Fighting Fraud in a Post COVID-19 Business Environment

By Trever E. Campbell, Partner

Fraud alert

The economy is ramping back up, businesses are hiring, and people are starting to socialize again in public. There are lots of reason to be optimistic right now, and hopefully you are. However, there is another virus in our society that did not feel the pain of the COVID-19 pandemic. Throughout the last year and a half this menace has been busier than ever, and as things open back up, they are hoping that the good times will continue to roll. Unfortunately, I am referring to fraud.

Fraudsters thrive on the abnormal. Changes to our routines, whether positive or negative, all present new opportunities for fraud to occur in our businesses and lives. According to a recent poll conducted by the ACFE (Association of Certified Fraud Examiners), out of 1,700 respondents, 92% expect a significant increase in fraud during this coming year. Below are three fraud schemes to look out for as we recover from COVID-19, along with five ways you can combat them and turn the tables on fraudsters targeting you and your business.

Three Fraud Schemes to Look Out For

  1. Cyberfraud – We have already seen some highly publicized cases of ransomware occurring in 2021 (i.e., the Colonial Pipeline gas shortage). To avoid ransomware, you should be on alert for things like increased email phishing attacks. Understand that mobile devices are not exempt from these risks. Fraudulent text messages (smishing) can lead to your phone being taken over and even your phone number being transferred out of your control. Any information stored on your device, including work emails and contacts, can then be used to perpetrate even greater fraud schemes on others. This area of fraud is already at an all-time high and projected to increase 88% in the coming year.
  1. Payment Fraud – Closely related to cyberfraud, payment fraud is one of the most common, and potentially costly, fraud schemes a business can encounter. Some of the most common payment fraud schemes to be aware of include:
    • Wire transfer scams – These types of frauds can range from a few thousand dollars to millions. In most cases businesses must notify their financial institution of a suspected fraudulent ACH within 24 hours in order to have a chance of monetary recovery.
    • Merchant Identity Fraud – Fraudsters will set up a fake company, typically e-commerce, by stealing your business’s identification. Using the fake company (and likely some targeted phishing attacks on your current and potential customers) they can wreak havoc by stealing credit card information, personal data, and making false charges. As soon as the scheme is discovered, they will close up their virtual shop and leave the real company – your company – to deal with the unhappy customer complaints, chargebacks, and fraud reports.
    • Credit card fraud – Many people know that credit cards have some built in fraud protection. What is often not known is that the protection and monetary recovery is typically much harder for businesses than for individuals. The Fair Credit Billing Act that covers personal credit cards does not automatically cover business cards. Review the terms of your business card agreements to make sure your risk in this area is not unnecessarily high.
  1. Vendor/Seller Fraud – Fraud by vendors and sellers is up 67% in the last year and is expected to increase by another 80% in the coming year. These types of frauds can be perpetrated either internally or externally.
    • Internal – An employee may set up a false vendor within the company’s billing system using a P.O. box or an accomplice’s phone number and address. Alternatively, they could change the information for an old vendor that is already in the system but no longer active. Once the account is established, they can send or divert payments. Often times the payments are below known review thresholds or become so routine that they are not even caught when they are reviewed.
    • External – Duplicate invoicing, overbilling for legitimate goods and services, delivery of lower quality items than what was billed for, rigging bids between two or more vendors, and mark-up of overhead charges and/or agreed-upon service rates are all examples of vendor fraud. Long-term projects frequently lend themselves to this type of abuse. In many cases these types of frauds involve some kind of internal collusion with an employee as well.

Five Ways to Combat Fraud in your Business

  1. Expect more fraud and be more alert – Natural and social disasters (like COVID-19) are prime-time for fraud perpetrators. They know peoples’ guards are down being preoccupied with other issues, and business resources are stretched thin. It is important to not only maintain but try to consciously increase awareness of potential fraud during these times. Any “unusual” or atypical business requests should be approached with increased scrutiny and vigilance.
  1. Invest in anti-fraud programs and activities –
    • Code of Conduct – According to the ACFE’s 2020 Report to the Nations – a global study on occupational fraud and abuse (the Fraud Study) – the number one anti-fraud control to both reduce losses and limit the duration of a fraud is to establish a Code of Conduct for your organization. On average, for small organizations (less than 100 employees) a Code of Conduct only exists 48% of the time. If you do not already have a Code of Conduct written and communicated to your employees, begin that process as soon as possible. Sometimes the easiest solutions can have the greatest effect.
    • Staffing – Budgets are tight for many organizations right now. Whether you have had to lay off some staff, or are just having difficulty with rehiring, you may have people doing more than one job for a period of time. While this may be a business necessity at times, it’s important to know that it also carries financial risk. Segregation of duties is one of the best ways to prevent fraud. If additional staffing is not an option, understand that an increased level of review, likely at the management or owner level, may be needed to compensate. Cross training, job rotation, and forced vacations are among the best ways to limit the duration that a fraud will last, according to the Fraud Study. These are well-proven tools in fighting fraud. They ensure no one person has too much access for too long without proper oversight in an organization.
    • Training – Many staff are willing to help in the fight against fraud but lack the training to understand how. Whether you provide it internally, or through a third-party, there are lots of ways to train staff on how to recognize fraudulent activity in emails, phone calls, protecting assets left in cars (i.e., laptops), etc. The cost of these trainings is typically trivial in comparison to the potential losses that could occur if your business is the victim of a fraud or cyber-attack.
    • Insurance – If you have not looked into it already, consider the cost of fraud insurance for your business. Look at both cyber incident insurance and insurance against management or key staff committing fraud. While not a proactive solution, it may protect you from potentially crippling financial losses or help you recover funds that may otherwise be unrecoverable. This will typically also require you to implement certain internal controls which may be missing but incredibly beneficial to your organization.
    • External consulting and resources – According to the Fraud Study, the second-best way to reduce losses and the third best way to reduce duration of fraud is to implement an internal audit function in your organization. Many small organizations may think this is cost-prohibitive; however, this can be an outsourced activity that can be scaled to fit an organization of any size. Additionally, things like a fraud risk assessment and evaluation/design of better internal controls are proactive ways to protect your organization. These types of consulting services can have an exponential benefit and provide the safeguards that are missing from many businesses. Kernutt Stokes has helped many organizations with all of these types of activities in the past. Please reach out if you ever want to explore if/which options may be of benefit to you.
  1. Fraudulent Emails & Texts (Phishing & Smishing) –
    • Use the phone – If you are not sure if correspondence is legitimate, pick up the phone and call the organization or person directly to confirm. Use a number you already know, not one that is in the email. Never respond only via email, as there is a strong likelihood that your email has been hacked and is not under the control of the person you are trying to reach.
    • Unsolicited communications – Right now you may receive emails looking like they come from the SBA, IRS, or other governmental agencies asking you for information or payments. These organizations will not contact you unsolicited via email or phone. If you think the request may be legitimate, or want to confirm that it is not, navigate to their websites independently to obtain contact information, and follow up that way. Contact your CPA or attorney if you need assistance.
    • Hyperlinks – Beware of links that may imbed hyperlinks to false sites or documents. Hover over a link to see where it will direct you before clicking anything in an email. Make sure you know where the link goes, or do not click on it. If you have an IT department or staff, ask them to vet anything you are even 1% unsure about.
  1. Initiate or confirm – In general, if any organization or person is asking you for information that you did not initiate, you need to confirm that the correspondence is legitimate before you click or proceed. Instruct your employees that they should not “act now and ask for forgiveness later” when dealing with unusual or potentially fraudulent communications as doing so could put the entire organization, and its customers, at risk.
  1. Empower employees – Make sure your employees know that you want and need them to help fight fraud in your organization. The reason many fraudulent disbursements get made are because employees do not want to bother the owner or manager in the organization for fear that they will look lazy or incompetent for asking a “silly” question. Make sure you communicate to them that anything they do or ask in an effort to protect the organization against fraud will never be treated as a dumb or bothersome question. Consider encouraging that participation with praise and rewards, regardless of whether the perceived threat was real or not. The tone you set will be the example employees follow. When it comes to fighting fraud set a tone of proactive transparency.

These are only a few of the potential scenarios you may encounter and some low-hanging fruit in terms of how to combat them. In truth as soon as you stop one fraud scheme, another new one will likely pop up in its place. If something feels strange or wrong, take some time before you respond. Many schemes rely on a false sense of urgency. Just as we are all doing what we can to protect each other’s health, let us also work together to protect each other’s financial safety. Please reach out to Kernutt Stokes if you have questions or want help in protecting your organization against the risks of fraud in a post COVID-19 business environment.