How COVID-19 left the door open for fraud

Cybercriminals are opportunists. Seeing opportunity, they attack and one of the biggest opportunities to commit fraud is a global pandemic upturning the world in every way possible. The old ways of doing business have been overhauled in an instant; in many cases, the office itself has disappeared. Chaos and confusion have reigned, opening the door for fraud.

Phishing attacks increased by 667 per cent in March alone, as criminals seized their opportunity. As a result, awareness of fraud and privacy has never been more important. “Everything that’s new is going to have a new security angle we hadn’t thought of,” says Dr Eerke Boiten, professor of cybersecurity at Leicester’s De Montfort University. “How that’s going to be exploited is going to be interesting.”

The fault lines are obvious and plentiful, and criminals are scurrying through the cracks. Remote working is one major area ripe to be exploited. More business is being transacted by email and the number of spear phishing attacks is on the rise. One wrong click, or the opening of a suspicious attachment in error, can result in a breach of privacy and the potential for enormous fraud against organisations.

“We’ve seen, and will continue to see, scams and frauds that exploit disruption,” says cybersecurity expert Jessica Barker. Preying on fears, such as messages purporting to be from a firm’s human resources department, informing staff members that a colleague has tested positive for the coronavirus and should click on an attachment outlining procedures, is one way into networks and has already victimised at least one Canadian company.

But there are far greater risks than employees being out of the office, out of sight and therefore out of mind. The gradual return to workplaces worldwide is itself a potential vector for fraud, says Barker, who believes employees could easily field phone calls from scammers pretending to be in-house IT support asking for passwords to get access to systems.

Fake supplier fraud is a risk

The broader economic disruption, with a quarter of UK workers furloughed and tens of millions worldwide unemployed, provides another way to commit fraud. There’s the potential for supplier impersonation stemming from disruption to the norms of business. For example, fraudsters could send emails or make phone calls to companies claiming that the normal contact at a firm has left their job, asking them to change key details, including where they pay invoices.

“The whole point of spear phishing and social engineering is to force people to make quick decisions, possibly by perturbing their normal situation a bit,” says Boiten. “We’re already in that situation, doing unusual things all the time now.” Coupled with the fear of acting quickly to address any issues, and an attempt to catch up on lost business, the opportunity to crack open the door and enter a business’s systems fraudulently has theoretically never been easier.

Fraud statistics

Companies who would ordinarily be in the business of receiving goods and delivering services to others may have to scramble to seek alternative sources for the original product to be able to deliver their services to clients, potentially overlooking due diligence and falling into fraud traps. “Everyone is worried,” says Barker. “This all creates a perfect storm for cybercriminals to seek to exploit.”

It’s not just current staff members being hoodwinked that managers and their IT department need to be wary of. Insider threats are also a real risk, with people within organisations potentially being more likely to cause problems. We know economic uncertainty and unemployment is a driver of increased crime in general and cyber-fraud is no different.

“A lot of people are feeling uncertain, upset and have financial worries. Some may feel it’s unfair their pay is frozen,” says Barker. “All these feelings mean the risk of malicious insiders may be higher.”

Employees seeking sick days

Some may be doing so for personal gain or the ability to take advantage of hesitancy around illnesses. One American employee of a Fortune 500 company told his boss he had tested positive for COVID-19, though he hadn’t been affected by the virus. He supplied a hospital letter he had faked for the purpose.

The company, fearing the worker could have contaminated the workplace, quarantined a plant, advised some of his closest colleagues to self-isolate and spent more than $100,000 to do so. Federal prosecutors charged the man in May with defrauding his employer.

The FBI has also warned businesses to be on the lookout for employees trying to take advantage of the pandemic. The Insurance Fraud Bureau has cautioned insurance fraud is likely because of the economic hardship the coronavirus is wreaking.

Others may be willing to siphon off data from inside and give it to competitors or trade it on illicit online markets. Insider fraud, with a particular focus on the disclosure of internal processes to facilitate fraud, is one of the major concerns raised by the Fraud Advisory Panel, a UK industry body,  alongside phishing emails and the subsequent compromise of business accounts.

Compulsion is often driven by disgruntled employees who feel wronged by businesses, which could be an issue when people are returning to work in a high-stress situation and being asked to do more with less support.

Trying to help employees feel less distant and alone is more vital than ever and making sure they feel willing to come forward if tricked by an outside attacker is crucial. “When people are potentially still working from home, and if they click a link in an email or download something or transfer money, they don’t have a colleague to turn to and ask what to do, so there’s a danger we might not know about incidents,” Barker concludes.