Fraud thrives in chaos. The past 18 months revealed new opportunities on massive scales for fraud actors to take advantage of unsuspecting people and businesses. Successful criminal operators will only continue to refine their skills. Don’t wait to boost your defenses until it’s too late.
Any time businesses change the way they operate, fraud actors see opportunities. And, as we all know, the last year-and-a-half was full of opportunities.
The COVID-19 pandemic created a major shift in consumer behavior as well as work arrangements for most people. Cyber-enabled fraud risks like ransomware, business email compromise and account takeovers were all on the rise before 2020, and legions of remote workers have only expanded the attack surface. The pandemic also delivered soft fraud targets in the form of government stimulus funding, which was rolled out urgently and without fully realized fraud controls. Unfortunately, we’re now seeing widespread reports of fraud within the Paycheck Protection Program (PPP), Economic Injury Disaster Loan (EIDL) and unemployment insurance programs.
The impact of these fraud attempts is felt by both the government agencies that provide pandemic stimulus funding and the commercial entities involved in processing those funds.
The Impact of Pandemic-Related Fraud
First, let’s unpack PPP fraud. While the Small Business Administration runs the PPP program, individual banks and lenders are responsible for processing the loan applications. This has put a strain on a variety of institutions to maintain their normal services for their existing customer base while scaling up to handle a massive increase in applications. If that wasn’t already a big enough challenge, the fraud rate in those applications also appears to be much higher than normal. The result is a spike in the number of fraud attempts and, unfortunately, many successful thefts of funds.
Fraud actors are also stealing the benefits received by legitimate applicants. In some cases, these actors use social engineering methods to trick unsuspecting beneficiaries into providing their credentials, allowing the bad actors to abscond with their precious benefit funds. But the impact of fraud doesn’t stop when the act is successful.
Financial institutions also need to deal with the aftereffects of fraudulent activity. Regardless of the scam, fraud actors often need to move funds and launder the proceeds of their crimes. In some cases, this involves using “mule” accounts to pass illicit proceeds through a web of transactions to obscure their true source. Account holders are sometimes complicit in the fraud, but in other cases, they may be unwitting accomplices duped into moving money for reasons that sound legitimate — like sending funds to a pandemic relief charity that they don’t realize is bogus.
An Identity Crisis
One particularly nefarious aspect of these rising fraud scams is the rise in identity crime. Identity theft — stealing the identity of someone else — is a common way criminals can apply for multiple benefits simultaneously, dramatically increasing their payday. Over 20 percent of identity theft victims who contacted the Identity Theft Resource Center in 2020 about a COVID-19-related identity issue indicated that someone stole their stimulus benefit. Nearly a quarter indicated that someone had fraudulently filed for unemployment benefits in their name. Other scams may use synthetic identities — an identity created by combining legitimate credentials like a valid social security number with fake information like a name and address.
Synthetic identity crime can be especially challenging. Since the fraud actor created the identity, they have all the answers to any potential questions. This means they can circumvent fraud controls like knowledge-based authentication or multi-factor authentication codes. These scams often use the legitimate credentials of children who have valid social security numbers but whose names are not yet being used in the banking ecosystem, creating an entire population of unsuspecting victims who often only find out their information has been stolen when they first apply for credit as a young adult. By that point, fraud scams tied to their identity may have been occurring for more than a decade.
The evolving nature of these different types of fraud behaviors represents new threats and new variations on old ones. Banks, retailers, insurance companies, government agencies and organizations of all kinds need to deal with the traditional fraud attempts they have always seen while simultaneously reacting to the new wave of fraud brought on by the pandemic.
More Risks on the Horizon
Worse yet, data indicate more risks are coming down the pike. I believe a new generation of fraud actors whet their appetites on the gateway drug of stimulus program fraud and are now ready to focus their energy on new targets. My firm, Grant Thornton LLP, and the Association of Certified Fraud Examiners (ACFE) recently released a fraud risk benchmarking report that captured some striking data. Specifically, we found that a whopping 71 percent of companies expect fraud to increase over the coming year. The report also revealed several factors that may play an important role in the next wave of fraud. But most importantly, it helped us understand how companies can best prepare for that wave.
Prepare for the “Next Normal” of Fraud
Many companies are either headed back to the office or implementing a hybrid approach to work. But before they do, they would be wise to consider the activities detailed above. Just as importantly, business leaders need to know how to respond to this “next normal” of fraud activity.
Here are some recommendations.
Update Your Fraud Awareness Training
This includes identifying new fraud schemes and red flags — especially for those employees who are no longer working in the office. According to the ACFE, tips to an ethics hotline have historically been the most common way to identify occupational fraud. But as more workers have gone remote, those tips have declined. The likely reason: fewer people are in the office, so fewer people can see questionable behavior in person. In the next normal, we need to teach employees how to identify internal and external fraud threats and promptly report suspect activity, even when operating remotely. Dusting off last year’s anti-fraud training might check the compliance box, but it is woefully inadequate for most organizations in today’s new fraud risk landscape.
Enhance Your Fraud Risk Assessment
Many organizations update their fraud risk assessments on an annual basis, but fraud actors don’t follow a 12-month timetable. Major changes like a merger or acquisition, a new product launch, a new payment channel or entrance to a new market can significantly change your fraud risk. Plus, new procedures such as remote or hybrid work may impact the way existing controls are executed. Some organizations have had to circumvent their controls in order to work remotely or handle unprecedented workloads. In these instances, there may be an increase in residual fraud risk. Be sure to consider how processes are operating in the current environment — not just how they are documented in the policy manual.
Upgrade Your Anti-Fraud Technology
We often think of technology as a solution to a problem. While it can be a tremendous asset, it also requires ongoing monitoring and attention. In fact, our research shows that technological challenges are expected to increase over the course of the next year. In a survey of CFOs just published by Grant Thornton, 64 percent of the leaders surveyed said they will be spending more money on anti-fraud technology in the year ahead. I recommend updating your anti-fraud technology systems and making plans to revise those programs over the coming months as your organization eases into the next normal. Furthermore, you should practice good cyber hygiene by requiring strong passwords with multi-factor authentication, implementing a regular backup and recovery process and maintaining timely antivirus and patching protocols.
Trust the Fundamentals
There is no silver bullet to stop fraud, but there are helpful practices. I strongly recommend revisiting the five pillars provided in the Committee of Sponsoring Organizations (COSO) fraud risk management guidance: governance, risk assessment, controls, investigation and monitoring. When you act according to those pillars, you’ll have a strong anti-fraud program that will help you remain agile within this new fraud landscape.
Lastly, if your organization wants to fully understand the intricacies of fraud prevention, I recommend the Anti-Fraud Playbook published by the ACFE and Grant Thornton. The Playbook is a tangible guide with real-world suggestions for implementing each of the five pillars above.
Armed with this knowledge, your organization can upgrade your fraud risk management program and prepare for the next normal. And when you’re prepared, the risks ahead won’t seem so daunting. You — and your company — can thrive.