COVID-19 is affecting all areas of our lives. Unfortunately, cyber criminals are eager to prey on people during this stressful and unpredictable time. Scammers are targeting businesses and individuals through a variety of scams that range from health to technology. Government programs that have gone into place for COVID-19 relief are ripe for fraudsters to utilize for their own purposes.
Some of their scams may not be entirely new. “I’m concerned about criminals leveraging COVID-19 to tweak existing business email compromise and malware schemes,” says Dan Kautz, vice president of product risk & controls at U.S. Bank.
Here are some tips to protect yourself and your employees from scams relating to COVID-19.
“Education is paramount during these unprecedented times,” says Brett Frederick, director of enterprise fraud risk management at U.S. Bank. “Make sure your workforce understands the risks related to business changes due to the pandemic.”
It’s important to have a strong security and fraud awareness culture embedded within the company. Many employees may be working at home for the first time, which means their routines will be different in many ways. Make sure fraud protection is part of everyone’s daily routine. Get back to the basics and reinforce how your company can safely manage day-to-day operations.
“I get concerned when there are more people working from home,” says Kautz. “You lose the security of the traditional business environment. There is the potential for unauthorized parties to see confidential information within the home. Home employees might also operate in a less secure fashion than they would in an office environment. I would encourage home employees to have a secure working area to keep prying eyes off sensitive information. Businesses should have an established set of remote working rules for their employees.”
Make sure redundant approval processes are in place to guard against fraud, whether for money movement or for those who manage your financial statements, says Frederick. The right people, and their approvers, should have their eyes on your company’s transactions and financials.
Business email compromise (BEC) scams target domestic and foreign businesses that regularly perform payment transfers. This continues to be a big fraud threat for organizations. BEC hasn’t been used exclusively with COVID-19, but Kautz is concerned that fraudsters are going to leverage COVID-19 to their advantage. The financial stresses of both your company and your customers or vendors can create opportunities for scammers to give a sense of urgency that results in skipped processes and fraud.
“Unfortunately, fraudsters are wonderful salespeople,” says Frederick. “They administer techniques to make you feel comfortable and divulge valuable information that you don’t even realize you’re providing them.”
Scams relating to impersonating company leaders are big due to the current environment. If someone is trying to pose as your company’s CEO or CFO, they will generally send an email. Pay close attention to small details. Perhaps the email address is slightly different by one letter or the language in the email seems odd. A sense of urgency should also raise alarm bells. Kautz has seen a lot of schemes where a fraudster poses as a CFO and requests an urgent money transfer. The employee is told to keep it confidential. This can prevent the employee from seeking validation because they feel like an authority figure is telling them to move money now. If this is the case, call the person directly to verify the request is legitimate.
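The warning signs described above (a sender address that is off by one letter, urgency, a request for confidentiality) can also be checked automatically before a message reaches the person who moves money. The following Python is an added example, not U.S. Bank's tooling; the trusted domain, keyword lists and sample message are constructed assumptions.

```python
import re

# Assumptions for this example: the company's real mail domain and keyword lists.
TRUSTED_DOMAINS = {"example-corp.com"}
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|today)\b", re.I)
SECRECY = re.compile(r"\b(confidential|keep (this|it) quiet|do not (tell|share|discuss))\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|account change)\b", re.I)

def edit_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, prev2[j - 2] + 1)  # two adjacent letters swapped
            cur.append(cost)
        prev2, prev = prev, cur
    return prev[-1]

def review_email(sender, body):
    """Return the warning signs found in one message."""
    domain = sender.rsplit("@", 1)[-1].lower()
    flags = []
    if domain not in TRUSTED_DOMAINS:
        for good in sorted(TRUSTED_DOMAINS):
            if edit_distance(domain, good) <= 1:  # "different by one letter"
                flags.append(f"lookalike-domain:{good}")
    for name, pattern in (("urgency", URGENCY), ("secrecy", SECRECY),
                          ("payment-request", PAYMENT)):
        if pattern.search(body):
            flags.append(name)
    return flags

def hold_for_callback(flags):
    """True when the request should wait for a phone call to a known number."""
    lookalike = any(f.startswith("lookalike-domain") for f in flags)
    pressure = "urgency" in flags or "secrecy" in flags
    return lookalike or ("payment-request" in flags and pressure)

# Constructed sample message: note the digit 1 in place of the letter l.
SAMPLE = ("cfo@examp1e-corp.com",
          "This is urgent. Please wire $48,000 today and keep it confidential.")

if __name__ == "__main__":
    found = review_email(*SAMPLE)
    print(found, "hold:", hold_for_callback(found))
```

A flagged message is a prompt to call the supposed sender directly, not a verdict; a clean result does not replace that call for payment changes.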
“Think twice before you send something even if it’s urgent,” says Kautz. “Take prudent steps to make sure you’re not introducing risk into the process.”
A fraudster may also contact employees while pretending to be someone from IT, trying to get them to divulge personal or confidential information or to click on links that could introduce malware into their systems. The best line of defense against fraudsters is to keep the enemy outside the gate. Practice the same security measures you would in the office and keep the same protocols in place from an IT and information security perspective. Always use strong firewalls and a secure VPN to help keep out malware and other compromises. Prohibit forwarding business emails, especially those with confidential information, to personal email accounts, as there could be hackers lurking without you even knowing.
It’s important to know how your company normally processes money movement requests. That way, you can be on alert if something seems off. “Look at anything that has to do with a payment request, whether it’s account changes or money movement, as a potential threat,” says Kautz.
Now is the time to be on top of payment fraud prevention. Validate payment request changes using known source information. Don’t reply to the email or use the phone number in the email signature. Call the company and ask if the payment changes are valid. Even if the request is urgent, have another pair of trusted eyes take a look.
Verifying transactions and changes can be challenging at a time when employees may be using cell phones. One practice that can help is making callbacks to the employee’s office number with instructions regarding verification. The fraudster will not be accessing the company voicemail, and you can avoid the trap of verifying with a fraudulent number.
Another major concern is the scams associated with government programs that have gone into place with COVID-19 relief, such as the personal $1,200 government checks and the Paycheck Protection Program (PPP) loans. “With the government programs coming out, there could be some gaps that allow fraudsters to take advantage of the system and trick our customers into giving them information or a payment,” says Kautz. The biggest tip here is to make sure payment instructions are verified.
Kautz is also concerned about communications coming out from financial institutions. For example, there may be fake communications from financial institutions stating “We care about you. Click on this link, and we’ll give you some more advice on how to handle COVID-19.” That link could be malware used for nefarious purposes.
Here are some more tips to keep your organization safe from BEC.
Make sure standard operating procedures are as seamless as possible. Have redundant processes in place for approvals and be clear about the segregation of duties or if they have changed.
Have frequent communication with employees about expectations and issues happening at the company. It’s important to try and keep employees and management connected despite the fact that they are not all together in the same office. This helps employees remain integrated and aware of issues that are coming up, says Kautz.
“These are challenging times for everybody,” says Frederick. “Due to the economically difficult times, companies are focused on keeping their businesses moving forward. Make sure you are frequently checking in on the health of your employees. If they are healthy from a mental well-being perspective, they will be more focused and productive throughout this unprecedented time.”