By Gregory W. Bangs
The halting of economic activity and the rapid shift to remote work amid the COVID-19 pandemic have hurt businesses in many ways. State-mandated closures, disrupted supply chains, and stressed IT infrastructure are just some causes of loss.
Unfortunately, the crisis has also created opportunities for criminals looking to take advantage of heightened uncertainty. In particular, theft is on the rise, costing companies millions on top of other COVID-related losses.
Here are three types of theft exacerbated by the ongoing pandemic, and how businesses can reduce their exposure to this criminal activity:
I) Illegitimate funds transfer requests perpetrated via business email compromise
Fraudulent fund transfer requests stemming from business email compromise – more commonly known as social engineering scams – have jumped in both frequency and severity. Where losses in the tens or hundreds of thousands were once considered significant, it is not uncommon now to see figures in the millions or tens of millions.
In 2019, the FBI’s Internet Crime Complaint Center (IC3) received 23,775 reports of business email compromise with total losses exceeding $1.7 billion.
Fraudsters are becoming bolder, exploiting “COVID fatigue” among remote workforces.
It’s a scenario many of us are all too familiar with by now: employees working from home are suddenly attempting to juggle a full-time job with childcare and home schooling demands, pets crashing conference calls, checking in on elderly parents – all while coping with the stress and uncertainty created by the pandemic.
Mistakes are inevitable in this environment, and internal fraud detection protocols may suffer. Maybe an employee who normally pores over vendor invoices begins to approve them automatically, without checking inventory. Maybe checks and balances in place to authenticate transfer requests are bypassed. Maybe red flags that signal a potential phishing attempt go unnoticed.
So, when a scammer posing as a vendor emails new bank account information and asks that all future payments be routed there instead, the recipient is more likely to miss the discrepancies in the sender’s email address, format and style, and less likely to verify its legitimacy.
Unfortunately, the mistake is typically not discovered until the true vendor reaches out to ask why it hasn’t been paid.
II) Unauthorized transfers and route changes perpetrated via computer fraud
Internet-savvy thieves have also taken advantage of relaxed risk management practices to find openings for infiltration. By hacking into a company’s internal networks, perpetrators can initiate fraudulent transfers themselves without having to fool an employee with a convincing email, or redirect entire shipments of goods directly into their waiting hands.
The Austin Business Journal reported that some hackers have used stolen consumer information to break into online shoppers’ accounts and reroute grocery deliveries to their own homes. Retailers and distributors are susceptible to the same type of theft, but on a larger scale.
With the holiday season approaching, expect this type of theft to become more prominent as more goods make their way around the country. With a larger number of deliveries in progress, hackers may have an easier time rerouting shipments without detection.
This exposure has also been exacerbated by the rapid shift to remote work. Companies lacking secure platforms and VPNs make easy targets for hackers, especially if workers are relying on their personal devices and home Wi-Fi networks.
Some scammers have even tapped into the fear and anxiety associated with this unanticipated move by posing as expert cyber security consultants, pitching software that secures work-from-home environments… but is of course embedded with bugs and backdoors.
Once a cyber thief gains access to internal systems, he or she can quickly learn company processes and protocols well enough to manipulate or imitate them, perpetrating fraudulent payments or shipping instructions without setting off alarms.
III) Break-ins and burglaries of vacant properties
When brick-and-mortar stores initially shut down in March and April, most business owners were forced to leave their inventory on site, protected by locked doors and windows, a security camera, and not much else while they figured out whether and where to move their product. In the meantime, these properties became low-hanging fruit for opportunistic thieves.
Burglary of vacant commercial properties has risen mostly in metropolitan areas. Both San Francisco and New York City reported a 42% increase in burglaries between January and June of 2020 compared to the same period in 2019. Philadelphia reported a 134% increase over the same period. In Seattle, some commercial districts saw 30% to 40% more burglaries in March and April compared to last year.
Because lockdown mandates were passed so quickly, most business owners didn’t have a chance to arrange stronger protection for their location, whether that meant installing an alarm system or contracting a security service. And because no one was certain how long the stay-at-home orders would last, many also wondered whether such measures would be worth the cost.
How to reduce your risk
While theft might be growing more prevalent during the pandemic, it is not a new risk. Minimizing your exposure is all about going back to basics.
Reiterate internal fraud prevention controls
Any employee receiving wire transfer or change of account information requests via email should call back the sender directly to verify the request — using the contact information on file, not what’s provided in the email.
It’s a quick and easy way to weed out fraud that could stop social engineering in its tracks if every employee stuck to protocol. In the midst of these stressful times, though, employers may need to send additional reminders and continually reinforce the importance of this practice to combat the effects of fatigue.
Strengthen cyber security defenses to keep hackers out
Use company VPN or VoIP systems rather than home wireless networks and cloud-based communication platforms, which may not be private or secure. Require two-factor authentication to log in to any company system. Run software updates as scheduled to ensure security bugs get patched. Continually remind employees not to seek their own workarounds to IT issues by downloading unapproved software or platforms.
And, if you need a cyber security consultant to help establish safer infrastructure in the work-from-home environment, make sure to vet them appropriately. Utilize insurer-recommended vendors to ensure a firm is not only legitimate, but skillful.
Invest in premises security systems
Though lockdowns have been lifted and most stores re-opened, albeit with reduced traffic, there is a chance that closures could become necessary again as new coronavirus infections are expected to surge through the fall and winter. Now is the time to install lighting and cameras around your property, which go a long way in deterring potential thieves.
Move inventory out of sight and make sure doors and windows are alarmed once the property is closed. You may consider hiring a security guard to patrol the property at night.
Know your coverage
Some companies think of theft through business email compromise or infiltration of internal systems as cyber losses and mistakenly believe that a cyber policy will cover them. But there are clear distinctions between what cyber policies and crime policies address.
Crime policies are intended to cover theft of tangible assets like money, securities or property, whereas cyber policies protect against loss or theft of data. Cyber policies may have very small extensions for business email compromise losses, but they are often very limited. Only a crime policy is 100% dedicated to covering losses from theft or social engineering fraud.
Given that it is very difficult to track down or recover stolen funds once a fraud has been uncovered, a crime policy is imperative for full recovery.
Gregory W. Bangs is senior vice president, crime regional leader for North America at AXA XL, a division of AXA. Over the last 30 years, he’s been underwriting insurance and developing new products in the U.S., UK, Hong Kong and France.