The only things that never change when it comes to fraud are that it exists and the tactics behind it will always be evolving. The COVID-19 pandemic, which has upended countless lives and closed down offices across the world, is presenting new opportunities for fraudsters. One major threat is with business payments, where criminals have adopted new interception strategies that businesses must be aware of.
Fraudsters have significantly expanded phishing campaigns to include COVID-19 messaging. This preys on a person’s desire for information about the virus and the difficulty of figuring out whether a piece of information is fraudulent or credible. In April, the Federal Trade Commission Consumer Division and the FBI distributed 30 alerts and press releases, many of which were directly related to COVID-19 fraud.
In the simplest form of phishing, a user clicks a link to see a purported COVID-19 update and is prompted for a username and password to view it. If they fall for the phishing attempt, those credentials are used to compromise their email account, often leading to a string of further compromises: password resets, bank account takeovers and fraudulent payments. These account takeovers can be harder to detect and investigate because so many people are now working from home. Getting in contact with business customers who are not sitting in front of their business phone, and whose email may be compromised, can be challenging and problematic.
Cybersecurity expert Brian Krebs reported that coronavirus-related malware packages were being sold on several Russian cybercrime forums as of late February. These “coronavirus infection kits” were disguised as real-time infection maps developed by researchers at Johns Hopkins University. Those maps do exist, which makes this one of many examples where fraudsters are impersonating a large, reputable institution to gain trust. A good rule of thumb in these times is to go straight to the source through Google, or navigate directly to a reputable website, rather than clicking a download link on social media or from an email.
Fraudsters are also falsely claiming to have Personal Protective Equipment (PPE) and other COVID-19-related items that are in high demand. The criminals pressure targets to pay before delivery, and the goods never materialize. This makes it more important than ever for accounts payable (AP) and procurement departments to maintain strict due diligence processes for vendors. For example, independent research on a new vendor selling hard-to-find cleaning supplies or PPE should be a mandatory step.
The absence of information on a vendor or a vendor with information on a recently created website domain are both significant red flags. The aforementioned FBI and the Federal Trade Commission briefings on scams have advised caution on any new and unfamiliar sellers initiating first contact via phone or personal email.
The Association of Certified Fraud Examiners published a recent article indicating that more than 4,000 website domains containing words like “corona” or “COVID” have been registered since the beginning of this year. In all, 8% of those domains were flagged as malicious or suspicious, making those domains 50% more likely to be malicious than any other domain registered over that same timespan. If you are navigating to a domain to purchase goods or dealing with an email using COVID-19 in any capacity, you should immediately question the legitimacy of the interaction.
It’s not all doom and gloom for business payments and operations, but it is time for policy enhancements and hyper-vigilance around transactions, which will set businesses up with the right tools to protect themselves. Being proactive rather than reactive is central to a good strategy, which means blocking fraudsters during the new vendor vetting process, before a payment is sent. One step organizations can take is adding a layer of approval to the new vendor process.
An important example, unfortunately, is with payments to charities and non-profit organizations. Many businesses are supporting their communities in this tough time and are making charitable donations, but they are also being solicited for donations by fraudsters. These criminals have left no stone unturned in this crisis and have created fake charities and websites that appear to be legitimate when they simply aren’t. Websites such as the National Association of State Charity Officials and Guidestar.org are good places to verify the legitimacy of a charity. Combining a web search for the business or charity name with the words “fraud” or “scam” is also a good way to uncover any negative news.
Change management processes, especially those involving bank account updates, are something AP departments should pay special attention to as well. Due to an increase in successful phishing activity, more vendor emails are going to be compromised by fraudsters aiming to conduct Business Email Account Compromise scams. These scams seek to misroute payments by socially engineering beneficiary account updates.
Callbacks are very important in this type of process to verify the activity. They can prove more challenging when the vendor’s Accounts Receivable team is working at home using personal cell phones. One way to surface red flags for potential fraud in these instances is to pay close attention to area codes and ensure they match the vendor’s reputed business location. Another step is adding a quick security question to the call about a past payment or invoice, to obtain an additional point of contact or piece of information that only your real vendor would know.
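The callback controls described above, written as a check an AP team could script; this is an added example, not code from the article or from Bottomline, and the area-code table, vendor record and change request are constructed sample data.

```python
from dataclasses import dataclass

# Constructed, illustrative area-code table: real codes, but only a few entries.
AREA_CODE_STATE = {"603": "NH", "617": "MA", "212": "NY", "702": "NV"}

@dataclass
class VendorRecord:
    name: str
    state: str            # state of the business address captured at onboarding
    phone_on_file: str    # callback number captured at onboarding, never from an email
    invoices: dict        # invoice number -> amount paid, used for challenge questions

@dataclass
class ChangeRequest:
    vendor: str
    new_account: str
    contact_phone: str    # number supplied in the request itself (untrusted)

def area_code(phone: str) -> str:
    """Extract the three-digit area code from a North American number."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return digits[-10:-7]          # ignore any leading country code

def verify_change(vendor, request, callback_phone, invoice_no, stated_amount):
    """Apply the callback controls; return (approved, list of findings).

    callback_phone is the number AP actually dialled; invoice_no/stated_amount
    is the vendor contact's answer to the challenge question on a past invoice.
    """
    findings = []
    # 1. The callback must go to the number on file, not the one in the request.
    if callback_phone != vendor.phone_on_file:
        findings.append("callback placed to a number not on file")
    # 2. The contact number's area code should match the vendor's location;
    #    a mismatch is a red flag to escalate, since staff may be on home cells.
    state = AREA_CODE_STATE.get(area_code(request.contact_phone))
    if state != vendor.state:
        findings.append(f"contact number area code maps to {state}, vendor is in {vendor.state}")
    # 3. Challenge question: a past invoice amount only the real vendor knows.
    if vendor.invoices.get(invoice_no) != stated_amount:
        findings.append("challenge question on past invoice not answered correctly")
    return (not findings, findings)

# Constructed sample: a vendor in NH and a change request quoting a NV number.
ACME = VendorRecord("Acme Supply", "NH", "603-555-0100", {"INV-1041": 4825.00})
REQUEST = ChangeRequest("Acme Supply", "9988776655", "(702) 555-0199")
```

Any non-empty findings list means the account update stays on hold until a human resolves each item.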
Banks and financial institutions are also feeling the impact of these phishing attempts. For a bank, these schemes let fraudsters access bank accounts and initiate payments from those accounts. Behavioral analytics, obtained by analyzing IP addresses and known devices, are key to this effort. Multi-factor authentication is critical to shut down fraudsters who have basic information but cannot answer detailed, personal questions. It’s important to provide proactive communication to customers and vendors about social engineering. Let them know that if they are asked to provide codes or passwords, they should take extra steps to maintain a strong security posture in this time of new, unprecedented threats.
Fraud will be here long after the COVID-19 pandemic is under control. With traditional workplaces and payment security practices upended now and uncertain in the future, it’s the right time for businesses to invest capital and time in protecting themselves. Payers, vendors, suppliers, charities, banks and people in general are all in the same boat during this crisis. We’re all navigating the risk of payment fraud. Remember to be understanding and reasonable, and add layers of protection to riskier areas of the business such as AP and AR.
If you’re the one making changes to information, understand that you might be asked to provide extra information because someone else is just being proactive, so no one has to be reactive later.
By Chris Gerda, Risk & Fraud Prevention Officer at Bottomline Technologies