Why fraudsters love working from home

The events of 2020 saw many organisations face their most challenging times, yet fraudsters thrived in the same conditions. What made this time of global upheaval such a good year for fraudsters? What do organisations need to focus on now to prevent further fraud losses?

BDO’s Forensic Services team explore the opportunities fraudsters are taking advantage of and highlight where your organisation may be at risk.

Why have fraudsters flourished?

More opportunities to attack organisational systems

Fraudsters gaining access to an organisation’s data and systems can cause significant damage ranging from loss of clients/customers to loss of funds and reputation. Some of the new fraud vulnerabilities that have recently emerged, include:

  • Workers requiring the necessary equipment and system access to work remotely. With these hasty changes came a significant rise in data security risk
  • Workers now working at home in large numbers, with many accessing sensitive organisational data on a range of mobile devices
  • Organisations bringing aged laptops back into service or providing employees’ personal devices with system accessibility, because of the sudden need for devices and a corresponding shortage of hardware availability
  • Variations in the levels of encryption and security across devices leaving organisations vulnerable to a cyber attack
  • Organisations making significant, often hurried, changes to their systems, access rights and authorisation processes as they struggle to remain operational

Controls have often not kept pace

The changes made to working practices, operational systems and employee access left many organisations struggling to ensure their control environment kept pace with the new threats. Industries also had to be flexible in how they operate. The pivot to working from home in this new environment has seen changes to the approach of cyber attacks with a greater focus on uncertain users, as reported in our latest BDO and AusCERT Cyber Security Report.  Attackers were quick to respond to government press releases, providing tailored phishing emails claiming to provide information on government incentives, ranging from early access superannuation to inside information regarding vaccine rollouts.

The unexpected timing of lockdown announcements meant that many organisations did not undertake sufficient risk assessments. Simultaneously, typical levels of physical supervision and monitoring of staff were inevitably impacted by remote working.  However, organisations that implemented the top five controls experienced almost a third fewer incidents, and they were more likely to report stronger alignment between their cyber capability and business strategy.

In many instances, organisations have found their existing control and detection procedures are simply no longer fit for purpose in this new working environment.

New opportunities for fraud - both internally and externally

The internal threat of fraud has risen with an increasing number of employees given access to sensitive data, simultaneously with less physical or remote supervision and controls.

When combined with a rise in potential incentives for committing fraud (e.g. pressure to report positive financial results amid the economic downturn), the threat only increases. A real human element also comes into play. Some staff facing pay and bonus freezes, stand downs and salary cuts could feel disengaged or abandoned after the prolonged period of remote working. It is under these types of conditions that people can find it easier to rationalise fraud. 

Externally, things continue to change, the COVID-19 pandemic presents a range of unique challenges. It’s important for business owners and leaders to stay on top of these risks within their organisations and implement appropriate strategies to mitigate these risks.

Organisations must now cope with the spike in externally driven cyber-attacks. According to our survey report, organisations experienced a higher number of phishing and ransomware attacks in 2020 than expected, while data loss and theft of confidential information is expected to increase throughout 2021.

Fraudster’s phishing emails are also becoming increasingly sophisticated, resulting in greater success in persuading employees to click a link or open an apparently genuine document, resulting in data loss or unauthorised access to a system or employee profile. Ransomware attacks also remain prevalent. Commonly targeted organisations are those with weak systems, deep pockets or who hold particularly sensitive data, such as the healthcare sector.

Increasingly, organisations are also being targeted by more sophisticated “deepfake” audio attacks, with fraudsters generating fake voice recordings of senior individuals to try to trick employees into authorising fund transfers.

These threats represented a large enough challenge before the pandemic, let alone now when many employees are working at home on new or unfamiliar systems, with broader access to sensitive data on a range of devices.  

Employees’ work and personal lives are merging

The past year saw a real blurring of lines between employees’ work and personal environments. Home working has raised a number of wider concerns for many organisations, including:

  • The challenge of ensuring the social media habits of employees are not transferred to their working practices, e.g. sharing work information on informal platforms
  • The risk that fraud committed personally by individual employees can percolate into the organisation’s domain. For example, ‘careless clicking’ on communications received personally that leads to fraud risk to the organisation if the device is being used for both work and private use. There is also the risk of employees seeking to recoup their personal losses by committing fraud against their employer
  • Enhanced confidentiality risks include safe storage and disposal of sensitive hard copy documentation, safely conducting confidential calls and being mindful of a new generation of ‘listening’ types of devices such as Alexa and Google Home.

What should businesses focus on to prevent further losses?

No matter how vigilant, organisations cannot entirely eliminate the risks associated with working from home. BDO’s Forensic Services team has identified five critical factors organisations can implement to enhance their ability to combat fraud.

1. Carefully assess the new and old fraud risks

  • Ensure regular business-wide fraud risk assessments are conducted, including testing of new systems and vulnerability testing.
  • Conduct Information Technology (IT) and internal audit driven spot testing targeted at risk areas and follow up on identified issues.
  • Ensure a fraud action plan is in place to enable an effective response to any arising concerns, including defined internal roles and pre-approved external advisers. Having an existing agreement will assist organisations to start work immediately, which can be a distinct advantage when time is of the essence.

2. Update systems and procedures to reflect new or enhanced risks

  • Ensure new systems reflect risks altered by remote working including IT security, segregation of duties, confidentiality and supervision protocols.
  • Roll out updated policies to staff and reiterate core messaging, including the use of personal devices, minimising the cross-collateral use of social media and other informal communication platforms.

3. Focus on employee data access

  • Make sure your organisation’s IT department and management team are fully aware of exactly what devices employees are using and ensure they are protected.
  • Monitor compliance with IT polices and the use of company laptops and phones. Remain vigilant to red flags represented by situations such as the use of unapproved communication platforms or employees sending work attachments to personal email addresses.

4. Know who data is being shared with

  • Ensure the organisation’s management team is fully aware of who they are doing business (and sharing data) with.
  • Ensure appropriate pre-acceptance due diligence is done on suppliers and external consultants including IT security.
  • Set your employees up for success by equipping them with safe processes, technologies and education to share information appropriately with external parties.

5. Adapt training and set a culture to fit the new world

  • Ensure employees are provided clear messaging on fraud, updated fraud awareness training and are fully cognisant of the organisation’s IT systems and procedures.
  • Give careful consideration to internal communication and the culture set in the organisation. Whilst it is important to maintain supervision and vigilance, it is also vital to generate and maintain employee engagement and morale. A motivated, fully engaged team will be much more likely to detect fraud and less likely to commit it.

The internal and external threat of fraud is still lingering, so all organisations should pay sufficient care and attention to the enhanced risks and take a robust stance against fraud. 

Should you have any questions about how you can safeguard your organisation from the ongoing fraud threat, or what policies and procedures would best suit your needs, reach out to our team of dedicated Forensic Services and Cyber Security experts.