VIEWPOINT: COVID-19 Changed Everything, including Fraud and IT Risks

VIEWPOINT: With the fast-paced evolution of Technology and continuously shifting business landscape, it’s always been a challenge for business leaders to identify and manage the various risk factors that threaten their business, employees, and customers. The methods of fraud and cyberattack have now changed again as businesses quickly pivot to withstand the impacts of COVID-19, […]

Already an Subcriber? Log in

Get Instant Access to This Article

Become a Central New York Business Journal subscriber and get immediate access to all of our subscriber-only content and much more.

VIEWPOINT:

With the fast-paced evolution of Technology and continuously shifting business landscape, it’s always been a challenge for business leaders to identify and manage the various risk factors that threaten their business, employees, and customers. The methods of fraud and cyberattack have now changed again as businesses quickly pivot to withstand the impacts of COVID-19, seek new forms of financial aid, and transition between remote work and offices. 

A survey by the Association of Certified Fraud Examiners conducted following the 2008 recession, found that 80 percent of anti-fraud professionals said they believe fraud levels increase in times of economic distress. A more recent survey by the same organization found that 92 percent of fraud examiners expect to see a further increase in the overall level of fraud during the next year. 

The current environment is ripe with the common factors that align to cause a person to commit fraud: pressure/motive (such as financial hardship), perceived opportunity (less oversight and distracted leadership), and rationalization (the ability to justify the crime to themselves). As these risks continue to increase, there are several emerging types of fraud business leaders should be looking out for, including the following.

Occupational employee fraud: With employees working from home, working in high-pressure environments with less internal controls, increased segregation of duties, and decreased oversight, as well as possible financial pressure on individual employees, instances of occupational fraud are on the rise. This can include fraudulent reporting of standard time and overtime; inappropriate access to business bank accounts, check stock and business credit cards; and skimming of cash receipts/payments, AR write-offs, and bad debt. 

Financial-institution fraud: Under the circumstances created by COVID-19, many businesses have been forced to utilize different channels to obtain necessary funds. As such, these businesses have become more susceptible to new account fraud, identity theft, imposter schemes, and money mule schemes — moving money on behalf of another entity/person due to COVID-19 limitations.

Small Business Administration (SBA) loan fraud: The SBA estimates that, as of July 2020, more than 70 percent of U.S. small businesses have been supported by the Paycheck Protection Program (PPP). With so many businesses working through the program, there are many types of fraud that can occur, including PPP applications with manipulated or fraudulent supporting documentation; PPP applications in different names that contain nearly identical application information and supporting documentation; fake businesses established during the pandemic applying for PPP funds; and loan advances or proceeds deposited into an account, and then immediately withdrawn in cash, wired out, transferred to an investment account or used to purchase luxury assets.

COVID-19-related fraud: There are also types of fraud directly related to the health and safety challenges of COVID-19, including virus and antibody-testing fraud schemes, PPE and hand-sanitizer fraud schemes, and price gouging on standard supplies and inventory.

Cyber fraud: Since COVID-19 took hold in the U.S., the FBI has fielded about 4,000 complaints of cybercrime per day — an increase of 400 percent. These incidents constitute any fraudulent crime which is conducted via a computer or computer data. Criminals use the cyber world to gain access to victims’ personal identity, their online accounts, and their bank accounts.

One way to start the prevention process for all types of fraud is through an assessment asking leadership the following questions: 

• Is ongoing anti-fraud training provided to all employees of the organization? 

• Is an effective fraud reporting mechanism in place? 

• Are fraud-risk assessments performed to proactively identify and mitigate vulnerabilities to internal and external fraud? 

• Are strong anti-fraud controls in place and operating effectively? 

• Does the internal audit department have adequate resources and authority?

In understanding the different types of possible fraud and gaps in current security measures, business leaders can learn to efficiently reduce known risks through both planning and implementation of tools and resources. Fraud prevention starts at the top. Leaders must set the appropriate tone, create a positive work environment, and effectively distribute and communicate a written code of ethics to all employees. Businesses should not underestimate the importance of simple steps like checking employee references, consistently examining bank statements, and having an active fraud hotline.

As it relates to cyber fraud specifically, businesses have a number of administrative and technical control steps they can take to reduce their risk, including conducting employee security-awareness training, ensuring vendors and third-parties are secure through vendor risk management, incident-response planning, updated policies and procedures, internal and external penetration testing, security patching every month, and implementing anti-malware, firewalls, and intrusion prevention on all endpoints to name a few. 

It’s not a matter of if an incident of fraud will occur but when. In that event, business leaders must have a plan in place to react quickly but without panic. Businesses should establish — and consistently re-evaluate and update — an incident-response plan that will allow them to efficiently prepare, detect, contain, investigate, remediate, and debrief in any instance of fraud or cyberattack.

There will always be new ways for fraudsters and cyber-criminals to commit crimes. Businesses should stay alert and aware of existing and emerging threats, implementing all the prevention measures they can and preparing for the worst, so a fraud incident doesn’t cause irreparable damage to the organization.      

Tim Ball is an executive VP in The Bonadio Group’s government compliance and labor division and a certified fraud examiner (or CFE). He provides a wide range of consulting, forensic, and auditing services. John Roman is a practice lead at The Bonadio Group and president and COO of Bonadio’s information risk management and cybersecurity division, FoxPointe Solutions. In his role at FoxPointe, Roman is responsible for all aspects of the operations of a national cybersecurity consultancy.

Tim Ball and John Roman: