Why have fraudsters flourished?
There are more opportunities to attack businesses’ systems.
Fraudsters gaining access to a company’s data and systems can cause significant damage ranging from loss of customers to loss of funds and reputation. Some of the new fraud vulnerabilities that businesses have been grappling with over the last year include those linked to the following:
- many businesses had to scramble to ensure workers had the necessary equipment and access to systems to work remotely, and with these changes came a significant rise in data security risk;
- workers formerly used to operating in comparatively secure office locations were suddenly working at home in huge numbers, with many accessing work data on a range of mobile devices;
- the sudden need for devices also saw some businesses bringing older pooled laptops back into service or even providing employees’ personal devices with system accessibility;
- variations in the levels of encryption and security settings across devices have meant some businesses were wide open to attack; and
- in the struggle to remain operational many businesses also made significant, often hurried changes to their systems, access rights and authorisation processes.
Controls have often not kept pace
The changes made to working practices, operational systems and employee access left some businesses struggling to ensure their control environment kept pace with the new threats. Not all businesses undertook full risk assessments and the normal level of physical supervision and monitoring of staff was also inevitably impacted by home working.
Some businesses have found their existing control and detection procedures are simply no longer fit for purpose.
New opportunities for both internally and externally generated fraud
The internal threat has increased significantly with many more employees provided access to sensitive data, sometimes with less physical or remote supervision. 2020 also saw the amplification of a number of potential incentives for employees to commit fraud including fears of potential redundancy or a pressure to report positive financial results amid the economic downturn. Pay and bonus freezes also left some employees finding it easier to rationalise fraud, especially those feeling disengaged/abandoned after the prolonged period of remote working.
Businesses have also had to cope with a huge spike in the level of externally driven cyber-attacks, with phishing attacks remaining a huge threat. Fraudsters are creating ever more believable emails designed to persuade employees to open an apparently genuine document which in reality installs malware onto their device, leading to data loss or giving the attacker access to the system or the employee’s profile.
Ransomware attacks are still prevalent with commonly targeted businesses including those with weak systems, deep pockets or those holding particularly sensitive data including, despicably, the NHS.
Increasingly businesses are also being targeted by more sophisticated “deepfake” audio attacks, with fraudsters generating fake voice recordings of senior individuals to try to trick employees into authorising fund transfers.
These cyber security threats represented a big enough challenge to businesses in the pre-pandemic world, let alone now when many employees are working at home with broader access to sensitive data on a range of devices and are often working on new or unfamiliar systems rolled out in haste.
Fraud risks as employees’ business and work lives merge
The last year has seen a real blurring of lines between employees’ ‘business’ and ‘personal’ environments and home working has raised a number of wider concerns for many businesses:
- the challenge of ensuring the social media habits of employees are not transferred to their working practices, eg sharing work information on informal platforms like WhatsApp;
- the risk that fraud committed against individual employees in their personal lives can percolate into the business domain, eg
  - ‘careless clicking’ on communications received personally, leading to fraud risk to the business if the device is being used for both work and private use; or
  - employees seeking to recoup their personal losses by committing fraud against their employer; and
- with many employees sharing a home working space with others, enhanced confidentiality risks include safe storage and disposal of sensitive hard copy documentation, safely conducting confidential calls and being mindful of a new generation of ‘listening’ devices such as Alexa.
What do businesses need to focus on to prevent further losses?
No business, no matter how vigilant, can entirely eliminate the risks associated with working from home, but by focussing on the following five core steps businesses can significantly enhance their ability to combat fraud:
1. Carefully assess the new and old fraud risks
- ensure regular business-wide fraud risk assessments are conducted including testing of new systems and vulnerability testing;
- conduct IT/internal audit driven spot testing in targeted risk areas, following up on arising issues; and
- ensure a fraud action plan is in place to enable an effective response to any arising concerns including defined internal roles and pre-approved external advisors (preferably having agreed a call-off agreement so they can start work immediately when necessary).
2. Update systems and procedures to reflect new or enhanced risks
- ensure new systems reflect risks altered by home working including IT security, segregation of duties, confidentiality and supervision protocols; and
- roll out updated policies to staff and reiterate core messaging, including the use of personal devices, minimising the use of hard copy documentation and the use of social media and other informal communication platforms.
3. Focus on employee data access
- make sure the business is fully aware of exactly what devices employees are using and ensure that they are fully encrypted; and
- monitor compliance with IT policies and the use of company laptops and phones, and remain vigilant to red flags represented by, for example, the use of unapproved communication platforms or employees sending work attachments to personal email addresses.
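The red flag named in the last bullet, work attachments sent to personal email addresses, is one that can be checked mechanically from mail-gateway logs. The script below is an added example written for this page, not BDO’s own tooling or guidance; the log format, the sample lines, the corporate domain and the list of webmail domains are all constructed assumptions, and a real gateway export would need its own parser.

```python
"""Added example (not from the original article): flag outbound emails that
carry attachments to personal webmail addresses, including the common case of
an employee mailing files to what looks like their own private account.
Log format, sample lines, domains and file types are constructed for illustration."""
import re
from collections import namedtuple

CORPORATE_DOMAIN = "example-corp.test"   # assumption: the business's own mail domain
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}
SENSITIVE_EXT = (".xlsx", ".docx", ".pdf", ".csv", ".zip")

# Constructed sample log lines in a made-up "key=value" gateway format.
SAMPLE_LOG = """\
2021-03-01T09:14:02Z from=j.smith@example-corp.test to=finance@supplier.test attach=invoice_q1.pdf
2021-03-01T09:20:45Z from=j.smith@example-corp.test to=jsmith88@gmail.com attach=customer_list.xlsx
2021-03-01T10:02:11Z from=a.jones@example-corp.test to=a.jones@example-corp.test attach=notes.docx
2021-03-01T10:30:00Z from=a.jones@example-corp.test to=ajones@outlook.com attach=
2021-03-01T11:05:37Z from=p.patel@example-corp.test to=p.patel@hotmail.com attach=payroll_march.csv,board_pack.zip
2021-03-01T11:40:19Z from=help@vendor.test to=it@example-corp.test attach=patch.zip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) attach=(?P<attach>\S*)$"
)

Finding = namedtuple("Finding", "ts sender rcpt attachments reasons")


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["attach"] = [a for a in rec["attach"].split(",") if a]
    return rec


def local_part(addr):
    return addr.split("@", 1)[0].lower()


def domain(addr):
    return addr.split("@", 1)[1].lower()


def normalise_local(local):
    # Strip dots, digits and underscores so "j.smith" and "jsmith88" compare equal.
    return re.sub(r"[.\d_]", "", local)


def assess(rec):
    """Return the list of reasons a parsed record is a red flag (empty if none)."""
    reasons = []
    if domain(rec["sender"]) != CORPORATE_DOMAIN:
        return reasons            # inbound mail is out of scope for this check
    if not rec["attach"]:
        return reasons            # no attachment, nothing to flag
    if domain(rec["rcpt"]) in PERSONAL_WEBMAIL:
        reasons.append("attachment to personal webmail domain")
        if normalise_local(local_part(rec["sender"])) == normalise_local(local_part(rec["rcpt"])):
            reasons.append("recipient looks like sender's own personal account")
    if reasons and any(a.lower().endswith(SENSITIVE_EXT) for a in rec["attach"]):
        reasons.append("sensitive file type")
    return reasons


def scan(log_text):
    """Scan a block of log text and return a list of Finding records, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = assess(rec)
        if reasons:
            findings.append(Finding(rec["ts"], rec["sender"], rec["rcpt"],
                                    tuple(rec["attach"]), tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.ts, f.sender, "->", f.rcpt, list(f.attachments), "|", "; ".join(f.reasons))
```

Run against the constructed sample, the scan flags two of the six messages: the spreadsheet sent to a Gmail address that mirrors the sender’s name, and the payroll and board-pack files sent to a Hotmail account; the empty-attachment message, the internal copy and the inbound vendor mail are ignored. The findings are a trigger for a conversation with the employee and a review of policy compliance, not proof of fraud, and the webmail list and sensitive-type list should be tuned to the business.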
4. Know who data is being shared with
- ensure the business is fully aware of who they are doing business (and sharing data) with;
- ensure appropriate pre-acceptance due diligence is done on suppliers and external consultants including IT security; and
- carry out checks on key partners’ protocols; after all, if a partner’s systems are weak then the business’s own data could easily be under threat too.
5. Adapt training and set a culture to fit the new world
- ensure employees are provided clear messaging on fraud, updated fraud awareness training and are fully cognisant of the entity’s IT systems and procedures;
- give careful consideration to internal communications and the culture set in the business. Whilst it is important to maintain supervision and vigilance, it is also vital to generate and maintain employee engagement and morale. A motivated, fully engaged team will be much more likely to detect fraud and less likely to commit it themselves.
With the internal and external fraud threat still very much lingering, BDO would urge all businesses to pay sufficient care and attention to the enhanced risks and take a robust stance against fraud.