Never ones to let sleeping dogs lie, fraudsters are exploiting the global COVID-19 pandemic to trick people and companies into clicking on links and acting on emails or texts that will swindle them out of money.
Both the Federal Bureau of Investigation (FBI) and the email and data protection company Barracuda Networks have claimed a spike in the number of COVID-19-related email attacks.
With isolation legislated across the globe, most companies are forced to close shop indefinitely or redeploy employees to work remotely. However, working from home has the potential to lower the level of control and to increase reliance on staff to be extraordinarily vigilant. So, what can companies do to control fraudulent attempts better?
Keep them out
Ideally, says James Richardson, Head of Market Development Risk & Fraud, Bottomline Technologies, companies need robust fraud-prevention technology in place to catch criminal behaviour. However, he believes that “utopia is not necessarily where companies are today”.
Indeed, Bottomline’s own 2020 Payments Barometer research report, which is due out in June, will reveal that even the largest organisations agree that they should be doing more to mitigate payment fraud. “In the meantime, the most critical thing for firms to focus on is to remain vigilant,” says Richardson. “In such anxious and uncertain times, educating staff and customers about how criminals will attempt to infiltrate their organisations is key. They also need to know not to release payment or private information.”
Preying on human fear, fraudsters are duping users with fictitious emails from the World Health Organisation, the Centers for Disease Control and Prevention and other credible sources, claiming to offer information on the virus. “Don't use a company laptop to open unknown emails, attachments or links that users cannot validate,” warns Richardson.
Cyber-security company Kaspersky recently reported a fake US Centers for Disease Control (CDC) email asking for donations, in the cryptocurrency bitcoin, to develop a vaccine. “Considering this from a cool-headed position, it seems almost laughable,” he comments. “But the email address, message and signature are convincing.” Kaspersky has detected over 500 malware-carrying emails with coronavirus in their title. The advice is for users to hover over links, without clicking on them, to see the real address the link leads to and whether it differs from the link description.
As governments scramble to offer financial support to businesses and individuals during these difficult times, hackers are circling for easy prey. Treasurers can expect to receive phishing emails aimed at gathering company or personal information.
Less applicable to the treasury department, but one to be wary of, is anyone selling products that claim to prevent, treat, diagnose, or cure COVID-19. As companies return to the office, they may wish to offer employees protective gear. If so, only deal with known, trusted suppliers.
Indeed, says Richardson, precautionary measures go beyond email alone. Consider, for a second, how vulnerable mobile devices are compared to a desktop. A treasurer is, for example, using a new mobile device to authorise payments. The device comes with a preloaded, out-of-date operating system. “Until installed with the most recent security patches, outdated software is vulnerable to attack,” warns Richardson. “Unless a device has robust access controls, it is susceptible to unauthorised use by anyone who has access to it.”
Treasurers should be alert to the inadvertent installation of applications that include malware, and to data leakage due to poor programming and spyware. Spyware gives fraudsters easy access to disable security safeguards, modify settings, access GPS locations, and forward email correspondence.
Fraud prevention tips
At the best of times, payment fraud prevention is important, but even more so in the coronavirus climate. There are several precautionary measures that companies can take. Richardson offers the following.
Using a Mobile Device Management (MDM) service, organisations can control, monitor and enforce policies on employee devices. Most MDM services work over the internet, allowing devices to be remotely configured and managed wherever they are in the world. This control means staff can work off-premises, securely.
Finance and treasury departments should be vigilant in vetting the people/companies they pay by validating bank details and verifying account ownership for any payment made – especially for new or revised payment requests via phone or email.
Implementing anomaly detection and user behaviour monitoring within payment flows is another sure-fire way to mitigate fraud or human error in payments. Sophisticated systems monitor who is adjusting payment data or processes, alerting companies to unusual behaviour and reducing the subsequent loss due to fraudulent or misdirected payments.
Sadly, organisations may need to cut jobs or reduce staff salaries. Experience has shown that this can create an incentive for fraud among those who are impacted and have access to payment systems, and the risks are higher with remote working.
Advanced statistical machine learning algorithms, coupled with logic, also help companies to analyse payment patterns tuned to a company-specific risk-based approach.
“Tackling potential payment fraud is difficult at the best of times, but even more so during this lockdown,” comments Richardson. “Companies should do all they can to keep fraudsters at bay and that means educating and forewarning, proactively protecting payment transactions, and monitoring employee behaviour.”