Guest blog: Martin Robinson, CIA, CFIIA, QiCA

COVID-19 presents yet another opportunity for scammers and professional fraudsters – how can business and internal audit help reduce the risk and impact?

Sadly, as soon as there is any crisis or disaster the fraudsters, hackers and scammers manage to react at an alarming pace. While society is trying to cope these criminals care only for their personal gain and do not care about any harm or damage they cause.

We all need to be on our guard to watch out for unusual emails, SMS messages and phone calls and be even more suspicious than usual.

Fraudsters appreciate that in times of both financial and emotional stress we all become more trusting and believing than normal.

We need to make sure that all employees are aware of the increased risk of scams and frauds, particularly as remote working might impact the extent of security monitoring and awareness being undertaken by the business.

Criminals fully appreciate that remote working is a great opportunity for them to extract money, data and information from all of us which is then used to perpetrate more focused attacks on businesses.

Some of the latest reported scams impacting individuals and businesses following the virus outbreak include the following:

  • Numerous phishing, vishing, smishing attacks apparently from HMRC, UK Government, banks and telecommunication companies. These could well be expanded in the future to include law enforcement, DWP, Ministry of Housing, Communities and Local Government and utility companies.
  • Various online ‘offers’ which could encourage staff to respond or open, including face masks, hand sanitisers, coronavirus testing and treatment kits etc. Some emails could well contain malware that could be downloaded. This could increase the risk of identity theft with company and personal passwords, contacts and bank details being compromised.
  • Action Fraud has been inundated with complaints about ‘cons’ totalling almost £1m during March 2020 including a medical company that lost £15,000 after it had ordered a batch of face masks from a bogus on-line firm.
  • A well-known internet security company has seen hundreds of thousands of phishing emails in recent weeks coming from eastern Europe Russia, the former Soviet States and Nigeria.
  • Fake online resources, for example, fake coronavirus maps that deliver malware by way of a Trojan which can infiltrate a variety of sensitive data (recently identified by National Trading Standards).
  • An increased number of charity scams aimed at individuals and businesses encouraging donations to fund research or vaccines.

Some tips for businesses

  • All staff should be regularly reminded to maintain awareness of potential frauds and scams and always be ‘on their guard’ for new attempts to infiltrate organisations and compromise or steal valuable information or data.
  • Whenever possible training should be updated to reflect the current published attacks with particular focus on the current crisis.
  • Staff should be encouraged to report any ‘strange’ emails, texts and phone calls which appear out of the ordinary, which may not have been identified by normal monitoring. Even something that appears innocuous could result in a potential attack at a later stage.
  • Warnings should also be provided to staff not to reveal confidential information unless they are totally sure who they are providing it to. Content from government bodies, regulators, service providers should be regarded as potentially suspicious.
  • IT and security teams should be even more vigilant in regularly reviewing suspicious activity reports and identify attacks, particularly those that could emanate from less well protected working from home systems.

Some tips for internal auditors

  • Ensure that your organisation is aware of the current emerging fraud risks.
  • Provide assurance that current policies regarding potentially damaging attacks are constantly reinforced particularly during this period of remote working.
  • Focus on the work of those monitoring suspicious reporting to ensure that their level of alert is maintained.
  • Provide a valuable source of information to your business of the nature and examples of the current reported attacks.
  • Support your business in any way possible to reduce the impact of these risks.

Further reading

National Cyber Security Centre (NCSC) suspicious emails advice

National Cyber Security Centre (NCSC) weekly threat reports

Fraud Advisory Panel – has considerable guidance on frauds and scams and latest updates

UK Government - COVID-19 guidance (Fraud Control in Emergency Management)

Financial Conduct Authority (FCA) guidance on coronavirus scams

National Trading Standards – scam guidance for individuals and smaller businesses

Cybersecurity guidance – many organisations are providing good checklists

Content reviewed: 8 April 2021