Date posted: 24/07/2020 5 min read

How to repel a COVID-19 spike in cyber threats

With more people working at home, businesses risk greater exposure to fraud and cybercrime.

In Brief

  • Businesses with weak internal controls or inadequate accounting policies are most at risk of cyber fraud.
  • Online scammers frequently use hacked email accounts to catch businesses out.
  • More people working offsite as a result of COVID-19 is increasing the risk of cybercrime for businesses.

By Stuart Ridley

Fraud is a horribly opportunistic crime because it involves people exploiting trust to take advantage of a business. And businesses with weak internal controls or inadequate accounting policies are most at risk.

“The biggest fraud risk you’ve got is people inside the business,” explains Andrew Tragardh, barrister and managing director at fraud investigation firm Duxton Hill.

“With more people working at home some businesses haven’t had the same checks and balances for multi-person authentication of transactions.”

“With more people working at home some businesses haven’t had the same checks and balances for multi-person authentication of transactions.”
Andrew Tragardh

“So, we’re seeing a spike in threats within businesses on two levels: the rogue employee who is misappropriating company funds and the naïve employee who makes mistakes because they don’t have their antenna up for scams.”

Big transactions need multi-factor authentication

Even before the pandemic, some fraud cases investigated by Tragardh revealed astoundingly simply errors of judgment. He recalls a business with two partners who authorised payments with individual security tokens. Both tokens were given to the bookkeeper when the partners retired.

The bookkeeper then exploited the opportunity to commit multimillion-dollar fraud that likely wouldn’t have happened if at least one of the security tokens was held by another person in the business.

Similarly, online scammers frequently use hacked email accounts to catch businesses out by changing key details during the transaction process.

“If a scammer has infiltrated someone’s email they’ll say: ‘We’ve changed the account, please call this number to verify’ and hope the recipient can’t be bothered to check they have the right number,” warns Robyn McKern CA, founding partner and forensic and advisory specialist at McGrathNichol.

“You should never make large payments without calling the parties involved to confirm the details are correct anyway. And before you make those calls, also go back to your own records to check you have the right numbers. Or make a video call to confirm you’re dealing with the right person.”

Security might not be convenient – but it’s necessary

Although many firms had strict policies for remote access to their systems pre-COVID-19, some of the best-intentioned plans seemed to go out the window when everyone suddenly had to work from home.

“In the rush to be effective and get things done it’s easy to overlook how vulnerable you might be,” cautions McKern.

She points to the rapid adoption of video-conferencing tools with built-in file sharing as an example of businesses opening themselves to more risk if they don’t also adopt strict new security rules for video tools when working off-site.

She suggests businesses should always check the security controls first, and in some cases the business will need to prevent employees from sharing data or files within the tool as an extra security measure.

“Information and money have value, so you need to protect them both. Really look at your risk profile and what is of value to the business,” says McKern, noting that while technical safeguards are essential, so too is a culture of risk awareness.

“A lot of successful frauds go into a grooming or social engineering modus operandi, which rely on catching people with their guards down. Be more vigilant than ever about following strict security rules – even or especially if they feel inconvenient.”

“Be more vigilant than ever about following strict security rules – even or especially if they feel inconvenient.”
Robyn McKern CA

What a business can do if it’s a victim of fraud

It’s human nature to express intense emotions when attacked, but if an owner discovers the business has been scammed, those feelings can muddy decision-making, warns Tragardh. Here’s the action sequence he advises businesses follow:

1. Don’t call the police first – “The job of the police is to secure a conviction, not to get your money back.” The ‘How to Report Fraud’ advice on the WA Police Force website, for example, confirms this: “Criminal law is not about recovering money for the victim. If your sole desire is to recover money, then you should commence civil proceedings.”

2. Engage a fraud investigator but keep it quiet – “Our job is to get the money back, so the worst thing you can do is let the fraudster know they’re under investigation. Don’t be an amateur sleuth. You need to quickly get forensic accountants to look at the business’s transactions, and if the scammer is an employee, we’ll covertly look at computers when they’re not at work and start surveillance.

3. Notify the business’s insurer – “If there is evidence of fraud – not just a mere suspicion of fraud – and the business has fraud insurance, immediately notify the insurer.”

4. Start civil proceedings and get a freezing order – “We need to start civil proceedings quickly to help prevent further losses. When we have enough material to bring a case to court, we’ll immediately get a freezing order for the amount of the claim to lock down the assets of the defendants. Critically, it also gives us time to find out precisely what assets the defendant has, which the police can’t do.”

5. Get a search order – “It’s almost like a police search warrant and it’s a critical step because it allows us to go into business and private premises and take images (copies of data) from all electronic devices to secure the evidence. It helps stop a rogue from destroying evidence.”

6. Go deeper with IT and accounting forensics – “Forensic investigations trace where money has been transferred, including purchases of property and cryptocurrency, or payments to bank accounts. We can also subpoena banks to stop the misappropriated money disappearing.”

7. Prosecute – “If the business acted swiftly, you’ve got the evidence, locked down the assets and it’s game over. These cases tend not to take years if they’re brought swiftly. Remember, focus on getting the money back first.”

Read more:

Reporting and fraud risk arising from COVID-19

Find out more

Facing the new frontier: How tech is changing the way fraud is detected and prevented

Find out more

The reasons why CAs are investigated

Find out more