Managing insider-fraud risks in a pandemic

When a medical device packaging company fired Christopher Dobbins in March last year just as the COVID-19 virus was starting to spread across the U.S., he decided to seek revenge on his former employer.

Shortly after receiving his last paycheck on March 26, 2020, Dobbins accessed the company’s computer system with a fake user account and sabotaged its electronic shipping records. The hack resulted in $200,000 in damages and, perhaps worst of all, delayed the delivery of vital personal protective equipment to Americans seeking ways to defend themselves against the threat of the new virus. (See Former employee of medical packaging company sentenced to federal prison for disrupting PPE shipments, U.S. Attorney’s Office, Northern District of Georgia.)

While such acts of revenge have long been commonplace among employees, the COVID-19 pandemic has only exacerbated the threats from insider fraud. Perceived unshareable financial need, perceived opportunity and rationalization — the three components of the Fraud Triangle — have been increasingly present during the COVID-19 pandemic. The economic hardship caused by the health crisis and the subsequent psychological pressures have brought these motivating factors to the forefront for committing fraud.

This is especially true for insider or internal occupational fraud. With many organizations laying off employees and many fearing for their jobs, the motivation to embezzle funds to cover basic financial needs is strong.

Employees’ desire to seek revenge for severe layoffs and pay cuts might also spur staff to undertake fraudulent activity. Consulting firm Deloitte, which emphasized these dangers in a recent report, warned that organizations’ efforts to cut costs during the economic downturn through layoffs could create incentives for employees to commit fraud. (See COVID-19 Operating in the ‘new normal’ – A backdoor to increased fraud risk? Deloitte.)

Indeed, amid the uncertain economic backdrop caused by COVID-19, both financial motives and perceived opportunities for insider fraud abound. Some U.S. and U.K. insurance experts have warned that insurance staff  working from home could carry out opportunistic fraud to alleviate some of the financial difficulties caused by the pandemic. They said that those employees are also vulnerable to professional fraudsters who use social engineering to steal data from insurance policies and claims. (See Industry experts warn of insider fraud as a result of Covid-19 pandemic, by Katie Scott, Insurance Times, April 30, 2020.)

Lockdowns and working at home have caused employees emotional stress, and even trauma, but they’ve also elevated insider and external fraud risks. Individuals under pressure are prone to rushed or irrational decision-making and hence are easy targets for criminals.

Companies of all sizes are vulnerable to this type of fraud. One such case recently occurred at electric car maker Tesla where a Russian national allegedly offered an employee $1 million to help orchestrate a ransomware attack at the company. (See Russian pleads not guilty in foiled Tesla ransomware plot, by Ken Ritter and Scott Sonner, AP, Sept. 24, 2020, and Russian National Indicted for Conspiracy to Introduce Malware into a Computer Network, U.S. Department of Justice, Sept. 4, 2020.) Organizations that fail to reassure and support employees to help alleviate the psychological impacts of the pandemic could increase motivations and rationalizations to commit insider fraud.

Cutting costs but increasing fraud risks

Some organizations, faced with a tougher economic environment, have sought to save costs by reducing controls that are integral to fighting insider fraud. But this increases opportunities for fraud as illustrated by recent cases at companies with weak internal controls. (See sidebar Managing insider-fraud risk during COVID-19.)

TAL Education Group, a tutoring business in China, last year discovered that an employee had forged contracts to inflate sales. (See press release, TAL Education Group Discovered Employee Wrongdoing, April 7, 2020.) The news added to concerns about corporate governance in mainland China where Luckin Coffee Inc. had recently exposed its own fraudulent sales. (See: 5 most scandalous frauds of 2020, Fraud Magazine, January/February.)

Similarly, U.K. car dealership chain Lookers recently disclosed a 45.5 million pounds ($60.5 million) loss after it discovered a former employee had committed accounting fraud in 2019 because of weaknesses in its corporate governance system, particularly its risk management system. (See Lookers reveals £46m loss after fraud investigation, by Peter Campbell, The Financial Times, Nov. 25, 2020.) “The last 12 months has been extremely challenging for Lookers with the ongoing impact of Covid-19 and the accounting issues,” said Lookers Chairman Phil White in the FT article.

Robust controls

The pandemic has not only increased internal fraud risks but it has also opened opportunities for external fraudsters to take advantage of disruptions in everyday business operations. That’s why it’s more important than ever to have a robust control environment. Companies should be committed to integrity and ethical values, effective human resources policies and practices, effective participation from boards of directors and audit committees, and holding individuals accountable for their actions. (See COSO Internal Control – Integrated Framework, AICPA, May 14, 2013.)

Keep abreast of some of the newly emerging external fraud types during COVID-19. These include fraudulent deals and discounts, health care-related fraud (see SEC Charges Penny Stock Company and Its CEO for Misleading Covid-19 Claims, May 14, 2020, U.S. Securities and Exchange Commission), furlough fraud (in which an employer deliberately claims back wages under a job retention scheme while an employee is still working), free school meals fraud (where fraudsters target families with fraudulent messages including malicious links regarding free school meals funded by the government), and criminals collecting money up front from elderly residents to do the shopping and then failing to deliver the groceries.

Another increasingly common scheme is vacation fraud where fraudsters send fake refund links to individuals who’d booked holidays before the pandemic with the intention of either duping the victims to share payment details or infecting their laptops with malware.

Regulators and professional bodies also have important roles to play in managing insider fraud risk during the pandemic. Anti-fraud regulators (e.g., Serious Fraud Office, Financial Reporting Council, Government Counter Fraud Profession, Action Fraud and National Audit Office, all in the U.K.; and in the U.S., the  Securities and Exchange Commission, FBI, IRS, and the Small Business Administration) and professional bodies (e.g., ACFE, American Institute of Certified Public Accountants, Institute of Internal Auditors and various chartered accountant associations) should encourage organizations to be more proactive in tackling fraud by focusing on prevention and continuous risk assessment rather than just detection. They should share fraud data among themselves and other law enforcement.

Investing in academic research funding and free anti-fraud education also helps. Governments and regulators should invite academics and researchers to conduct research that provides meaningful insights about the impact of COVID-19 on fraud risk, the sectors that have been affected badly by fraud during the pandemic and how organizations can best manage fraud risk during and post-crisis.

Governments should also provide more financial support to businesses to reduce the motivations and rationalizations for fraud, such as extending furlough plans. These are job-retention plans that give employers access to government support to continue paying part of their employees’ salaries and potentially protecting those employees from layoffs. In the U.K., for example, such plans are only limited to a few months. Finally, regulators should consider increasing penalties on insider-fraud criminals.

Rasha Kassem, Ph.D., CFE, is an assistant professor in accounting at Coventry University in the U.K. Contact her at Rasha.kassem@coventry.ac.uk.

Managing insider-fraud risk during COVID-19

Organizations could take the following steps to manage insider-fraud risk during the COVID-19 pandemic.

Avoid reducing essential anti-fraud controls

While cost-cutting measures seem practical during this crisis, it’s not prudent to save the cost of anti-fraud controls because this will make businesses more vulnerable to fraud. Also, the cost of fraud exceeds the cost of implementing anti-fraud controls. Investing in anti-fraud controls obviously reduces opportunities for fraud.

Examples of effective controls include anti-fraud education and training, anonymous fraud-reporting hotlines, continuous management review, adequate segregation of duties, proper safeguards over assets and records, surprise audits and thorough examinations of documents. (See: 2020 Report to the Nations: organizations opting more for civil litigation, internal punishment, from ACFE News, July/August 2020 Fraud Magazine.)

Incorporate adequate monitoring methods

Working from home increases the opportunity for fraud because of lack of monitoring. Management can help deter fraud by regularly checking on employees and holding virtual follow-up meetings. This type of monitoring could range from watching for downloads on work computers to providing emotional support to employees and ensuring they have all the resources they need to carry out their duties.

Consider continuous fraud risk assessment and reporting

Organizations should be proactive in assessing and managing fraud risk to protect themselves and their customers. If organizations don’t actively look for fraud, they can’t prevent it. Preventing fraud through effective counter-fraud practices reduces organizations’ losses and reputational damages. It also requires fewer resources than an approach that just focuses on detection and recovery.

Some examples of effective counter-fraud practices include establishing anonymous and secure whistleblowers’ reporting mechanisms, investing in anti-fraud training, appointing a dedicated fraud specialist or team for assessing fraud risk, designing policy statements and codes of ethics with zero tolerance to fraud and unethical behavior, conducting regular background checks on new and current employees, and ensuring fair and transparent pay and promotions.

Reduce factors that could increase potential motivations and rationalizations of fraud

Organizations should decrease employee layoffs and pay cuts as much as possible by seeking alternative approaches to reducing costs. Alternatives could include voluntary reductions in paid leaves, furloughs, going paperless, lending employees to other companies that need them, and allowing staff to work from home more to save on utility costs and rent.

Organizations should also encourage and support employees, be empathetic, and help alleviate their physical and psychological suffering. They should treat employees fairly and with respect, and care about their health and well-being during and post-pandemic. This is crucial because revenge, of course, can motivate insiders to commit fraud.

The World Health Organization (see Mental health and psychosocial considerations during the COVID-19 outbreak, WHO, March 18, 2020) provides some guidance on how to care about staff well-being during and post-pandemic:

• Rotate workers from higher- to lower-stress functions.
• Partner inexperienced workers with more experienced colleagues.
• Initiate, encourage and monitor work breaks.
• Implement flexible schedules for workers who are directly impacted or have family members affected by stressful events.
• Provide social support to staff.
• Ensure staff are aware of where and how they can access mental health and psychosocial support services and facilitate access to such services.
• Ensure managers act as role models for self-care strategies to mitigate stress.