As COVID-19 has spread beyond China, capturing news headlines and shaking financial markets, companies have put together action plans to address the impact of the epidemic on their business — focusing on areas ranging from supply chain management to employee safety. Recently, the U.S. Center for Disease Control confirmed that, as many companies had forecasted, the virus reached U.S. shores, causing additional business and market disruption (try to find hand sanitizer or an N95-rated mask at the local grocery store).
Companies with effective risk management processes are making preparations to address how the virus will impact their business ecosystem. But corporate leaders aren’t the only ones making preparations. Global criminal organizations continually scour the news for potential fraud schemes. Fear and confusion create a climate ripe for fraud. And global companies with deep pockets are prime targets.
Here are some potential schemes company leaders and risk management executives should prepare for.
Corporate IT systems/Electronic intrusion, compromise
Executives should be on the lookout for communications (e.g., emails or texts) that seek to dupe employees and contain phishing or exploitation content. The communication may say something about COVID-19 and then request employees to take specific actions.
Here are some examples:
- “Your office location is closed, please remote in today (see hyperlink).”
- “Because of COVID-19, payroll is making adjustments, and we need to update account information (see hyperlink).”
- “All employees are asked to sign in (see hyperlink) and update their wellness status.”
- “Relief donations are being solicited (see hyperlink).”
There are endless variations of this low-tech phishing effort, but the result is the same: leverage news media and employee awareness of the virus and insert the fraud scheme into the company’s effort to remediate the impact on the company. The result of this exercise is collecting useful data from the employee that can be used for fraudulent purposes (personal identification information, account details, and other sensitive corporate data).
Sophisticated criminals may use social media platforms such as LinkedIn or Facebook to add social engineering elements to the scheme. They may know who employees are “connected” with and what type of things they post about. Enter a random employee in LinkedIn, and the site also pulls up other LinkedIn users commonly viewed by whoever looked at the employee. All of this data may be useful for fraudsters.
Fear creates supply shortages. In Houston last week, stores were selling out of water and hand sanitizer. If you want an N95-rated mask, forget it. Criminals will see another opportunity here to step in with counterfeit or defective products. Potential fake products include safety masks, vaccines, safety, prevention and detection products, and cleaning or sanitation products.
This effort can target victims within and outside a company, but company employees should be aware that when there are supply shortages or crises, criminal organizations will try to sell counterfeit items that at best may be ineffective, or at worst, harmful to use.
Fake charity schemes may come in the form of a phishing scheme or a more sophisticated fake charity operation with efforts targeting employees and soliciting donations for sick employees, family members, or other victims in different countries. Anytime there is a crisis, fraudulent charities immediately spring into action.
Platform consumer fraud risk
If your business serves as a platform for consumers that may be victimized by COVID-19-related fraud schemes, the U.S. government scrutinizes companies that have benefitted from fraud schemes — asking about their controls and compliance processes to prevent fraud and mitigate known risks. Any company with consumer risk should have a consumer fraud compliance program to address the risks. COVID-19 will provide a different narrative for criminals to perpetrate fraud across different platforms. Companies with this core risk to their business should assess their existing controls and whether the COVID-19 narrative enhances their risk (and, if so, how they can mitigate this enhanced risk).
The threats to companies posed by criminal organizations have not changed in the past few decades. Criminals have responded to globalization and digitization with different schemes that leverage the tools companies use to operate (e.g., communication platforms, global financial intuitions), but the goal has always been to take as much money from corporate victims as they can. The challenge for good corporate governance and the leadership team is to educate employees on this risk and develop good governance and compliance frameworks to protect the business and its stakeholders.
For more stories like this, including how insurance coverage may apply for businesses with coronavirus-related losses, please visit our Instant Insights page, “The coronavirus and its impact.”
Ryan McConnell and Matthew Boyden are lawyers at R. McConnell Group, a compliance and investigations/criminal defense boutique law firm in Houston, Texas. McConnell and Boyden are also both former federal prosecutors with a collective experience that includes thousands of complex white-collar investigations. Send column ideas to [email protected].