The Remote-Working Risk for Companies: More Scams
WHY YOU SHOULD CARE
Your unprotected work computer might be targeted.
By Matthew Vincent, Tabby Kinder and Kate Beioley
Mass home working as a result of the coronavirus has opened up opportunities for fraudsters to target companies, fueling a sharp rise in attempted scams in recent weeks.
While regulators have been quick to warn about schemes aimed at individuals amid the pandemic — such as financial data “phishing” attempts, or bank payment frauds — the danger to businesses and their investors is equally heightened, say advisers.
With millions of employees now working at home, companies face a higher risk of being defrauded by people from outside their operations, as it is harder to be sure of identities. And remote working can even increase risks without human involvement, according to cybersecurity company ThreatAware. In fact, it estimates that up to 55 percent of business personal computers may be vulnerable to cyberattack as they are now connected to home networks that lack sophisticated protection.
“We’ve already seen bad actors seeking to exploit the panic caused by the pandemic to defraud individuals,” says Charles Delingpole, chief executive of regulation technology provider ComplyAdvantage. “This shouldn’t be unexpected for any financial institution.”
COVID-19-specific fraud reports in the U.K. rose to 396 during March, according to the National Economic Crime Center — a rapid increase on the 105 that had been logged in the six weeks to March 18. Suspected coronavirus scams accounted for 1 in 20 of the potential frauds logged with the Action Fraud reporting center over the month.
Lawyers forecast that the fraud could add millions to companies’ costs and losses as the economic crisis continues.
Graeme Biggar, director of the NECC, says criminals were “adjusting and jumping on the COVID-19 bandwagon as they always do when things develop and new opportunities present themselves.”
“Businesses [that] must conduct otherwise face-to-face business by telephone or video call may find they are vulnerable to impersonation, or ‘spear phishing’ or ‘whaling’ frauds — targeting or impersonating the C-suite,” says David McCluskey, a partner in the corporate crime and fraud unit at law firm Taylor Wessing.
Attempted frauds might involve sending emails purporting to be from senior executives authorizing fund transfers or requesting financial information. One executive at a big U.K. bank has already seen retailers being targeted in an advanced push-payment scam, in which emails instruct them to transfer money to an account supposedly at the Bank of England.
Biggar says that, in some instances, scammers could be pretending to be company suppliers, asking to change their bank details in order to route money to a criminal’s account.
Companies struggling to pay their bills as the coronavirus lockdown hits their income can also fall victim to fake creditors.
“Particular risks arise for businesses which must normally make substantial payments, for example, to landlords,” McCluskey warns. “A business may find itself approached by a person purporting to act on behalf of a landlord, agreeing to a rent deferral in return for a down payment of, say, 10 percent into an account different to the normal rent account.”
Alternatively, fraudsters may seek to use a company fighting for survival to defraud the tax authorities. New customers placing large repeat orders could be scammers who then resell the goods several times without paying the required taxes. In the current climate, desperate business owners would be less likely to check up on unusual requests, McCluskey says.
He is advising finance departments working remotely to take extra steps to ensure the person they are communicating with is who they say they are.
Internal communications, or the absence of them during enforced remote working, pose another fraud risk — from employees themselves. As Nicola Rabson, partner at law firm Linklaters, points out, “Employer systems may not be as sophisticated in detecting poor behavior when large numbers of the workforce are working in a different way to how they would ordinarily, whether that is remotely, more flexibly or in light of changes to their roles due to COVID-19.”
The coronavirus crisis has also thrown up other risks for businesses.
For investors, extra caution is needed around the data that is officially issued by companies. In late March, the Financial Conduct Authority asked London-listed companies to stop publishing preliminary results for two weeks, as trading conditions were changing so rapidly. It then gave them an extra two months to file audited annual accounts. Private companies were granted similar leeway by Companies House. But when accounts do appear, investors — and auditors — should adopt skepticism, says Bob Neate, head of U.K. audit at Mazars.
“Some companies might want to do some old-fashioned ‘big bath’ accounting, where they shove a lot more bad news into this period,” he says. “Some will … use this period to make their numbers look better in the future. There is an accentuated risk … that we, as auditors, must consider.”
Travel and meeting restrictions will mean some numbers cannot be checked at all. Accountancy firm BDO has cautioned that investors could be asked to make costly decisions on information that is intentionally misleading. “Take retailer inventory, where auditors cannot get to warehouses or stores to count stock,” says Scott Knight, head of audit at BDO. “If the company may have to do an equity raise in a few months, you can see how both the incentive and the opportunity for fraud is there.”
OZY partners with the U.K.'s Financial Times to bring you premium analysis and features. © The Financial Times Limited 2020.