supplier is set up on the ledger.
- Payroll/HR related fraud – change requests to HR regarding employees’ payroll bank details should be validated and not just completed based on email communication or phone numbers given in the email requesting the change.
- Internal fraud – as more people work remotely and staff members are being furloughed, segregation of duties requires careful consideration. The situation gives rise to a risk of internal fraud around payments and financial reporting, or of failure to spot an external fraud attempt.
- Courier fraud – as more people self-isolate, fraudsters will carry out courier fraud by cold calling the organisation, purporting to be a bank to gain their trust. The ultimate aim of this call is to trick the organisation into handing over money or their bank details. Raising awareness about fraud instances and reinforcing protocols about unsolicited calls is vital.
- Remote working and IT security fraud – fraudsters may capitalise on slow networks and IT problems caused by the increased numbers working from home, to commit computer software service fraud. Be wary of cold calls or unsolicited emails offering you help with your organisation’s devices or to fix a problem.
- Phishing fraud – these scams attempt to trick people into opening malicious attachments, which could lead to fraudsters stealing an organisation’s sensitive information, email logins and passwords, and banking details.
- Impersonation of HMRC or other regulators – there have been several instances where fraudsters are impersonating regulators. Organisations should be vigilant and contact regulators using contact information available in the public domain or a reliable source.
Here are 6 simple steps for organisations to take preventative measures against fraud scams:
- Provide guidelines to reinforce your existing policy and procedures and raise awareness over fraud matters.
- Monitor the current situation and keep up to speed with common fraud themes and alerts given by Action Fraud.
- Contact your bank immediately if you think you’ve fallen for a scam. Your bank will NEVER ask you to transfer money or move it to a 'safe' account.
- Implement additional verification checks and procedures before making changes to standing data, i.e. supplier bank details or employee bank details.
- Implement additional verification checks and procedures before making any payments, for example making use of video conferencing facilities.
- Report all fraud instances to Action Fraud.
If you wish to discuss the above article and/or any other COVID-19 related initiatives, you can contact haysmacintyre via email: CV19@haysmacintyre.com.
This article was originally featured on the haysmacintyre website.